Terraform Multi-Account Deployment: A Complete Guide

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

Managing infrastructure across multiple AWS accounts is a common requirement for organizations seeking to enhance security, separation of concerns, or compliance. Terraform, a popular Infrastructure as Code (IaC) tool, provides robust capabilities to streamline this process. This article outlines essential practices for effectively managing multiple AWS accounts using Terraform, enabling you to orchestrate resources seamlessly across your environments.

1. Utilize multiple provider configurations: Define separate provider blocks within your Terraform configuration file for each AWS account you want to target. Each provider block should have a unique alias assigned to it.

   provider "aws" {
     region  = "us-west-2"
     alias  = "dev"
   }
   
   provider "aws" {
     region  = "us-east-1"
     alias  = "prod"
   }

2. Leverage provider aliases: When defining resources that should be deployed to a specific AWS account, reference the corresponding provider alias using the provider argument within the resource block.

   resource "aws_instance" "dev_instance" {
     ami           = "ami-0c94855ba95c574c8"
     instance_type = "t2.micro"
     provider      = aws.dev
   }
   
   resource "aws_instance" "prod_instance" {
     ami           = "ami-0c94855ba95c574c8"
     instance_type = "t2.micro"
     provider      = aws.prod
   }

3. Implement authentication for each account: Ensure that you have configured appropriate AWS credentials for each provider alias. This can be achieved through environment variables, AWS profiles, or other supported authentication methods.

4. Organize your code: Structure your Terraform code in a modular and reusable manner. Consider using modules to encapsulate resources specific to each AWS account or environment.

5. Employ remote state management: Utilize a shared state backend, such as AWS S3, to store the Terraform state file. This enables collaboration and ensures consistency across multiple deployments.

6. Consider cross-account roles: For scenarios where resources in one account need to interact with resources in another account, leverage AWS IAM roles and assume cross-account access.

7. Implement security best practices: Follow security best practices, such as principle of least privilege, when configuring IAM roles and policies for cross-account access.

8. Test thoroughly: Before deploying to production, thoroughly test your Terraform configuration in a staging or development environment to validate its behavior across multiple AWS accounts.

This Terraform code configures two AWS providers, one for a development account and one for a production account. It uses an S3 bucket for remote state management. An EC2 instance module is defined for reusability. The code deploys resources to both accounts, showcasing how to reference specific providers. It includes a commented-out section demonstrating the potential use of cross-account roles. Finally, it outputs the public IP addresses of the deployed instances. Before running, replace placeholders with your specific values, configure AWS credentials, and create the EC2 instance module as instructed in the comments.

# Configure Terraform to use multiple AWS providers
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  backend "s3" { # Use S3 for remote state management
    bucket = "your-terraform-state-bucket"
    key    = "your-project/terraform.tfstate"
    region = "us-west-2"
  }
}

# Configure AWS Provider for Development Account
provider "aws" {
  region = "us-west-2"
  alias  = "dev"
}

# Configure AWS Provider for Production Account
provider "aws" {
  region = "us-east-1"
  alias  = "prod"
}

# Define a module for deploying an EC2 instance
module "ec2_instance" {
  source  = "./modules/ec2"
  providers = {
    aws = aws
  }
  instance_name = "${var.environment}-instance"
  ami           = var.ami_id
  instance_type = var.instance_type
}

# Deploy resources to the Development Account
resource "aws_instance" "dev_instance" {
  provider      = aws.dev
  ami           = "ami-0c94855ba95c574c8"
  instance_type = "t2.micro"
}

# Deploy resources to the Production Account
module "prod_instance" {
  source         = module.ec2_instance
  providers      = {
    aws = aws.prod
  }
  environment    = "production"
  ami_id         = "ami-0a9d27a4ff2f09d91"
  instance_type  = "t2.medium"
}

# Example of using cross-account roles (not implemented in this example)
# resource "aws_iam_role" "cross_account_role" {
#   # ... Role configuration ...
# }

# Output values
output "dev_instance_public_ip" {
  value = aws_instance.dev_instance.public_ip
}

output "prod_instance_public_ip" {
  value = module.prod_instance.public_ip
}

Explanation:

1. Provider Configuration: Two AWS providers are defined, dev for the development account and prod for the production account.
2. Remote State: The code uses an S3 bucket for remote state management, enabling collaboration and state consistency.
3. Modules: An ec2_instance module encapsulates the logic for deploying an EC2 instance, promoting code reusability.
4. Resource Deployment: Resources are deployed to specific accounts by referencing the corresponding provider alias (e.g., aws.dev, aws.prod).
5. Cross-Account Roles (Commented Out): The code includes a commented-out section demonstrating the use of cross-account roles, which would require further configuration.
6. Outputs: The output blocks provide information about the deployed resources, such as the public IP addresses of the instances.

Before running this code:

• Replace placeholders: Update the S3 bucket name, AWS regions, AMI IDs, and instance types with your desired values.
• Configure credentials: Ensure you have configured AWS credentials for both the dev and prod aliases. This can be done using environment variables, AWS profiles, or other supported methods.
• Create the module: Create a directory named modules and a subdirectory named ec2 within it. Then, create a file named main.tf inside the modules/ec2 directory and paste the following code into it:

resource "aws_instance" "main" {
  ami           = var.ami_id
  instance_type = var.instance_type
  tags = {
    Name = var.instance_name
  }
}

output "public_ip" {
  value = aws_instance.main.public_ip
}

This code defines the ec2_instance module, which creates an EC2 instance with the specified AMI, instance type, and name tag.

