状态文件中包含的 Terraform 远程状态 s3 存储桶创建? [英] Terraform remote state s3 bucket creation included in the state file?
问题描述
我正在寻找在 S3 存储桶中创建和存储状态文件的最佳做法.
I am looking for the best practice to create and store my state file in S3 bucket.
- 我是否应该将 S3 存储桶的创建与基础架构一起包含在内,或者
- 为其 S3 存储桶创建一个单独的状态文件,并为资源创建一个不同的状态文件.
如果它是一个不同的文件,我还需要存储创建的 s3 存储桶的状态文件,那么在这种情况下,我应该创建两个 s3 存储桶,一个用于基础设施状态,另一个用于 s3 存储桶状态文件.
if it is a different file I also need to store the state file of the s3 bucket created, then in this case I should be creating two s3 buckets one for infrastructure state and other for s3 bucket state file.
其次,如果设置了远程配置并且执行terraform destroy"会向我抛出错误,无法上传状态文件:找不到这样的存储桶,因为存储桶已被销毁.我应该先禁用 terraform remote config -disable 然后运行 terraform destroy 吗?我应该遵循的最佳做法是什么?
Secondly, if remote configuration is set and performing 'terraform destroy' is throwing me an error failed to upload state file: no such bucket found, as the bucket has been destroyed. should i first disable terraform remote config -disable and then run terraform destroy? What's the best practice I should be following?
推荐答案
我个人使用 Terraform 基础堆栈来有效地引导 AWS 帐户以与 Terraform 一起使用.该堆栈仅在本地存储其状态文件,然后将其提交给版本控制.这个堆栈应该只需要运行一次,所以我认为不使用远程后端没有问题.
Personally I use a Terraform base stack to effectively bootstrap an AWS account for use with Terraform. This stack just stores its state file locally which is then committed to version control. This stack should only ever have to be run once so I see no problem with it not using a remote backend.
我的 Terraform 基础堆栈创建:
My Terraform base stack creates:
- Terraform 的 IAM 用户在未来运行
- s3 存储状态的桶
- 用于加密/解密状态的 KMS CMK
- 用于强制加密的存储桶策略声明
- 桶策略声明,以防止 Terraform 用户除了
s3:putObject&s3:getObject带状态 - KMS 政策声明,以防止 Terraform 用户执行除
kms:GenerateDataKey*之外的任何操作kms:解密 - 用于状态锁定的 DynamoDB 表.
- IAM user for Terraform to run as in future
- s3 Bucket for storing state
- KMS CMK for encrypting/decrypting state
- Bucket policy statement to enforce encryption
- Bucket policy statement to prevent the Terraform user from doing anything but
s3:putObject&s3:getObjectwith state - KMS policy statement to prevent the Terraform user from doing anything but
kms:GenerateDataKey*&kms:Decrypt - A DynamoDB table for state locking.
这可以扩展到包括角色,特别是如果您的 Terraform 用户将跨多个帐户进行部署.
This can be expanded to include Roles, especially if your Terraform user will be deploying across multiple accounts.
这篇关于状态文件中包含的 Terraform 远程状态 s3 存储桶创建?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
