NEW: module for creating state bucket and lock

modules/terraform-setup/README.md

@@ -0,0 +1,6 @@
+# terraform-setup module
+Module for creating terraform state bucket and locks. 
+
+The output ```provider-config-block``` shows how to configure terraform provider.
+
+Please enable terraform default tags. See https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider

modules/terraform-setup/main.tf

@@ -0,0 +1,98 @@
+resource "aws_s3_bucket" "s3bucket" {
+  bucket = var.bucket-name
+}
+
+resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
+  depends_on = [aws_s3_bucket.s3bucket]
+  bucket = aws_s3_bucket.s3bucket.id
+
+  block_public_acls   = true
+  block_public_policy = true
+  ignore_public_acls =  true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_ownership_controls" "bucket-ownership-setting" {
+  depends_on = [aws_s3_bucket_public_access_block.s3-public-access-settings]
+  bucket = aws_s3_bucket.s3bucket.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "bucket-lifecycle-config" {
+  count = var.bucket-enable-lifecycle ? 1 : 0
+
+  bucket = aws_s3_bucket.s3bucket.bucket
+
+  rule {
+    id = "default"
+    status = "Enabled"
+
+    dynamic "noncurrent_version_expiration" {
+      for_each = var.enable-bucket-versioning ? [1] : []
+      content {
+        noncurrent_days = 90
+      }
+    }
+
+    dynamic "expiration" {
+      for_each = var.bucket-retain-days > 0 ? [1] : []
+      content {
+        days = var.bucket-retain-days
+      }
+    }
+
+    transition {
+      days          = var.transition-ia-days
+      storage_class = "STANDARD_IA"
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "bucket-versioning" {
+  count = var.enable-bucket-versioning ? 1 : 0
+  bucket = aws_s3_bucket.s3bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "bucket-encryption" {
+  bucket = aws_s3_bucket.s3bucket.bucket
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_acl" "bucket-acl" {
+  bucket = aws_s3_bucket.s3bucket.bucket
+  acl    = var.bucket-acl
+}
+
+resource "aws_s3_bucket_policy" "bucket-policy" {
+  bucket = aws_s3_bucket.s3bucket.bucket
+  policy = var.bucket-policy-json
+}
+
+resource "aws_dynamodb_table" "tfstate-lock-table" {
+  name           = var.ddb-table-name
+  billing_mode   = "PAY_PER_REQUEST"
+  hash_key       = "LockID"
+  point_in_time_recovery {
+    enabled = true
+  }
+  #  If enabled is false then server-side encryption is set to AWS owned CMK (shown as DEFAULT in the AWS console)
+  server_side_encryption {
+    enabled = false
+  }
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+}
+
+data aws_caller_identity this {}

modules/terraform-setup/outputs.tf

@@ -0,0 +1,27 @@
+output bucket-name {
+  value = aws_s3_bucket.s3bucket.id
+}
+
+output bucket_regional_domain_name {
+  value = aws_s3_bucket.s3bucket.bucket_regional_domain_name
+}
+
+output ddb-table-name {
+  value = aws_dynamodb_table.tfstate-lock-table.name
+}
+
+output ddb-table-arn {
+  value = aws_dynamodb_table.tfstate-lock-table.arn
+}
+
+output provider-config-block {
+  value = <<EOT
+  backend "s3" {
+    bucket = "${aws_s3_bucket.s3bucket.id}"
+    key = "terraform_state/terraform.tfstate"
+    region = ""
+    dynamodb_table = "${aws_dynamodb_table.tfstate-lock-table.name}"
+    encrypt = true
+  }
+EOT
+}

modules/terraform-setup/variables.tf

@@ -0,0 +1,20 @@
+variable resource-prefix {}
+variable ddb-table-name {}
+
+variable "transition-ia-days" {}
+variable "bucket-retain-days" {
+  default = 0
+}
+variable "bucket-enable-lifecycle" {
+  default = true
+}
+
+variable "bucket-acl" {
+  default = "private"
+}
+variable "bucket-policy-json" {}
+variable "enable-bucket-versioning" {
+  default = true
+}
+
+variable "bucket-name" {}