Part 2: Automated AWS multi account setup with Terraform and OneLogin SSO

IMPORTANT: This tutorial was written with Terraform 0.9.x, so it may not work exactly with newer versions or need to be adapted. E.g. the new provider plugins need to be initialized before doing anything starting with Terraform 0.10.0 and up

After you’ve setup your AWS master account in the previous part of this series, it’s now time to create as many sub accounts as you need. At least one sub account should be dedicated for operations, e.g. responsible for the CloudTrail bucket of all accounts and storing the Terraform state file of this initialization plan.

To have a nice multi account setup usable for different breed of developers and admins, we add the SAML IdP to the sub accounts to, but also create assumeRole trust relationships to simply switch roles in AWS console or use a role_arn for the AWS CLI credentials file (and Terraform providers).

The advantage is you only need to get one set of temporary credentials and then you’re assuming the right role in the sub accounts. Otherwise you’ve always have to obtain temporary credentials via SAML for every sub account you work with and use different profiles to save those and it can happen you use the wrong profile in your Terraform runs. With role_arn you play more safe, because you have to run Terraform with your master account credentials profile which has the correct permissions to assume the target sub account role. If you have the wrong credentials, it will fail.

Side Note: Don’t create accounts with AWS organizations yet. You can still use it for applying SCPs and consolidated billing. But don’t create the account within. Create the account separately and invite it to the organization.
If you create the account within AWS organizations you won’t be able to delete it or remove it from the consolidated billing (especially bad as an agency when the customer wants to take over the account for billing).

In this tutorials series I’m using OneLogin as SSO provider, but you can use any SSO provider you want. Or still manage your IAM users by hand. If you do this, then you can omit the SAML/OneLogin stuff and use only assumeRole trust relationships.

Create your new sub account as usual, activate IAM access to billing. Create a TerraformInit with the following IAM policy. ACCOUNTID is the account ID of the new sub account.

AWS TerraformInit policy for AWS sub accounts with OneLogin

Then create the IAM user called terraform-init and attach to it the TerraformInit policy from above. This user needs Programmatic access only.

And update the TerraformInit policy on the master account with the following statement (add it). ACCOUNTID is the account ID of the existing master account.

Additions to the TerraformInit policy of the AWS master account

To provision the sub account add the following new Terraform files into your project. As said, you’ll provision OneLogin as SAML IdP and cross account access roles. The ACCOUNTID is the account ID of the sub account.

New Terraform configuration for the new operations AWS sub account

Add the following parts to the from the previous tutorial. For further sub accounts you only need to add the role ARNs of the sub accounts into the resources arrays below.

Additions to the organization root account roles with new cross account access policies

Now execute terraform plan to take a look what will be done. If it looks good to you run terraform apply to configure your sub account with cross access from the master account.

When the run has finished you see the acme_operations_saml_provider_arn output which you need to add to the AWS setup within OneLogin. If you’ve finished this part to, you should be able to login to the AWS sub account from your OneLogin dashboard.

Depending on your role mappings you may see only one role or multiple roles per account

Additionally you can switch from the master account to the roles of the sub account. Since you’ve set an account alias for the sub account you don’t need to know the account ID. Simply enter the account alias in the switch role dialog of the AWS console.

Switch to the sub account role from the master account

Although we have explicitly attached the AdministratorCrossAccountAccess policy to the Administrator role, the Administrator is able to switch to every role of the sub account, as long as he has attached the AdministratorAccess job function policy.

As noted on the beginning, use this operations sub account for important stuff of your AWS multi account setup, like the S3 bucket for CloudTrail or saving the Terraform state of the account initialization.

This is part 2 of a multi-part series how you manage the AWS account basics with Terraform with minimal manual steps required. The daily work can be done with the temporary credentials from the assumed role via SAML or if you don’t use SAML with the credentials of the created IAM users.

Part 1: Automated AWS account initialization with Terraform and OneLogin SAML SSO