Interface S3BackendConfig

All Superinterfaces:
software.amazon.jsii.JsiiSerializable
All Known Subinterfaces:
DataTerraformRemoteStateS3Config
All Known Implementing Classes:
DataTerraformRemoteStateS3Config.Jsii$Proxy, S3BackendConfig.Jsii$Proxy

@Generated(value="jsii-pacmak/1.102.0 (build e354887)", date="2025-01-21T14:44:58.082Z") @Stability(Experimental) public interface S3BackendConfig extends software.amazon.jsii.JsiiSerializable
(experimental) Stores the state as a given key in a given bucket on Amazon S3.

This backend also supports state locking and consistency checking via DynamoDB, which can be enabled by setting the dynamodb_table field to an existing DynamoDB table name. A single DynamoDB table can be used to lock multiple remote state files. Terraform generates key names that include the values of the bucket and key variables.

Warning! It is highly recommended that you enable Bucket Versioning on the S3 bucket to allow for state recovery in the case of accidental deletions and human error.

Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/s3

  • Method Details

    • getBucket

      @Stability(Experimental) @NotNull String getBucket()
      (experimental) Name of the S3 Bucket.
    • getKey

      @Stability(Experimental) @NotNull String getKey()
      (experimental) Path to the state file inside the S3 Bucket.

      When using a non-default workspace, the state path will be /workspace_key_prefix/workspace_name/key

    • getAccessKey

      @Stability(Experimental) @Nullable default String getAccessKey()
      (experimental) (Optional) AWS access key.

      If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).

    • getAcl

      @Stability(Experimental) @Nullable default String getAcl()
      (experimental) (Optional) Canned ACL to be applied to the state file.
    • getAllowedAccountIds

      @Stability(Experimental) @Nullable default List<String> getAllowedAccountIds()
      (experimental) (Optional) List of allowed AWS account IDs to prevent potential destruction of a live environment.

      Conflicts with forbidden_account_ids.

    • getAssumeRole

      @Stability(Experimental) @Nullable default S3BackendAssumeRoleConfig getAssumeRole()
      (experimental) Assuming an IAM Role can be configured in two ways.

      The preferred way is to use the argument assume_role, the other, which is deprecated, is with arguments at the top level.

    • getAssumeRolePolicy

      @Stability(Deprecated) @Deprecated @Nullable default String getAssumeRolePolicy()
      Deprecated.
      Use assumeRole.policy instead.
      (deprecated) (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.

    • getAssumeRolePolicyArns

      @Stability(Deprecated) @Deprecated @Nullable default List<String> getAssumeRolePolicyArns()
      Deprecated.
      Use assumeRole.policyArns instead.
      (deprecated) (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.

    • getAssumeRoleTags

      @Stability(Deprecated) @Deprecated @Nullable default Map<String,String> getAssumeRoleTags()
      Deprecated.
      Use assumeRole.tags instead.
      (deprecated) (Optional) Map of assume role session tags.

    • getAssumeRoleTransitiveTagKeys

      @Stability(Deprecated) @Deprecated @Nullable default List<String> getAssumeRoleTransitiveTagKeys()
      Deprecated.
      Use assumeRole.transitiveTagKeys instead.
      (deprecated) (Optional) Set of assume role session tag keys to pass to any subsequent sessions.

    • getAssumeRoleWithWebIdentity

      @Stability(Experimental) @Nullable default S3BackendAssumeRoleWithWebIdentityConfig getAssumeRoleWithWebIdentity()
      (experimental) Assume Role With Web Identity Configuration.
    • getCustomCaBundle

      @Stability(Experimental) @Nullable default String getCustomCaBundle()
      (experimental) (Optional) File containing custom root and intermediate certificates.

      Can also be set using the AWS_CA_BUNDLE environment variable. Setting ca_bundle in the shared config file is not supported.

    • getDynamodbEndpoint

      @Stability(Deprecated) @Deprecated @Nullable default String getDynamodbEndpoint()
      Deprecated.
      Use endpoints.dynamodb instead
      (deprecated) (Optional) Custom endpoint for the AWS DynamoDB API.

      This can also be sourced from the AWS_DYNAMODB_ENDPOINT environment variable.

    • getDynamodbTable

      @Stability(Experimental) @Nullable default String getDynamodbTable()
      (experimental) (Optional) Name of DynamoDB Table to use for state locking and consistency.

      The table must have a partition key named LockID with type of String. If not configured, state locking will be disabled.

    • getEc2MetadataServiceEndpoint

      @Stability(Experimental) @Nullable default String getEc2MetadataServiceEndpoint()
      (experimental) (Optional) Custom endpoint URL for the EC2 Instance Metadata Service (IMDS) API.

      Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.

    • getEc2MetadataServiceEndpointMode

      @Stability(Experimental) @Nullable default String getEc2MetadataServiceEndpointMode()
      (experimental) (Optional) Mode to use in communicating with the metadata service.

      Valid values are IPv4 and IPv6. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE environment variable.

    • getEncrypt

      @Stability(Experimental) @Nullable default Boolean getEncrypt()
      (experimental) (Optional) Enable server side encryption of the state file.
    • getEndpoint

      @Stability(Deprecated) @Deprecated @Nullable default String getEndpoint()
      Deprecated.
      Use endpoints.s3 instead
      (deprecated) (Optional) Custom endpoint for the AWS S3 API.

      This can also be sourced from the AWS_S3_ENDPOINT environment variable.

    • getEndpoints

      @Stability(Experimental) @Nullable default S3BackendEndpointConfig getEndpoints()
      (experimental) (Optional) The endpoint configuration block.
    • getExternalId

      @Stability(Deprecated) @Deprecated @Nullable default String getExternalId()
      Deprecated.
      Use assume_role.external_id instead.
      (deprecated) (Optional) External identifier to use when assuming the role.

    • getForbiddenAccountIds

      @Stability(Experimental) @Nullable default List<String> getForbiddenAccountIds()
      (experimental) (Optional) List of forbidden AWS account IDs to prevent potential destruction of a live environment.

      Conflicts with allowed_account_ids.

    • getForcePathStyle

      @Stability(Deprecated) @Deprecated @Nullable default Boolean getForcePathStyle()
      Deprecated.
      Use usePathStyle instead
      (deprecated) (Optional) Enable path-style S3 URLs (https://<HOST>/<BUCKET> instead of https://<BUCKET>.<HOST>).

    • getHttpProxy

      @Stability(Experimental) @Nullable default String getHttpProxy()
      (experimental) (Optional) URL of a proxy to use for HTTP requests when accessing the AWS API.

      Can also be set using the HTTP_PROXY or http_proxy environment variables.

    • getHttpsProxy

      @Stability(Experimental) @Nullable default String getHttpsProxy()
      (experimental) (Optional) URL of a proxy to use for HTTPS requests when accessing the AWS API.

      Can also be set using the HTTPS_PROXY or https_proxy environment variables.

    • getIamEndpoint

      @Stability(Deprecated) @Deprecated @Nullable default String getIamEndpoint()
      Deprecated.
      Use endpoints.iam instead
      (deprecated) (Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API.

      This can also be sourced from the AWS_IAM_ENDPOINT environment variable.

    • getInsecure

      @Stability(Experimental) @Nullable default Boolean getInsecure()
      (experimental) (Optional) Whether to explicitly allow the backend to perform "insecure" SSL requests.

      If omitted, the default value is false.

    • getKmsKeyId

      @Stability(Experimental) @Nullable default String getKmsKeyId()
      (experimental) (Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.

      Note that if this value is specified, Terraform will need kms:Encrypt, kms:Decrypt and kms:GenerateDataKey permissions on this KMS key.

    • getMaxRetries

      @Stability(Experimental) @Nullable default Number getMaxRetries()
      (experimental) (Optional) The maximum number of times an AWS API request is retried on retryable failure.

      Defaults to 5.

    • getNoProxy

      @Stability(Experimental) @Nullable default String getNoProxy()
      (experimental) (Optional) Comma-separated list of hosts that should not use HTTP or HTTPS proxies.

      Each value can be one of:

      • A domain name
      • An IP address
      • A CIDR address
      • An asterisk (*), to indicate that no proxying should be performed

      Domain name and IP address values can also include a port number. Can also be set using the NO_PROXY or no_proxy environment variables.

    • getProfile

      @Stability(Experimental) @Nullable default String getProfile()
      (experimental) (Optional) Name of AWS profile in AWS shared credentials file (e.g. ~/.aws/credentials) or AWS shared configuration file (e.g. ~/.aws/config) to use for credentials and/or configuration. This can also be sourced from the AWS_PROFILE environment variable.
    • getRegion

      @Stability(Experimental) @Nullable default String getRegion()
      (experimental) AWS Region of the S3 Bucket and DynamoDB Table (if used).

      This can also be sourced from the AWS_DEFAULT_REGION and AWS_REGION environment variables.

    • getRetryMode

      @Stability(Experimental) @Nullable default String getRetryMode()
      (experimental) (Optional) Specifies how retries are attempted.

      Valid values are standard and adaptive. Can also be configured using the AWS_RETRY_MODE environment variable or the shared config file parameter retry_mode.

    • getRoleArn

      @Stability(Deprecated) @Deprecated @Nullable default String getRoleArn()
      Deprecated.
      Use assumeRole.roleArn instead.
      (deprecated) (Optional) Amazon Resource Name (ARN) of the IAM Role to assume.

    • getSecretKey

      @Stability(Experimental) @Nullable default String getSecretKey()
      (experimental) (Optional) AWS secret access key.

      If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).

    • getSessionName

      @Stability(Deprecated) @Deprecated @Nullable default String getSessionName()
      Deprecated.
      Use assumeRole.sessionName instead.
      (deprecated) (Optional) Session name to use when assuming the role.

    • getSharedConfigFiles

      @Stability(Experimental) @Nullable default List<String> getSharedConfigFiles()
      (experimental) (Optional) List of paths to AWS shared configuration files.

      Defaults to ~/.aws/config.

    • getSharedCredentialsFile

      @Stability(Experimental) @Nullable default String getSharedCredentialsFile()
      (experimental) (Optional) Path to the AWS shared credentials file.

      Defaults to ~/.aws/credentials.

    • getSharedCredentialsFiles

      @Stability(Experimental) @Nullable default List<String> getSharedCredentialsFiles()
      (experimental) (Optional) List of paths to AWS shared credentials files.

      Defaults to ~/.aws/credentials.

    • getSkipCredentialsValidation

      @Stability(Experimental) @Nullable default Boolean getSkipCredentialsValidation()
      (experimental) (Optional) Skip credentials validation via the STS API.
    • getSkipMetadataApiCheck

      @Stability(Experimental) @Nullable default Boolean getSkipMetadataApiCheck()
      (experimental) (Optional) Skip usage of EC2 Metadata API.
    • getSkipRegionValidation

      @Stability(Experimental) @Nullable default Boolean getSkipRegionValidation()
      (experimental) (Optional) Skip validation of provided region name.
    • getSkipRequestingAccountId

      @Stability(Experimental) @Nullable default Boolean getSkipRequestingAccountId()
      (experimental) (Optional) Whether to skip requesting the account ID.

      Useful for AWS API implementations that do not have the IAM, STS API, or metadata API.

    • getSkipS3Checksum

      @Stability(Experimental) @Nullable default Boolean getSkipS3Checksum()
      (experimental) (Optional) Do not include checksum when uploading S3 Objects.

      Useful for some S3-Compatible APIs.

    • getSseCustomerKey

      @Stability(Experimental) @Nullable default String getSseCustomerKey()
      (experimental) (Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C).

      This is the base64-encoded value of the key, which must decode to 256 bits. This can also be sourced from the AWS_SSE_CUSTOMER_KEY environment variable, which is recommended due to the sensitivity of the value. Setting it inside a terraform file will cause it to be persisted to disk in terraform.tfstate.

    • getStsEndpoint

      @Stability(Deprecated) @Deprecated @Nullable default String getStsEndpoint()
      Deprecated.
      Use endpoints.sts instead
      (deprecated) (Optional) Custom endpoint for the AWS Security Token Service (STS) API.

      This can also be sourced from the AWS_STS_ENDPOINT environment variable.

    • getStsRegion

      @Stability(Experimental) @Nullable default String getStsRegion()
      (experimental) (Optional) AWS region for STS.

      If unset, AWS will use the same region for STS as other non-STS operations.

    • getToken

      @Stability(Experimental) @Nullable default String getToken()
      (experimental) (Optional) Multi-Factor Authentication (MFA) token.

      This can also be sourced from the AWS_SESSION_TOKEN environment variable.

    • getUseLegacyWorkflow

      @Stability(Experimental) @Nullable default Boolean getUseLegacyWorkflow()
      (experimental) (Optional) Use the legacy authentication workflow, preferring environment variables over backend configuration.

      Defaults to true. This behavior does not align with the authentication flow of the AWS CLI or SDKs, and will be removed in the future.

    • getUsePathStyle

      @Stability(Experimental) @Nullable default Boolean getUsePathStyle()
      (experimental) (Optional) Enable path-style S3 URLs (https://<HOST>/<BUCKET> instead of https://<BUCKET>.<HOST>).
    • getWorkspaceKeyPrefix

      @Stability(Experimental) @Nullable default String getWorkspaceKeyPrefix()
      (experimental) (Optional) Prefix applied to the state path inside the bucket.

      This is only relevant when using a non-default workspace. Defaults to env:

    • builder

      @Stability(Experimental) static S3BackendConfig.Builder builder()
      Returns:
      a S3BackendConfig.Builder of S3BackendConfig
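
The following is an added example, not part of the generated API documentation: it builds a backend configuration with encryption, locking and account pinning enabled, then checks it through the getters documented above before registering it with cdktf's S3Backend. The bucket, table, key and role names, the account ID, and the requireHardened helper are placeholders and assumptions.

```java
import com.hashicorp.cdktf.S3Backend;
import com.hashicorp.cdktf.S3BackendAssumeRoleConfig;
import com.hashicorp.cdktf.S3BackendConfig;
import com.hashicorp.cdktf.TerraformStack;
import software.constructs.Construct;
import java.util.List;

public class StateStack extends TerraformStack {

    // Hypothetical helper: reject settings that weaken protection of the state file.
    static S3BackendConfig requireHardened(S3BackendConfig c) {
        if (!Boolean.TRUE.equals(c.getEncrypt()))
            throw new IllegalArgumentException("encrypt must be true");
        if (Boolean.TRUE.equals(c.getInsecure()))
            throw new IllegalArgumentException("insecure must not be enabled");
        if (c.getDynamodbTable() == null)
            throw new IllegalArgumentException("dynamodbTable unset: state locking is disabled");
        // Static keys set here end up in the synthesized configuration on disk;
        // supply them through the documented environment variables instead.
        if (c.getAccessKey() != null || c.getSecretKey() != null || c.getSseCustomerKey() != null)
            throw new IllegalArgumentException("credentials and SSE-C key must come from the environment");
        if (c.getAllowedAccountIds() == null || c.getAllowedAccountIds().isEmpty())
            throw new IllegalArgumentException("allowedAccountIds must pin the target account");
        return c;
    }

    public StateStack(final Construct scope, final String id) {
        super(scope, id);

        // All names, ARNs and the account ID below are placeholders.
        S3BackendConfig config = S3BackendConfig.builder()
            .bucket("example-tfstate-bucket")
            .key("prod/network/terraform.tfstate")
            .region("eu-west-1")
            .encrypt(true)
            .kmsKeyId("arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID")
            .dynamodbTable("example-tfstate-locks")   // table needs a String partition key LockID
            .allowedAccountIds(List.of("111122223333"))
            .assumeRole(S3BackendAssumeRoleConfig.builder()
                .roleArn("arn:aws:iam::111122223333:role/example-terraform-state")
                .sessionName("cdktf-state")
                .build())
            .build();

        new S3Backend(this, requireHardened(config));
    }
}
```

Bucket Versioning, recommended in the warning at the top of this page, is a property of the bucket itself and is not set through this interface.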