kz8s / tack

Terraform module for creating Kubernetes cluster running on Container Linux by CoreOS in an AWS VPC
MIT License

using AWS organisations/delegate accounts #164

Open lukeab opened 7 years ago

lukeab commented 7 years ago

When you set up AWS consolidated billing, or what is now AWS Organisations, the aws tool uses an IAM user in the root account to assume a role in the subaccount. So you need to identify this in the ~/.aws/config file. However terraform doesn't read the config, only the credentials file. So you have to tell terraform's aws provider to use the root account, but assume the role in the delegate account using its account-id. So your aws provider block would look like:

```hcl
aws = {
  account-id = 121212121212
  profile = "root-acc"
  role_arn = "arn:aws:iam::121212121212:role/root-acc-administrator"
  azs = ...etc
}
```

Modifying the init-variables script to use some env vars would solve this. I will submit a PR and link it to this to explain and start an enhancement proposal.
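The cross-account setup described above, expressed as a plain Terraform AWS provider configuration rather than the tack variable block (an added example, not code from the tack project or the issue author). The account id and role name are the placeholders from the comment; the region, session name and output block are assumptions, and the precondition is there so a plan fails fast if the assumed identity lands in the wrong account.

```hcl
# Placeholder member (delegate) account id taken from the issue.
variable "delegate_account_id" {
  description = "AWS account that owns the cluster resources"
  default     = "121212121212"
}

# Credentials come from the IAM user in the management ("root") account,
# read from the named profile in ~/.aws/credentials. The provider then
# assumes the administrator role in the delegate account.
provider "aws" {
  region  = "eu-west-1"   # assumption
  profile = "root-acc"

  assume_role {
    role_arn     = "arn:aws:iam::${var.delegate_account_id}:role/root-acc-administrator"
    # The session name is recorded in CloudTrail, so each Terraform run is
    # attributable to this automation rather than an anonymous role session.
    session_name = "terraform-tack"
  }
}

# Identity actually in use after the role assumption.
data "aws_caller_identity" "current" {}

# Guard: refuse to apply if the provider did not end up in the delegate account
# (for example, if the profile silently fell back to the root account).
output "effective_account_id" {
  value = data.aws_caller_identity.current.account_id

  precondition {
    condition     = data.aws_caller_identity.current.account_id == var.delegate_account_id
    error_message = "Terraform is not operating in the expected delegate account."
  }
}
```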

lukeab commented 7 years ago

I've tested my branch and it works with an organisation account now. I will still have to test it with a standalone account, and see if it handles normal operation.