How do I set up env0 to use the same state file even if I'm deploying resources to different accounts?

How to centralize my state management to one account

Background

As you deploy your infrastructure across many different target cloud accounts, you may want to have a centralized location for all the state files that need to be maintained and managed.

How To
In Terraform, configure your backend so that state is always stored in the same account, regardless of which account the resources are deployed to. For example, with the s3 backend, you can set role_arn and bucket so that Terraform always authenticates into a single AWS account and uses the same bucket for all of your infrastructure state files.

See the below backend configuration example:

terraform {
  backend "s3" {
    bucket         = "env0-acme-tfstate"
    dynamodb_table = "env0-acme-tfstate-lock"
    key            = "acme-demo-s3"
    region         = "us-west-2"
    # env0 will chain from the deployment role configured in the project -
    # this means you need to set up trust between the deployer role and the role
    # defined below
    role_arn = "arn:aws:iam::123456789:role/env0-acme-assume-role"
    ## (optional)
    # external_id = specified in env0 through ENV0_TERRAFORM_BACKEND_CONFIG=external_id=<your external id>
  }
}
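
The trust that the comment above refers to is created in the central state account. The following is an added sketch, not env0's own code: it defines the role named in role_arn, trusts only the deployer role, and limits access to the state bucket and lock table. It assumes the optional external ID is used; the two variables and the policy name are hypothetical inputs.

```hcl
variable "deployer_role_arn" {
  type = string # assumption: ARN of the env0 deployment role configured in the project
}
variable "external_id" {
  type = string # assumption: same value passed via ENV0_TERRAFORM_BACKEND_CONFIG
}

data "aws_caller_identity" "state" {}
# Trust policy: only the deployer role may assume, and only with the expected external ID.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [var.deployer_role_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "state" {
  name               = "env0-acme-assume-role"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions: limited to the state bucket and the lock table from the backend block.
data "aws_iam_policy_document" "state_access" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::env0-acme-tfstate"]
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::env0-acme-tfstate/*"]
  }
  statement {
    actions   = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:us-west-2:${data.aws_caller_identity.state.account_id}:table/env0-acme-tfstate-lock"]
  }
}
resource "aws_iam_role_policy" "state_access" {
  name   = "tfstate-access"
  role   = aws_iam_role.state.id
  policy = data.aws_iam_policy_document.state_access.json
}
```

When the deployer role lives in a different account, it also needs an identity policy allowing sts:AssumeRole on this role's ARN.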

Alternatives

The example above uses an assume role, but you can also consider configuring AWS profiles using Custom Flows (env0.yaml).

Reference:

  • https://www.terraform.io/language/settings/backends/s3#assume-role-configuration
  • https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

If you'd like more information, please feel free to reach out to us through our website chat or email us at support@env0.com.