我一直在寻找一种能够在Terraform中同时部署到多个AWS账户并且干涸的方法。 AWS有使用Stacks执行此操作的概念,但我不确定是否有办法在Terraform中执行此操作?如果是这样的话会有什么解决方案?
您可以阅读有关Cloudformation解决方案here的更多信息。
您可以定义multiple provider aliases,它可用于在不同区域甚至不同的AWS账户中运行操作。
因此,要在默认区域中执行某些操作(或者如果未在环境变量/ ~/.aws/configure / etc中定义,则会提示它)以及在US East 1中,您将执行以下操作:
provider "aws" {
# ...
}
# Cloudfront ACM certs must exist in US-East-1
provider "aws" {
alias = "cloudfront-acm-certs"
region = "us-east-1"
}
然后你会像这样引用它们:
data "aws_acm_certificate" "ssl_certificate" {
provider = "aws.cloudfront-acm-certs"
...
}
resource "aws_cloudfront_distribution" "cloudfront" {
...
viewer_certificate {
acm_certificate_arn = "${data.aws_acm_certificate.ssl_certificate.arn}"
...
}
}
因此,如果您想同时在多个帐户中执行某些操作,那么您可以使用以下内容进行assume a role in the other account:
provider "aws" {
# ...
}
# Assume a role in the DNS account so we can add records in the zone that lives there
provider "aws" {
alias = "dns"
assume_role {
role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
session_name = "SESSION_NAME"
external_id = "EXTERNAL_ID"
}
}
并参考它如下:
data "aws_route53_zone" "selected" {
provider = "aws.dns"
name = "test.com."
}
resource "aws_route53_record" "www" {
provider = "aws.dns"
zone_id = "${data.aws_route53_zone.selected.zone_id}"
name = "www.${data.aws_route53_zone.selected.name}"
...
}
或者,您可以在a number of other ways中提供不同AWS账户的凭证,例如hardcoding them in the provider or using different Terraform variables,AWS SDK specific environment variables或使用configured profile。