Create an iam role under specific aws account using terraform - amazon-web-services

I'm really new to terraform and have been stuck on this for a while.
So I'm using an external module which creates an aws_iam_role and also corresponding policies. In my terraform code, I just use the following code to create the module but how can I make sure the roles are created under specific aws account? I have multiple aws accounts right now but I just want the external module to be in one of them. The account id for the target aws account is known. Thanks!
module "<external_module>" {
  source = "git::..."
  ...
}
Thanks!
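The usual way to pin a module's resources to one account is to give the module its own aliased AWS provider and, as a guardrail, restrict that provider to the intended account id. The configuration below is an added example and not code from the question or from the external module; the account id, role name, region and the `aws.target` alias are placeholders, and it assumes the module consumes the default `aws` provider name.

```hcl
# Added example (not the question's own code): route the module's aws_* resources
# through a provider that can only ever act in the target account.

provider "aws" {
  alias  = "target"
  region = "us-east-1"                 # placeholder region

  # Assume a deployment role in the target account; the credentials in the
  # environment then only need sts:AssumeRole on this one ARN.
  assume_role {
    role_arn = "arn:aws:iam::<TARGET_ACCOUNT_ID>:role/TerraformDeploy"   # placeholder
  }

  # Guardrail: plan/apply fails immediately if the resolved credentials belong
  # to any other account, so the roles cannot be created in the wrong place.
  allowed_account_ids = ["<TARGET_ACCOUNT_ID>"]
}

module "external_module" {
  source = "git::..."                  # as in the question

  # Every resource inside the module that uses the default "aws" provider
  # is now created with the aliased, account-pinned provider.
  providers = {
    aws = aws.target
  }
}

# Surface the account the provider actually resolved, for a quick check in output.
data "aws_caller_identity" "target" {
  provider = aws.target
}

output "target_account_id" {
  value = data.aws_caller_identity.target.account_id
}
```

If the module declares its own `required_providers` with a different local name, the key in the `providers` map must match that name instead of `aws`.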

Related

GCP inter-project IAM with terraform

I'm new to GCP and terraform, I need some explanation about the topic in the title.
My problem:
I have 2 (or more) GCP projects under the same organization.
I want a cloud run from project A to write on a bucket in project B.
I have two terraform projects, one for each GCP project.
My question is: how can I make things work?
Thanks in advance.
I created the bucket in project B.
I created the cloud run in project A.
I created a service account in project A for the cloudrun.
In project B I created the binding, but something is not clear to me...
Add this to your project's B terraform:
resource "google_storage_bucket_iam_member" "grant_access_to_sa_from_project_a_to_this_bucket" {
  provider = google
  bucket   = "<my_project_b_bucket_name>"
  role     = "roles/storage.objectViewer"
  member   = "serviceAccount:my_service_account@project_a.iam.gserviceaccount.com"
}
Specify the role according to what you need. The list of the GCS roles is here.
The docs of gcs buckets IAM policies are here.
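To show the two halves of the grant together, here is an added example (not the answer's own code) with one `google` provider alias per project: the service account is created in project A and the bucket-scoped binding is made in project B. Project ids, the bucket name and the account id are placeholders; because the question says the Cloud Run service should write, the role used is `roles/storage.objectCreator` rather than `objectViewer`.

```hcl
# Added example: cross-project bucket access for a Cloud Run service account.

provider "google" {
  alias   = "project_a"
  project = "<project-a-id>"   # placeholder
}

provider "google" {
  alias   = "project_b"
  project = "<project-b-id>"   # placeholder
}

# Dedicated runtime identity for the Cloud Run service, owned by project A.
# Attach it to the service via the Cloud Run template's service_account field.
resource "google_service_account" "cloud_run" {
  provider     = google.project_a
  account_id   = "cloud-run-writer"
  display_name = "Cloud Run bucket writer"
}

# The bucket belongs to project B. The grant is on the bucket itself, not on
# project B as a whole, and the member is the project A identity.
resource "google_storage_bucket_iam_member" "cloud_run_writer" {
  provider = google.project_b
  bucket   = "<my-project-b-bucket-name>"   # placeholder
  role     = "roles/storage.objectCreator"  # create objects only; no read, overwrite or delete
  member   = "serviceAccount:${google_service_account.cloud_run.email}"
}
```

With two separate Terraform projects, as in the question, the binding in project B's configuration refers to the account by its email (a `google_service_account` data source with `project = "<project-a-id>"` and `account_id = "cloud-run-writer"` works), and the rest is identical.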

How can update a resource made outside of terraform via terraform?

AWS Quicksight has a built in default role aws-quicksight-service-role-v0 which does not have any policy attached to it. Knowing its ARN, I want to attach policies to the role via terraform. How can I achieve this?
In other words, how can I import a manually/automatically created resource outside terraform, into terraform?
If you just want to add a new policy to an existing IAM role and you know its ARN, you don't have to import it. You can just use aws_iam_role_policy to define and add the policy that you want to the pre-existing role.
To work with resources already existing use data-sources:
https://www.terraform.io/language/data-sources
In my particular case, the below reference helped to pick the role by name and attach needed policies to it. As explained it works per policy, meaning you need to pick one policy at a time and attach it to as many roles or users you want.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
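The data-source approach from the two answers above, written out as an added example (not the answers' own code): look up the existing role by name, build a tightly scoped policy, and attach it with one `aws_iam_role_policy_attachment` per (role, policy) pair. The role name is the default one named in the question; the bucket and prefix are placeholders.

```hcl
# Added example: manage permissions of a role that Terraform did not create,
# without importing the role into state.

# Read-only lookup of the pre-existing role (created by the QuickSight service).
data "aws_iam_role" "quicksight" {
  name = "aws-quicksight-service-role-v0"
}

# Keep the grant narrow: list one bucket and read one prefix, not s3:* on *.
data "aws_iam_policy_document" "quicksight_s3_read" {
  statement {
    sid       = "ListBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::<data-bucket>"]              # placeholder
  }

  statement {
    sid       = "GetDatasets"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::<data-bucket>/datasets/*"]   # placeholder
  }
}

resource "aws_iam_policy" "quicksight_s3_read" {
  name   = "quicksight-s3-read"
  policy = data.aws_iam_policy_document.quicksight_s3_read.json
}

# One attachment resource per (role, policy) pair, as the answer notes;
# the role itself stays outside Terraform state.
resource "aws_iam_role_policy_attachment" "quicksight_s3_read" {
  role       = data.aws_iam_role.quicksight.name
  policy_arn = aws_iam_policy.quicksight_s3_read.arn
}
```

Only the policy and the attachment end up in state, so `terraform destroy` removes the grant but leaves the service role untouched.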

Does AWS Batch spot fleet use a service-linked role

I'm using terraform to make an AWS Batch compute environment (registry link) and the resource wants me to specify a spot_iam_fleet_role role. When I read the documentation it seems like there are multiple spot roles I need to hand in and two are service-linked?? I'm very confused.
What role is supposed to be in spot_iam_fleet_role and why?
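As an added example that is not part of the question or of any answer on this page, the following defines the kind of role that `spot_iam_fleet_role` expects as I understand the AWS Batch documentation: a customer-managed role that the Spot Fleet service is allowed to assume, carrying the AWS managed `AmazonEC2SpotFleetTaggingRole` policy. That is an assumption to confirm against the current Batch docs; the service-linked roles AWS creates automatically for EC2 Spot are a separate mechanism and are not referenced here. The role name is a placeholder.

```hcl
# Added example: a Spot Fleet role for an AWS Batch SPOT compute environment.

# Trust policy: only the Spot Fleet service may assume this role.
data "aws_iam_policy_document" "spot_fleet_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["spotfleet.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "batch_spot_fleet" {
  name               = "batch-spot-fleet-role"   # placeholder name
  assume_role_policy = data.aws_iam_policy_document.spot_fleet_trust.json
}

# AWS managed policy for Spot Fleet requests (assumed to be the one Batch documents
# for this role); no inline wildcard permissions are added.
resource "aws_iam_role_policy_attachment" "batch_spot_fleet_tagging" {
  role       = aws_iam_role.batch_spot_fleet.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole"
}

# Expose the ARN; this is the value to pass as
# compute_resources.spot_iam_fleet_role on the aws_batch_compute_environment.
output "spot_iam_fleet_role_arn" {
  value = aws_iam_role.batch_spot_fleet.arn
}
```

The Batch service role and the EC2 instance role of the compute environment are distinct from this one and keep their own trust policies.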

AWS account creation using terraform

I am trying to create a new AWS account within our AWS org, but I still get no changes after terraform plan:
"No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed."
Am I missing something? This is the code:
resource "aws_organizations_account" "new_aws_member_account" {
  name                       = "XXX"
  email                      = "XXX@XXX"
  iam_user_access_to_billing = "ALLOW"
}
I already tried to deploy a new IAM policy (within the AWS org account) and there was no problem, but I just can't create a new account using this code. I probably missed something, but don't know what.
Our AWS org was created manually using the AWS console, not via terraform, but this shouldn't be a problem, or is it?
Can you help please?

Sharing custom images within an organization in GCP

I am trying to share a custom image in GCP between projects in the organization.
1) Project A
2) Project B
All my custom Images are in project A.
I would like to share images of project A to Project B
As per the documentation I ran the following command to share images to project B
gcloud projects add-iam-policy-binding projecta --member serviceAccount:xxxxxx@cloudservices.gserviceaccount.com --role roles/compute.imageUser
I am using Terraform to provision the instances. In terraform, I am specifying to take the image from project A.
boot_disk {
  initialize_params {
    image = "projects/project_A/global/images/custom_image"
  }
}
I am getting the below error
Error: Error creating instance: googleapi: Error 403: Required 'compute.images.useReadOnly' permission for 'projects/project_A/global/images/custom_image', forbidden
Can someone please help me out....
I guess the documentation is for Deployment Manager, not for Terraform. The command you ran granted the role to the service account xxxxxx@cloudservices.gserviceaccount.com, but Terraform is not using that account by default.
You need to make sure Terraform has enough permission. You may supply xxxxxx@cloudservices.gserviceaccount.com to Terraform, or create a new service account for Terraform and grant roles/compute.imageUser to it.
You've just done the first step, which is granting a service account the proper permissions to share your images across your organisation. The roles/compute.imageUser role is required to do it.
Your Terraform config also looks OK (you have to make sure the self_link to your image is correct; refer to this documentation to make sure the image value in the Terraform config is OK).
Also make sure you're providing proper service account credentials to Terraform as stated in @Ken Hung's answer.
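Putting both answers into one configuration, here is an added example (not code from the question or either answer): Terraform runs as a dedicated deployer service account in project B, that account is granted `roles/compute.imageUser` on the single image in project A rather than on the whole project, and the instance in project B boots from the shared image. The project ids and image name come from the question; the deployer service account, zone, machine type and network are placeholders.

```hcl
# Added example: let the identity Terraform runs as use one image from project A.

provider "google" {
  alias   = "project_a"
  project = "project_A"
}

provider "google" {
  alias   = "project_b"
  project = "project_B"
  # Run as a dedicated deployer account without a downloaded key; the caller
  # needs roles/iam.serviceAccountTokenCreator on it.
  impersonate_service_account = "terraform-deployer@project_B.iam.gserviceaccount.com"   # placeholder
}

# Image-scoped grant: compute.images.useReadOnly on this one image only.
# A google_project_iam_member binding with the same role would cover every
# image in project A; use that only if that is actually wanted.
resource "google_compute_image_iam_member" "deployer_uses_custom_image" {
  provider = google.project_a
  image    = "custom_image"
  role     = "roles/compute.imageUser"
  member   = "serviceAccount:terraform-deployer@project_B.iam.gserviceaccount.com"   # placeholder
}

resource "google_compute_instance" "from_shared_image" {
  provider     = google.project_b
  name         = "from-shared-image"
  machine_type = "e2-small"        # placeholder
  zone         = "us-central1-a"   # placeholder

  boot_disk {
    initialize_params {
      image = "projects/project_A/global/images/custom_image"   # as in the question
    }
  }

  network_interface {
    network = "default"            # placeholder
  }

  # Make sure the grant is in place before the instance is created, otherwise
  # the 403 from the question appears on the first apply.
  depends_on = [google_compute_image_iam_member.deployer_uses_custom_image]
}
```

If Terraform authenticates with a different identity (for example the cloudservices account from the `gcloud` command), the `member` in the grant must be that identity instead.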