Skip to main content
Stores the state as a given key in a given bucket on Amazon S3. This backend also supports state locking and consistency checking via Dynamo DB, which can be enabled by setting the dynamodb_table field to an existing DynamoDB table name. A single DynamoDB table can be used to lock multiple remote state files. Terraform generates key names that include the values of the bucket and key variables. Warning! It is highly recommended that you enable Bucket Versioning on the S3 bucket to allow for state recovery in the case of accidental deletions and human error. Read more about this backend in the Terraform docs: https://developer.hashicorp.com/terraform/language/settings/backends/s3

Initializer 

using Io.Cdktn;

new S3BackendConfig {
    string Bucket,
    string Key,
    string AccessKey = null,
    string Acl = null,
    string[] AllowedAccountIds = null,
    S3BackendAssumeRoleConfig AssumeRole = null,
    string AssumeRolePolicy = null,
    string[] AssumeRolePolicyArns = null,
    System.Collections.Generic.IDictionary<string, string> AssumeRoleTags = null,
    string[] AssumeRoleTransitiveTagKeys = null,
    S3BackendAssumeRoleWithWebIdentityConfig AssumeRoleWithWebIdentity = null,
    string CustomCaBundle = null,
    string DynamodbEndpoint = null,
    string DynamodbTable = null,
    string Ec2MetadataServiceEndpoint = null,
    string Ec2MetadataServiceEndpointMode = null,
    bool Encrypt = null,
    string Endpoint = null,
    S3BackendEndpointConfig Endpoints = null,
    string ExternalId = null,
    string[] ForbiddenAccountIds = null,
    bool ForcePathStyle = null,
    string HttpProxy = null,
    string HttpsProxy = null,
    string IamEndpoint = null,
    bool Insecure = null,
    string KmsKeyId = null,
    double MaxRetries = null,
    string NoProxy = null,
    string Profile = null,
    string Region = null,
    string RetryMode = null,
    string RoleArn = null,
    string SecretKey = null,
    string SessionName = null,
    string[] SharedConfigFiles = null,
    string SharedCredentialsFile = null,
    string[] SharedCredentialsFiles = null,
    bool SkipCredentialsValidation = null,
    bool SkipMetadataApiCheck = null,
    bool SkipRegionValidation = null,
    bool SkipRequestingAccountId = null,
    bool SkipS3Checksum = null,
    string SseCustomerKey = null,
    string StsEndpoint = null,
    string StsRegion = null,
    string Token = null,
    bool UseLegacyWorkflow = null,
    bool UsePathStyle = null,
    string WorkspaceKeyPrefix = null
};

