This is some Cloudformation that will create a terraform state bucket and prevent deletions, while making the bucket private and ensuring versioning is enabled.
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation stack for Terraform resources.
Resources:
TerraformStateBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
BucketName: !Sub terraform-state-${AWS::AccountId}
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
VersioningConfiguration:
Status: Enabled
TerraformStatePolicy:
DependsOn: [ TerraformStateBucket ]
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref TerraformStateBucket
PolicyDocument:
Statement:
- Action: s3:DeleteObject
Effect: Deny
Principal: "*"
Resource: !Sub arn:aws:s3:::${TerraformStateBucket}/*
Sid: DenyDeleteTerraformState
TerraformLocksTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: LockID
AttributeType: S
BillingMode: PAY_PER_REQUEST
KeySchema:
- AttributeName: LockID
KeyType: HASH
PointInTimeRecoverySpecification:
PointInTimeRecoveryEnabled: true
SSESpecification:
SSEEnabled: true
TableName: terraform-locks
Outputs:
TerraformLocksTableArn:
Description: ARN of the DynamoDB table used for locking Terraform state.
Value: !GetAtt TerraformLocksTable.Arn
TerraformLocksTableName:
Description: Name of the DynamoDB table used for locking Terraform state.
Value: !Ref TerraformLocksTable
TerraformStateBucketArn:
Description: ARN of the S3 bucket used to store Terraform state.
Value: !GetAtt TerraformStateBucket.Arn
TerraformStateBucketName:
Description: Name of the S3 bucket used to store Terraform state.
Value: !Ref TerraformStateBucket