v0.1.0 — Initial release
Three sub-modules and a root composition:
- state-backend: S3 + customer-managed KMS CMK with S3-native
locking (use_lockfile = true). prevent_destroy on the bucket;
TLS-only / SSE-KMS-required bucket policy.
- automation-iam: GitHub Actions OIDC IDP + assumable role,
wrapping terraform-aws-modules/iam (~> 5.0) for the IDP and
role-with-OIDC sub-modules.
- nuke-config: rendered aws-nuke (ekristen fork) YAML from typed
inputs. No AWS resources; optional local_file write via
output_path.
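Added illustration of the state-backend controls listed above (TLS-only and SSE-KMS-required bucket policy, prevent_destroy, S3-native locking). This is not the module's own code: the bucket name, key path, region and KMS key ARN are placeholders, and the resource names are assumed.

```hcl
# Added example, not the state-backend sub-module's source.
# Bucket name, region and KMS key ARN below are placeholders.

resource "aws_s3_bucket" "state" {
  bucket = "example-tfstate-bucket" # placeholder

  # Guard against an accidental `terraform destroy` of the state bucket.
  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_s3_bucket_policy" "state" {
  bucket = aws_s3_bucket.state.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # TLS-only: deny every request that does not arrive over HTTPS.
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.state.arn, "${aws_s3_bucket.state.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        # SSE-KMS-required: deny PutObject unless the request itself asks
        # for aws:kms. StringNotEquals also matches when the header is
        # absent, so an upload that omits it is refused too.
        Sid       = "DenyUnencryptedObjectUploads"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.state.arn}/*"
        Condition = {
          StringNotEquals = { "s3:x-amz-server-side-encryption" = "aws:kms" }
        }
      }
    ]
  })
}

# Consumer-side backend block: encrypt = true makes Terraform send the
# SSE header the policy demands; use_lockfile enables S3-native locking
# without a DynamoDB table.
terraform {
  backend "s3" {
    bucket       = "example-tfstate-bucket"                              # placeholder
    key          = "bootstrap/terraform.tfstate"                         # placeholder
    region       = "us-east-1"                                           # placeholder
    kms_key_id   = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY"  # placeholder
    encrypt      = true
    use_lockfile = true
  }
}
```

Note that default bucket encryption alone would not satisfy the second statement: the condition is evaluated on the request header, not on the bucket default, so a client that uploads without `x-amz-server-side-encryption: aws:kms` is denied. Terraform's S3 backend sets that header when `encrypt = true`.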
The root composes all three behind a 4-required-input surface
(account_id, region, project_name, github_repo) plus 7 optional
overrides for tags, naming, and per-knob tightening.
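Added illustration of the trust relationship the automation-iam sub-module establishes for the `github_repo` input: a role assumable only from GitHub Actions OIDC tokens issued for that repository. This is not the module's or terraform-aws-modules/iam's code; the role name, repository and branch are placeholders and `var.github_repo` is assumed to hold `owner/repo`.

```hcl
# Added example, not the automation-iam sub-module's source.
# Assumes var.github_repo = "owner/repo" (placeholder) and that the
# GitHub OIDC provider already exists in the account.

variable "github_repo" {
  type    = string
  default = "example-org/example-repo" # placeholder
}

data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }

    # aud pins the token to AWS STS; without it any GitHub token could
    # be presented here.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # sub pins the token to one repository and one branch. A bare
    # "repo:owner/repo:*" would also admit forks' pull_request runs
    # and every branch, so keep the ref explicit.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repo}:ref:refs/heads/main"] # placeholder branch
    }
  }
}

resource "aws_iam_role" "automation" {
  name               = "example-bootstrap-automation" # placeholder
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}
```

The two conditions are the part worth reviewing in any generated trust policy: `aud` must be `sts.amazonaws.com` and `sub` must name the exact repository (and ideally the ref or environment) that is allowed to assume the role.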
Pre-1.0: minor bumps may break the input/output surface. Stable
semver from v1.0.
Out of scope (consumers add via downstream stacks): account
hardening (alias, password policy, EBS, public-access block),
audit logging (CloudTrail), AWS Config, threat detection
(GuardDuty, Security Hub, Access Analyzer), human operator roles.
Master spec: docs/development/specs/2026-04-26-aws-bootstrap-v0.1.md