Hey everyone! I'm trying to figure out how to set up a multi-account AWS architecture using Terraform, and I'd love to see a minimal example if anyone has one. From what I understand, the roles need to be established in the individual environment accounts. For instance, in my `sandbox` account, I want a role that allows me to create an EC2 instance. This role should have an assume role policy that gives access to my administrative account. Additionally, users in the administrative account must have the corresponding permissions set up.
I've already set up an S3 bucket in the administrative account for storing the Terraform state. My goals are: 1) Create an EC2 instance in the sandbox account, 2) Store the state of this sandbox in the S3 bucket, 3) Define all roles and permissions with minimal access rights, 4) Use workspaces to easily switch between deploying to the sandbox and other accounts, and 5) Ensure everything is managed through Terraform without the need to manually configure anything in the AWS console.
Do you think this approach is feasible, or am I overcomplicating things?
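One way to lay out exactly what the question describes, as an added example rather than code from this thread or from AWS: state in the administrative account's bucket, a least-privilege deployer role in each environment account whose trust policy admits only the administrative account, the target account chosen by the Terraform workspace, and an EC2 instance created through that role. Account IDs, the bucket and lock-table names, the region, the role names `TerraformOperator` and `TerraformDeployer`, and the AMI are all placeholders; `OrganizationAccountAccessRole` is the role AWS Organizations creates in member accounts and is used here only to bootstrap the deployer role.

```hcl
terraform {
  required_version = ">= 1.5"
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
  # Remote state in the administrative account; with workspaces the S3 backend
  # stores each workspace's state under env:/<workspace>/<key> automatically.
  backend "s3" {
    bucket         = "REPLACE-admin-tfstate-bucket" # placeholder
    key            = "ec2.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "REPLACE-tfstate-lock" # placeholder lock table
  }
}

locals {
  region           = "eu-west-1"
  admin_account_id = "999999999999" # placeholder
  # Workspace name -> target account (placeholder IDs). Switching workspaces
  # switches the account every resource below is created in; the "default"
  # workspace has no entry, so a run there fails instead of hitting any account.
  account_ids = {
    sandbox = "111111111111"
    staging = "222222222222"
  }
  target_account = local.account_ids[terraform.workspace]
}

# Default provider: credentials come from the administrative account (the
# hypothetical TerraformOperator role) and hop into the least-privilege
# deployer role of the workspace's account.
provider "aws" {
  region = local.region
  assume_role {
    role_arn     = "arn:aws:iam::${local.target_account}:role/TerraformDeployer"
    session_name = "terraform-${terraform.workspace}"
  }
}

# Bootstrap provider: the broad role AWS Organizations creates in member
# accounts, used only to create the deployer role, never for workloads.
provider "aws" {
  alias  = "bootstrap"
  region = local.region
  assume_role {
    role_arn = "arn:aws:iam::${local.target_account}:role/OrganizationAccountAccessRole"
  }
}

# Trust policy: only the administrative account's operator role may assume
# the deployer role in this environment account.
data "aws_iam_policy_document" "deployer_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.admin_account_id}:role/TerraformOperator"]
    }
  }
}

# Permission policy: enough to create, tag, inspect and remove instances.
# The provider refreshes state through many Describe* calls, so the
# read-only wildcard is kept; the mutating actions are listed explicitly.
data "aws_iam_policy_document" "deployer_permissions" {
  statement {
    actions   = ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateTags", "ec2:Describe*"]
    resources = ["*"] # tighten further with conditions (tags, instance type) per account
  }
}

resource "aws_iam_role" "deployer" {
  provider           = aws.bootstrap
  name               = "TerraformDeployer"
  assume_role_policy = data.aws_iam_policy_document.deployer_trust.json
}

resource "aws_iam_role_policy" "deployer" {
  provider = aws.bootstrap
  role     = aws_iam_role.deployer.id
  policy   = data.aws_iam_policy_document.deployer_permissions.json
}

# The workload, created through the deployer role in the selected account.
resource "aws_instance" "sandbox" {
  ami           = "ami-REPLACE" # placeholder AMI for the region
  instance_type = "t3.micro"
  tags          = { Name = "terraform-${terraform.workspace}" }

  depends_on = [aws_iam_role_policy.deployer]
}
```

Because the default provider assumes `TerraformDeployer` when it is configured, the first run in a fresh workspace has to create the role before anything else: `terraform workspace new sandbox`, then `terraform apply -target=aws_iam_role_policy.deployer`, then a plain `terraform apply`. The administrative-account side of the question is the identity running Terraform: it needs `sts:AssumeRole` on `OrganizationAccountAccessRole` (bootstrap only) and `TerraformDeployer` in each environment account, plus read/write access to the state bucket and lock table. Once the deployer role exists, the bootstrap hop can be removed from day-to-day runs and the organization role left for break-glass use.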
5 Answers
I think you’re on the right track! Setting up multi-accounts can get a bit tricky though, and it typically requires careful planning. Are you implementing this setup for a company, or just for personal learning?
Have you checked out Terragrunt? It could make managing your Terraform modules and workspaces easier, especially for this use case.
It can be tough to find a solid example since creating multiple accounts involves a lot of effort. If you're not sure you need multiple accounts, it might be worth reconsidering. But the AWS article you referenced does provide a good blueprint!
AWS Organizations is designed for setting this up! You can manage it with Terraform using `aws_organization_account` for creating accounts within the organization. If you're feeling adventurous, integrate AWS Identity Center for easier user access across accounts.
I use Pulumi for similar setups, and it's been great! Just thought I'd mention that as an alternative.
Yeah, it's for a company. Even if it feels like overkill now, I want to build a solid foundation for future growth.