Using different AWS account for the different Environments is now a days best practice so that we can have complete isolation for all the Environments.
In above diagram [copied from segment.io blog] Ops AWS account is the entry point for rest of the AWS accounts. What this means is we don't need to have users on Dev, Staging and Prod AWS account instead we can use AWS STS and Assume Role to bootstrap/access AWS services.
By using separate AWS accounts for different environments
and many more…..
4 AWS accounts and make sure to enable MFA for the root accounts.
Note: We can setup this with 2 AWS accounts too but in this post we are considering 4 AWS accounts.
Lets give name to 4 AWS accounts which we will refer in the post.
The ops
account serves as the jump point and centralized login. Everyone in the organization can have a IAM account for it.
The other environments have a set of IAM roles to switch between them. It means there’s only ever one login point for our admin accounts, and a single place to restrict access.
As an example, Anay might have access to all three environments, but Abhi can only access dev . But they both login through the ops
account.
Instead of having complex IAM settings to restrict access, we can easily lock down users by environment and group them by role. Using each account from the interface is as simple as switching the currently active role.
As soon as we get AWS accounts below are the steps which we need to perform in all
4. Create a user in Ops staging account and it must have rights to assume role from the Dev, Stage and Production account. below is the sample policy you can attach to the user to assume roles.
{“Version”: “2012–10–17”,“Statement”: [{“Effect”: “Allow”,“Action”: “sts:AssumeRole”,“Resource”: “arn:aws:iam::123545678:role/rolename”}]}
Once you have user created configure aws-cli on the host server where you want to run terraform ( you can configure it on your local machine too).
I am assuming here you will have terraform latest version binary on your system and using terraform assume role
provider "aws" { assume_role { role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME" session_name = "SESSION_NAME" external_id = "EXTERNAL_ID" }}
Now just add below 2 lines in state file for the module which you want to bootstrap.
role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME" profile = "my_profile_name"
You are all set now to run Terraform securely !