Gruntwork Access
Overview
You can use this service to grant the Gruntwork team access to your AWS account for either:
- Deploying a Reference Architecture
- Helping your team with troubleshooting
Under the hood, this service creates an IAM Role in your AWS account that the Gruntwork team can assume. This allows the Gruntwork team to securely access your AWS accounts without having to create, share, or manage credentials.
Features
- Create an IAM role that grants Gruntwork access to your AWS accounts
- Choose the Managed IAM Policy to grant
- Require MFA for assuming the IAM role
- Grant access to your own security account (required for Reference Architecture deployments)
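To make the trust relationship concrete, the following is an added Python example, not the module's own code: it builds a trust policy of the shape such a role needs (sts:AssumeRole from the Gruntwork account gated on MFA, plus an optional statement for your security account) and audits a trust policy document against the principals and MFA requirement you intended. The Gruntwork account ID is the module's default; the security account ID is a constructed placeholder, and the exact policy the module emits is an assumption.

```python
GRUNTWORK_ACCOUNT_ID = "583800379690"  # the module's default gruntwork_aws_account_id


def build_trust_policy(gruntwork_account_id=GRUNTWORK_ACCOUNT_ID,
                       security_account_id=None, require_mfa=True):
    """Trust policy of the shape this role needs (an illustration assumed here,
    not the module's own document): sts:AssumeRole from the Gruntwork account,
    gated on MFA when require_mfa is set, plus an optional statement letting
    your security account (and the instance running there) assume the role."""
    gruntwork = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{gruntwork_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        gruntwork["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    statements = [gruntwork]
    if security_account_id:
        statements.append({"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": f"arn:aws:iam::{security_account_id}:root"}})
    return {"Version": "2012-10-17", "Statement": statements}


def audit_trust_policy(policy, expected_accounts, mfa_accounts):
    """Compare a role's trust policy with the access you meant to grant.
    expected_accounts: IDs allowed to assume the role; mfa_accounts: the subset
    that must present MFA. Returns a list of findings (empty means as intended)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        principals = principal if isinstance(principal, str) else principal.get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        for p in principals:
            # Principals may be a full ARN, a bare account ID, or "*" (anyone).
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in expected_accounts:
                findings.append(f"unexpected principal {p}")
            elif account in mfa_accounts and str(mfa).lower() != "true":
                findings.append(f"sts:AssumeRole from {account} allowed without MFA")
    return findings
```

Run audit_trust_policy over the trust policy of the deployed role (for example the output of `aws iam get-role`) with the Gruntwork account in mfa_accounts to confirm that require_mfa actually took effect and that no other principal was added.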
Learn
This repo is a part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production-ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!
Core concepts
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples/for-learning-and-testing folder: The examples/for-learning-and-testing folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage).
Production deployment
If you want to deploy this repo in production, check out the following resources:
- examples/for-production folder: The examples/for-production folder contains sample code optimized for direct usage in production. This is code from the Gruntwork Reference Architecture, and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog and configure CI / CD for your apps and infrastructure.
Sample Usage
Terraform:
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GRUNTWORK-ACCESS MODULE
# ------------------------------------------------------------------------------------------------------
module "gruntwork_access" {
source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/gruntwork-access?ref=v0.118.1"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# Set to true to grant your security account, with the account ID specified in
# var.security_account_id, access to the IAM role. This is required for
# deploying a Reference Architecture.
grant_security_account_access = <bool>
# The ID of your security account (where IAM users are defined). Required for
# deploying a Reference Architecture, as the Gruntwork team deploys an EC2
# instance in the security account, and that instance assumes this IAM role to
# get access to all the other child accounts and bootstrap the deployment
# process.
security_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# The ID of the AWS account that will be allowed to assume the IAM role.
gruntwork_aws_account_id = "583800379690"
# The name to use for the IAM role
iam_role_name = "GruntworkAccountAccessRole"
# The name of the AWS Managed Policy to attach to the IAM role. To deploy a
# Reference Architecture, the Gruntwork team needs AdministratorAccess, so
# this is the default.
managed_policy_name = "AdministratorAccess"
# If set to true, require MFA to assume the IAM role from the Gruntwork
# account.
require_mfa = true
# Tags to apply to all resources created by this module
tags = {}
}
Terragrunt:
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GRUNTWORK-ACCESS MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/gruntwork-access?ref=v0.118.1"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# Set to true to grant your security account, with the account ID specified in
# var.security_account_id, access to the IAM role. This is required for
# deploying a Reference Architecture.
grant_security_account_access = <bool>
# The ID of your security account (where IAM users are defined). Required for
# deploying a Reference Architecture, as the Gruntwork team deploys an EC2
# instance in the security account, and that instance assumes this IAM role to
# get access to all the other child accounts and bootstrap the deployment
# process.
security_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# The ID of the AWS account that will be allowed to assume the IAM role.
gruntwork_aws_account_id = "583800379690"
# The name to use for the IAM role
iam_role_name = "GruntworkAccountAccessRole"
# The name of the AWS Managed Policy to attach to the IAM role. To deploy a
# Reference Architecture, the Gruntwork team needs AdministratorAccess, so
# this is the default.
managed_policy_name = "AdministratorAccess"
# If set to true, require MFA to assume the IAM role from the Gruntwork
# account.
require_mfa = true
# Tags to apply to all resources created by this module
tags = {}
}
Reference
Inputs
Required
- grant_security_account_access (bool): Set to true to grant your security account, with the account ID specified in security_account_id, access to the IAM role. This is required for deploying a Reference Architecture.
- security_account_id (string): The ID of your security account (where IAM users are defined). Required for deploying a Reference Architecture, as the Gruntwork team deploys an EC2 instance in the security account, and that instance assumes this IAM role to get access to all the other child accounts and bootstrap the deployment process.
Optional
- gruntwork_aws_account_id (string, default "583800379690"): The ID of the AWS account that will be allowed to assume the IAM role.
- iam_role_name (string, default "GruntworkAccountAccessRole"): The name to use for the IAM role.
- managed_policy_name (string, default "AdministratorAccess"): The name of the AWS Managed Policy to attach to the IAM role. To deploy a Reference Architecture, the Gruntwork team needs AdministratorAccess, so this is the default.
- require_mfa (bool, default true): If set to true, require MFA to assume the IAM role from the Gruntwork account.
- tags (map(string), default {}): Tags to apply to all resources created by this module.
Outputs
- The ARN of the IAM role
- The name of the IAM role