Based on this comment I wanted to give @Davos the opportunity to supply his answer to this question:
can you point at a good example of this (cross) account deployment setup? I am using the .aws/config and ~/.aws/credentials entries of another account, and specifying AWS_PROFILE=dev_admin for example, but resource owners are still showing as the main org's Management Account #. I've had no luck with the provider "profile" either...
CodePudding user response:
I'm not aware of any kind of comprehensive tutorial for cross-account deployment.
The AWS Terraform provider has options such as profile, where we can specify which profile should be used from our ~/.aws/config file. Moreover, the provider can have an assume_role block, in which case a certain role will be assumed to create resources, although this is only necessary if we want to use the same user and assume a role in another account.
We can have multiple providers in the same project. Each provider can use credentials for different users in different accounts. Each resource can specify which provider to use, so it will be provisioned in that specific account.
Bringing this all together, we can have the following example:
~/.aws/credentials file:
[default]
aws_access_key_id=ACCESS_KEY
aws_secret_access_key=SECRET_KEY
[user1]
aws_access_key_id=ACCESS_KEY
aws_secret_access_key=SECRET_KEY
~/.aws/config file:
[default]
region=us-west-1
output=json
[profile user1]
region=us-east-1
output=text
Terraform code:
# Default provider, it will use the credentials for the default profile and it will provision resources in the default account
provider "aws" {
  region = "us-west-1"
}

# Provider for another account, it will use the credentials for profile user1 and it will provision resources in the secondary account
provider "aws" {
  alias   = "account1"
  region  = "us-east-1"
  profile = "user1"
}

# No provider is explicitly specified, this will use the default provider
# It will be deployed in the default account
resource "aws_vpc" "default_vpc" {
  cidr_block = "10.0.0.0/16"
}

# Provider is explicitly specified, so this will go into secondary account
resource "aws_vpc" "another_vpc" {
  provider   = aws.account1
  cidr_block = "10.0.0.0/16"
}
Obviously, the state will be kept in a single place, which can be a bucket in any of the accounts.
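The assume_role variant mentioned in the answer, with an aws_caller_identity check so you can see which account each provider really resolves to (which is exactly the symptom in the question). This is an added example, not part of the answer above; the account ID 111111111111 and the role name TerraformDeploy are placeholders, and it assumes the default profile's credentials are allowed to assume that role.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Default provider: credentials of the [default] profile, i.e. the management account.
provider "aws" {
  region = "us-west-1"
}

# Second provider: the same default credentials, but every API call is made
# after assuming a role in the member account. Account ID and role name are
# placeholders (assumption) - replace them with your own.
provider "aws" {
  alias  = "member"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/TerraformDeploy"
    session_name = "terraform-cross-account"
  }
}

# Ask STS who each provider actually is; the account_id returned is the
# account that will own anything created through that provider.
data "aws_caller_identity" "default" {}

data "aws_caller_identity" "member" {
  provider = aws.member
}

output "default_account_id" {
  value = data.aws_caller_identity.default.account_id
}

output "member_account_id" {
  value = data.aws_caller_identity.member.account_id
}

# Provisioned in the member account because it names the aliased provider.
resource "aws_vpc" "member_vpc" {
  provider   = aws.member
  cidr_block = "10.1.0.0/16"
}
```

After terraform apply the two outputs should differ; if member_account_id still shows the management account, the aliased provider is not actually assuming the role and its resources will be owned by the wrong account.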