Interface S3BackendConfig
- All Superinterfaces:
software.amazon.jsii.JsiiSerializable
- All Known Subinterfaces:
DataTerraformRemoteStateS3Config
- All Known Implementing Classes:
DataTerraformRemoteStateS3Config.Jsii$Proxy
,S3BackendConfig.Jsii$Proxy
This backend also supports state locking and consistency checking via Dynamo DB, which can be enabled by setting the dynamodb_table field to an existing DynamoDB table name. A single DynamoDB table can be used to lock multiple remote state files. Terraform generates key names that include the values of the bucket and key variables.
Warning! It is highly recommended that you enable Bucket Versioning on the S3 bucket to allow for state recovery in the case of accidental deletions and human error.
Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/s3
-
Nested Class Summary
Modifier and TypeInterfaceDescriptionstatic final class
A builder forS3BackendConfig
static final class
An implementation forS3BackendConfig
-
Method Summary
Modifier and TypeMethodDescriptionstatic S3BackendConfig.Builder
builder()
default String
(experimental) (Optional) AWS access key.default String
getAcl()
(experimental) (Optional) Canned ACL to be applied to the state file.default String
(experimental) (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.(experimental) (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.(experimental) (Optional) Map of assume role session tags.(experimental) (Optional) Set of assume role session tag keys to pass to any subsequent sessions.(experimental) Name of the S3 Bucket.default String
(experimental) (Optional) Custom endpoint for the AWS DynamoDB API.default String
(experimental) (Optional) Name of DynamoDB Table to use for state locking and consistency.default Boolean
(experimental) (Optional) Enable server side encryption of the state file.default String
(experimental) (Optional) Custom endpoint for the AWS S3 API.default String
(experimental) (Optional) External identifier to use when assuming the role.default Boolean
(experimental) (Optional) Enable path-style S3 URLs (https:/// instead of https:// . ). default String
(experimental) (Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API.getKey()
(experimental) Path to the state file inside the S3 Bucket.default String
(experimental) (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.default Number
(experimental) (Optional) The maximum number of times an AWS API request is retried on retryable failure.default String
(experimental) (Optional) Name of AWS profile in AWS shared credentials file (e.g.default String
(experimental) AWS Region of the S3 Bucket and DynamoDB Table (if used).default String
(experimental) (Optional) Amazon Resource Name (ARN) of the IAM Role to assume.default String
(experimental) (Optional) AWS secret access key.default String
(experimental) (Optional) Session name to use when assuming the role.default String
(experimental) (Optional) Path to the AWS shared credentials file.default Boolean
(experimental) (Optional) Skip credentials validation via the STS API.default Boolean
(experimental) (Optional) Skip usage of EC2 Metadata API.default Boolean
(experimental) (Optional) Skip validation of provided region name.default String
(experimental) (Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C).default String
(experimental) (Optional) Custom endpoint for the AWS Security Token Service (STS) API.default String
getToken()
(experimental) (Optional) Multi-Factor Authentication (MFA) token.default String
(experimental) (Optional) Prefix applied to the state path inside the bucket.Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
-
Method Details
-
getBucket
(experimental) Name of the S3 Bucket. -
getKey
(experimental) Path to the state file inside the S3 Bucket.When using a non-default workspace, the state path will be /workspace_key_prefix/workspace_name/key
-
getAccessKey
(experimental) (Optional) AWS access key.If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).
-
getAcl
(experimental) (Optional) Canned ACL to be applied to the state file. -
getAssumeRolePolicy
(experimental) (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed. -
getAssumeRolePolicyArns
(experimental) (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed. -
getAssumeRoleTags
(experimental) (Optional) Map of assume role session tags. -
getAssumeRoleTransitiveTagKeys
(experimental) (Optional) Set of assume role session tag keys to pass to any subsequent sessions. -
getDynamodbEndpoint
(experimental) (Optional) Custom endpoint for the AWS DynamoDB API.This can also be sourced from the AWS_DYNAMODB_ENDPOINT environment variable.
-
getDynamodbTable
(experimental) (Optional) Name of DynamoDB Table to use for state locking and consistency.The table must have a partition key named LockID with type of String. If not configured, state locking will be disabled.
-
getEncrypt
(experimental) (Optional) Enable server side encryption of the state file. -
getEndpoint
(experimental) (Optional) Custom endpoint for the AWS S3 API.This can also be sourced from the AWS_S3_ENDPOINT environment variable.
-
getExternalId
(experimental) (Optional) External identifier to use when assuming the role. -
getForcePathStyle
(experimental) (Optional) Enable path-style S3 URLs (https:/// instead of https:// . ). -
getIamEndpoint
(experimental) (Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API.This can also be sourced from the AWS_IAM_ENDPOINT environment variable.
-
getKmsKeyId
(experimental) (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.Note that if this value is specified, Terraform will need kms:Encrypt, kms:Decrypt and kms:GenerateDataKey permissions on this KMS key.
-
getMaxRetries
(experimental) (Optional) The maximum number of times an AWS API request is retried on retryable failure.Defaults to 5.
-
getProfile
(experimental) (Optional) Name of AWS profile in AWS shared credentials file (e.g. ~/.aws/credentials) or AWS shared configuration file (e.g. ~/.aws/config) to use for credentials and/or configuration. This can also be sourced from the AWS_PROFILE environment variable. -
getRegion
(experimental) AWS Region of the S3 Bucket and DynamoDB Table (if used).This can also be sourced from the AWS_DEFAULT_REGION and AWS_REGION environment variables.
-
getRoleArn
(experimental) (Optional) Amazon Resource Name (ARN) of the IAM Role to assume. -
getSecretKey
(experimental) (Optional) AWS secret access key.If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config)
-
getSessionName
(experimental) (Optional) Session name to use when assuming the role. -
getSkipCredentialsValidation
(experimental) (Optional) Skip credentials validation via the STS API. -
getSkipMetadataApiCheck
(experimental) (Optional) Skip usage of EC2 Metadata API. -
getSkipRegionValidation
(experimental) (Optional) Skip validation of provided region name. -
getSseCustomerKey
(experimental) (Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C).This is the base64-encoded value of the key, which must decode to 256 bits. This can also be sourced from the AWS_SSE_CUSTOMER_KEY environment variable, which is recommended due to the sensitivity of the value. Setting it inside a terraform file will cause it to be persisted to disk in terraform.tfstate.
-
getStsEndpoint
(experimental) (Optional) Custom endpoint for the AWS Security Token Service (STS) API.This can also be sourced from the AWS_STS_ENDPOINT environment variable.
-
getToken
(experimental) (Optional) Multi-Factor Authentication (MFA) token.This can also be sourced from the AWS_SESSION_TOKEN environment variable.
-
getWorkspaceKeyPrefix
(experimental) (Optional) Prefix applied to the state path inside the bucket.This is only relevant when using a non-default workspace. Defaults to env:
-
builder
- Returns:
- a
S3BackendConfig.Builder
ofS3BackendConfig
-