
Terraform is an automation tool used to provision cloud resources. Infrastructure also needs to be provisioned with the proper privileges. In large enterprises, administrators use Terraform to automatically provision or retire potentially hundreds of resources without manually configuring them.

Why Use AWS IAM with Terraform?

With AWS Identity and Access Management (IAM), Terraform can also be used to set access permissions on provisioned resources. In a secure environment, using privileges to give access to cloud-provisioned resources is part of a zero-trust network and should be incorporated into any security strategy. Instead of giving everyone access to resources, administrators can use IAM to assign permissions only to people who need them.

AWS IAM on Terraform: 3 Key Features

IAM is meant for creating and updating users, roles, and user groups. The three key features that benefit organizations are the ease of controlling access policies, using keys instead of standard network credentials, and assigning user roles. All three work together to control access to cloud resources usually provisioned using Terraform.

Terraform uses files with the .tf extension to automate commands. Configuration files contain commands that can be reused every time a resource must be created. Because files are pre-programmed with settings and configurations, they speed up provisioning of cloud resources in AWS.

How Do You Use IAM Policies in Terraform?

Policies define users and user permissions to specific cloud resources. You use policies when you provision a resource in AWS (e.g., an S3 bucket) and need to assign various users with specific permissions (e.g., listing S3 bucket contents).

How Do You Use IAM Key Pairs in Terraform?

Users are assigned keys in AWS rather than usernames and passwords. A key pair consists of an access key and a secret key. Both are necessary for users to access resources. In Terraform, you assign key pairs to users when giving them access to a resource.

How Do You Use IAM Roles in Terraform?

An IAM role is a group of permissions assigned to a specific user. Assigning roles in Terraform will give permissions to a specified user. A role can allow users to perform multiple actions on a resource, so it should be reviewed before it is assigned in Terraform.

How to Use AWS IAM with Terraform: An Example

In this example, a new user file named create_user.tf is used to create a user account on AWS via Terraform. The user is created and assigned a policy to an S3 bucket.

Step 1: Install Terraform

Install Terraform. On Debian, type:

sudo apt-get install terraform

Step 2: Create a Terraform Directory

Create a directory for the new Terraform project:

mkdir linuxhint-terraform && cd linuxhint-terraform

Step 3: Create the create_user.tf File

Create the create_user.tf file:

nano create_user.tf

Step 4: Configure the New User Account

With the file created and open, add the following code:

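terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }
}

provider "aws" {
  region = "us-west-1"
  # Placeholder values. Replace them with your own credentials, or omit both
  # lines and set AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the environment
  # so the keys are not stored in this file.
  access_key = "user_access_key"
  secret_key = "user_secret"
}

# The IAM user to create
resource "aws_iam_user" "new_user" {
  name = "NewUserExample"
}

# Access key pair for the new user
resource "aws_iam_access_key" "AccK" {
  user = aws_iam_user.new_user.name
}

# Marked sensitive so the secret is hidden in CLI output;
# it is still stored in the Terraform state file.
output "secret_key" {
  value     = aws_iam_access_key.AccK.secret
  sensitive = true
}

output "access_key" {
  value = aws_iam_access_key.AccK.id
}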

Step 5: Create a Policy and Add the New User

With the user created, you can create a policy and add the user to it. This policy example gives the user permission to list buckets.

Append the following code to the create_user.tf file:

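# Inline policy attached to the new user. "Version" is the IAM policy
# language version (2012-10-17), not the date the policy was written.
resource "aws_iam_user_policy" "iam" {
  name = "ListBuckets"
  user = aws_iam_user.new_user.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
EOF
}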

Step 6: Initialize Terraform and Apply Changes

With the file created, you can then apply the changes to AWS using Terraform. First, initialize the working directory, which downloads the AWS provider:

terraform init

Next, apply changes to your AWS environment:

terraform apply

Step 7: Confirm Changes in AWS IAM

At this point, the resource was created, but you can confirm the changes manually by going into your AWS account and viewing users in the IAM dashboard.
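
A hardened variant of the create_user.tf built in Steps 4 and 5, added here as an example and not the original author's code: the provider takes credentials from the environment, the access key secret is PGP-encrypted, and the policy allows listing one bucket's contents (s3:ListBucket) rather than all buckets, because s3:ListAllMyBuckets can only be granted on "*". The variables bucket_name and pgp_key and the names list_one_bucket and ListOneBucket are assumptions.

```hcl
# Added example; variable and policy names are assumptions.
# Keep the terraform { required_providers { ... } } block from Step 4 above this.

# No access_key/secret_key: the provider reads AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY (or a shared credentials profile) from the
# environment, so credentials stay out of .tf files and version control.
provider "aws" {
  region = "us-west-1"
}

variable "bucket_name" { type = string } # assumed: existing bucket the user may list
variable "pgp_key" { type = string }     # assumed: base64 PGP public key or keybase:<user>

resource "aws_iam_user" "new_user" {
  name = "NewUserExample"
}

# With pgp_key set, only encrypted_secret is kept; the plaintext secret
# is not written to the state file.
resource "aws_iam_access_key" "AccK" {
  user    = aws_iam_user.new_user.name
  pgp_key = var.pgp_key
}

# Generating the JSON from HCL emits a valid Version ("2012-10-17")
# and well-formed JSON without a hand-written heredoc.
data "aws_iam_policy_document" "list_one_bucket" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.bucket_name}"]
  }
}

resource "aws_iam_user_policy" "iam" {
  name   = "ListOneBucket"
  user   = aws_iam_user.new_user.name
  policy = data.aws_iam_policy_document.list_one_bucket.json
}

output "access_key" {
  value = aws_iam_access_key.AccK.id
}

output "encrypted_secret" {
  value = aws_iam_access_key.AccK.encrypted_secret
}
```

The holder of the matching private key recovers the secret with `terraform output -raw encrypted_secret | base64 --decode | gpg --decrypt`.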

Conclusion

Automating cloud provisioning saves time and uses templates for IAM policies, accounts, and permissions. By using Terraform, administrators can streamline deployment of resources across their AWS environments. Learn more with How to Create an AWS Instance with Terraform.