How to create an IAM Role in AWS using Terraform

In this article we will see how to create an IAM Role. Before proceeding, I assume that you are familiar with the basics of Terraform and AWS IAM Roles. If you want to learn more about IAM Roles then click here. In this article we will create a role and assign it administrator's permissions. 

Pre-requisites

  1. Basic understanding of Terraform.
  2. Terraform installed on your system.
  3. AWS Account (Create if you don’t have one).
  4. 'access_key' & 'secret_key' of an AWS IAM User. (Click here to learn to create an IAM user with 'access_key' & 'secret_key' on AWS, )

What we will do

  1. Write Terraform configuration files for creating an IAM Role.
  2. Create an IAM Role using the Terraform configuration files.
  3. Delete the created IAM Role using Terraform.

Write Terraform configuration files for IAM Role

Create a dedicated directory where you can create terraform configuration files.

Use the following command to create a directory and change your present working directory to it.

mkdir terraform
cd terraform/

 I am using "vim" as an editor to write in files, you can use an editor of your choice and copy paste the following configurations to create variables.tf, terraform.tfvars and  main.tf

 

Create 'main.tf' which is responsible to create an IAM Role  on the AWS. This main.tf will read values of variables from variables.tf and terraform.tfvars.

vim main.tf

provider "aws" {
      region     = "${var.region}"
      access_key = "${var.access_key}"
      secret_key = "${var.secret_key}"
}
data "aws_iam_policy_document" "cross_account_assume_role_policy" {
  statement {
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = var.principal_arns
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "cross_account_assume_role" {
  name               = var.name
  assume_role_policy = data.aws_iam_policy_document.cross_account_assume_role_policy.json
}

resource "aws_iam_role_policy_attachment" "cross_account_assume_role" {
  count = length(var.policy_arns)

  role       = aws_iam_role.cross_account_assume_role.name
  policy_arn = element(var.policy_arns, count.index)
}

Meaning of the arguments used in the above configuration:

  • assume_role_policy - (Required) The policy that grants an entity permission to assume the role.
  • policy_arn (Required) - The ARN of the policy you want to apply

Create 'variables.tf' which contains the declaration and definition of the variables.

Here, 

"principal_arns" variable holds the AWS Account Number which is to be allowed to assume use this role. You can even pass a list of Account Numbers here.

"policy_arns" variable holds the ARN of the policy which we need to attach to the Role we will be creating. You can even pass a list of Policy ARNs here.

vim variables.tf

variable "access_key" {
     description = "Access key to AWS console"
}
variable "secret_key" {
     description = "Secret key to AWS console"
}
variable "region" {
     description = "Region of AWS VPC"
}
variable "name" {
  default = "myrole"
  type        = "string"
  description = "The name of the role. "
}
variable "principal_arns" {
  default = ["123456789012"]
  type        = list(string)
  description = "ARNs of accounts, groups, or users with the ability to assume this role."
}

variable "policy_arns" {
  default = ["arn:aws:iam::aws:policy/AdministratorAccess"]
  type        = list(string)
  description = "List of ARNs of policies to be associated with the created IAM role"
}

Once you have created 'variables.tf', do not forget to change values assigned to variables. You must change the values highlighted as these are specific to my environment. You can keep the rest variables as is. If you do not want to assign the admin access to the role you are creating you can change it by defining the Policy ARN of your policy of choice.

Create 'terraform.tfvars' which contains the definition of access_key and secret_key variables defined in the above file. We have kept the declaration of these 2 variables in 'terraform.tfvars' file along with region.

For creating an IAM Role we do not specifically need a particular region,  I have just kept this variable here so that you can have an understanding of this region variable and you can use it in your other resource creation files.

The following keys need to be changed with the keys of your IAM user. Before specifying these keys, you need to create them from the AWS Console and do not share these keys with anyone. 

vim terraform.tfvars

region = "eu-west-3"
access_key = "AKIAQ6GAIA5XFLXF6HOV"
secret_key = "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"

Now, you should have 3 files, viz, variables.tf, terraform.tfvars and  main.tf

Create an IAM Role using the Terraform configuration files

Before you execute the following commands make sure you have configured the valid access_key and secret_key.

The  first command to be used is 'terraform init'. This command downloads and installs plugins for providers used within the configuration. In our case it is AWS.

 terraform init

The second command to be used is 'terraform plan'. This command is used to see the changes that will take place on the infrastructure.

 terraform plan

'terraform apply' command will create the resources on the AWS mentioned in the main.tf file. You will be prompted to provide your input to create the resources.

terraform apply

When you execute the above command, upon successful completion, you can see that new resource have been added and 0 has been destroyed.

You can go to the AWS IAM console under Role to verify if the IAM Role is created or not.

Delete the created IAM Role using Terraform

If you no longer require resources you created using the configuration mentioned in the main.tf file, You can use the "terraform destroy" command to delete all those resources.

terraform destroy

Conclusion

In this article we saw the steps to create an IAM Role with administrator privileges. We also saw how the IAM Role can be deleted in just one command.

Share this page:

0 Comment(s)