
AWS AOS Edge Terraform backend setup

NOTE: Use Terraform v1.2.9.

NOTE: These steps should be executed manually, not through a pipeline (one-time setup execution).

Export your OWN AWS credentials into environment variables and apply terraform s3 afterwards. More info here

export AWS_ACCESS_KEY_ID="anaccesskey"
export AWS_SECRET_ACCESS_KEY="asecretkey"
export AWS_DEFAULT_REGION="eu-central-1"

Check your current sts user:

aws sts get-caller-identity
{ "UserId": "xxxxx:xxxx@domain.com", "Account": "XXXX", "Arn": "XXXX" }

Modify the terraform.tfvars file to match the read-only Terraform user/role ARNs:

terraform_users_arn = [
"arn:aws:iam::xxx:user/",
"arn:aws:iam::xxx:user/",
]
# In case federated access is implemented in your organization.
terraform_sts_user_ids = [
"*:",
]

Create AWS terraform backend resources

export TF_VAR_environment=demo
export TF_VAR_project=aos
# Temporarily comment out the backend config:
sed -i '/BACKEND_CONFIG_BEGIN/,/BACKEND_CONFIG_END/s/^/#/' main.tf
terraform init -backend=false
terraform apply -auto-approve

Migrate setup state to remote

This stage generates a .envrc_<project>-<environment> env file with the required variables. Save it for future use; we recommend backing this file up. Those variables will be used in the next stages.

# Export setup state file
source .envrc_aos-<env>

You should get an output like the following:

# aws sts get-caller-identity
{ "UserId": "XX:AWSCLI-Session", "Account": "XXXXXX", "Arn": "arn:aws:sts::XXXXX:assumed-role/aos-staging-terraform-admin/AWSCLI-Session" }
# Uncomment the backend config in main.tf
sed -i '/BACKEND_CONFIG_BEGIN/,/BACKEND_CONFIG_END/s/^#//' main.tf
# Migrate state (Recommended to use terraform sts)
terraform init -backend-config "bucket=${TF_VAR_remote_state_bucket}" \
-backend-config "dynamodb_table=${TF_VAR_remote_state_db_table}" \
-backend-config "kms_key_id=${TF_VAR_remote_state_kms_key_id}" \
-reconfigure
# Type 'yes' to migrate the current setup state to remote state
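
A pre-flight check for the migration step above, as an added example that is not part of the original README or the project: it confirms the pinned Terraform version, that the caller is the assumed Terraform role rather than a personal IAM user, and that the backend variables from the .envrc file are set. The function names, the placeholder account ID and passing the expected role name as an argument are assumptions; the role name in the demo comes from the sample output above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the project.

# Succeeds only if the first line of `terraform version` is the pinned release.
tf_version_ok() {
  [ "$(printf '%s\n' "$1" | head -n 1)" = "Terraform v1.2.9" ]
}

# Succeeds only if ARN $1 is an STS assumed-role session for role name $2
# (an IAM user or a different role is rejected).
assumed_role_ok() {
  case "$1" in
    arn:aws:sts::*:assumed-role/"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the backend variables that are unset or empty; succeeds if none are.
missing_backend_vars() {
  _missing=""
  for _name in TF_VAR_remote_state_bucket TF_VAR_remote_state_db_table \
               TF_VAR_remote_state_kms_key_id; do
    eval "_val=\${$_name:-}"
    [ -n "$_val" ] || _missing="$_missing $_name"
  done
  printf '%s' "${_missing# }"
  [ -z "$_missing" ]
}

# Live check; call as: preflight <expected-role-name> && terraform init ...
preflight() {
  tf_version_ok "$(terraform version)" ||
    { echo "Terraform v1.2.9 required" >&2; return 1; }
  _arn="$(aws sts get-caller-identity --query Arn --output text)" || return 1
  assumed_role_ok "$_arn" "$1" ||
    { echo "unexpected caller: $_arn" >&2; return 1; }
  _m="$(missing_backend_vars)" ||
    { echo "unset: $_m (source the .envrc file first)" >&2; return 1; }
}

# Offline demo on constructed ARNs (the account ID is a placeholder).
assumed_role_ok "arn:aws:sts::111122223333:assumed-role/aos-staging-terraform-admin/AWSCLI-Session" \
  aos-staging-terraform-admin && echo "assumed role: accepted"
assumed_role_ok "arn:aws:iam::111122223333:user/someone" \
  aos-staging-terraform-admin || echo "IAM user: rejected"
```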
