OWASP · arkid15r · Dec 3, 2025 · Nov 30, 2025 · Nov 30, 2025 · Nov 30, 2025
@@ -21,7 +21,8 @@ Follow these steps to set up the infrastructure:
   ```bash
   cd infrastructure/backend/
   ```
-*Note:* Optionally change the region: set `aws_region` in a `.tfvars` file.
+
+**Note:** Optionally change the region: set `aws_region` in a `.tfvars` file.
 
 - Initialize Terraform if needed:
   ```bash
@@ -33,6 +34,10 @@ Follow these steps to set up the infrastructure:
   terraform apply
   ```
 
+**Note:** Copy the state bucket name from the output.
+
+**Note:** It is recommended to not destroy the backend resources unless absolutely necessary.
+
 2. **Setup Main Infrastructure (staging)**:
 
 - Navigate to the main infrastructure directory. If you are in `infrastructure/backend`, you can use:
@@ -50,13 +55,23 @@ Follow these steps to set up the infrastructure:
   cat terraform.tfvars.example > terraform.tfvars
   ```
 
-- *Note:* Optionally change the region:
-  - set `aws_region` in a `.tfvars` file.
-  - set `region` in a `.tfbackend` file and provide it using `terraform init -backend-config=<file>`.
+- Create a local backend configuration file:
+  ```bash
+  touch terraform.tfbackend
+  ```
+
+- Copy the contents from the example file:
+  ```bash
+  cat terraform.tfbackend.example > terraform.tfbackend
+  ```
+
+*Note:* Update the state bucket name in `terraform.tfbackend` with the name of the state bucket created in the previous step.
+
+*Note:* Update defaults (e.g. `region`) as needed.
 
 - Initialize Terraform with the backend configuration:
   ```bash
-  terraform init
+  terraform init -backend-config=terraform.tfbackend
   ```
 
 - Apply the changes to create the main infrastructure using the command:

@@ -5,6 +5,10 @@ terraform {
       source  = "hashicorp/aws"
       version = "6.22.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.7.2"
+    }
   }
 }
 
@@ -46,6 +50,10 @@ data "aws_iam_policy_document" "state_https_only" {
   }
 }
 
+resource "random_id" "suffix" {
+  byte_length = 4
+}
+
 resource "aws_dynamodb_table" "state_lock" {
   name         = "${var.project_name}-terraform-state-lock"
   billing_mode = "PAY_PER_REQUEST"
@@ -64,14 +72,14 @@ resource "aws_dynamodb_table" "state_lock" {
 }
 
 resource "aws_s3_bucket" "logs" { # NOSONAR
-  bucket = "${var.project_name}-terraform-state-logs"
+  bucket = "${var.project_name}-terraform-state-logs-${random_id.suffix.hex}"
   tags = {
     Name = "${var.project_name}-terraform-state-logs"
   }
 }
 
 resource "aws_s3_bucket" "state" { # NOSONAR
-  bucket = "${var.project_name}-terraform-state"
+  bucket = "${var.project_name}-terraform-state-${random_id.suffix.hex}"
   tags = {
     Name = "${var.project_name}-terraform-state"
   }

@@ -1,9 +1,6 @@
 terraform {
   backend "s3" {
-    bucket         = "owasp-nest-terraform-state"
-    dynamodb_table = "owasp-nest-terraform-state-lock"
-    encrypt        = true
-    key            = "staging/terraform.tfstate"
-    region         = "us-east-2"
+    encrypt = true
+    key     = "staging/terraform.tfstate"
   }
 }
@@ -0,0 +1,3 @@
+bucket         = "${STATE_BUCKET_NAME}"
+dynamodb_table = "owasp-nest-terraform-state-lock"
+region         = "us-east-2"
@@ -6,5 +6,5 @@ db_name                    = "owasp_nest"
 db_user                    = "owasp_nest_db_user"
 db_port                    = 5432
 environment  = "staging"
-force_destroy_bucket = true
+force_destroy_bucket = false
 project_name = "owasp-nest"