add support for S3 object based TF state lock (#192)

smangels · plejd-sebman · milldr · web-flow · commit 719364693cb7 · 2025-08-13T17:17:12.000+03:00
* add support for S3 object based TF state lock

* atmos docs generate readme

* atmos docs generate readme

* resolved tflint warnings

* resolved tflint warnings

---------

Co-authored-by: Sebastian Mangelsen &lt;sebastian.mangelsen@plejd.com&gt;
Co-authored-by: milldr &lt;miller0daniel@gmail.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,5 @@ terraform-aws-tfstate-backend.iml
 
 .build-harness
 build-harness
+
+.atmos/cache.yaml
diff --git a/README.md b/README.md
@@ -233,6 +233,7 @@ module "terraform_state_backend" {
 | [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_object_lock_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object_lock_configuration) | resource |
 | [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
@@ -292,6 +293,7 @@ module "terraform_state_backend" {
 | <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | S3 bucket name. If not provided, the name will be generated from the context by the label module. | `string` | `""` | no |
 | <a name="input_s3_replica_bucket_arn"></a> [s3\_replica\_bucket\_arn](#input\_s3\_replica\_bucket\_arn) | The ARN of the S3 replica bucket (destination) | `string` | `""` | no |
 | <a name="input_s3_replication_enabled"></a> [s3\_replication\_enabled](#input\_s3\_replication\_enabled) | Set this to true and specify `s3_replica_bucket_arn` to enable replication | `bool` | `false` | no |
+| <a name="input_s3_state_lock_enabled"></a> [s3\_state\_lock\_enabled](#input\_s3\_state\_lock\_enabled) | Whether to create the S3 bucket. | `bool` | `false` | no |
 | <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON format) that are merged together into the generated S3 bucket policy.<br/>Statements must have unique SIDs.<br/>Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
 | <a name="input_sse_encryption"></a> [sse\_encryption](#input\_sse\_encryption) | The server-side encryption algorithm to use.<br/>Valid values are `AES256`, `aws:kms`, and `aws:kms:dsse`. | `string` | `"AES256"` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
@@ -301,7 +303,7 @@ module "terraform_state_backend" {
 | <a name="input_terraform_backend_config_file_path"></a> [terraform\_backend\_config\_file\_path](#input\_terraform\_backend\_config\_file\_path) | (Deprecated) Directory for the terraform backend config file, usually `.`. The default is to create no file. | `string` | `""` | no |
 | <a name="input_terraform_backend_config_template_file"></a> [terraform\_backend\_config\_template\_file](#input\_terraform\_backend\_config\_template\_file) | (Deprecated) The path to the template used to generate the config file | `string` | `""` | no |
 | <a name="input_terraform_state_file"></a> [terraform\_state\_file](#input\_terraform\_state\_file) | The path to the state file inside the bucket | `string` | `"terraform.tfstate"` | no |
-| <a name="input_terraform_version"></a> [terraform\_version](#input\_terraform\_version) | The minimum required terraform version | `string` | `"1.0.0"` | no |
+| <a name="input_terraform_version"></a> [terraform\_version](#input\_terraform\_version) | The minimum required terraform version | `string` | `null` | no |
 | <a name="input_write_capacity"></a> [write\_capacity](#input\_write\_capacity) | DynamoDB write capacity units when using provisioned mode | `number` | `5` | no |
 
