Manuel

Reputation: 802

Deploying resources on multiple AWS Organizations accounts

Let me give some context to the issue.

I'm trying to create a terraform script that deploys an AWS Organization with some accounts and also some resources in those accounts.

So, the issue is that I can't seem to figure out how to create resources on multiple accounts at runtime. Meaning that I'd like to create resources on accounts I created in the same script.

The "workflow" would be something like this

  1. Script creates AWS Organization
  2. Same script creates AWS Organizations account
  3. Same script creates an S3 bucket on the account created

Is this something that is possible to do? I know one can "impersonate" users by doing something like the following.

provider "aws" {
  alias   = "dns"
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}

But is this information something I can get after creating the account as some sort of output from the AWS-organization-account terraform module?

Maybe there is another way of doing this and I just need some reading material.

Upvotes: 2

Views: 1467

Answers (1)

ydaetskcoR

Reputation: 56849

You can do this but you may want to separate some of these things out to minimise blast radius so it's not all in a single terraform apply or terraform destroy.

As a quick example you could do something like the following:

# Management account: the organization itself. Credentials for this
# provider come from the default (unaliased) "aws" provider.
resource "aws_organizations_organization" "org" {
  aws_service_access_principals = [
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
  ]

  feature_set = "ALL"
}

# Member account created inside the organization above.
resource "aws_organizations_account" "new_account" {
  name  = "my_new_account"
  email = "[email protected]"

  depends_on = [
    aws_organizations_organization.org,
  ]
}

# Second provider configuration: same credentials, but every API call
# assumes the role that Organizations creates in the new member account.
# Note that this role carries the AdministratorAccess policy.
provider "aws" {
  alias = "new_account"

  assume_role {
    role_arn     = "arn:aws:iam::${aws_organizations_account.new_account.id}:role/OrganizationAccountAccessRole"
    session_name = "new_account_creation"
  }
}

# Resource deployed into the member account via the aliased provider.
# (With AWS provider v4+ the "acl" argument is deprecated on aws_s3_bucket
# in favour of a separate aws_s3_bucket_acl resource.)
resource "aws_s3_bucket" "bucket" {
  provider = aws.new_account

  bucket = "new-account-bucket-${aws_organizations_account.new_account.id}"
  acl    = "private"
}

The above uses the default OrganizationAccountAccessRole IAM role that is created in the child account to then create the S3 bucket in that account.

Upvotes: 2
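The same organization -> account -> in-account resource chain as a fuller added example (this is not the answerer's code and not part of the original thread). It assumes the management account credentials are in the environment, uses a placeholder e-mail address and region, and adds the guard rails a practitioner would want around this pattern: provider version pins, `prevent_destroy` on the account so a stray `terraform destroy` cannot close it, an explicit `role_name` for the cross-account role, and a public access block on the bucket created through the aliased provider.

```hcl
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Management (payer) account. Credentials are taken from the environment
# (AWS_PROFILE / AWS_ACCESS_KEY_ID etc.); region is an assumed placeholder.
provider "aws" {
  region = "eu-west-1"
}

resource "aws_organizations_organization" "org" {
  feature_set = "ALL"
}

resource "aws_organizations_account" "workload" {
  name      = "workload-dev"
  email     = "aws-workload-dev@example.com" # assumed placeholder address
  role_name = "OrganizationAccountAccessRole" # created in the member account with AdministratorAccess

  # Keep the account open even if this resource is removed from state.
  close_on_deletion = false

  # A stray `terraform destroy` must never remove the account.
  lifecycle {
    prevent_destroy = true
  }

  depends_on = [aws_organizations_organization.org]
}

# Aliased provider: same management credentials, but every call assumes the
# cross-account role in the freshly created member account.
provider "aws" {
  alias  = "workload"
  region = "eu-west-1"

  assume_role {
    role_arn     = "arn:aws:iam::${aws_organizations_account.workload.id}:role/${aws_organizations_account.workload.role_name}"
    session_name = "terraform-bootstrap"
  }
}

# Bucket created inside the member account, not in the management account.
resource "aws_s3_bucket" "bootstrap" {
  provider = aws.workload
  bucket   = "bootstrap-${aws_organizations_account.workload.id}"
}

# Deny any public ACL or bucket policy on the new bucket.
resource "aws_s3_bucket_public_access_block" "bootstrap" {
  provider = aws.workload
  bucket   = aws_s3_bucket.bootstrap.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Surface the account id so a separate root module can target the account
# without re-reading Organizations.
output "workload_account_id" {
  value = aws_organizations_account.workload.id
}
```

Two design notes. First, the aliased provider's `role_arn` is only known after the account exists, and Terraform's own documentation recommends that provider configuration reference values known before apply; the pattern works on a first apply but is the reason the answer suggests splitting organization/account creation from in-account resources into separate root modules, with the `workload_account_id` output (or a `terraform_remote_state` data source) feeding the second module. Second, `OrganizationAccountAccessRole` is an administrator role, so the principal running this configuration effectively has full control of every member account it can reach; keeping that credential in a dedicated, tightly scoped pipeline rather than an engineer's workstation is the practical blast-radius limit.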