Properties

NameTypeDescription
BucketstringName of the S3 Bucket.
KeystringPath to the state file inside the S3 Bucket.
AccessKeystring(Optional) AWS access key.
Aclstring(Optional) Canned ACL to be applied to the state file.
AllowedAccountIdsstring[](Optional) List of allowed AWS account IDs to prevent potential destruction of a live environment.
AssumeRoleS3BackendAssumeRoleConfigAssuming an IAM Role can be configured in two ways.
AssumeRolePolicystring(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
AssumeRolePolicyArnsstring[](Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
AssumeRoleTagsSystem.Collections.Generic.IDictionary< string, string >(Optional) Map of assume role session tags.
AssumeRoleTransitiveTagKeysstring[](Optional) Set of assume role session tag keys to pass to any subsequent sessions.
AssumeRoleWithWebIdentityS3BackendAssumeRoleWithWebIdentityConfigAssume Role With Web Identity Configuration.
CustomCaBundlestring(Optional) File containing custom root and intermediate certificates.
DynamodbEndpointstring(Optional) Custom endpoint for the AWS DynamoDB API.
DynamodbTablestring(Optional) Name of DynamoDB Table to use for state locking and consistency.
Ec2MetadataServiceEndpointstringOptional) Custom endpoint URL for the EC2 Instance Metadata Service (IMDS) API.
Ec2MetadataServiceEndpointModestring(Optional) Mode to use in communicating with the metadata service.
Encryptbool(Optional) Enable server side encryption of the state file.
Endpointstring(Optional) Custom endpoint for the AWS S3 API.
EndpointsS3BackendEndpointConfig(Optional) The endpoint configuration block.
ExternalIdstring(Optional) External identifier to use when assuming the role.
ForbiddenAccountIdsstring[](Optional) List of forbidden AWS account IDs to prevent potential destruction of a live environment.
ForcePathStylebool(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).
HttpProxystring(Optional) URL of a proxy to use for HTTP requests when accessing the AWS API.
HttpsProxystring(Optional) URL of a proxy to use for HTTPS requests when accessing the AWS API.
IamEndpointstring(Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API.
InsecureboolOptional) Whether to explicitly allow the backend to perform “insecure” SSL requests.
KmsKeyIdstring(Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state.
MaxRetriesdouble(Optional) The maximum number of times an AWS API request is retried on retryable failure.
NoProxystring(Optional) Comma-separated list of hosts that should not use HTTP or HTTPS proxies.
Profilestring(Optional) Name of AWS profile in AWS shared credentials file (e.g. ~/.aws/credentials) or AWS shared configuration file (e.g. ~/.aws/config) to use for credentials and/or configuration. This can also be sourced from the AWS_PROFILE environment variable.
RegionstringAWS Region of the S3 Bucket and DynamoDB Table (if used).
RetryModestring(Optional) Specifies how retries are attempted.
RoleArnstring(Optional) Amazon Resource Name (ARN) of the IAM Role to assume.
SecretKeystring(Optional) AWS secret access key.
SessionNamestring(Optional) Session name to use when assuming the role.
SharedConfigFilesstring[](Optional) List of paths to AWS shared configuration files.
SharedCredentialsFilestring(Optional) Path to the AWS shared credentials file.
SharedCredentialsFilesstring[](Optional) List of paths to AWS shared credentials files.
SkipCredentialsValidationbool(Optional) Skip credentials validation via the STS API.
SkipMetadataApiCheckbool(Optional) Skip usage of EC2 Metadata API.
SkipRegionValidationbool(Optional) Skip validation of provided region name.
SkipRequestingAccountIdbool(Optional) Whether to skip requesting the account ID.
SkipS3Checksumbool(Optional) Do not include checksum when uploading S3 Objects.
SseCustomerKeystring(Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C).
StsEndpointstring(Optional) Custom endpoint for the AWS Security Token Service (STS) API.
StsRegionstring(Optional) AWS region for STS.
Tokenstring(Optional) Multi-Factor Authentication (MFA) token.
UseLegacyWorkflowbool(Optional) Use the legacy authentication workflow, preferring environment variables over backend configuration.
UsePathStylebool(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).
WorkspaceKeyPrefixstring(Optional) Prefix applied to the state path inside the bucket.

BucketRequired 

public string Bucket { get; set; }
  • Type: string
Name of the S3 Bucket.

KeyRequired 

public string Key { get; set; }
  • Type: string
Path to the state file inside the S3 Bucket. When using a non-default workspace, the state path will be /workspace_key_prefix/workspace_name/key

AccessKeyOptional 

public string AccessKey { get; set; }
  • Type: string
(Optional) AWS access key. If configured, must also configure secret_key. This can also be sourced from the AWS_ACCESS_KEY_ID environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config).

AclOptional 

public string Acl { get; set; }
  • Type: string
(Optional) Canned ACL to be applied to the state file.

AllowedAccountIdsOptional 

public string[] AllowedAccountIds { get; set; }
  • Type: string[]
(Optional) List of allowed AWS account IDs to prevent potential destruction of a live environment. Conflicts with forbidden_account_ids.

AssumeRoleOptional 

public S3BackendAssumeRoleConfig AssumeRole { get; set; }
Assuming an IAM Role can be configured in two ways. The preferred way is to use the argument assume_role, the other, which is deprecated, is with arguments at the top level.

AssumeRolePolicyOptional

  • Deprecated: Use assumeRole.policy instead.
public string AssumeRolePolicy { get; set; }
  • Type: string
(Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.

AssumeRolePolicyArnsOptional

  • Deprecated: Use assumeRole.policyArns instead.
public string[] AssumeRolePolicyArns { get; set; }
  • Type: string[]
(Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.

AssumeRoleTagsOptional

  • Deprecated: Use assumeRole.tags instead.
public System.Collections.Generic.IDictionary<string, string> AssumeRoleTags { get; set; }
  • Type: System.Collections.Generic.IDictionary< string, string >
(Optional) Map of assume role session tags.

AssumeRoleTransitiveTagKeysOptional

  • Deprecated: Use assumeRole.transitiveTagKeys instead.
public string[] AssumeRoleTransitiveTagKeys { get; set; }
  • Type: string[]
(Optional) Set of assume role session tag keys to pass to any subsequent sessions.

AssumeRoleWithWebIdentityOptional 

public S3BackendAssumeRoleWithWebIdentityConfig AssumeRoleWithWebIdentity { get; set; }
Assume Role With Web Identity Configuration.