 ## Outputs
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -1,160 +1,6 @@
 variable "region" {
-  type = string
-}
-
-variable "arn_format" {
-  type        = string
-  default     = "arn:aws"
-  description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
-
-variable "acl" {
-  type        = string
-  description = "The canned ACL to apply to the S3 bucket"
-  default     = "private"
-}
-
-variable "billing_mode" {
-  default     = "PROVISIONED"
-  description = "DynamoDB billing mode"
-}
-
-variable "read_capacity" {
-  default     = 5
-  description = "DynamoDB read capacity units"
-}
-
-variable "write_capacity" {
-  default     = 5
-  description = "DynamoDB write capacity units"
-}
-
-variable "force_destroy" {
-  type        = bool
-  description = "A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable"
-  default     = false
-}
-
-variable "mfa_delete" {
-  type        = bool
-  description = "A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 )"
-  default     = false
-}
-
-variable "enable_point_in_time_recovery" {
-  type        = bool
-  description = "Enable DynamoDB point-in-time recovery"
-  default     = true
-}
-
-variable "enable_server_side_encryption" {
-  type        = bool
-  description = "Enable DynamoDB server-side encryption"
-  default     = true
-}
-
-variable "enable_public_access_block" {
-  type        = bool
-  description = "Enable Bucket Public Access Block"
-  default     = true
-}
-
-variable "block_public_acls" {
-  type        = bool
-  description = "Whether Amazon S3 should block public ACLs for this bucket"
-  default     = true
-}
-
-variable "ignore_public_acls" {
-  type        = bool
-  description = "Whether Amazon S3 should ignore public ACLs for this bucket"
-  default     = true
-}
-
-variable "block_public_policy" {
-  description = "Whether Amazon S3 should block public bucket policies for this bucket"
-  default     = true
-}
-
-variable "restrict_public_buckets" {
-  type        = bool
-  description = "Whether Amazon S3 should restrict public bucket policies for this bucket"
-  default     = true
-}
-
-variable "prevent_unencrypted_uploads" {
-  type        = bool
-  default     = true
-  description = "Prevent uploads of unencrypted objects to S3"
-}
-
-variable "profile" {
-  type        = string
-  default     = ""
-  description = "AWS profile name as set in the shared credentials file"
-}
-
-variable "role_arn" {
-  type        = string
-  default     = ""
-  description = "The role to be assumed"
-}
-
-variable "terraform_backend_config_file_name" {
-  type        = string
-  default     = "terraform.tf"
-  description = "Name of terraform backend config file"
-}
-
-variable "terraform_backend_config_file_path" {
   type        = string
-  default     = ""
-  description = "Directory for the terraform backend config file, usually `.`. The default is to create no file."
-}
-
-variable "terraform_backend_config_template_file" {
-  type        = string
-  default     = ""
-  description = "The path to the template used to generate the config file"
-}
-
-variable "terraform_version" {
-  type        = string
-  default     = "0.12.2"
-  description = "The minimum required terraform version"
-}
-
-variable "terraform_state_file" {
-  type        = string
-  default     = "terraform.tfstate"
-  description = "The path to the state file inside the bucket"
-}
-
-variable "s3_bucket_name" {
-  type        = string
-  default     = ""
-  description = "S3 bucket name. If not provided, the name will be generated by the label module in the format namespace-stage-name"
-}
-
-variable "s3_replication_enabled" {
-  type        = bool
-  default     = false
-  description = "Set this to true and specify `s3_replica_bucket_arn` to enable replication"
-}
-
-variable "s3_replica_bucket_arn" {
-  type        = string
-  default     = ""
-  description = "The ARN of the S3 replica bucket (destination)"
-}
-
-variable "logging" {
-  type = object({
-    bucket_name = string
-    prefix      = string
-  })
-  default     = null
-  description = "Bucket access logging configuration."
+  description = "AWS region"
 }
 
 variable "bucket_enabled" {
diff --git a/main.tf b/main.tf
@@ -1,8 +1,9 @@
 locals {
   enabled = module.this.enabled
 
-  bucket_enabled   = local.enabled && var.bucket_enabled
-  dynamodb_enabled = local.enabled && var.dynamodb_enabled
+  bucket_enabled        = local.enabled && var.bucket_enabled
+  s3_state_lock_enabled = local.enabled && var.s3_state_lock_enabled
+  dynamodb_enabled      = local.enabled && var.dynamodb_enabled
 
   dynamodb_table_name = local.dynamodb_enabled ? coalesce(var.dynamodb_table_name, module.dynamodb_table_label.id) : ""
 
