Switch to S3 terraform backend

Author: Alex-Welsh

.github/workflows/terraform-github.yml

@@ -14,6 +14,8 @@ name: Terraform GitHub
   workflow_dispatch:
 env:
   TF_VAR_GITHUB_APP_PEM_FILE: ${{ secrets.TF_VAR_GITHUB_APP_PEM_FILE }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.TF_S3_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_S3_SECRET_ACCESS_KEY }}
 jobs:
   terraform:
     name: Terraform
@@ -25,8 +27,6 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
-        with:
-          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
 
       - name: Terraform fmt
         id: fmt

terraform/github/provider.tf

@@ -5,12 +5,23 @@ terraform {
       version = "6.11.1"
     }
   }
-  cloud {
-    organization = "stackhpc"
 
-    workspaces {
-      name = "github"
+  backend "s3" {
+    bucket = "github-terraform-backend"
+    key    = "github/terraform.tfstate"
+    region = "auto" # Cloudflare R2 uses "auto" for the region
+    use_lockfile = true
+
+    endpoints = {
+      s3 = "https://99e8d2e95b14ef888ce364a5ab310629.r2.cloudflarestorage.com"
     }
+
+    # Bypasses strict AWS checks so the S3-compatible API works
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    skip_requesting_account_id  = true
+    skip_metadata_api_check     = true
+    skip_s3_checksum            = true
   }
 }