The Background
I am an admin IAM user of an AWS account which has an organization.
What I want to do is use these credentials to set up the bare minimum infrastructure necessary to hand everything over to Terraform, so that the maximum amount of work is fully automated and scripted in Terraform, with minimal manual intervention from myself.
The Terraform project will run in a CI pipeline on GitLab, GitHub, etc.
I also don't want to put my IAM user credentials into the CI pipeline. Following the principle of least privilege, I believe it to be more secure to create a specific Terraform IAM user with only the permissions it needs to administer the entire stack.
I understand there is a bit of a chicken-and-egg situation here, because Terraform needs certain things to exist before it can run. So here's what I have created manually:
- An S3 bucket in the root account, to store terraform state.
- An IAM user (TerraformAdmin), whose AWS access key and secret key I exported and stored in the CI secrets vault
- Some policies for the TerraformAdmin user so it can do what I need it to do (more on that later)
The Problem
I'm trying to create a multi-account setup, so that different apps and environments have their own AWS accounts. I can do this easily enough using my admin IAM user, but I'm struggling to delegate the correct permissions to the TerraformAdmin role so it can perform the multi-account administration.
For example, I can give it permissions such as:
"organizations:CreateOrganizationalUnit",
"organizations:CreateAccount",
and have it create the OU structure I want, and start creating dev and prod accounts in the appropriate OU.
Where I then run into trouble is using the TerraformAdmin user to AssumeRole and take control of the organisation's sub-accounts.
I can do this step manually by logging in to the AWS console with my admin credentials, then switching to the sub-account and adding the correct role with the TerraformAdmin account ID:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[TfAdminAccountID]:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
But when I try to automate this process, the TerraformAdmin account is capable of creating a sub-account, and by default this sub-account is given the OrganizationAccountAccessRole role, but the Principal in that role's trust policy is hard-wired back to the parent organisation account ID.
So then when TerraformAdmin tries to assume the OrganizationAccountAccessRole it can't, because it has a different account ID.
I'm trying to work out what policies / permissions I need to grant to the TerraformAdmin account, so it can create accounts automatically and also access them via the AssumeRole action, so it can create resources inside them and scaffold up the rest of the infrastructure for the account (VPC, LB, etc.).
I hope this makes sense.
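The following Terraform configuration is an added example and is not code from the question or from anyone answering it. It shows the two halves that a cross-account AssumeRole needs when an account is created from the organization's management account: the trust policy on the target side, which AWS writes into the role named by role_name and which trusts the management account's root (so every IAM principal in that account that is itself allowed to call sts:AssumeRole qualifies), and the identity policy on the caller side, which the TerraformAdmin user also needs before STS will let it assume that role. The account name, e-mail address, region, OU name, CIDR block and session name are hypothetical placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Default provider: the TerraformAdmin user's keys, supplied by the CI
# secrets vault through AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
provider "aws" {
  region = "eu-west-1" # hypothetical
}

# The organization already exists; look it up to find the root to hang OUs off.
data "aws_organizations_organization" "this" {}

resource "aws_organizations_organizational_unit" "dev" {
  name      = "dev" # hypothetical
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

# Member account. role_name is the cross-account admin role AWS creates in
# the new account; its trust policy trusts arn:aws:iam::<management>:root,
# i.e. the account the TerraformAdmin user lives in.
resource "aws_organizations_account" "dev" {
  name      = "example-dev"                   # hypothetical
  email     = "aws-dev@example.invalid"       # hypothetical, must be unique per account
  parent_id = aws_organizations_organizational_unit.dev.id
  role_name = "OrganizationAccountAccessRole" # the default name, made explicit
}

# Caller side: TerraformAdmin must itself be allowed to call sts:AssumeRole on
# the role in every member account, otherwise the trust policy alone is not enough.
data "aws_iam_policy_document" "assume_member_roles" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::*:role/OrganizationAccountAccessRole"]
  }
}

resource "aws_iam_policy" "terraform_admin_assume" {
  name   = "TerraformAdminAssumeMemberRoles" # hypothetical
  policy = data.aws_iam_policy_document.assume_member_roles.json
}

resource "aws_iam_user_policy_attachment" "terraform_admin_assume" {
  user       = "TerraformAdmin"
  policy_arn = aws_iam_policy.terraform_admin_assume.arn
}

# Aliased provider that runs every API call inside the new account by
# assuming the role; member-account resources select it with provider = aws.dev.
provider "aws" {
  alias  = "dev"
  region = "eu-west-1" # hypothetical
  assume_role {
    role_arn     = "arn:aws:iam::${aws_organizations_account.dev.id}:role/OrganizationAccountAccessRole"
    session_name = "terraform-ci" # hypothetical
  }
}

resource "aws_vpc" "dev" {
  provider   = aws.dev
  cidr_block = "10.10.0.0/16" # hypothetical
}
```

Two practical caveats. First, the identity policy and its attachment grant TerraformAdmin more access than it starts with, so applying them with TerraformAdmin's own keys would mean the CI user escalating itself; treat that part as bootstrap applied once with the human admin's credentials, alongside the state bucket and the user itself. Second, the aliased provider's role_arn depends on an account ID that is unknown until the account has been created, and Terraform cannot plan a provider whose configuration is unknown; in practice the account-creation resources go through a first apply (for example with `-target`) or live in their own root module, and the member-account resources are applied afterwards.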