Terraform remote state s3 bucket creation included in the state file?


Question

I am looking for the best practice to create and store my state file in an S3 bucket.

  1. Should I include the creation of the S3 bucket along with the infrastructure, or
  2. Create a separate state file for the S3 bucket and a different state file for the resources?

If it is a different file I also need to store the state file of the s3 bucket created, so in this case I should be creating two s3 buckets: one for the infrastructure state and the other for the s3 bucket state file.

Secondly, if remote configuration is set and I perform 'terraform destroy', it throws me an error, "failed to upload state file: no such bucket found", as the bucket has been destroyed. Should I first disable it with 'terraform remote config -disable' and then run 'terraform destroy'? What's the best practice I should be following?

Answer

Personally I use a Terraform base stack to effectively bootstrap an AWS account for use with Terraform. This stack just stores its state file locally, which is then committed to version control. This stack should only ever have to be run once, so I see no problem with it not using a remote backend.

My Terraform base stack creates:

  • IAM user for Terraform to run as in future
  • S3 bucket for storing state
  • KMS CMK for encrypting/decrypting state
  • Bucket policy statement to enforce encryption
  • Bucket policy statement to prevent the Terraform user from doing anything but s3:putObject & s3:getObject with state
  • KMS policy statement to prevent the Terraform user from doing anything but kms:GenerateDataKey* & kms:Decrypt
  • A DynamoDB table for state locking.

This can be expanded to include Roles, especially if your Terraform user will be deploying across multiple accounts.
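As an added example (not the answer author's own code), here is how the bucket-side pieces of such a base stack can be written in Terraform HCL: the state bucket with SSE-KMS as its default encryption, a bucket policy statement that refuses unencrypted uploads, and one that denies the Terraform user everything except the actions the s3 backend needs. It assumes AWS provider 4.x or later, that the IAM user and KMS CMK already exist (their ARNs are passed in as variables), and the bucket name "example-tf-state"; the KMS key policy statement and the DynamoDB lock table from the list above are left out.

```hcl
variable "terraform_user_arn" {} # assumed: ARN of the existing Terraform IAM user
variable "state_kms_key_arn" {}  # assumed: ARN of the existing KMS CMK for state

resource "aws_s3_bucket" "state" {
  bucket = "example-tf-state" # assumed name, must be globally unique
}

resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = var.state_kms_key_arn
    }
  }
}

data "aws_iam_policy_document" "state" {
  # Refuse any upload that is not KMS-encrypted, whoever sends it.
  statement {
    sid       = "DenyUnencryptedUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.state.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
  # Deny the Terraform user all but the s3 backend's actions (it also needs ListBucket).
  statement {
    sid         = "TerraformUserStateOnly"
    effect      = "Deny"
    not_actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources   = [aws_s3_bucket.state.arn, "${aws_s3_bucket.state.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [var.terraform_user_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "state" {
  bucket = aws_s3_bucket.state.id
  policy = data.aws_iam_policy_document.state.json
}
```

The Deny statements only restrict; the Terraform user still needs an IAM policy that allows s3:GetObject, s3:PutObject and s3:ListBucket on this bucket, plus kms:GenerateDataKey* and kms:Decrypt on the CMK, as the answer's list describes.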
