Attempt to create a development role in a second AWS account and then attach it to the main AWS account
# AWS provider for the dev account, addressed from resources via the "aws.dev" alias.
# NOTE(review): access_key/secret_key are long-lived static credentials passed in as
# variables; they show up in plan output and in any captured logs of the run, so the
# variables and plan files need to be handled as secrets. A named profile or an
# assume_role block on the provider would avoid carrying the secret through Terraform.
provider "aws" {
  region     = "${var.aws_region}"
  access_key = "${var.dev_access_key}"
  secret_key = "${var.dev_secret_key}"
  alias      = "dev"
}
# Customer-managed policy in the dev account granting unrestricted access:
# Action "*" on Resource "*" is full administrative control of that account,
# equivalent in scope to the AWS-managed AdministratorAccess policy. Whoever can
# assume the role this is attached to inherits all of it, so narrow the Action and
# Resource lists if the dev workflow does not actually need everything.
resource "aws_iam_policy" "external_admin_policy" {
  provider = "aws.dev"
  name     = "ExternalAdminPolicy"
  path     = "/"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
POLICY
}
# Role in the dev account that the main account is trusted to assume.
# The principal "arn:aws:iam::<main_account_id>:root" delegates to the main account
# as a whole: any IAM user or role in that account whose own identity policy allows
# sts:AssumeRole on this role's ARN can assume it. The trust policy carries no
# Condition (no MFA, ExternalId or source-IP requirement), so the only gate is the
# main account's IAM permissions. If only specific main-account principals should
# use this role, list their user/role ARNs in "AWS" instead of ":root".
resource "aws_iam_role" "external_admin_role" {
  provider = "aws.dev"
  name     = "ExternalAdminRole"

  assume_role_policy = <<TRUST
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.main_account_id}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
TRUST
}
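# Attach the admin policy to the external admin role (dev account).
# aws_iam_role_policy_attachment binds this one policy to this one role and
# touches nothing else. The previously used aws_iam_policy_attachment resource
# is exclusive: on every apply it detaches the policy from any role, user or
# group not listed in its own arguments, so an attachment made outside this
# configuration would be silently undone. Switching resource types shows up as
# a destroy/create of the attachment in the next plan; the policy content and
# the role are unaffected.
resource "aws_iam_role_policy_attachment" "external_admin_policy_attachment_to_external_admin_role" {
  provider   = "aws.dev"
  role       = "${aws_iam_role.external_admin_role.name}"
  policy_arn = "${aws_iam_policy.external_admin_policy.arn}"
}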