Managing Multiple Environments On AWS
Managing multiple environments and defining access policies are both important. Access is easiest to manage when each environment lives in its own AWS account. Each environment should have an identical infrastructure architecture and should follow GitOps. Tools like Terraform make this practical: the infrastructure is managed as code, and Git makes infrastructure changes more agile.
Let's take a simple scenario:
- the application has three environments: testing, staging and production
- the developer has power-user access to testing and read-only access to the staging infrastructure
We can achieve this with a simple Terraform setup.
First, define the backend for Terraform. The `s3` backend requires a `key`; with workspaces, each environment's state is stored under `env:/<workspace>/<key>`, so one bucket holds the state of all three environments.
```hcl
terraform {
  required_version = ">= 0.12"

  backend "s3" {
    bucket = "multi-account-tf-states"
    # Required by the s3 backend; workspaces are prefixed automatically.
    key    = "terraform.tfstate"
    region = "us-west-1"
  }
}
```
The AWS provider needs to be defined. We use a single region for simplicity. The `assume_role` block specifies the role Terraform assumes to connect to the target account.
```hcl
provider "aws" {
  region  = "us-west-1"
  version = "~> 2.23"

  # Terraform calls sts:AssumeRole into the account selected by the workspace.
  assume_role {
    role_arn     = "arn:aws:iam::${local.account_id}:role/deployer"
    session_name = "deployer"
  }
}
```
The account ID is derived from the current workspace in the locals file, so `terraform workspace select testing` is all it takes to target the testing account.
```hcl
locals {
  # One AWS account per environment; the workspace name selects the account.
  account_ids = {
    production = "123456789123",
    staging    = "123456789124",
    testing    = "123456789125"
  }
  account_id = local.account_ids[terraform.workspace]
}
```
Add a policy to the deployer user that allows it to assume the deployer role in every account.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::123456789123:role/deployer",
      "arn:aws:iam::123456789124:role/deployer",
      "arn:aws:iam::123456789125:role/deployer"
    ]
  }
}
```
Create trust relationships on the deployer role in the staging and testing accounts that trust the deployer user of the production account.
Finally, create the policies and attach them to the deployer role.
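The following is an added example, not code from the original post, showing how the last two steps could be written in Terraform for one member account: a trust policy that lets only the production account's deployer user assume the `deployer` role, and a managed policy attached according to the environment (power user in testing, read-only in staging, as in the scenario above). It assumes the `environment` and `production_account_id` variables, is applied once per account with account-local administrator credentials (the deployer role cannot create itself), and the account ID is the constructed sample value from this post.

```hcl
# Added example: bootstrap the "deployer" role in one member account.
# Applied once per account with local admin credentials; assumed variables.

variable "environment" {
  description = "Environment hosted by this account: testing, staging or production"
  type        = string
}

variable "production_account_id" {
  description = "Account holding the deployer IAM user (sample value from the post)"
  type        = string
  default     = "123456789123"
}

locals {
  # Managed policy granted per environment, following the scenario:
  # power-user access in testing, read-only in staging.
  deployer_policy_arn = {
    testing = "arn:aws:iam::aws:policy/PowerUserAccess"
    staging = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }
}

# Trust policy: only the deployer user in the production account may assume
# this role. No wildcard principal, so no other account or user qualifies.
data "aws_iam_policy_document" "deployer_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.production_account_id}:user/deployer"]
    }
  }
}

resource "aws_iam_role" "deployer" {
  name                 = "deployer"
  assume_role_policy   = data.aws_iam_policy_document.deployer_trust.json
  # Cap the assumed session so it cannot outlive a deployment window.
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "deployer" {
  role = aws_iam_role.deployer.name
  # Environments not listed in the map (e.g. production) fall back to
  # read-only; grant anything broader explicitly rather than by default.
  policy_arn = lookup(
    local.deployer_policy_arn,
    var.environment,
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
  )
}
```

Apply it with `terraform apply -var environment=testing` (or `staging`) using credentials local to that account; afterwards the workspace-driven provider configuration from the post can assume the role. The `lookup` default is deliberate: an environment that is missing from the map gets read-only access rather than failing open. If the credential flow supports MFA on `sts:AssumeRole`, a `condition` on `aws:MultiFactorAuthPresent` in the trust statement would further limit what a leaked long-lived access key can do.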
Happy DevOps’ing