Github Actions with OIDC roles to deploy the resource (terraform) while accessing to the remote state file in a different AWS account S3 bucket

Question

I'm almost a newbie with AWS/Terraform/Github Action and I need your helps ..

We have two AWS accounts,

• A is for storing the remote tfstate file in S3 bucket
• B is for deploying the resources

I need to

• deploy the resources (written in Terraform) to account A
• by using github action and OIDC
• and at the same time, github action needs to access Account B for remote tfstate file

What I've done so far is like below and it worked well.

• I created a role with oidc in account B for resource deployment and configured the credential in workflow.
• I created backend file to store tfstate in s3 bucket in account B

But now I don't know how to set the role with oidc in backend file to allow github Action to access to account A for a remote state file while deploying resources in account B. I found this case but it didn't work for me. Github-Actions - Making OIDC Role to assume IAM Role within Terraform backend Workflow

Can anybody please help me to implement this requirement? (FYI, Github action settings is blocked by organization.) As I'm quite new with these topics, a guide like for babies would be very appreciated.

Thank you in advance!

Answer 1

I'm not sure I understand the requirement properly, but as far I see you don't have access to one of the accounts.

This could be because you only have one OIDC provider, and probably not in the proper account.

I did not try this myself, but my logic suggests, that you need the OIDC provider in the account where your statefile resides. This would be your base connection, this will be used for reaching your statefile. (dont forget to allow this webidentity user to access the s3 with the proper S3 policies)

Then you should have a second provider:

provider "aws" {
  alias  = "deployment"
  region = var.region

  assume_role {
    role_arn = "arn:aws:iam::${local.account_id}:role/Terraform"
  }
}

And you could use that provider when calling a module:

module "stuff" {
  source    = "../modules/stuff/"
  providers = { aws = aws.deployment }

...
}

---

Of course, you could try differently, so your base connection would be the role in the deployment account, and giving by S3 bucket policies access to the role in the deployment account. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTerraformRole",
            "Effect": "Allow",
            "Principal": {
                "AWS":"arn:aws:iam::111122223333:role/Terraform"
            },
            "Action": ["s3:*"],
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}

This is just an example! in your policy you should do very strict and proper rules!

Notice: with the principal configuration, it is possible you need sts instead of iam!

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html