AWS Control Tower 创建的 aws 多账户环境中的 Terraform
[英]Terraform in aws multi account env created by AWS Control Tower
问题描述
I have just moved to a multi account set up using Control Tower and am having a 'mare using Terraform to deploy resources in different accounts.
我刚刚转移到使用 Control Tower 设置的多账户,并且正在使用 Terraform 在不同账户中部署资源。
My (simplified) account structure is:我的(简化的)账户结构是:
|--Master
|--management (backends etc)
|--images (s3, ecr)
|--dev
|--test
As a simplified experiment I am trying to create an ecr in the images account.作为一个简化的实验,我正在尝试在图像帐户中创建一个 ecr。 So I think I need to create a policy to enable role switching and provide permissions within the target account.所以我想我需要创建一个策略来启用角色切换并在目标帐户内提供权限。 For now I am being heavy handed and just trying to switch to Admin access.现在我手忙脚乱,只是想切换到管理员访问权限。 The AWSAdministratorAccess role is created by Control Tower on configuration. AWSAdministratorAccess 角色由 Control Tower 在配置时创建。
provider "aws" {
region = "us-west-2"
version = "~> 3.1"
}
data "aws_iam_group" "admins" { // want to attach policy to admins to switch role
group_name = "administrators"
}
// Images account
resource "aws_iam_policy" "images-admin" {
name = "Assume-Role-Images_Admin"
description = "Allow assuming AWSAdministratorAccess role on Images account"
policy = <<EOP
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::<Images_Account_ID>:role/AWSAdministratorAccess"
}
]
}
EOP
}
resource "aws_iam_group_policy_attachment" "assume-role-images-admin" {
group = data.aws_iam_group.admins.group_name
policy_arn = aws_iam_policy.images-admin.arn
}
Having deployed this stack I then attempt to deploy another stack which creates a resource in the images account.部署了这个堆栈后,我然后尝试部署另一个堆栈,它在图像帐户中创建一个资源。
provider "aws" {
region = var.region
version = "~>3.1"
}
provider "aws" {
alias = "images"
region = var.region
version = "~> 3.1"
assume_role {
role_arn = "arn:aws:iam::<Images_Account_ID>:role/AWSAdministratorAccess"
}
}
resource "aws_ecr_repository" "boot-images" {
provider = aws.images
name = "boot-images"
}
On deployment I got:在部署时我得到:
> Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::*********:role/AWSAdministratorAccess) cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
First one: the creds provided are from the master account which always worked in a single account environment第一个:提供的信用来自始终在单个帐户环境中工作的主帐户
Second: that's what I think has been achieved by attaching the policy第二:这是我认为通过附加政策实现的
Third: less sure on this but AWSAdministratorAccess defo exists in the account, I think the arn format is correct and while AWS Single Sign On refers to it as a Permission Set the console also describes this as a role.第三:对此不太确定,但帐户中存在 AWSAdministratorAccess defo,我认为 arn 格式是正确的,而 AWS Single Sign On 将其称为权限集,控制台也将其描述为角色。
I found Deploying to multiple AWS accounts with Terraform?我发现使用 Terraform 部署到多个 AWS 账户? which was helpful but I am missing something here.这很有帮助,但我在这里遗漏了一些东西。
I am also at a loss of how to extend this idea to deploying an s3 remote backend into my "management" account.我也不知道如何将这个想法扩展到将 s3 远程后端部署到我的“管理”帐户中。
Terraform version 0.12.29 Terraform 版本 0.12.29
2 个解决方案
解决方案1
0 2020-08-27 14:32:42
Turns out there were a couple of issues here:结果发现这里有几个问题:
- Profile轮廓
The credentials profile was incorrect.凭据配置文件不正确。 Setting the correct creds in Env Vars let me run a simple test when just using the creds file failed.在 Env Vars 中设置正确的 creds 可以让我在仅使用 creds 文件失败时运行一个简单的测试。 There is still an issue here I don't understand as updating the creds file also failed but I have a system that works.这里仍然存在一个问题,我不明白,因为更新 creds 文件也失败了,但我有一个可以工作的系统。
- AWS created roles AWS 创建的角色
While my assumption was correct that the Permission Sets are defined as Roles, they have a trust relationship which was not extended to my Master Admin User (my bad) AND it cannot be amended as it was created by AWS automatically and it is locked down.虽然我的假设是正确的,权限集被定义为角色,但它们有一个信任关系,没有扩展到我的主管理员用户(我的坏)并且它不能被修改,因为它是由 AWS 自动创建的并且被锁定。
- Manually grant permissions手动授予权限
So while I can grant permissions to a Group to assume a role programatically via Terraform I need to manually create a role in the Target account which extends trust and hence permissions to the Master account.因此,虽然我可以通过 Terraform 以编程方式授予组权限以承担角色,但我需要在 Target 帐户中手动创建一个角色,以扩展信任,从而扩展主帐户的权限。
解决方案2
0 2022-02-07 11:16:49
In my own experience and considering you already have a working AWS infrastructure, I'd rule out and move away from Control Tower and look into doing same things with CloudFormation StackSets.根据我自己的经验,并考虑到您已经拥有一个可用的 AWS 基础设施,我会排除并离开 Control Tower,并考虑使用 CloudFormation StackSets 做同样的事情。 They let you target OUs or individual accounts.它们让您可以定位 OU 或个人账户。
Control Tower has been recommended to me several times, but having an AWS ecosystem of more >25 accounts with production workloads, I am very reluctant to event try. Control Tower 已多次向我推荐,但拥有超过 25 个帐户和生产工作负载的 AWS 生态系统,我非常不愿意事件尝试。 It's great to start from scratch I guess, but not when you already have a decent amount of workloads and accounts in AWS.我想从头开始很棒,但当您在 AWS 中已经拥有相当数量的工作负载和账户时就不行了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.