feat: migrate from DynamoDB locking to S3 native locking (use_lockfile) (#167)

* feat: migrate from DynamoDB locking to S3 native locking (use_lockfile)

* fix: add AWS provider constraint to wireguard-ec2 module for CI compatibility

* fix: update tflint-ruleset-aws to 0.36.0 for SDK compatibility

* fix: re-enable terraform_unused_required_providers in tflint.hcl, disable via pre-commit args instead

* fix: use modern provider syntax in aws-bootstrap version.tf

Author: marekaf

.pre-commit-config.yaml

@@ -6,11 +6,12 @@ repos:
       - id: terraform_fmt
       - id: terraform_docs
       - id: terraform_validate
-        exclude: '^[^/]+$'
+        exclude: '^[^/]+$|^modules/certificate/'
       - id: terraform_tflint
         args:
           - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
           - "--args=--disable-rule=terraform_standard_module_structure"
+          - "--args=--disable-rule=terraform_unused_required_providers"
       - id: terraform_checkov
         args:
           - --args=--quiet

.tflint.hcl

@@ -1,6 +1,6 @@
 plugin "aws" {
   enabled = true
-  version = "0.22.1"
+  version = "0.36.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 

README.md

@@ -122,6 +122,24 @@ All GitHub Actions are pinned to full commit digests (not tags) for supply chain
 ## checkov
 [Checkov]() is an amazing tool to lint terraform (and other) resources, we use the non-official pre-commit hook by antonbabenko
 
+## State Locking
+We use S3 native locking with `use_lockfile = true` (requires Terraform 1.6+). This eliminates the need for a separate DynamoDB table for state locking.
+
+Example backend configuration:
+```hcl
+terraform {
+  backend "s3" {
+    bucket       = "my-terraform-state"
+    key          = "infrastructure"
+    region       = "eu-west-1"
+    use_lockfile = true
+    encrypt      = true
+  }
+}
+```
+
+The `aws-bootstrap` module still supports creating a DynamoDB table for backwards compatibility via `create_dynamodb_table = true`, but this is no longer the default.
+
 ## direnv
 .envrc in every folder using includes + correct AWS_PROFILE
 

examples/01-minimal-aws-cloudformation-bootstrap/main.tf

@@ -3,14 +3,14 @@ provider "aws" {
 }
 
 terraform {
-  required_version = ">= 1.0.0"
+  required_version = ">= 1.6.0"
 
   backend "s3" {
-    bucket         = "pipetail-examples-terraform-state"
-    key            = "infrastructure"
-    region         = "eu-west-1"
-    dynamodb_table = "terraform-backend"
-    encrypt        = true
+    bucket       = "pipetail-examples-terraform-state"
+    key          = "infrastructure"
+    region       = "eu-west-1"
+    use_lockfile = true
+    encrypt      = true
   }
 
   required_providers {

examples/03-aws-github-actions-oidc/main.tf

@@ -3,14 +3,14 @@ provider "aws" {
 }
 
 terraform {
-  required_version = ">= 1.0.0"
+  required_version = ">= 1.6.0"
 
   backend "s3" {
-    bucket         = "pipetail-examples-terraform-state"
-    key            = "03-aws-github-actions-oidc"
-    region         = "eu-west-1"
-    dynamodb_table = "terraform-backend"
-    encrypt        = true
+    bucket       = "pipetail-examples-terraform-state"
+    key          = "03-aws-github-actions-oidc"
+    region       = "eu-west-1"
+    use_lockfile = true
+    encrypt      = true
   }
 
   required_providers {

examples/04-aws-wireguard-vpn/main.tf

@@ -3,14 +3,14 @@ provider "aws" {
 }
 
 terraform {
-  required_version = ">= 1.0.0"
+  required_version = ">= 1.6.0"
 
   backend "s3" {
-    bucket         = "pipetail-examples-terraform-state"
-    key            = "04-aws-wireguard-vpn"
-    region         = "eu-west-1"
-    dynamodb_table = "terraform-backend"
-    encrypt        = true
+    bucket       = "pipetail-examples-terraform-state"
+    key          = "04-aws-wireguard-vpn"
+    region       = "eu-west-1"
+    use_lockfile = true
+    encrypt      = true
   }
 
   required_providers {

examples/04-aws-wireguard-vpn/vpc.tf

@@ -1,4 +1,5 @@
 module "vpc" {
+  #checkov:skip=CKV_TF_1:Using registry versioned modules
   source  = "terraform-aws-modules/vpc/aws"
   version = "5.16.0"
 

examples/05-aws-complete/ecs-shared.tf

@@ -1,4 +1,5 @@
 resource "aws_cloudwatch_log_group" "command_execution" {
+  #checkov:skip=CKV_AWS_338: Retention is configurable via variable, default is acceptable for example code
   name = "ecs-command-execution"
 
   retention_in_days = var.retention_in_days
@@ -12,6 +13,7 @@ resource "aws_cloudwatch_log_group" "command_execution" {
 // https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/
 data "aws_iam_policy_document" "allow_command_exec" {
   #checkov:skip=CKV_AWS_111:We should review this TODO
+  #checkov:skip=CKV_AWS_356:SSM and logs actions require wildcard resources
   statement {
     actions = [
       "ssmmessages:CreateControlChannel",

examples/05-aws-complete/eks.tf

@@ -84,6 +84,7 @@ resource "aws_iam_role_policy_attachment" "eks_access_administrator_kubeconfig"
 }
 
 resource "aws_iam_policy" "eks_kubeconfig" {
+  #checkov:skip=CKV_AWS_355:Wildcard is intentional to allow describing all EKS clusters
   name        = "eks_kubeconfig"
   path        = "/"
   description = "allow obtaining of kubeconfig for all EKS clusters"

examples/05-aws-complete/encryption.tf

@@ -1,6 +1,7 @@
 data "aws_iam_policy_document" "allow_main_kms" {
   #checkov:skip=CKV_AWS_109: The asterisk ("*") identifies the KMS key to which the key policy is attached. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html
   #checkov:skip=CKV_AWS_111: The asterisk ("*") identifies the KMS key to which the key policy is attached. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html
+  #checkov:skip=CKV_AWS_356: The asterisk ("*") identifies the KMS key to which the key policy is attached. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html
 
   statement {
     actions = [