Service Catalog Version 0.118.1. Last updated in version 0.20.0.

Gruntwork Access


Overview

You can use this service to grant the Gruntwork team access to your AWS account to either:

Under the hood, this service creates an IAM Role in your AWS account that the Gruntwork team can assume. This allows the Gruntwork team to securely access your AWS accounts without having to create, share, or manage credentials.

Features

  • Create an IAM role that grants Gruntwork access to your AWS accounts
  • Choose the Managed IAM Policy to grant
  • Require MFA for assuming the IAM role
  • Grant access to your own security account (required for Reference Architecture deployments)

Learn

Note: This repo is a part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production-ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!

Core concepts

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

  • examples/for-learning-and-testing folder: The examples/for-learning-and-testing folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage).

Production deployment

If you want to deploy this repo in production, check out the following resources:

  • examples/for-production folder: The examples/for-production folder contains sample code optimized for direct usage in production. This is code from the Gruntwork Reference Architecture, and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog and configure CI / CD for your apps and infrastructure.

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GRUNTWORK-ACCESS MODULE
# ------------------------------------------------------------------------------------------------------

module "gruntwork_access" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/gruntwork-access?ref=v0.118.1"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Set to true to grant your security account, with the account ID specified in
  # var.security_account_id, access to the IAM role. This is required for
  # deploying a Reference Architecture.
  grant_security_account_access = <bool>

  # The ID of your security account (where IAM users are defined). Required for
  # deploying a Reference Architecture, as the Gruntwork team deploys an EC2
  # instance in the security account, and that instance assumes this IAM role to
  # get access to all the other child accounts and bootstrap the deployment
  # process.
  security_account_id = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The ID of the AWS account that will be allowed to assume the IAM role.
  gruntwork_aws_account_id = "583800379690"

  # The name to use for the IAM role
  iam_role_name = "GruntworkAccountAccessRole"

  # The name of the AWS Managed Policy to attach to the IAM role. To deploy a
  # Reference Architecture, the Gruntwork team needs AdministratorAccess, so
  # this is the default.
  managed_policy_name = "AdministratorAccess"

  # If set to true, require MFA to assume the IAM role from the Gruntwork
  # account.
  require_mfa = true

  # Tags to apply to all resources created by this module
  tags = {}

}
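
After deploying, it is worth confirming that the role's trust policy admits only the accounts you intended and that the Gruntwork account statement carries an MFA condition. The following audit script is an added example, not code from Gruntwork or this module. It assumes the trust policy uses the standard aws:MultiFactorAuthPresent condition key, and both the sample policy and the security account ID 111111111111 are constructed placeholders.

```python
import json

GRUNTWORK_ACCOUNT_ID = "583800379690"  # default gruntwork_aws_account_id on this page
SECURITY_ACCOUNT_ID = "111111111111"   # constructed placeholder for security_account_id
# Constructed sample trust policy (assumed shape, not captured module output).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{GRUNTWORK_ACCOUNT_ID}:root"},
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT_ID}:root"}},
    ],
})

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Return the account ID from an IAM ARN or a bare 12-digit ID, else None."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def audit_trust_policy(policy_json, mfa_accounts, other_accounts=()):
    """Return findings: principals outside the allow-list, or no MFA where required."""
    allowed = set(mfa_accounts) | set(other_accounts)
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if not isinstance(principal, dict):  # bare "*" means anyone
            findings.append(f"unexpected principal: {principal}")
            continue
        # Plain Bool only: BoolIfExists also matches when the MFA key is absent.
        cond = stmt.get("Condition", {}).get("Bool", {})
        mfa_values = as_list(cond.get("aws:MultiFactorAuthPresent", []))
        has_mfa = [str(v).lower() for v in mfa_values] == ["true"]
        for kind, values in principal.items():
            for p in as_list(values):
                acct = account_of(p) if kind == "AWS" else None
                if acct not in allowed:
                    findings.append(f"unexpected principal: {kind}={p}")
                elif acct in mfa_accounts and not has_mfa:
                    findings.append(f"no MFA condition for account {acct}")
    return findings
```

Feed it the AssumeRolePolicyDocument of the deployed role in place of SAMPLE_TRUST_POLICY; an empty list means the trust policy matches what you configured.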


Reference

Required

grant_security_account_access (bool, required)

Set to true to grant your security account, with the account ID specified in security_account_id, access to the IAM role. This is required for deploying a Reference Architecture.

security_account_id (string, required)

The ID of your security account (where IAM users are defined). Required for deploying a Reference Architecture, as the Gruntwork team deploys an EC2 instance in the security account, and that instance assumes this IAM role to get access to all the other child accounts and bootstrap the deployment process.

Optional

gruntwork_aws_account_id (string, optional)

The ID of the AWS account that will be allowed to assume the IAM role.

Default: "583800379690"

iam_role_name (string, optional)

The name to use for the IAM role

Default: "GruntworkAccountAccessRole"

managed_policy_name (string, optional)

The name of the AWS Managed Policy to attach to the IAM role. To deploy a Reference Architecture, the Gruntwork team needs AdministratorAccess, so this is the default.

Default: "AdministratorAccess"

require_mfa (bool, optional)

If set to true, require MFA to assume the IAM role from the Gruntwork account.

Default: true

tags (map(string), optional)

Tags to apply to all resources created by this module

Default: {}