chore: use s3 state locking

README.md

@@ -52,6 +52,7 @@ The AWS account must already have the landing-zone or StackSet network in place
 - the expected VPC and subnets must therefore already exist
 - the private subnets must be tagged so the module lookups can find them, for example with names matching `*private*`
 - if you plan to deploy the frontend custom domain, the matching Route53 hosted zone must also already exist
+- the S3 Terraform state bucket should have bucket versioning enabled, because the repo uses the S3 backend lockfile path rather than DynamoDB state locking
 
 If those shared network or DNS resources do not exist yet, the infra applies in this repo will fail during data lookup or certificate/DNS creation.
 

infra/modules/aws/_shared/oidc/README.md

@@ -19,7 +19,7 @@ This repo vendors the module locally so the live `aws/oidc` stacks do not depend
 ## Requirements
 
 - the AWS account must already contain the IAM OIDC provider for `https://token.actions.githubusercontent.com`
-- the Terragrunt caller must provide the state bucket and DynamoDB lock table names
+- the Terragrunt caller must provide the state bucket name
 - caller policy scope is controlled by `allowed_role_actions` and `allowed_role_resources`
 
 ## Repo Contract
@@ -58,7 +58,6 @@ The `ci` role is not the repo's general deploy role. If a workflow needs deploy
 - `allowed_role_actions`
 - `allowed_role_resources`
 - `state_bucket`
-- `state_lock_table`
 
 In this repo, `deploy_role_name` is not set directly in each live `aws/oidc` stack. It is derived in `infra/root.hcl` and passed in through shared Terragrunt inputs:
 

infra/modules/aws/_shared/oidc/data.tf

@@ -76,10 +76,6 @@ data "aws_s3_bucket" "tf_state_bucket" {
   bucket = var.state_bucket
 }
 
-data "aws_dynamodb_table" "tf_lock_table" {
-  name = var.state_lock_table
-}
-
 data "aws_iam_policy_document" "state_management" {
   statement {
     sid     = "AllowS3StateManagement"
@@ -89,12 +85,4 @@ data "aws_iam_policy_document" "state_management" {
       "${data.aws_s3_bucket.tf_state_bucket.arn}/*"
     ]
   }
-
-  statement {
-    sid     = "AllowDynamodbLockManagemnt"
-    actions = local.dyanamodb_state_actions
-    resources = [
-      data.aws_dynamodb_table.tf_lock_table.arn
-    ]
-  }
 }

infra/modules/aws/_shared/oidc/locals.tf

@@ -27,16 +27,6 @@ locals {
     "s3:PutObject",
     "s3:DeleteObject",
   ]
-  dyanamodb_state_actions = [
-    "dynamodb:ListTables",
-    "dynamodb:DescribeTable",
-    "dynamodb:GetItem",
-    "dynamodb:PutItem",
-    "dynamodb:DeleteItem",
-    "dynamodb:DescribeContinuousBackups",
-    "dynamodb:DescribeTimeToLive",
-    "dynamodb:ListTagsOfResource"
-  ]
   oidc_management_actions = [
     "iam:GetOpenIDConnectProvider"
   ]

infra/modules/aws/_shared/oidc/variables.tf

@@ -13,11 +13,6 @@ variable "state_bucket" {
   type        = string
 }
 
-variable "state_lock_table" {
-  description = "Name of dynamo db terraform state lock table - used to allow state locking in ci deployments"
-  type        = string
-}
-
 variable "deploy_branches" {
   type        = list(string)
   description = "The target repo branches for OIDC access i.e main or feature/this"
@@ -44,7 +39,7 @@ variable "allow_deployments" {
 
 variable "allowed_role_actions" {
   type        = list(string)
-  description = "The action(s) to be allowed i.e. [ 's3:*', 'dynamodb:*/' ]"
+  description = "The action(s) to be allowed i.e. [ 's3:*', 'iam:*' ]"
   default     = []
 }
 

infra/root.hcl

@@ -24,7 +24,6 @@ locals {
   plan_bucket             = "${local.base_reference}-tfplan"
   state_key               = "${local.environment}/${local.provider}/${local.module}/terraform.tfstate"
   plan_artifact_stack_key = "${local.environment}/${local.provider}/${local.module}"
-  state_lock_table        = "${local.project_name}-tf-lockid"
   plan_artifact_retention_days = try(
     local.environment_vars.inputs.infra_plan_artifact_expiration_days,
     1,
@@ -39,7 +38,7 @@ terraform {
   before_hook "print_locals" {
     commands = ["init"]
     execute = [
-      "bash", "-c", "echo STATE:${local.state_bucket}/${local.state_key} TABLE:${local.state_lock_table}"
+      "bash", "-c", "echo STATE:${local.state_bucket}/${local.state_key} LOCKFILE:${local.state_key}.tflock"
     ]
   }
 
@@ -82,11 +81,11 @@ terraform {
 remote_state {
   backend = "s3"
   config = {
-    bucket         = local.state_bucket
-    key            = local.state_key
-    region         = local.aws_region
-    dynamodb_table = local.state_lock_table
-    encrypt        = true
+    bucket       = local.state_bucket
+    key          = local.state_key
+    region       = local.aws_region
+    use_lockfile = true
+    encrypt      = true
   }
 }
 
@@ -144,7 +143,6 @@ inputs = merge(
     deploy_role_arn              = local.deploy_role_arn
     state_bucket                 = local.state_bucket
     plan_bucket                  = local.plan_bucket
-    state_lock_table             = local.state_lock_table
     code_bucket                  = local.code_bucket
     ecr_repository_name          = local.ecr_repository_name
   }