IAM Initial Setup 2

(production account) IAM setup required for multi-account operation

Production Account setup

  • Create the roles that will be assumed from the ID account.

  • If you have additional accounts, repeat this guide for each of them.

This work requires the initialization account that is needed for account creation. Create the initialization user by following the link below.

Create an initialization IAM user (linked page)

backend and provider settings

In the backend.tf file, change id -> prod.

terraform {
  required_version = "= 0.12.18" # Terraform Version 

  backend "s3" {
    bucket         = "dayone-prod-apnortheast2-tfstate" # Set bucket name 
    key            = "dayone/terraform/iam/dayone-prod/terraform.tfstate"
    region         = "ap-northeast-2"
    encrypt        = true
    dynamodb_table = "terraform-lock" # Set DynamoDB Table
  }
}
provider "aws" {
  region = "us-east-1"
  version = "~> 2.49"
}

Creating the Assume Roles

  • Create the roles that will be assumed from the id account (dayone-id).

  • Since admin and readonly were created in the ID account, create the matching roles here.

Edit the following two files.

  • terraform/iam/dayone-prod/assume-dayone-prod-admin-with-dayone-id.tf

  • terraform/iam/dayone-prod/assume-dayone-prod-readonly-with-dayone-id.tf

vim assume-dayone-prod-admin-with-dayone-id.tf
#
# dayone-prod administrator
#
resource "aws_iam_role" "assume_dayone_prod_admin" {
  name = "assume-dayone-prod-admin"
  path = "/"
  max_session_duration = "43200"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.id_account_id}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "assume_dayone_prod_admin" {
  name = "assume-dayone-prod-admin-passrole"
  role = aws_iam_role.assume_dayone_prod_admin.id

  policy = <<EOF
{
  "Statement": [
    {
      "Sid": "AllowIAMPassRole",
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "assume_dayone_prod_admin" {
  role       = aws_iam_role.assume_dayone_prod_admin.id
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
vim assume-dayone-prod-readonly-with-dayone-id.tf
#
# dayone-prod readonly
#
resource "aws_iam_role" "assume_dayone_prod_readonly" {
  name = "assume-dayone-prod-readonly"
  path = "/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.id_account_id}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "assume_dayone_prod_readonly" {
  name = "assume-dayone-prod-readonly-passrole"
  role = aws_iam_role.assume_dayone_prod_readonly.id

  policy = <<EOF
{
  "Statement": [
    {
      "Sid": "AllowIAMPassRole",
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "assume_dayone_prod_readonly" {
  role       = aws_iam_role.assume_dayone_prod_readonly.id
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
Defining and setting variables

  • Define the required variables in variables.tf.

variable "aws_region" {
  description = "The AWS region to deploy the shard storage layer into"
}

variable "id_account_id" {
  description = "The AWS account number of ID account"
}

  • Enter the value of each variable in terraform.tfvars.

aws_region = "us-east-1"
id_account_id = "<account_number_of_id>" #12-digit Number of ID account

Creating the resources

Once the edits are complete, initialize terraform.

$ terraform init

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.56.0...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Review the resources that will be created.

$ terraform plan -parallelism=30
Acquiring state lock. This may take a few moments...
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role.assume_dayone_prod_admin will be created
  + resource "aws_iam_role" "assume_dayone_prod_admin" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::xxxxxxxxxx:root"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + max_session_duration  = 43200
      + name                  = "assume-dayone-prod-admin"
      + path                  = "/"
      + unique_id             = (known after apply)
    }

  # aws_iam_role.assume_dayone_prod_readonly will be created
  + resource "aws_iam_role" "assume_dayone_prod_readonly" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::xxxxxxxxxx:root"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + max_session_duration  = 3600
      + name                  = "assume-dayone-prod-readonly"
      + path                  = "/"
      + unique_id             = (known after apply)
    }

  # aws_iam_role_policy.assume_dayone_prod_admin will be created
  + resource "aws_iam_role_policy" "assume_dayone_prod_admin" {
      + id     = (known after apply)
      + name   = "assume-dayone-prod-admin-passrole"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "iam:PassRole",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "AllowIAMPassRole"
                    },
                ]
            }
        )
      + role   = (known after apply)
    }

  # aws_iam_role_policy.assume_dayone_prod_readonly will be created
  + resource "aws_iam_role_policy" "assume_dayone_prod_readonly" {
      + id     = (known after apply)
      + name   = "assume-dayone-prod-readonly-passrole"
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "iam:PassRole",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "AllowIAMPassRole"
                    },
                ]
            }
        )
      + role   = (known after apply)
    }

  # aws_iam_role_policy_attachment.assume_dayone_prod_admin will be created
  + resource "aws_iam_role_policy_attachment" "assume_dayone_prod_admin" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
      + role       = (known after apply)
    }

  # aws_iam_role_policy_attachment.assume_dayone_prod_readonly will be created
  + resource "aws_iam_role_policy_attachment" "assume_dayone_prod_readonly" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
      + role       = (known after apply)
    }

Plan: 6 to add, 0 to change, 0 to destroy.

If the result is Plan: 6 to add, 0 to change, 0 to destroy., everything is in order.

Now, create the resources.

$ terraform apply -parallelism=30

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:
(... omitted ...)

Plan: 6 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_iam_role.assume_dayone_prod_readonly: Creating...
aws_iam_role.assume_dayone_prod_admin: Creating...
aws_iam_role.assume_dayone_prod_readonly: Creation complete after 2s [id=assume-dayone-prod-readonly]
aws_iam_role_policy_attachment.assume_dayone_prod_readonly: Creating...
aws_iam_role_policy.assume_dayone_prod_readonly: Creating...
aws_iam_role.assume_dayone_prod_admin: Creation complete after 3s [id=assume-dayone-prod-admin]
aws_iam_role_policy.assume_dayone_prod_admin: Creating...
aws_iam_role_policy_attachment.assume_dayone_prod_admin: Creating...
aws_iam_role_policy_attachment.assume_dayone_prod_readonly: Creation complete after 2s [id=assume-dayone-prod-readonly-20200408174652290200000001]
aws_iam_role_policy_attachment.assume_dayone_prod_admin: Creation complete after 1s [id=assume-dayone-prod-admin-20200408174652674300000002]
aws_iam_role_policy.assume_dayone_prod_readonly: Creation complete after 3s [id=assume-dayone-prod-readonly:assume-dayone-prod-readonly-passrole]
aws_iam_role_policy.assume_dayone_prod_admin: Creation complete after 2s [id=assume-dayone-prod-admin:assume-dayone-prod-admin-passrole]

Apply complete! Resources: 6 added, 0 changed, 0 destroyed.

If you see Apply complete! Resources: 6 added, 0 changed, 0 destroyed., matching the plan above, everything is in order.
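As an added check that is not part of the original guide, the following Python evaluates a caller ARN against the trust policy created above (the same document as in the .tf files, with ${var.id_account_id} filled in with a constructed account number). It shows that the ":root" principal admits any IAM user or role of the ID account, so which people can actually assume the prod roles is decided by the IAM policies attached in the ID account, not by the trust policy itself.

```python
import re

# Trust policy from the assume-dayone-prod-admin/readonly roles above,
# with ${var.id_account_id} filled in. The account number is constructed.
ID_ACCOUNT_ID = "111111111111"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ID_ACCOUNT_ID}:root"},
                   "Action": "sts:AssumeRole"}],
}

# account id -> group(1), resource part (root, user/x, role/y, ...) -> group(2)
ARN_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):(.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(allowed: str, caller_arn: str) -> bool:
    """Match one Principal.AWS entry against the calling principal's ARN.
    "<account>:root" means any IAM principal in that account; the ID
    account's own IAM policies then decide who may call sts:AssumeRole.
    Any other ARN must match exactly."""
    if allowed == "*":
        return True
    m_allowed, m_caller = ARN_RE.match(allowed), ARN_RE.match(caller_arn)
    if not (m_allowed and m_caller):
        return False
    if m_allowed.group(2) == "root":
        return m_allowed.group(1) == m_caller.group(1)
    return allowed == caller_arn


def can_assume(trust_policy: dict, caller_arn: str) -> bool:
    """An explicit Deny wins; otherwise one matching Allow is required."""
    allowed = False
    for statement in trust_policy["Statement"]:
        actions = _as_list(statement.get("Action", []))
        if not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue  # statement is not about assuming the role
        principal = statement.get("Principal", {})
        entries = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if any(principal_matches(p, caller_arn) for p in entries):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```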
