Terraform: What's the AWS IAM infrastructure best practice?

Created on 26 Oct 2016 · 3 Comments · Source: hashicorp/terraform

What is the best practice for creating IAM resources for the whole infrastructure? I was thinking of splitting it up into this layout:

├── Modules
├── Dev
│   ├── users
│   │   ├── user1.tf
│   │   ├── user2.tf
│   │   ├── user3.tf
│   │   └── terraform.tfstate
│   ├── groups
│   │   ├── group1.tf
│   │   ├── group2.tf
│   │   ├── group3.tf
│   │   └── terraform.tfstate
│   └── roles
│       ├── role1.tf
│       ├── role2.tf
│       ├── role3.tf
│       └── terraform.tfstate
└── Prod
    ├── users
    │   ├── user1.tf
    │   ├── user2.tf
    │   ├── user3.tf
    │   └── terraform.tfstate
    ├── groups
    │   ├── group1.tf
    │   ├── group2.tf
    │   ├── group3.tf
    │   └── terraform.tfstate
    └── roles
        ├── role1.tf
        ├── role2.tf
        ├── role3.tf
        └── terraform.tfstate

This way, whenever a user/group/role is no longer required, I could simply delete the .tf file and `terraform apply` will remove the existing IAM resource. I would like to know how you guys are implementing it.

Labels: provider/aws, question


All 3 comments

Hi @zerolaser

Thanks for checking in with us on this :) Luckily, we have a best-practices repo that may be able to give you some insight :)

Hopefully it helps

Please let us know if it doesn't

Paul

@stack72 I have gone through the best-practices and it helped me re-write the module in a better way. But my actual question was how multiple IAM resources are handled. Should all the IAM resources be handled in a single state file, or in an individual state file for each application?

  1. If all the IAM resources are assumed to be in a single state file, using the IAM module repeatedly will create users and groups. But if a particular user is part of more than one group, say Admin and Super Admin, Terraform was throwing an error that the user already exists.
  2. If each application is handled separately, how do you link the common resources?
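The "user already exists" error above comes from creating the same `aws_iam_user` inside every group module that uses it; IAM user names are unique per account, so the second module instance collides with the first. The layout that avoids it, and that also fits the per-environment `users`/`groups`/`roles` split proposed in the opening post, is to declare each user and each group exactly once and make membership its own resource. The following is an added example written for this thread, not code from the issue or from the hashicorp/terraform repository. It assumes Terraform 0.12+ syntax (`for_each`, `map`/`list` types) and the `hashicorp/aws` provider; the user names, group names, region and the managed-policy choices are constructed placeholders.

```hcl
# Added example: users and groups are each declared once, and membership is a
# separate resource, so a user in both "Admin" and "SuperAdmin" is created once.
# Assumes Terraform 0.12+ and the hashicorp/aws provider (not from the thread).

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-west-1" # constructed placeholder
}

# One entry per group -> the single managed policy that group grants.
# The policy ARNs are illustrative; pick the narrowest policy each group needs.
variable "groups" {
  type = map(string)
  default = {
    Admin      = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
    SuperAdmin = "arn:aws:iam::aws:policy/IAMFullAccess"
  }
}

# One entry per user -> the list of groups that user belongs to.
# Constructed sample data: "alice" is in two groups, which is the case that
# broke when the user was created inside each group module.
variable "users" {
  type = map(list(string))
  default = {
    alice = ["Admin", "SuperAdmin"]
    bob   = ["Admin"]
  }
}

resource "aws_iam_group" "this" {
  for_each = var.groups
  name     = each.key
}

resource "aws_iam_group_policy_attachment" "this" {
  for_each   = var.groups
  group      = aws_iam_group.this[each.key].name
  policy_arn = each.value
}

# Exactly one aws_iam_user per map key, regardless of how many groups it joins.
resource "aws_iam_user" "this" {
  for_each = var.users
  name     = each.key
}

# Membership hangs off the user, so deleting "alice" from var.users removes the
# user and all of her memberships on the next apply (the clean-up behaviour the
# opening post wants from deleting a .tf file).
resource "aws_iam_user_group_membership" "this" {
  for_each = var.users
  user     = aws_iam_user.this[each.key].name
  groups   = [for g in each.value : aws_iam_group.this[g].name]
}

# Exposed so a separate state (e.g. an application stack) can reference the
# shared groups through a terraform_remote_state data source instead of
# re-declaring them, which answers the "how to link common resources" question.
output "group_names" {
  value = { for k, g in aws_iam_group.this : k => g.name }
}
```

With this shape the per-environment `users` and `groups` directories from the opening post can stay as separate state files: the groups state publishes `group_names`, and the users state reads it via `data "terraform_remote_state"` and passes the names into `aws_iam_user_group_membership`. `terraform plan` on a user removal then shows only that user and its membership being destroyed, which is a useful review point before applying IAM changes in Prod.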

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
