Sling Academy
Home/DevOps/Terraform: How to work with multiple AWS accounts

Terraform: How to work with multiple AWS accounts

Last updated: February 03, 2024

Introduction

Managing resources across multiple AWS accounts can greatly enhance your infrastructure’s security and efficiency. Terraform, an open-source infrastructure as code software tool created by HashiCorp, allows you to safely and predictably create, change, and improve infrastructure. In this tutorial, you will learn how to leverage Terraform to work with multiple AWS accounts, facilitating a more organized, scalable, and security-conscious infrastructure setup.

Before diving into the multi-account architecture, ensure you have Terraform and AWS CLI installed and configured. This tutorial assumes you have basic knowledge of both.

Understanding Terraform’s AWS Provider

The first step in managing multiple AWS accounts is to understand how the Terraform AWS provider works. It allows you to declare AWS resources in configuration files that Terraform can manage. You can specify an AWS account by using the provider block with your AWS access keys or using environment variables.

provider "aws" {
  region     = "us-east-1"
  access_key = "YOUR_ACCESS_KEY_HERE"
  secret_key = "YOUR_SECRET_KEY_HERE"
}

Using AWS AssumeRole for Multiple Accounts

The assume_role argument within the AWS provider block enables Terraform to assume an IAM role in another AWS account. This is crucial for managing resources across accounts without hardcoding credentials.

provider "aws" {
  region     = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SessionName"
  }
}

This configuration tells Terraform to assume the specified IAM role in the other account, allowing it to manage resources without directly providing access keys.

Structuring Terraform Configuration for Multi-Account Setups

Organizing your Terraform configurations is key in a multi-account setup. One common approach is using separate directories for each account or environment. This keeps your configurations clear and organized.

Example Directory Structure

./terraform
├── prod
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
└── dev
    ├── main.tf
    ├── variables.tf
    └── outputs.tf

Each directory represents a different AWS account or environment (prod, dev, etc.).

Using Workspaces for Environment Separation

Terraform workspaces allow you to manage state files separately for different environments. This is ideal for using the same configuration across multiple accounts/environments by switching the workspace.

terraform workspace new dev
terraform workspace select dev

After selecting the correct workspace, all Terraform operations apply to that workspace, letting you apply the same configuration across different environments with minimal changes.

Advanced: Centralizing State Management

For advanced users, managing state files in a centralized S3 bucket can further improve your multi-account strategy. This setup allows you to consolidate state management and leverage features like state locking and versioning for enhanced security and collaboration.

terraform {
  backend "s3" {
    bucket = "my-terraform-state-bucket"
    key    = "path/to/my/key"
    region = "us-east-1"
    profile = "default"
  }
}

This configuration specifies the S3 bucket where Terraform will store its state files. You’ll need to set up this bucket in an account that’s accessible to all other accounts, typically through IAM roles and policies.

Managing Multiple Configuration Versions

To handle different configurations or Terraform versions across accounts, you can use version pinning in your provider blocks. This ensures that you’re always using the correct version of the provider for each specific environment.

provider "aws" {
  version = "~> 2.0"
  ...
}

Version pinning makes your infrastructure more predictable and stable across different deployments.

Conclusion

Managing multiple AWS accounts with Terraform doesn’t have to be daunting. By understanding core concepts such as the AWS provider, leveraging AssumeRole, organizing configurations efficiently, and utilizing workspaces, you can maintain a versatile and secure multi-account infrastructure. With this knowledge, you’re well on your way to mastering Terraform’s capabilities across several AWS environments.

Next Article: Terraform: How to work with multiple different cloud providers

Previous Article: Terraform: How to work with multiple AWS regions and availability zones

Series: Terraform Tutorials

DevOps

You May Also Like

  • How to reset Ubuntu to factory settings (4 approaches)
  • Making GET requests with cURL: A practical guide (with examples)
  • Git: What is .DS_Store and should you ignore it?
  • NGINX underscores_in_headers: Explained with examples
  • How to use Jenkins CI with private GitHub repositories
  • Terraform: Understanding State and State Files (with Examples)
  • SHA1, SHA256, and SHA512 in Terraform: A Practical Guide
  • CSRF Protection in Jenkins: An In-depth Guide (with examples)
  • Terraform: How to Merge 2 Maps
  • Terraform: How to extract filename/extension from a path
  • JSON encoding/decoding in Terraform: Explained with examples
  • Sorting Lists in Terraform: A Practical Guide
  • Terraform: How to trigger a Lambda function on resource creation
  • How to use Terraform templates
  • Understanding terraform_remote_state data source: Explained with examples
  • Jenkins Authorization: A Practical Guide (with examples)
  • Solving Jenkins Pipeline NotSerializableException: groovy.json.internal.LazyMap
  • Understanding Artifacts in Jenkins: A Practical Guide (with examples)
  • Using Jenkins with AWS EC2 and S3: A Practical Guide