Terraform initialization of AWS sub account

15-acme-operations.tf

// Configure AWS provider
variable "acme_operations" {
  default = "ACCOUNTID"
}

provider "aws" {
  alias = "acme_operations"
  profile = "acme_operations"
  region = "${var.aws_default_region}"
  shared_credentials_file = "./credentials"
  allowed_account_ids = ["${var.acme_operations}"]
}

// Set human readable alias for the account
resource "aws_iam_account_alias" "acme_operations" {
  account_alias = "acme-operations"
  provider = "aws.acme_operations"
}

// Add OneLogin as SAML IdP
resource "aws_iam_saml_provider" "acme_operations_onelogin" {
  name = "OneLogin"
  saml_metadata_document = "${file("saml-metadata/acme.xml")}"
  provider = "aws.acme_operations"
}

output "acme_operations_saml_provider_arn" {
  value = "${aws_iam_saml_provider.acme_operations_onelogin.arn}"
}

data "aws_iam_policy_document" "acme_operations_onelogin_crossaccount_assume" {
  statement {
    sid = "OneLogin"
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type = "Federated"
      identifiers = ["${aws_iam_saml_provider.acme_operations_onelogin.arn}"]
    }

    condition {
      test = "StringEquals"
      variable = "SAML:aud"
      values = ["https://signin.aws.amazon.com/saml"]
    }
  }

  statement {
    sid = "acme"
    actions = ["sts:AssumeRole"]

    principals {
      type = "AWS"
      identifiers = ["arn:aws:iam::${var.acme}:root"]
    }
  }

  provider = "aws.acme"
}

// Create roles to be assumed via OneLogin
resource "aws_iam_role" "acme_operations_administrator" {
  name = "Administrator"
  assume_role_policy = "${data.aws_iam_policy_document.acme_operations_onelogin_crossaccount_assume.json}"
  provider = "aws.acme_operations"
}

resource "aws_iam_role_policy_attachment" "acme_operations_administrator" {
  role = "${aws_iam_role.acme_operations_administrator.name}"
  policy_arn = "${var.administrator_default_arn}"
  provider = "aws.acme_operations"
}

resource "aws_iam_role" "acme_operations_developer" {
  name = "Developer"
  assume_role_policy = "${data.aws_iam_policy_document.acme_operations_onelogin_crossaccount_assume.json}"
  provider = "aws.acme_operations"
}

resource "aws_iam_role_policy_attachment" "acme_operations_developer" {
  role = "${aws_iam_role.acme_operations_developer.name}"
  policy_arn = "${var.developer_default_arn}"
  provider = "aws.acme_operations"
}

resource "aws_iam_role" "acme_operations_billing" {
  name = "Billing"
  assume_role_policy = "${data.aws_iam_policy_document.acme_operations_onelogin_crossaccount_assume.json}"
  provider = "aws.acme_operations"
}

resource "aws_iam_role_policy_attachment" "acme_operations_billing" {
  role = "${aws_iam_role.acme_operations_billing.name}"
  policy_arn = "${var.billing_default_arn}"
  provider = "aws.acme_operations"
}

// Create OneLogin external access
resource "aws_iam_policy" "acme_operations_onelogin_external" {
  name = "OneLoginExternalRole"
  description = "External role policy to enable OneLogin's AWS Account to pull Account Aliases and Roles."
  policy = "${data.aws_iam_policy_document.acme_onelogin_external.json}"
  provider = "aws.acme_operations"
}

resource "aws_iam_role" "acme_operations_onelogin_external" {
  name = "OneLogin"
  assume_role_policy = "${data.aws_iam_policy_document.acme_onelogin_external_assume.json}"
  provider = "aws.acme_operations"
}

resource "aws_iam_role_policy_attachment" "acme_operations_onelogin_external" {
  role = "${aws_iam_role.acme_operations_onelogin_external.name}"
  policy_arn = "${aws_iam_policy.acme_operations_onelogin_external.arn}"
  provider = "aws.acme_operations"
}

@EmilKhaos Should the acme_operations_onelogin_crossaccount_assume policy be created with provider aws.acme_operations?