Home > front end >  Are there any good examples of cross-account deployments using the same terraform script?
Are there any good examples of cross-account deployments using the same terraform script?

Time:10-11

Based on this comment I wanted to give @Davos the opportunity to supply his answer to this question:

can you point at a good example of this (cross) account deployment setup? I am using the .aws/config and ./aws/credentials entries of another account, and specifying AWS_PROFILE=dev_admin for example, but resource owners are still showing as the main org's Management Account #. I've had no luck with the provider "profile" either...

CodePudding user response:

I'm not aware of any kind of comprehensive tutorial for cross-account deployment.

AWS Terraform provider has options such as profile where we can specify which profile should be used from our ~/.aws/config file. Moreover, the provider can have a assume_role in which case a certain role will be assumed to create resources, although this can be necessary only we would want to use the same user and assume a role in another account.

We can have multiple providers in the same project. Each provider can use credentials for different users in different accounts. Each resource can specify which provider to use, so it will be provisioned in that specific account.

Bringing this all together, we can have the following example:

~/.aws/credentials file:

[default]
aws_access_key_id=ACCESS_KEY
aws_secret_access_key=SECRET_KEY

[user1]
aws_access_key_id=ACCESS_KEY
aws_secret_access_key=SECRET_KEY

~/.aws/config file:

[default]
region=us-west-1
output=json

[profile user1]
region=us-east-1
output=text

Terraform code:

# Default provider, it will use the credentials for the default profile and it will provision resources in the default account
provider "aws" {
  region = "us-west-1"
}

# Provider for another account, it will use the credentials for profile user1 and it will provision resources in the secondary account
provider "aws" {
  alias  = "account1"
  region = "us-east-1"
  profile = "user1"
}

# No provider is explicitly specified, this will use the default provider
# It will be deployed in the default account
resource "aws_vpc" "default_vpc" {
  cidr_block = "10.0.0.0/16"
}

# Provider is explicitly specified, so this will go into secondary account
resource "aws_vpc" "another_vpc" {
  provider = aws.account1
  cidr_block = "10.0.0.0/16"
}

Obviously, the state will be kept in a single place, which can be a bucket in any of the accounts.

Page link:https//www.codepudding.com/frontend/147665.html

Prev:How do I prevent search engine crawlers from indexing a domain on AWS?
Next:AWS LoadBalancer access from EKS worker nodes in provate subnets
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding