Use a lockable state repository.

Also, make use of terraform workspaces.

state/.terraform.lock.hcl

@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.74.3"
+  constraints = "~> 3.27"
+  hashes = [
+    "h1:h4TYqgRKTuuWfZtxJnEGcs/NxGCaxZ4jr0IwTfgZDRM=",
+    "zh:25401cd4667d0496caf7e92e74ecef7c98cf74465570705cda2207770c27ff6c",
+    "zh:2d154527a9b2585f72fc5eceac635257e3f50f68de8a519e71c795d5166a0a22",
+    "zh:499fa5201804a5a33a90d683147fb2f81da91bfcd8ed20293f88f6f39cedbf97",
+    "zh:730284250fd949a59afb6935b3a68a33709d5a78b686fa98f351ad32c919cfc3",
+    "zh:7461ebd6fb35900d620cfa3f42126d988ea1e604ee3828d1c64d5727f908bd26",
+    "zh:7c85743b31c7459f8e74aaa98471ba82c54517eb908603411808a12982d89b1c",
+    "zh:8ed977b7fb97de624f5414b08cab36fd973a624072e0e9082c0c822e0864c7b9",
+    "zh:94ae7313bb0b425d4007a0b70601a337972c4f0f7a323487acf69215e74b4425",
+    "zh:b5a1589672d709da725a72c46d28bf5b2dea71325f6e0b44a0049f644cd09eba",
+    "zh:c7e8e7ce59e4578416557fc2f138137af3c8365ac3e34f0ff5166323c7d641a1",
+    "zh:ccf2e286b207e749fff76bb4075deddb9e7e237936d8654f34828c54e7035455",
+  ]
+}

state/README.md

@@ -0,0 +1,17 @@
+# state
+
+This terraform infra creates mandatory s3 bucket & dynamo db for locks to handle terraform's states.
+
+## Usage
+
+```sh
+$ export AWS_PROFILE=infra-test
+$ terraform init
+$ terraform plan -var "aws_profile=$AWS_PROFILE" -out tf.plan
+$ terraform apply tf.plan
+...
+
+$
+```
+
+Once created, other terraform infras' states can be saved in those s3/dynamo's repositories.

state/dynamo.tf

@@ -0,0 +1,9 @@
+resource "aws_dynamodb_table" "terraform_locks" {
+    name = "terraform-state-locks-infra-aws-eks"
+    billing_mode = "PAY_PER_REQUEST"
+    hash_key = "LockID"
+    attribute {
+        name = "LockID"
+        type = "S"
+    }
+}

state/main.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.27"
+    }
+  }
+
+  required_version = ">= 0.14.9"
+}
+
+provider "aws" {
+    profile = var.aws_profile
+    region = var.aws_region
+}

state/s3.tf

@@ -0,0 +1,19 @@
+resource "aws_s3_bucket" "terraform_state" {
+    bucket = "terraform-state-infra-aws-eks"
+
+    # lifecycle {
+    #     prevent_destroy = true
+    # }
+
+    versioning {
+        enabled = true
+    }
+
+    server_side_encryption_configuration {
+        rule {
+            apply_server_side_encryption_by_default {
+                sse_algorithm = "AES256"
+            }
+        }
+    }
+}

state/variables.tf

@@ -0,0 +1,10 @@
+variable "aws_profile" {
+    type = string
+    default = "aws-infra"
+}
+
+variable "aws_region" {
+    type = string
+    default = "eu-west-3"
+}
+