Are there any good examples of cross-account deployments using the same terraform script?


Question

Based on this comment I wanted to give @Davos the opportunity to supply his answer to this question:

can you point at a good example of this (cross) account deployment setup? I am using the .aws/config and ./aws/credentials entries of another account, and specifying AWS_PROFILE=dev_admin for example, but resource owners are still showing as the main org's Management Account #. I've had no luck with the provider "profile" either...

Answer

I'm not aware of any kind of comprehensive tutorial for cross-account deployment.

The AWS Terraform provider has options such as profile, where we can specify which profile should be used from our ~/.aws/config file. Moreover, the provider can have an assume_role, in which case a certain role will be assumed to create resources, although this is necessary only if we want to use the same user and assume a role in another account.

We can have multiple providers in the same project. Each provider can use credentials for different users in different accounts. Each resource can specify which provider to use, so it will be provisioned in that specific account.

Bringing this all together, we can have the following example:

~/.aws/credentials file:

[default]
aws_access_key_id=ACCESS_KEY
aws_secret_access_key=SECRET_KEY

[user1]
aws_access_key_id=ACCESS_KEY
aws_secret_access_key=SECRET_KEY

~/.aws/config file:

[default]
region=us-west-1
output=json

[profile user1]
region=us-east-1
output=text

Terraform code:

# Default provider, it will use the credentials for the default profile and it will provision resources in the default account
provider "aws" {
  region = "us-west-1"
}

# Provider for another account, it will use the credentials for profile user1 and it will provision resources in the secondary account
provider "aws" {
  alias   = "account1"
  region  = "us-east-1"
  profile = "user1"
}

# No provider is explicitly specified, this will use the default provider
# It will be deployed in the default account
resource "aws_vpc" "default_vpc" {
  cidr_block = "10.0.0.0/16"
}

# Provider is explicitly specified, so this will go into secondary account
resource "aws_vpc" "another_vpc" {
  provider = aws.account1
  cidr_block = "10.0.0.0/16"
}

Obviously, the state will be kept in a single place, which can be a bucket in any of the accounts.
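The answer mentions the assume_role path but its example only uses profiles, and the questioner's actual symptom is that resources land in the management account without Terraform saying so. The following configuration, an added example that is not part of the answer above, shows the second provider assuming a role in a workload account, the state kept in one S3 bucket, and a precondition that makes the plan fail if the aliased provider still resolves to the management account. The account IDs, the role name TerraformDeploy, the bucket name and the variable workload_account_id are placeholders chosen for this example.

```hcl
# Added example, not from the original answer. All account IDs, the role
# name, the bucket name and the variable below are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }

  # One state location for every account the configuration touches.
  backend "s3" {
    bucket  = "EXAMPLE-tfstate-bucket" # placeholder
    key     = "cross-account/terraform.tfstate"
    region  = "us-west-1"
    profile = "default"
    encrypt = true
  }
}

# Expected 12-digit ID of the workload account (placeholder value).
variable "workload_account_id" {
  type    = string
  default = "222222222222"
}

# Default provider: credentials of the default profile (management account).
provider "aws" {
  region = "us-west-1"
}

# Second provider: same credentials, but every call is made after assuming
# a role in the workload account. The role's trust policy decides who may
# assume it, and its permissions bound what Terraform can do there.
provider "aws" {
  alias  = "workload"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::${var.workload_account_id}:role/TerraformDeploy" # placeholder
    session_name = "terraform"
  }
}

# Ask each provider who it actually is, so the plan output states which
# account a provider resolves to instead of leaving it to guesswork.
data "aws_caller_identity" "management" {}

data "aws_caller_identity" "workload" {
  provider = aws.workload
}

resource "aws_vpc" "management_vpc" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc" "workload_vpc" {
  provider   = aws.workload
  cidr_block = "10.1.0.0/16"

  # Stop the apply if the aliased provider is silently using the
  # management account (the situation described in the question).
  lifecycle {
    precondition {
      condition     = data.aws_caller_identity.workload.account_id == var.workload_account_id
      error_message = "Provider aws.workload does not resolve to the expected workload account; check the assumed role and credential precedence."
    }
  }
}

output "management_account_id" {
  value = data.aws_caller_identity.management.account_id
}

output "workload_caller_arn" {
  value = data.aws_caller_identity.workload.arn
}
```

After `terraform plan`, the two outputs show which principal each provider is operating as; the assumed-role ARN should appear in workload_caller_arn. Note that environment variables such as AWS_ACCESS_KEY_ID take precedence over a profile selected with AWS_PROFILE or the provider's profile argument, which is a common reason for a provider resolving to an unexpected account.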