@@ -16,19 +17,23 @@ locals {
     var.terraform_backend_config_file_name
   )
 
-  terraform_backend_config_template_file = var.terraform_backend_config_template_file != "" ? var.terraform_backend_config_template_file : "${path.module}/templates/terraform.tf.tpl"
+  terraform_backend_default_template_file = local.s3_state_lock_enabled ? "${path.module}/templates/terraform-s3-lock.tf.tpl" : "${path.module}/templates/terraform.tf.tpl"
+  terraform_version_minimum               = local.s3_state_lock_enabled ? "1.11.0" : "1.0.0"
+  terraform_version_requested             = var.terraform_version != null ? var.terraform_version : local.terraform_version_minimum
+  terraform_backend_config_template_file  = var.terraform_backend_config_template_file != "" ? var.terraform_backend_config_template_file : local.terraform_backend_default_template_file
 
   terraform_backend_config_content = templatefile(local.terraform_backend_config_template_file, {
     region = data.aws_region.current.name
     # Template file inputs cannot be null, so we use empty string if the variable is null
     bucket = try(aws_s3_bucket.default[0].id, "")
 
     dynamodb_table = try(aws_dynamodb_table.with_server_side_encryption[0].name, "")
+    use_lockfile   = local.s3_state_lock_enabled
 
     encrypt              = "true"
     role_arn             = var.role_arn == null ? "" : var.role_arn
     profile              = var.profile == null ? "" : var.profile
-    terraform_version    = var.terraform_version == null ? "" : var.terraform_version
+    terraform_version    = local.terraform_version_requested
     terraform_state_file = var.terraform_state_file == null ? "" : var.terraform_state_file
     namespace            = var.namespace == null ? "" : var.namespace
     stage                = var.stage == null ? "" : var.stage
@@ -166,6 +171,19 @@ resource "aws_s3_bucket" "default" {
   tags = module.this.tags
 }
 
+resource "aws_s3_bucket_object_lock_configuration" "default" {
+  count = local.s3_state_lock_enabled ? 1 : 0
+
+  bucket = one(aws_s3_bucket.default[*].id)
+
+  rule {
+    default_retention {
+      mode = "GOVERNANCE"
+      days = 7
+    }
+  }
+}
+
 resource "aws_s3_bucket_policy" "default" {
   count = local.bucket_enabled ? 1 : 0
 
diff --git a/templates/terraform-s3-lock.tf.tpl b/templates/terraform-s3-lock.tf.tpl
@@ -0,0 +1,24 @@
+terraform {
+  required_version = ">= ${terraform_version}"
+
+  backend "s3" {
+    region  = "${region}"
+    bucket  = "${bucket}"
+    key     = "${terraform_state_file}"
+    profile = "${profile}"
+    encrypt = "${encrypt}"
+    %{~ if role_arn != "" ~}
+
+    assume_role {
+      role_arn = "${role_arn}"
+    }
+    %{~ endif ~}
+    %{~ if ! use_lockfile ~}
+
+    dynamodb_table = "${dynamodb_table}"
+    %{~ else ~}
+
+    use_lockfile     = "${use_lockfile}"
+    %{~ endif ~}
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -127,7 +127,7 @@ variable "terraform_backend_config_template_file" {
 
 variable "terraform_version" {
   type        = string
-  default     = "1.0.0"
+  default     = null
   description = "The minimum required terraform version"
 }
 
@@ -179,6 +179,12 @@ variable "bucket_enabled" {
   description = "Whether to create the S3 bucket."
 }
 
+variable "s3_state_lock_enabled" {
+  type        = bool
+  default     = false
+  description = "Whether to create the S3 bucket."
+}
+
 variable "dynamodb_enabled" {
   type        = bool
   default     = true
