I have set up a new AWS account and enabled organizations and Identity Center. Within this, I have created a test account as a sandbox for now. Also, we currently have one existing separate AWS account with all our infra there.
I have set up one IAM user for terraform in the new management account, and added it to a group which has a policy that allows it to assume a role in any other account having a name like 'terraform*'. In my test account, I've created a role called 'terraform', and allowed any user from the management account with a name like 'terraform*' to assume this role.
I am able to then use the IAM user from the management account to perform actions on the test account via the CLI using the assumed role. What I am not clear on is that in Terraform I need the following:
- Backend should use a profile that writes to S3 in my existing AWS account since all our state and infra is there already.
- Use credentials from my new management account's IAM user to get a token to access the new sandbox account.
- Use the temporary credentials from 2 above to have terraform create infra in the sandbox account.
It seems at most you can configure a backend in a separate account, and then in your provider section define an 'assume_role' block, but I'm not sure how to manage passing the IAM user credentials to be used to then assume that role. Or whether this is possible to do in a CI/CD scenario as well?
If there is another way to do this, please let me know, for both a manual and CICD use case.
EDIT: I also wanted to ask how you guys are managing access to different accounts. If you use the 'assume_role' in the aws provider of your TF script, then this would have to be different for every account you want to run the script in. Is there a simple way to manage this?
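The three requirements in the post (state in the existing account, management-account user credentials, AssumeRole into the sandbox) map onto one Terraform configuration. The block below is an added example, not code from the original post or any project; every bucket name, region, account ID and profile name in it is a placeholder, and the `terraform` role name is the one the post describes. The backend `profile` and the provider `profile` are deliberately different entries in `~/.aws/config`, which is what keeps the state credentials separate from the deployment credentials.

```hcl
# Added example, not from the original post. All names below are placeholders.

terraform {
  required_version = ">= 1.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # Requirement 1: state stays in the existing infra account.
  # A dedicated profile means backend access never depends on whatever
  # credentials the provider happens to be using.
  backend "s3" {
    bucket         = "EXAMPLE-tfstate-bucket"   # placeholder, bucket in the existing account
    key            = "sandbox/terraform.tfstate"
    region         = "eu-west-1"                # placeholder
    profile        = "existing-infra"           # placeholder profile for the existing account
    encrypt        = true
    dynamodb_table = "EXAMPLE-tfstate-lock"     # placeholder, used for state locking
  }
}

# Which member account to deploy into. Passing the account ID instead of
# hard-coding a role ARN lets the same code target any account that has a
# 'terraform' role:  terraform plan -var target_account_id=222222222222
variable "target_account_id" {
  type        = string
  description = "Member account in which the 'terraform' role is assumed"
}

variable "mgmt_profile" {
  type        = string
  default     = "mgmt-terraform" # placeholder profile holding the management-account IAM user keys
}

provider "aws" {
  region  = "eu-west-1"      # placeholder
  profile = var.mgmt_profile # Requirement 2: management-account IAM user credentials

  # Requirement 3: STS AssumeRole into the sandbox. Terraform uses the
  # resulting temporary credentials for every resource under this provider.
  assume_role {
    role_arn     = "arn:aws:iam::${var.target_account_id}:role/terraform"
    session_name = "terraform-${var.target_account_id}" # shows up in the target account's CloudTrail
  }
}

# Sanity check before creating anything: the identity Terraform actually runs
# as should be the assumed role in the target account, not the management user.
data "aws_caller_identity" "current" {}

output "deploying_as" {
  value = data.aws_caller_identity.current.arn
}
```

Two things to keep in mind with this layout. The `backend` block cannot reference variables, so if the state bucket or profile needs to vary per environment, pass them with `terraform init -backend-config=...` rather than editing the file. For CI/CD, drop `profile` from the provider (keep it on the backend) and let the runner supply the management-account user's keys through the standard `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` environment variables; the `assume_role` block then works unchanged, and the `session_name` gives the target account a recognisable principal to audit and alert on.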