Reputation: 317
I have set up an AWS Organization using ControlTower. I created a user for myself that has AWSAdministratorAccess for the 2 accounts below.
I am starting simple for now to get a good base foundation while building up the organization. One thing I have read is that we should be storing our terraform state files in the Infrastructure Account while doing our operation changes on the DEV Account.
How can I do that in terraform? I am a bit lost because I am using AWS SSO and can't figure out what to place for the role_policy_arn.
Here is an example code:

    terraform {
      backend "s3" {
        bucket = "terraform-infrastructure"
        key    = "dev/sqs/terraform.tfstate"
        region = "us-east-1"
        assume_role_policy_arns = ["<what do I put here>"]
      }
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 4.16"
        }
      }
      required_version = ">= 1.2.0"
    }

    provider "aws" {
      region              = "us-east-1"
      allowed_account_ids = ["222"]
    }
Also, is there anything I need to do on the S3 side? I am assuming no. If I can assume the role of AWSAdministratorAccess for the Infrastructure Account and store the terraform state there, and assume the role of AWSAdministratorAccess for the DEV Account and apply my changes, then I don't need to mess with S3 permissions to allow cross-account publications.
Upvotes: 0
Views: 1905
Reputation: 1642
As suggested by the Terraform documentation, you should be using IAM role delegation:
Each role's Assume Role Policy must grant access to the administrative AWS account, which creates a trust relationship with the administrative AWS account so that its users may assume the role.
The users or groups within the administrative account must also have a policy that creates the converse relationship, allowing these users or groups to assume that role.
AWS IAM credentials should allow access to both the S3 backend and to Terraform's AWS provider.
    variable "workspace_iam_roles" {
      default = {
        staging    = "arn:aws:iam::STAGING-ACCOUNT-ID:role/Terraform"
        production = "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/Terraform"
      }
    }

    provider "aws" {
      # No credentials explicitly set here because they come from either the
      # environment or the global credentials file.
      #
      # assume_role is a nested block in the AWS provider, not an attribute,
      # so it takes no "=". The role is picked by the current workspace name.
      assume_role {
        role_arn = var.workspace_iam_roles[terraform.workspace]
      }
    }
Upvotes: 0
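The following is an added worked example, not code from the answer above or from the Terraform documentation, that applies the same role delegation to the layout in the question: state is kept in the Infrastructure account and resources are applied to the DEV account. Account IDs, role names, the lock table name and the session names are placeholders I chose; the backend-level `assume_role` block requires Terraform 1.6 or later (earlier versions use the top-level `role_arn` backend argument instead). Two files are shown in one block: the DEV root module, and a small bootstrap module that is applied once with Infrastructure-account credentials before the backend can use the role.

```hcl
# ---- main.tf in the DEV root module (added example; all IDs are placeholders) ----
terraform {
  required_version = ">= 1.6.0" # backend "s3" gained the assume_role block in 1.6

  backend "s3" {
    bucket         = "terraform-infrastructure"  # bucket in the Infrastructure account
    key            = "dev/sqs/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-state-locks"     # assumed lock table, same account as the bucket

    # The caller's own credentials (environment / SSO session) are used to
    # assume this role in the Infrastructure account for every state read and write.
    assume_role {
      role_arn     = "arn:aws:iam::INFRA-ACCOUNT-ID:role/TerraformStateAccess"
      session_name = "terraform-dev-state"
    }
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.16"
    }
  }
}

# Resources are created in DEV through a separate role that lives there.
provider "aws" {
  region              = "us-east-1"
  allowed_account_ids = ["DEV-ACCOUNT-ID"] # refuses to run against any other account

  assume_role {
    role_arn     = "arn:aws:iam::DEV-ACCOUNT-ID:role/Terraform"
    session_name = "terraform-dev-apply"
  }
}

# ---- bootstrap/main.tf: applied once with Infrastructure-account credentials ----
# Creates the state-access role that the backend above assumes.
resource "aws_iam_role" "terraform_state_access" {
  name = "TerraformStateAccess"

  # Trust policy: only principals in the DEV account may assume this role.
  # This is the "converse relationship" the answer describes.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::DEV-ACCOUNT-ID:root" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: write access only to the dev/ prefix of the state bucket
# plus the lock table, rather than AdministratorAccess over the whole account.
resource "aws_iam_role_policy" "terraform_state_access" {
  name = "terraform-state-dev"
  role = aws_iam_role.terraform_state_access.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = "arn:aws:s3:::terraform-infrastructure"
      },
      {
        # s3:DeleteObject is deliberately omitted; it is only needed to delete workspaces.
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = "arn:aws:s3:::terraform-infrastructure/dev/*"
      },
      {
        Effect   = "Allow"
        Action   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
        Resource = "arn:aws:dynamodb:us-east-1:INFRA-ACCOUNT-ID:table/terraform-state-locks"
      }
    ]
  })
}
```

Because the backend role is scoped to one key prefix and one lock table, a mistake in the DEV configuration cannot read or overwrite another account's state, and `allowed_account_ids` on the provider catches the case where the wrong credentials are active before anything is changed. Enable versioning on the state bucket as well so an accidental bad write can be rolled back.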
Reputation: 497
Consider adding the profile configuration to the backend block. The associated profile will need to be set up in your ~/.aws/config file. Also, you can add the profile configuration to the provider block to similarly use the AWS CLI profiles. Using the profile configurations and setting up AWS CLI using profiles with the correct accounts and roles should enable you to accomplish what you're intending to do.
Upvotes: 2
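The profile-based variant the answer above suggests, written out as an added example (not the answer's own code) for the IAM Identity Center / AWS SSO setup in the question. The profile names, start URL and account IDs are placeholders; the `~/.aws/config` contents are shown as a comment at the top of the block because Terraform reads them from that file rather than from the configuration. It assumes Terraform 1.2 or later and AWS provider 4.x, both of which resolve SSO profiles from the CLI config.

```hcl
# Added example; all IDs, names and URLs are placeholders.
#
# ~/.aws/config (one profile per account; the permission set is the role):
#
#   [profile infra-admin]
#   sso_start_url  = https://EXAMPLE.awsapps.com/start
#   sso_region     = us-east-1
#   sso_account_id = INFRA-ACCOUNT-ID
#   sso_role_name  = AWSAdministratorAccess
#   region         = us-east-1
#
#   [profile dev-admin]
#   sso_start_url  = https://EXAMPLE.awsapps.com/start
#   sso_region     = us-east-1
#   sso_account_id = DEV-ACCOUNT-ID
#   sso_role_name  = AWSAdministratorAccess
#   region         = us-east-1
#
# Log in once before running terraform:   aws sso login --profile infra-admin
# Both profiles share the same start URL and region, so they share that session.

terraform {
  required_version = ">= 1.2.0"

  backend "s3" {
    bucket  = "terraform-infrastructure"
    key     = "dev/sqs/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true
    profile = "infra-admin" # state bucket lives in the Infrastructure account
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.16"
    }
  }
}

provider "aws" {
  region              = "us-east-1"
  profile             = "dev-admin"        # resources are created in DEV
  allowed_account_ids = ["DEV-ACCOUNT-ID"] # fails fast if the wrong profile is active
}
```

Nothing is needed on the S3 side for this to work, as the question guessed: each profile obtains temporary credentials inside the account that owns the resource, so no cross-account bucket policy is involved. The trade-off is that the state backend then runs with the full AWSAdministratorAccess permission set; a narrower permission set that can only touch the state bucket and lock table is the better long-term choice once the organization grows.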