Thursday, February 29, 2024

How can you create a Cross-Account Role in Terraform


To create a cross-account role in Terraform, you need to carry out the following steps:

1. Define the IAM role

Define the IAM role in the Terraform configuration:

resource "aws_iam_role" "cross_account_role" {
  name               = "CrossAccountRole"
  # Trust policy: who is allowed to call sts:AssumeRole on this role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

In the assume_role_policy section, replace <ACCOUNT_ID> with the AWS account ID of the target account that will assume this role. Note that a ":root" principal trusts every identity in that account that is itself permitted to call sts:AssumeRole, not just the account's root user.

2. Attach the required policies

Attach the required policies to the role. Policies define the permissions granted to the role:

resource "aws_iam_role_policy_attachment" "cross_account_role_attachment" {
  role       = aws_iam_role.cross_account_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"  # Example policy
}

Replace "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" with the ARN of the policy you want to attach to the role.

3. Create a trust relationship

Create a trust relationship in the target AWS account to allow the cross-account access. This step is carried out outside of Terraform. You need to log in to the target AWS account and create a trust policy for the role created in the earlier steps.

Here is an example of the trust policy in JSON format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Replace <SOURCE_ACCOUNT_ID> with the AWS account ID in which the role is created.

4. Use the created cross-account role

Use the created cross-account role for other resources by specifying the ARN of the role in a provider configuration that assumes it; every resource declared with that provider is then created with the role's permissions. Because provider configuration is evaluated at plan time, the role must already exist before this provider can assume it:

provider "aws" {
  alias = "cross_account"
  # Assume the cross-account role: resources declared with this provider
  # are created with the role's permissions, not the caller's credentials
  assume_role {
    role_arn = aws_iam_role.cross_account_role.arn
  }
}

resource "aws_s3_bucket" "example_bucket" {
  provider = aws.cross_account
  bucket   = "example-bucket"
}

Remember to run terraform init, terraform plan, and terraform apply to initialize the Terraform configuration, plan the changes, and apply them to create the cross-account role.

5. What you have to do in the target account

In addition to creating the IAM role in the source account using Terraform, you also have to carry out the following steps in the target account to establish the cross-account access:

  1. Log in to the AWS Management Console of the target account.
  2. Navigate to the IAM service.
  3. Create a new IAM role that will assume the cross-account role.
  4. Attach a trust policy to the newly created role to allow the source account to assume this role.
    • Click on "Trust relationships" for the role.
    • Click on "Edit trust relationship."
    • Specify the trust policy document with the required permissions. Here is an example of the trust policy in JSON format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<SOURCE_ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Replace <SOURCE_ACCOUNT_ID> with the AWS account ID in which the cross-account role is created.

    • Click on "Update Trust Policy" to save the changes.
  5. Once the trust policy is set up, you can use the ARN of the cross-account role in the source account to grant the required permissions to resources in the target account.

By configuring the trust policy in the target account, you allow the specified role in the source account to assume the cross-account role and access resources in the target account.
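As an added example (not code from the original post), here is how the two halves of the relationship look when both accounts are managed from one Terraform configuration: the target-account role trusts one specific source role rather than the whole account via ":root", requires an external ID on the AssumeRole call, and the source-side role is explicitly permitted to assume exactly that role. The account ID, the "target-admin" profile, the "TerraformDeployer" role name and the external ID are placeholders.

```hcl
# Added example, not from the original post: account IDs, the profile name,
# the source role name and the external ID are placeholders.
locals {
  source_account_id = "111111111111"               # placeholder
  external_id       = "replace-with-random-secret" # placeholder
}

provider "aws" { region = "us-east-1" }             # default: SOURCE account credentials
provider "aws" {                                    # admin credentials for the TARGET account
  alias   = "target"
  region  = "us-east-1"
  profile = "target-admin"                          # placeholder named profile
}

# Target account: trust one specific source role rather than the whole
# account ("...:root"), and require an external ID on the AssumeRole call.
data "aws_iam_policy_document" "target_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.source_account_id}:role/TerraformDeployer"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [local.external_id]
    }
  }
}

resource "aws_iam_role" "cross_account_role" {
  provider           = aws.target
  name               = "CrossAccountRole"
  assume_role_policy = data.aws_iam_policy_document.target_trust.json
}
# Source account: the deployer role must itself be allowed to call
# sts:AssumeRole on exactly this role; both sides have to agree.
resource "aws_iam_role_policy" "allow_assume" {
  name = "AssumeCrossAccountRole"
  role = "TerraformDeployer"                        # placeholder: existing source role
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = aws_iam_role.cross_account_role.arn
    }]
  })
}
```

A provider block with assume_role that passes the same external_id is then used to create resources in the target account, as in step 4.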
