Merge commit '9cdd6c487ffbeaccc125ab062052730edcf330d6' as 'terraform…

…-backend-manager'

terraform-backend-manager/assume_role.tf

@@ -0,0 +1,23 @@
+resource "aws_iam_role" "iac_role" {
+  name = "${var.prefix}-iac-role"
+
+  # Define the trust relationship policy that allows Terraform to assume this role
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = var.approved_arns
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "terraform_role_admin_access" {
+  role       = aws_iam_role.iac_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+

terraform-backend-manager/dynamo.tf

@@ -0,0 +1,41 @@
+#  a new AWS DynamoDB table resource 
+resource "aws_dynamodb_table" "locking" {
+  for_each = toset(var.environments)
+  name     = "${var.prefix}-${each.key}-locktable"
+
+  hash_key       = "LockID"
+  read_capacity  = 20
+  write_capacity = 20
+
+  # an attribute for the DynamoDB table
+  attribute {
+    name = "LockID"
+    type = "S" # Attribute type (String)
+  }
+
+  server_side_encryption {
+    enabled     = true
+    kms_key_arn = aws_kms_key.cmk_dynamo.arn
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  # tags for the DynamoDB table for better organization
+  tags = {
+    Name = "${var.prefix}-${each.key}-locktable"
+  }
+
+  # lifecycle {
+  #   prevent_destroy = true
+  # }
+}
+
+resource "aws_kms_key" "cmk_dynamo" {
+  description         = "Customer Managed Key for DynamoDB encryption"
+  key_usage           = "ENCRYPT_DECRYPT"
+  enable_key_rotation = true
+  multi_region        = false
+}
+

terraform-backend-manager/providers.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">=1.9.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">=5.60.0"
+    }
+    local = {
+      source = "hashicorp/local"
+    }
+    terraform = {
+      source = "terraform.io/builtin/terraform"
+    }
+  }
+}

terraform-backend-manager/s3.tf

@@ -0,0 +1,52 @@
+resource "aws_s3_bucket" "state" {
+  bucket_prefix = "${var.prefix}-state-"
+
+  # lifecycle {
+  #   prevent_destroy = true
+  # }
+}
+
+resource "aws_s3_bucket_versioning" "enabled" {
+  bucket = aws_s3_bucket.state.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+  bucket = aws_s3_bucket.state.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "public_access" {
+  bucket                  = aws_s3_bucket.state.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "access_control" {
+  bucket = aws_s3_bucket.state.id
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : "*",
+        "Action" : "s3:*",
+        "Resource" : "${aws_s3_bucket.state.arn}/*",
+        "Condition" : {
+          "StringEquals" : {
+            "aws:SourceArn" = var.approved_arns
+          }
+        }
+      }
+    ]
+  })
+}
+

terraform-backend-manager/vars.tf

@@ -0,0 +1,26 @@
+
+variable "prefix" {
+  type        = string
+  description = "string used to prefix resource names and identify the project a resource belongs to"
+}
+
+variable "environments" {
+  type        = list(string)
+  description = "A list of possible environments"
+}
+
+variable "approved_arns" {
+  type = list(string)
+}
+
+output "bucket" {
+  value = aws_s3_bucket.state.bucket
+}
+
+output "lock_tables" {
+  value = { for k, v in aws_dynamodb_table.locking : k => v.arn }
+}
+
+output "role_arn" {
+  value = aws_iam_role.iac_role.arn
+}