Open nitrocode opened 2 years ago
Docs on how to create this https://github.com/cloudposse/terraform-aws-components/tree/master/modules/vpc-peering
It would be nice if a submodule created the IAM role that `accepter_aws_assume_role_arn` points to.
accepter_aws_assume_role_arn
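# Accepter-side IAM role for cross-account VPC peering.
#
# The role is assumed from the requester account and is limited to the EC2
# actions needed to accept, tag, route and tear down a peering connection.
# Write actions are scoped to resources in the accepter account
# (var.accepter_account); only Describe*-style calls use "*".

locals {
  # NOTE(review): not referenced in this file — the policy below scopes
  # resources with var.accepter_account instead. Confirm whether the rest of
  # the module uses local.account_id before removing it (or switch the policy
  # to it so the account id is derived rather than passed in).
  account_id = data.aws_caller_identity.current.account_id
}

data "aws_caller_identity" "current" {}

# Permissions granted once the role is assumed. Each statement has a Sid so
# policy diffs, CloudTrail and Access Analyzer findings can be matched to a
# specific grant instead of an anonymous "" statement.
data "aws_iam_policy_document" "vpc_peering" {
  # Route changes are limited to route tables owned by the accepter account.
  statement {
    sid       = "ManageAccepterRoutes"
    effect    = "Allow"
    resources = ["arn:aws:ec2:*:${var.accepter_account}:route-table/*"]
    actions = [
      "ec2:CreateRoute",
      "ec2:DeleteRoute",
    ]
  }

  # The Describe* calls do not support resource-level permissions, so "*" is
  # unavoidable here. NOTE(review): ec2:ModifyVpcPeeringConnectionOptions is
  # the only mutating action in this statement; if it supports scoping to the
  # vpc-peering-connection ARN in your account, move it to the statement below.
  statement {
    sid       = "DescribePeeringResources"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:DescribeVpcPeeringConnections",
      "ec2:DescribeVpcs",
      "ec2:ModifyVpcPeeringConnectionOptions",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcAttribute",
      "ec2:DescribeRouteTables",
    ]
  }

  # Lifecycle of the peering connection itself, scoped to the accepter's
  # VPCs and peering connections.
  statement {
    sid    = "ManagePeeringConnection"
    effect = "Allow"
    resources = [
      "arn:aws:ec2:*:${var.accepter_account}:vpc-peering-connection/*",
      "arn:aws:ec2:*:${var.accepter_account}:vpc/*",
    ]
    actions = [
      "ec2:AcceptVpcPeeringConnection",
      "ec2:DeleteVpcPeeringConnection",
      "ec2:CreateVpcPeeringConnection",
      "ec2:RejectVpcPeeringConnection",
    ]
  }

  # Tagging is restricted to peering connections; no other EC2 resource type
  # can be tagged or untagged with this role.
  statement {
    sid       = "TagPeeringConnection"
    effect    = "Allow"
    resources = ["arn:aws:ec2:*:${var.accepter_account}:vpc-peering-connection/*"]
    actions = [
      "ec2:DeleteTags",
      "ec2:CreateTags",
    ]
  }
}

# The role the requester account assumes (this is what
# accepter_aws_assume_role_arn refers to).
resource "aws_iam_role" "vpc_peering" {
  # NOTE(review): a fixed name means a second instance of this module in the
  # same account fails with an EntityAlreadyExists error; consider exposing
  # the name (or a name prefix) as an input if the module is reused.
  name = "vpc-peering-role"

  # Trusting the requester account's ":root" delegates the decision of *who*
  # may assume this role to that account's IAM: any principal there that is
  # granted sts:AssumeRole on this role's ARN can use it. If the requester
  # side always runs as a known role, narrow the principal to that role ARN.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = "AllowRequesterAccountAssumeRole"
        Principal = {
          AWS = [
            "arn:aws:iam::${var.requester_account}:root",
          ]
        }
      },
    ]
  })
}

# Attach the permissions above as an inline policy on the role.
resource "aws_iam_role_policy" "vpc_peering" {
  name   = "vpc-peering-policy"
  role   = aws_iam_role.vpc_peering.id
  policy = data.aws_iam_policy_document.vpc_peering.json
}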
Describe the Feature
Docs on how to create this https://github.com/cloudposse/terraform-aws-components/tree/master/modules/vpc-peering
It would be nice if a submodule created the IAM role that `accepter_aws_assume_role_arn` points to.