AWS Multi-Account Strategy
You can use a different set of AWS credentials for operations against different resources.
In this example, we'll configure credentials for a QA environment and a Production environment, and use each set of credentials against a different resource.
- Create the following GitHub Secrets in your Terraform repository:
  - QA_AWS_ACCESS_KEY_ID
  - QA_AWS_SECRET_ACCESS_KEY
  - PROD_AWS_ACCESS_KEY_ID
  - PROD_AWS_SECRET_ACCESS_KEY
- Add the following hooks to your Terrateam configuration file:
hooks:
  plan:
    pre:
      # Set AWS credentials and profile for the QA environment
      - type: run
        cmd: ["aws", "configure", "set", "aws_access_key_id", "$QA_AWS_ACCESS_KEY_ID", "--profile", "qa"]
      - type: run
        cmd: ["aws", "configure", "set", "aws_secret_access_key", "$QA_AWS_SECRET_ACCESS_KEY", "--profile", "qa"]
      # Set AWS credentials and profile for the Production environment
      - type: run
        cmd: ["aws", "configure", "set", "aws_access_key_id", "$PROD_AWS_ACCESS_KEY_ID", "--profile", "production"]
      - type: run
        cmd: ["aws", "configure", "set", "aws_secret_access_key", "$PROD_AWS_SECRET_ACCESS_KEY", "--profile", "production"]
    post: []
  apply:
    pre:
      # Set AWS credentials and profile for the QA environment
      - type: run
        cmd: ["aws", "configure", "set", "aws_access_key_id", "$QA_AWS_ACCESS_KEY_ID", "--profile", "qa"]
      - type: run
        cmd: ["aws", "configure", "set", "aws_secret_access_key", "$QA_AWS_SECRET_ACCESS_KEY", "--profile", "qa"]
      # Set AWS credentials and profile for the Production environment
      - type: run
        cmd: ["aws", "configure", "set", "aws_access_key_id", "$PROD_AWS_ACCESS_KEY_ID", "--profile", "production"]
      - type: run
        cmd: ["aws", "configure", "set", "aws_secret_access_key", "$PROD_AWS_SECRET_ACCESS_KEY", "--profile", "production"]
    post: []
- Use the desired profile in your AWS provider configuration in your Terraform repository
ec2/qa/main.tf

provider "aws" {
  # Profile written by the Terrateam pre hooks
  profile = "qa"
}

ec2/production/main.tf

provider "aws" {
  # Profile written by the Terrateam pre hooks
  profile = "production"
}
See the official AWS Provider documentation for more details.
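
As an added example (not part of the Terrateam documentation), the following Python check flags Terraform files whose `provider "aws"` block names a profile the hooks never create, names the other environment's profile, or omits `profile` so that the provider falls back to the default credential chain. It assumes the environment is a directory name in the path, as in `ec2/qa/main.tf`; the function names and the sample files are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Profiles created by the hooks' `aws configure set ... --profile <name>` commands.
CONFIGURED_PROFILES = {"qa", "production"}
PROFILE_RE = re.compile(r'^\s*profile\s*=\s*"([^"]*)"', re.M)


def provider_bodies(hcl):
    """Yield the body of each `provider "aws" { ... }` block, following nested braces."""
    for m in re.finditer(r'^\s*provider\s+"aws"\s*\{', hcl, re.M):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield hcl[m.end():i - 1]


def expected_profile(path):
    """Assumption: a directory named after a profile marks the environment (ec2/qa/...)."""
    dirs = PurePosixPath(path).parts[:-1]
    return next((d for d in dirs if d in CONFIGURED_PROFILES), None)


def check(files):
    """Return sorted (path, problem) findings for a {path: hcl_text} mapping."""
    findings = []
    for path, hcl in files.items():
        want = expected_profile(path)
        for body in provider_bodies(hcl):
            m = PROFILE_RE.search(body)
            if m is None:
                findings.append((path, "no profile: default credential chain is used"))
            elif m.group(1) not in CONFIGURED_PROFILES:
                findings.append((path, f"profile {m.group(1)!r} is not set up by the hooks"))
            elif want and m.group(1) != want:
                findings.append((path, f"profile {m.group(1)!r} in a {want!r} directory"))
    return sorted(findings)


# Constructed sample files (not from the page's repository).
SAMPLE = {
    "ec2/qa/main.tf": 'provider "aws" {\n  profile = "qa"\n}\n',
    "ec2/production/main.tf": 'provider "aws" {\n  profile = "qa"\n}\n',
    "rds/qa/main.tf": 'provider "aws" {\n  assume_role {\n    role_arn = var.role\n  }\n}\n',
    "rds/production/main.tf": 'provider "aws" {\n  profile = "prod"\n}\n',
}

if __name__ == "__main__":
    for path, problem in check(SAMPLE):
        print(f"{path}: {problem}")
```

The brace scan does not understand braces inside strings or comments, so treat it as a review aid to run before plan and apply, not as a full HCL parser.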