Connection Wizard – Terraform

Jul 29, 2024

Introduction

The CloudSaver Connection Wizard’s Terraform connector for AWS allows users to quickly deploy both the IAM cross-account role and IAM permission policies using their existing Terraform tools.

Guidance on the setup of Terraform for use with AWS can be found within HashiCorp’s Terraform documentation.

Descriptions of the resource and data types used in CloudSaver’s template can be found within the Terraform Registry under the AWS provider documentation.

For this guide, we’re using the Terraform command-line in Windows Subsystem for Linux, but the resource and data blocks provided in the CloudSaver template will work however you implement Terraform.

Getting Started

We’ll begin by logging into CloudSaver and clicking “Get started” from the dashboard.

As noted here, to connect, Terraform will need to authenticate with credentials to the AWS Organization’s management account and use a role that’s authorized to deploy IAM roles and policies.

We’ll also need to know our AWS Organization’s management account ID, which we can find in the AWS Management Console, or through the AWS CLI.

Instructions to find your management account ID can be found within the AWS documentation. We’ll also verify that we’re authenticated to the management account later in this guide.

Click “Next” and select “Terraform”.

Here we enter our management account ID to populate our Terraform template.

Once the ID is entered, the template becomes available for download.

We’ll download it and save to a local folder.

Command-Line

Visual Studio Code allows us to both edit the template and use the terminal for the Terraform command-line, but any terminal and text editor combination will work.

First, we’ll verify Terraform is configured with credentials for our management account.

Depending on how you use Terraform, your steps to verify your credentials will vary. Right now our Terraform is running via command-line using shared credentials setup from the AWS CLI.
This means we can verify authentication in the management account like we would with the AWS CLI itself.

In the terminal, we first run a command for “organizations” with a “describe organization” sub-command. Then, run a command for “sts” with a “get caller identity” sub-command.

Ensuring each number matches — in this case ending in “1411” — means we’re authenticated to the management account and can proceed.

Next, we need to add our Terraform AWS providers blocks to the template.

Because configuration here changes dependent on each user’s method of running Terraform on AWS, the CloudSaver template is generated without these blocks.

For example, a user who wishes to deploy the CloudSaver connection to multiple accounts across their Organization could define multiple AWS providers using aliases. The HashiCorp Terraform documentation on Providers includes more detail on how this can be done.

At a minimum, the CloudSaver platform should be connected to the AWS Organization’s management account. For purposes of this guide, we’ll connect to our management account alone.

To do so we first enter our starting “Required Providers” block for AWS . . .
. . .then our provider block itself, with a region set to “us-east-1”. We need a region to execute the deployment, but IAM resources are global, so pick whichever region you prefer.

Because our Terraform command-line is using shared credentials which we verified earlier, there is no need for additional provider parameters for our authentication to AWS.

At this point, be sure to save your Terraform file so your new blocks are written and used in the deployment.

Now we’ll initialize this Terraform template with “terraform init” in the terminal.

We can see Terraform initialized successfully and we’ll now run “terraform fmt” to standardize our formatting.

Then we’ll run “terraform validate” to check our template with Terraform itself.

We see a valid configuration so we’re ready to apply, but first we’ll clear the output with “clear”.

Now we run “terraform apply”.

Terraform will first plan the deployment and give a prompt to proceed, enter “yes”.

We can see from the output that the resources have been deployed.

When we return to the Connection Wizard in our browser, we can see the connection confirm.

Clicking “View connections” takes us to the Connections tree where we can see the management account is connected.

In this article

Introduction
Getting Started
Command-Line

FEATURE	BENEFIT
Tag Automation & Batch Tag Processing	Employ powerful automation to quickly and accurately tag cloud resources minimizing manual tasks and saving valuable time and effort. Reduce security vulnerabilities and human errors with accurate and swift tagging.
Real-time, Native Cloud Sync	Tag changes are reflected in real-time in native cloud service provider environments. Data is timely and accurate and can be leveraged with additional CloudSaver and third-party tools.
Tag Explorer Query Engine	Utilize our patented filtering and search technology for rapid and efficient location of client data across resources, zones, accounts, and service providers. This capability drastically reduces mean-time-to-resolution by quickly identifying key cloud data. Its deep dive, robust exploration enables you to “find anything.”
Tag Intelligence Dashboards & Tools	Benefit from a guided tag health experience that automatically delivers valuable insights without the need for customized reports or dashboards. These insights cover both your entire tag environment and also specific categories.
Customizable Dashboards	Create customized dashboards to display data according to your specific needs, offering real-time visibility into cloud resources, tags and spend. Obtain timely, accurate, and relevant data for insightful analysis and to identify tagging gaps.
Efficient Tag Remediation	Benefit from suggested, spell-checked tag keys and values – detect and batch merge tag variations.
Legacy Tagging Solutions	Retroactively tag or modify tags on existing legacy resources during cloud migration, either individually or in bulk and eliminate time-consuming manual efforts for smooth integration into your cloud environment.
Multi-Tenant & Multi-Cloud	Manage every cloud data set from a single screen across resources, zones, accounts, and cloud service providers (AWS and Azure).
Tag Policy Compliance Monitoring	Ingest tag policies from native cloud environments to ensure consistent tag syntax and taxonomy.
User Role & Permission Console	Enhance security with Identity and Access Management features contained in the permissions assigned through tagging.
Configuration Management Database (CMDB) Integration	The CloudSaver platform seamlessly incorporates CMDB data related to known cloud infrastructure, offering precise control, efficient tagging, and enhanced visibility by viewing, filtering, and sorting cloud resources based on CMDB data.