Terraform configurations where an IAM user in one AWS account is able to assume an IAM role in another AWS account. The user is then able to create AWS resources in the second AWS account.
shazChaudhry/terraform_aws_assumeRole

Inspiration

The purpose of this repo is to learn Terraform by coding the infrastructure in AWS.

This GitHub repository is inspired by the KnowledgeIndia YouTube tutorial "AWS - cross account access using IAM role", in which the presenter explains the concept very well with the help of a demo. The scope and concept of that tutorial are shown in the screenshot below (click to watch the video).

KnowledgeIndia YouTube tutorial

Scope of this repo

The purpose of this repo is not to repeat what has already been explained in the video. It is expected that the required setup is already in place (e.g. AWS accounts, IAM users and roles).

Building on the video's instructions, we write Terraform configurations (IaC) that, when executed, create infrastructure in AWS. This repository shows:

  1. Configurations (dev_machine_configs folder) required for an IAM user with MFA enabled in AWS account #1 to be able to assume an IAM role in AWS account #2
  2. A script (getCredentials.sh) that obtains temporary security credentials for AWS account #2 in order to build infrastructure in AWS account #2
    • Typically, you use AssumeRole within your own account or for cross-account access. It returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security (session) token.
  3. Commands to build infrastructure in AWS account #2. The example Terraform configuration (main.tf) builds a VPC.

Assumptions

  • Users have followed the demo in the video tutorial above and understood the concepts it explains
  • As explained in the tutorial above, users have multiple AWS accounts to experiment with: an initial account to log in to and other accounts whose IAM roles will be assumed
  • Users have the necessary tools installed on their dev machines / laptops, i.e. Terraform, jq and the AWS CLI (this solution has been tested on a MacBook Pro)

Pre-requisite

It is expected that the required setup is already in place:

  • AWS account #1
    • In this initial account, an IAM user has been granted permission to call STS AssumeRole, as explained in the tutorial above
  • AWS account #2
    • In this account, an IAM role has been created whose trust policy allows users from the initial AWS account to assume it, as explained in the tutorial above

Directory structure of this repo

.
├── README.md
├── dev_machine_configs
│   ├── README.md             --> Instructions required to configure the local dev machine
│   ├── config                --> Update the file with the user name and AWS accounts #1 & #2. It needs to be copied to "~/.aws/"
│   ├── credentials           --> Update the file with the IAM user's credentials. It needs to be copied to "~/.aws/"
│   └── getCredentials.sh     --> Update the file with AWS account #2 and the role name
├── main.tf                   --> Update the "region" value
└── pics
    └── iam_role.png

1. Configurations

These configurations are required for an IAM user with MFA enabled in AWS account #1 to be able to assume an IAM role in AWS account #2.

  • Change to the dev_machine_configs folder of this repo and follow the README instructions there.

2. Scripts

The script obtains temporary security credentials for AWS account #2 in order to build infrastructure in AWS account #2.

  • ". ~/.aws/getCredentials.sh" Terraform will require the temporary credentials that this script returns. They are exported as environment variables

3. Commands

  • "terraform init" The first command to run in order to initialize plugins
  • "terraform plan" This command will show the plan that Terraform will build
  • "terraform apply -auto-approve" Once you are happy with the plan, this command will then build the infrastructure as per your configuration. In this repo, only a VPC will be built in the AWS account 2.

4. Testing

  • With the IAM user, log in to AWS account #1 via the AWS console
  • Switch to the IAM role in AWS account #2 and check that a VPC has been created
  • "terraform destroy -auto-approve" Destroy the infrastructure once it is no longer needed
