Lots of people deploying services in the cloud use a script to assume roles in their different AWS accounts. Having multiple projects in different accounts, or deploying one project to several accounts at once (e.g. deploying an AWS IAM role to the dev/test/prod accounts), doesn't make it easier.
To simplify this process I created terraless. It is a wrapper around terraform with assume-role capabilities.
Terraless uses a global and a project config. In the global config you can define common roles and accounts that you use in multiple projects.
In the project config you can define which global profiles to use and also special configuration for the project.
If you have docker installed, you can test terraless with:
docker run -ti --entrypoint bash odaniait/terraless
The terraless.yml is looked up in different paths. The easiest is to put it in the ".terraless" directory in your home folder. Here is an example:
---
Teams:
  - Name: MyTeam
    Data:
      profile: base-profile-name
      intermediate-profile: my-team-session
      mfa-device: arn:aws:iam::ACCOUNT:mfa/MFA-USER
    Providers:
      - Type: aws
        Name: my-team-development
        Data:
          accountId: 'AWS-ACCOUNT-ID'
          region: eu-central-1
        Roles:
          - developer
Plugins:
  - Name: terraless-provider-aws
Here is the terraless-project.yml:
---
Settings:
  AutoSignIn: true
  NoProviderGeneration: true
ActiveProviders:
  - Team: MyTeam
    Providers:
      - Type: global
        Name: my-team-development
        Data:
          role: developer
ProjectName: my-awsome-project
For information about the loaded plugins and configuration use:
For authentication use:
terraless auth
This will use the AWS profile "base-profile-name", which needs to be set up already in your .aws/credentials. You can change it to any profile you like.
It will then ask for an MFA token for the provided ARN. It uses the profile and the MFA token to retrieve new AWS credentials and stores them in your .aws/credentials file under the profile "my-team-session".
After that it uses the profile "my-team-session" to create new AWS credentials for "my-team-development-developer". These are also stored in your .aws/credentials file.
You can now add additional accounts if you like.
You can authenticate against a single provider with the "--auth-provider" flag:
terraless auth --auth-provider Team:Provider-Name:Data
Data format: key1=value:key2=value
e.g.: terraless auth --auth-provider MyTeam:my-team-development:role=developer
This command can be run in any directory if the provider is defined in the global config.
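As an added example (not terraless's own code), the two-hop credential chain described above, plus a parser for the --auth-provider spec: an MFA-protected session token on the base profile is stored as the intermediate profile, then that session assumes the role in the provider's account and the result is stored as "<provider>-<role>". The role ARN layout, the sts_factory hook, the function names and the sample account id are my assumptions.

```python
# Constructed sample mirroring the terraless.yml above; the account id is a placeholder.
GLOBAL_CONFIG = {"Teams": [{
    "Name": "MyTeam",
    "Data": {"profile": "base-profile-name", "intermediate-profile": "my-team-session",
             "mfa-device": "arn:aws:iam::123456789012:mfa/MFA-USER"},
    "Providers": [{"Type": "aws", "Name": "my-team-development",
                   "Data": {"accountId": "123456789012", "region": "eu-central-1"},
                   "Roles": ["developer"]}]}]}

def parse_auth_provider(spec):
    """Parse 'Team:Provider-Name:key1=value:key2=value' into (team, provider, {key: value})."""
    team, provider, *pairs = spec.split(":")
    return team, provider, dict(pair.split("=", 1) for pair in pairs)

def store_profile(creds, name, c):
    """Write one named profile into `creds` (a dict or a configparser for ~/.aws/credentials)."""
    creds[name] = {"aws_access_key_id": c["AccessKeyId"],
                   "aws_secret_access_key": c["SecretAccessKey"],
                   "aws_session_token": c["SessionToken"]}

def assume_chain(sts_factory, team, provider, role, mfa_token, creds):
    """Hop 1: MFA session token on the base profile -> intermediate profile.
    Hop 2: assume <role> in the provider account with that session -> '<provider>-<role>'.
    sts_factory(profile=None, creds=None) returns an STS client (hypothetical hook, so it can be faked)."""
    if role not in provider.get("Roles", []):
        raise ValueError("role %r not declared for provider %s" % (role, provider["Name"]))
    base = sts_factory(profile=team["Data"]["profile"])
    session = base.get_session_token(SerialNumber=team["Data"]["mfa-device"],
                                     TokenCode=mfa_token)["Credentials"]
    intermediate = team["Data"]["intermediate-profile"]
    store_profile(creds, intermediate, session)
    # Assumed layout of the role ARN: the role name under the provider's account.
    role_arn = "arn:aws:iam::%s:role/%s" % (provider["Data"]["accountId"], role)
    assumed = sts_factory(creds=session).assume_role(
        RoleArn=role_arn, RoleSessionName=intermediate)["Credentials"]
    target = "%s-%s" % (provider["Name"], role)
    store_profile(creds, target, assumed)
    return intermediate, target

def boto_sts(profile=None, creds=None):
    """Real STS clients through boto3 (imported lazily so the module loads without it)."""
    import boto3
    if creds is None:
        return boto3.Session(profile_name=profile).client("sts")
    return boto3.client("sts", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])
```

With real credentials, pass boto_sts as sts_factory and a configparser.ConfigParser() that has read ~/.aws/credentials as creds, then write it back; the second hop never sees the base profile's long-lived keys.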
You can find additional information on https://github.com/Odania-IT/terraless