CustomCaBundleOptional 

public string CustomCaBundle { get; set; }
  • Type: string
(Optional) File containing custom root and intermediate certificates. Can also be set using the AWS_CA_BUNDLE environment variable. Setting ca_bundle in the shared config file is not supported.

DynamodbEndpointOptional

  • Deprecated: Use endpoints.dynamodb instead
public string DynamodbEndpoint { get; set; }
  • Type: string
(Optional) Custom endpoint for the AWS DynamoDB API. This can also be sourced from the AWS_DYNAMODB_ENDPOINT environment variable.

DynamodbTableOptional 

public string DynamodbTable { get; set; }
  • Type: string
(Optional) Name of DynamoDB Table to use for state locking and consistency. The table must have a partition key named LockID with type of String. If not configured, state locking will be disabled.

Ec2MetadataServiceEndpointOptional 

public string Ec2MetadataServiceEndpoint { get; set; }
  • Type: string
Optional) Custom endpoint URL for the EC2 Instance Metadata Service (IMDS) API. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.

Ec2MetadataServiceEndpointModeOptional 

public string Ec2MetadataServiceEndpointMode { get; set; }
  • Type: string
(Optional) Mode to use in communicating with the metadata service. Valid values are IPv4 and IPv6. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE environment variable.

EncryptOptional 

public bool Encrypt { get; set; }
  • Type: bool
(Optional) Enable server side encryption of the state file.

EndpointOptional

  • Deprecated: Use endpoints.s3 instead
public string Endpoint { get; set; }
  • Type: string
(Optional) Custom endpoint for the AWS S3 API. This can also be sourced from the AWS_S3_ENDPOINT environment variable.

EndpointsOptional 

public S3BackendEndpointConfig Endpoints { get; set; }
(Optional) The endpoint configuration block.

ExternalIdOptional

  • Deprecated: Use assume_role.external_id instead.
public string ExternalId { get; set; }
  • Type: string
(Optional) External identifier to use when assuming the role.

ForbiddenAccountIdsOptional 

public string[] ForbiddenAccountIds { get; set; }
  • Type: string[]
(Optional) List of forbidden AWS account IDs to prevent potential destruction of a live environment. Conflicts with allowed_account_ids.

ForcePathStyleOptional

  • Deprecated: Use usePathStyle instead
public bool ForcePathStyle { get; set; }
  • Type: bool
(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).

HttpProxyOptional 

public string HttpProxy { get; set; }
  • Type: string
(Optional) URL of a proxy to use for HTTP requests when accessing the AWS API. Can also be set using the HTTP_PROXY or http_proxy environment variables.

HttpsProxyOptional 

public string HttpsProxy { get; set; }
  • Type: string
(Optional) URL of a proxy to use for HTTPS requests when accessing the AWS API. Can also be set using the HTTPS_PROXY or https_proxy environment variables.

IamEndpointOptional

  • Deprecated: Use endpoints.iam instead
public string IamEndpoint { get; set; }
  • Type: string
(Optional) Custom endpoint for the AWS Identity and Access Management (IAM) API. This can also be sourced from the AWS_IAM_ENDPOINT environment variable.

InsecureOptional 

public bool Insecure { get; set; }
  • Type: bool
Optional) Whether to explicitly allow the backend to perform “insecure” SSL requests. If omitted, the default value is false.

KmsKeyIdOptional 

public string KmsKeyId { get; set; }
  • Type: string
(Optional) Amazon Resource Name (ARN) of a Key Management Service (KMS) Key to use for encrypting the state. Note that if this value is specified, Terraform will need kms:Encrypt, kms:Decrypt and kms:GenerateDataKey permissions on this KMS key.

MaxRetriesOptional 

public double MaxRetries { get; set; }
  • Type: double
(Optional) The maximum number of times an AWS API request is retried on retryable failure. Defaults to 5.

NoProxyOptional 

public string NoProxy { get; set; }
  • Type: string
(Optional) Comma-separated list of hosts that should not use HTTP or HTTPS proxies. Each value can be one of:
  • A domain name
  • An IP address
  • A CIDR address
  • An asterisk (*), to indicate that no proxying should be performed Domain name and IP address values can also include a port number. Can also be set using the NO_PROXY or no_proxy environment variables.

ProfileOptional 

public string Profile { get; set; }
  • Type: string
(Optional) Name of AWS profile in AWS shared credentials file (e.g. ~/.aws/credentials) or AWS shared configuration file (e.g. ~/.aws/config) to use for credentials and/or configuration. This can also be sourced from the AWS_PROFILE environment variable.