This comprehensive example demonstrates how to manage multiple AWS accounts using Terraform, incorporating best practices for organization, reusability, and security. Remember to adapt the code to your specific requirements and thoroughly test it before deploying to production.

Configuration and Organization:

• Terraform workspaces: Consider using workspaces to manage different environments (dev, staging, prod) within your Terraform codebase, further separating configurations for each AWS account.
• Variable definitions: Define variables for account-specific values like VPC IDs, subnet IDs, and security group names. This promotes reusability and avoids hardcoding sensitive information.
• Directory structure: Organize your Terraform code into directories that reflect your account structure or application boundaries. This improves readability and maintainability.

Security and Best Practices:

• Assume roles within CI/CD: When using Terraform in a CI/CD pipeline, configure the pipeline to assume the necessary IAM roles for each AWS account, rather than storing long-term credentials.
• Secrets management: Utilize a dedicated secrets management tool like AWS Secrets Manager or HashiCorp Vault to securely store and retrieve sensitive information like access keys and API tokens.
• Resource tagging: Implement consistent tagging strategies across all accounts to facilitate resource tracking, cost allocation, and automation.

Advanced Techniques:

• Terraform remote state data sources: Access and utilize data from the Terraform state of one AWS account in another account. This is useful for sharing information like VPC IDs or security group rules.
• Custom modules for cross-account interactions: Develop reusable modules that encapsulate the logic for cross-account resource provisioning and management, such as creating IAM roles and policies.
• Terraform Cloud/Enterprise: Explore features offered by Terraform Cloud or Enterprise for enhanced collaboration, governance, and remote execution capabilities in multi-account environments.

Troubleshooting and Debugging:

• Terraform console: Utilize the terraform console to experiment with provider configurations, data sources, and expressions to validate your code before deployment.
• Verbose logging: Enable verbose logging in Terraform and AWS to gain detailed insights into API calls, resource changes, and potential errors.
• Resource dependency visualization: Use the terraform graph command to visualize the dependencies between resources across different accounts, aiding in understanding and troubleshooting deployment issues.

This article outlines best practices for managing resources across multiple AWS accounts using Terraform.

Key Concepts:

• Provider Aliases: Define separate provider blocks for each AWS account, assigning a unique alias to each (e.g., aws.dev, aws.prod).
• Resource Targeting: Use the provider argument within resource blocks to specify the target AWS account using its alias.
• Authentication: Configure appropriate AWS credentials (environment variables, profiles, etc.) for each provider alias.
• Code Organization: Structure code modularly, using modules to encapsulate resources for specific accounts or environments.
• Remote State Management: Utilize a shared state backend (e.g., AWS S3) for collaboration and consistency.
• Cross-Account Access: Leverage IAM roles and assume roles for resources requiring interaction across accounts.
• Security: Adhere to security best practices, like the principle of least privilege, when configuring IAM roles and policies.
• Thorough Testing: Test your configuration in a staging environment before deploying to production.

By following these practices, you can effectively manage infrastructure across multiple AWS accounts with Terraform, ensuring clarity, maintainability, and security.

By implementing these strategies and adapting the provided code snippets to your specific needs, you can leverage Terraform's power to manage infrastructure across multiple AWS accounts effectively. This approach not only streamlines your workflow but also enhances security, promotes code reusability, and ensures consistency across your diverse AWS environments. As you delve deeper into managing multi-account deployments, consider exploring advanced techniques like Terraform remote state data sources and custom modules for cross-account interactions to further optimize your infrastructure management practices. Remember to prioritize security by adhering to best practices such as the principle of least privilege and utilizing secrets management tools. Through a combination of best practices, appropriate tooling, and a well-structured approach, you can confidently manage even the most complex multi-account AWS environments with Terraform.

• Terraform with Multi-Account AWS : r/Terraform | Posted by u/dub1za - 1 vote and 6 comments
• 4 steps to deploy to multiple AWS accounts with Terraform | by AW ... | No matter the size of your business, multiple accounts to segregate key functional areas of the AWS environment is always highly…
• Using Terraform with multiple AWS accounts and a single S3 ... | Posted by u/CptSupermrkt - 7 votes and 7 comments
• Terraform multi AWS account deployment - Terraform - HashiCorp ... | Hi everyone, I have 3 different AWS accounts; dev, qa and prod. I have main.tf to create aws vpc. Here is the code of main.tf module "vpc" { source = "terraform-aws-modules/vpc/aws" name = "${var.environment}-vpc" cidr_block = "10.0.0.0/16" tags = { Terraform = "true" Environment = var.environment } } I have backend.tf terraform { backend "s3" { bucket = "${var.environment}/terraform.tfstate-test" key = "terraforn.tfstate" } } I have provider.tf with pro...
• Terraform AWS Provider — Everything you need to know about Multi ... | There are multiple options available to configure the authentication between Terraform and AWS. But the two entry points are IAM users and…
• Terraform: Deploy To Multiple AWS Accounts In Single Project ... | Generally, when using HashiCorp Terraform to deploy and manage Amazon AWS resources, the Terraform project will be working with AWS resources in only a single
• Manage multiaccount and multi-Region infrastructure in Terraform ... | Learn how to reduce the use of managing secret and access keys and quickly deploy all the resources. Use version control to track all changes and enable better control in a multiaccount infrastructure.
• Deploy AWS Resources in Different AWS Account and Multi-Region ... | Introduction As a company with a multi-account AWS setup, we recently faced the challenge...
• AWS Cross-Account Deployment with Terraform | by KangZheng Li ... | In this article, we will explore using Terraform to do cross-account deployment in AWS.