
Attempt to create an admin role in a second (dev) AWS account that principals in the main AWS account can assume via sts:AssumeRole.


# Secondary AWS provider targeting the dev account. Every resource that
# must live in the dev account selects it with `provider = "aws.dev"`.
#
# NOTE(review): the dev account's long-lived access key pair is passed in as
# plain variables; anything fed to the provider this way ends up in the
# Terraform state and in any .tfvars file. Prefer a named profile or an
# assume_role block where the workflow allows it.
provider "aws" {
  alias      = "dev"
  access_key = "${var.dev_access_key}"
  secret_key = "${var.dev_secret_key}"
  region     = "${var.aws_region}"
}

# Customer-managed policy in the dev account granting every action on every
# resource (functionally the same as the AWS-managed AdministratorAccess).
# It is attached below to the role that the main account may assume.
resource "aws_iam_policy" "external_admin_policy" {
    provider = "aws.dev"
    path     = "/"
    name     = "ExternalAdminPolicy"

    policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
EOF
}

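# Role in the dev account that the main account is trusted to assume.
#
# The trusted principal is the main account's root ARN, which delegates the
# decision to the main account's own IAM: any user or role there that is
# granted sts:AssumeRole on this role's ARN gets full admin in the dev
# account. Because the attached policy is "*" on "*", the trust policy
# additionally requires the caller to have authenticated with MFA
# (aws:MultiFactorAuthPresent). Drop or relax that condition only for
# non-interactive callers (e.g. CI) that cannot present MFA, and then
# narrow the Principal to that specific role ARN instead of ":root".
resource "aws_iam_role" "external_admin_role" {
    provider = "aws.dev"
    name     = "ExternalAdminRole"

    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMainAccountAssumeWithMFA",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.main_account_id}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
EOF
}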

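# Attach the admin policy to the cross-account role.
#
# Uses aws_iam_role_policy_attachment rather than aws_iam_policy_attachment:
# the latter is *exclusive* -- on every apply it detaches the policy from any
# user, group or role not listed in its `roles`/`users`/`groups` arguments,
# so a second attachment of ExternalAdminPolicy managed elsewhere would be
# silently removed. The role-scoped resource only manages this one pairing.
resource "aws_iam_role_policy_attachment" "external_admin_policy_attachment_to_external_admin_role" {
    provider   = "aws.dev"
    role       = "${aws_iam_role.external_admin_role.name}"
    policy_arn = "${aws_iam_policy.external_admin_policy.arn}"
}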