Introduction
The CloudSaver Connection Wizard’s Terraform connector for AWS allows users to quickly deploy both the IAM cross-account role and IAM permission policies using their existing Terraform tools.
Guidance on the setup of Terraform for use with AWS can be found within HashiCorp’s Terraform documentation.
Descriptions of the resource and data types used in CloudSaver’s template can be found within the Terraform Registry under the AWS provider documentation.
For this guide, we’re using the Terraform command-line in Windows Subsystem for Linux, but the resource and data blocks provided in the CloudSaver template will work however you implement Terraform.
Getting Started
We’ll begin by logging into CloudSaver and clicking “Get started” from the dashboard.
As noted here, to connect, Terraform will need to authenticate with credentials to the AWS Organization’s management account and use a role that’s authorized to deploy IAM roles and policies.
We’ll also need to know our AWS Organization’s management account ID, which we can find in the AWS Management Console, or through the AWS CLI.
Instructions to find your management account ID can be found within the AWS documentation. We’ll also verify that we’re authenticated to the management account later in this guide.
Click “Next” and select “Terraform”.
Here we enter our management account ID to populate our Terraform template.
Once the ID is entered, the template becomes available for download.
We’ll download it and save to a local folder.
Command-Line
Visual Studio Code allows us to both edit the template and use the terminal for the Terraform command-line, but any terminal and text editor combination will work.
First, we’ll verify Terraform is configured with credentials for our management account.
Depending on how you use Terraform, your steps to verify your credentials will vary. Right now our Terraform is running via command-line using shared credentials setup from the AWS CLI.
This means we can verify authentication in the management account like we would with the AWS CLI itself.
In the terminal, we first run a command for “organizations” with a “describe organization” sub-command. Then, run a command for “sts” with a “get caller identity” sub-command.
Ensuring each number matches — in this case ending in “1411” — means we’re authenticated to the management account and can proceed.
Next, we need to add our Terraform AWS providers blocks to the template.
Because configuration here changes dependent on each user’s method of running Terraform on AWS, the CloudSaver template is generated without these blocks.
For example, a user who wishes to deploy the CloudSaver connection to multiple accounts across their Organization could define multiple AWS providers using aliases. The HashiCorp Terraform documentation on Providers includes more detail on how this can be done.
At a minimum, the CloudSaver platform should be connected to the AWS Organization’s management account. For purposes of this guide, we’ll connect to our management account alone.
To do so we first enter our starting “Required Providers” block for AWS . . .
. . .then our provider block itself, with a region set to “us-east-1”. We need a region to execute the deployment, but IAM resources are global, so pick whichever region you prefer.
Because our Terraform command-line is using shared credentials which we verified earlier, there is no need for additional provider parameters for our authentication to AWS.
At this point, be sure to save your Terraform file so your new blocks are written and used in the deployment.
Now we’ll initialize this Terraform template with “terraform init” in the terminal.
We can see Terraform initialized successfully and we’ll now run “terraform fmt” to standardize our formatting.
Then we’ll run “terraform validate” to check our template with Terraform itself.
We see a valid configuration so we’re ready to apply, but first we’ll clear the output with “clear”.
Now we run “terraform apply”.
Terraform will first plan the deployment and give a prompt to proceed, enter “yes”.
We can see from the output that the resources have been deployed.
When we return to the Connection Wizard in our browser, we can see the connection confirm.
Clicking “View connections” takes us to the Connections tree where we can see the management account is connected.
In this article