RegionOptional 

public string Region { get; set; }
  • Type: string
AWS Region of the S3 Bucket and DynamoDB Table (if used). This can also be sourced from the AWS_DEFAULT_REGION and AWS_REGION environment variables.

RetryModeOptional 

public string RetryMode { get; set; }
  • Type: string
(Optional) Specifies how retries are attempted. Valid values are standard and adaptive. Can also be configured using the AWS_RETRY_MODE environment variable or the shared config file parameter retry_mode.

RoleArnOptional

  • Deprecated: Use assumeRole.roleArn instead.
public string RoleArn { get; set; }
  • Type: string
(Optional) Amazon Resource Name (ARN) of the IAM Role to assume.

SecretKeyOptional 

public string SecretKey { get; set; }
  • Type: string
(Optional) AWS secret access key. If configured, must also configure access_key. This can also be sourced from the AWS_SECRET_ACCESS_KEY environment variable, AWS shared credentials file (e.g. ~/.aws/credentials), or AWS shared configuration file (e.g. ~/.aws/config)

SessionNameOptional

  • Deprecated: Use assumeRole.sessionName instead.
public string SessionName { get; set; }
  • Type: string
(Optional) Session name to use when assuming the role.

SharedConfigFilesOptional 

public string[] SharedConfigFiles { get; set; }
  • Type: string[]
(Optional) List of paths to AWS shared configuration files. Defaults to ~/.aws/config.

SharedCredentialsFileOptional 

public string SharedCredentialsFile { get; set; }
  • Type: string
(Optional) Path to the AWS shared credentials file. Defaults to ~/.aws/credentials.

SharedCredentialsFilesOptional 

public string[] SharedCredentialsFiles { get; set; }
  • Type: string[]
(Optional) List of paths to AWS shared credentials files. Defaults to ~/.aws/credentials.

SkipCredentialsValidationOptional 

public bool SkipCredentialsValidation { get; set; }
  • Type: bool
(Optional) Skip credentials validation via the STS API.

SkipMetadataApiCheckOptional 

public bool SkipMetadataApiCheck { get; set; }
  • Type: bool
(Optional) Skip usage of EC2 Metadata API.

SkipRegionValidationOptional 

public bool SkipRegionValidation { get; set; }
  • Type: bool
(Optional) Skip validation of provided region name.

SkipRequestingAccountIdOptional 

public bool SkipRequestingAccountId { get; set; }
  • Type: bool
(Optional) Whether to skip requesting the account ID. Useful for AWS API implementations that do not have the IAM, STS API, or metadata API.

SkipS3ChecksumOptional 

public bool SkipS3Checksum { get; set; }
  • Type: bool
(Optional) Do not include checksum when uploading S3 Objects. Useful for some S3-Compatible APIs.

SseCustomerKeyOptional 

public string SseCustomerKey { get; set; }
  • Type: string
(Optional) The key to use for encrypting state with Server-Side Encryption with Customer-Provided Keys (SSE-C). This is the base64-encoded value of the key, which must decode to 256 bits. This can also be sourced from the AWS_SSE_CUSTOMER_KEY environment variable, which is recommended due to the sensitivity of the value. Setting it inside a terraform file will cause it to be persisted to disk in terraform.tfstate.

StsEndpointOptional

  • Deprecated: Use endpoints.sts instead
public string StsEndpoint { get; set; }
  • Type: string
(Optional) Custom endpoint for the AWS Security Token Service (STS) API. This can also be sourced from the AWS_STS_ENDPOINT environment variable.

StsRegionOptional 

public string StsRegion { get; set; }
  • Type: string
(Optional) AWS region for STS. If unset, AWS will use the same region for STS as other non-STS operations.

TokenOptional 

public string Token { get; set; }
  • Type: string
(Optional) Multi-Factor Authentication (MFA) token. This can also be sourced from the AWS_SESSION_TOKEN environment variable.

UseLegacyWorkflowOptional 

public bool UseLegacyWorkflow { get; set; }
  • Type: bool
(Optional) Use the legacy authentication workflow, preferring environment variables over backend configuration. Defaults to true. This behavior does not align with the authentication flow of the AWS CLI or SDK’s, and will be removed in the future.

UsePathStyleOptional 

public bool UsePathStyle { get; set; }
  • Type: bool
(Optional) Enable path-style S3 URLs (https://< HOST >/< BUCKET > instead of https://< BUCKET >.< HOST >).

WorkspaceKeyPrefixOptional 

public string WorkspaceKeyPrefix { get; set; }
  • Type: string
(Optional) Prefix applied to the state path inside the bucket. This is only relevant when using a non-default workspace. Defaults to env: