16.8 C
London
Sunday, September 15, 2024

How one can you create a Cross Account Position in Terraform


To create a cross-account position in Terraform, you could carry out the next steps:

1. Outline the IAM position

Outline the IAM position within the Terraform configuration

useful resource "aws_iam_role" "cross_account_role" {
  title               = "CrossAccountRole"
  assume_role_policy = <<EOF
{
  "Model": "2012-10-17",
  "Assertion": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

Within the assume_role_policy part, change <ACCOUNT_ID> with the AWS account ID of the goal account that may assume this position.

2. Connect the mandatory insurance policies

Connect the mandatory insurance policies to the position. Insurance policies outline the permissions granted to the position

useful resource "aws_iam_role_policy_attachment" "cross_account_role_attachment" {
  position       = aws_iam_role.cross_account_role.title
  policy_arn = "arn:aws:iam::aws:coverage/AmazonS3ReadOnlyAccess"  # Instance coverage
}

Exchange "arn:aws:iam::aws:coverage/AmazonS3ReadOnlyAccess" with the ARN of the coverage you need to connect to the position.

3. Create a task belief relationship

Create a task belief relationship within the goal AWS account to permit the cross-account entry. This step is carried out outdoors of Terraform. It is advisable log in to the goal AWS account and create a task belief coverage for the position created within the earlier steps.

Right here’s an instance of the belief coverage in JSON format:

{
  "Model": "2012-10-17",
  "Assertion": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Exchange <SOURCE_ACCOUNT_ID> with the AWS account ID the place the position is created.

4. Use the created cross-account position

Use the created cross-account position in different sources by specifying the ARN of the position:

useful resource "aws_s3_bucket" "example_bucket" {
  bucket = "example-bucket"

  # Specify the ARN of the cross-account position
  role_arn = aws_iam_role.cross_account_role.arn
}

Bear in mind to execute terraform init, terraform plan, and terraform apply to initialize the Terraform configuration, plan the adjustments, and apply them to create the cross-account position.

5. What it’s a must to do within the goal account

Along with creating the IAM position within the supply account utilizing Terraform, you additionally must carry out the next steps within the goal account to determine the cross-account entry:

  1. Log in to the AWS Administration Console of the goal account.
  2. Navigate to the IAM service.
  3. Create a brand new IAM position that may assume the cross-account position.
  4. Connect a belief coverage to the newly created position to permit the supply account to imagine this position.
    • Click on on “Belief relationships” for the position.
    • Click on on “Edit belief relationship.”
    • Specify the belief coverage doc with the mandatory permissions. Right here’s an instance of the belief coverage in JSON format:
{
  "Model": "2012-10-17",
  "Assertion": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Exchange <SOURCE_ACCOUNT_ID> with the AWS account ID the place the cross-account position is created.

  • Click on on “Replace Belief Coverage” to save lots of the adjustments.
  1. As soon as the belief coverage is about up, you should utilize the ARN of the cross-account position within the supply account to grant the mandatory permissions to sources within the goal account.

By configuring the belief coverage within the goal account, you enable the required position within the supply account to imagine the cross-account position and entry sources within the goal account.

Latest news
Related news

LEAVE A REPLY

Please enter your comment!
Please enter your name here