Terraform declaration of a cross-account IAM role ("Another AWS account" trust) with an "external ID", for infrastructure scanning purposes, e.g. Cloudcraft
# IAM role that the scanning vendor's AWS account assumes.
# Who may assume it is defined by the trust document referenced in
# assume_role_policy; what it may do comes from the attached managed policy.
resource "aws_iam_role" "foobar-role" {
  name = "foobar"
  path = "/"

  # NOTE(review): managed_policy_arns is deprecated in newer AWS provider
  # releases in favour of aws_iam_role_policy_attachment; confirm against the
  # provider version pinned for this configuration.
  managed_policy_arns = [aws_iam_policy.foobar-policy.arn]

  assume_role_policy = data.aws_iam_policy_document.foobar-assume-role-policy-document.json
}
# Trust policy: allows principals in the scanning vendor's account to call
# sts:AssumeRole on the role above.
#
# The sts:ExternalId condition is the control against the confused-deputy
# problem when the trusted account belongs to a third party (e.g. a SaaS
# scanner): only callers presenting the agreed External ID can assume the
# role. Keep it whenever the vendor supplies one.
data "aws_iam_policy_document" "foobar-assume-role-policy-document" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type = "AWS"
      # Replace {ACCOUNT ID} with the trusted account's numeric id.
      # Trusting ":root" trusts the whole account; which of its principals
      # may actually assume the role is then decided by that account's own
      # IAM policies.
      identifiers = ["arn:aws:iam::{ACCOUNT ID}:root"]
    }

    # (Optional) present only when an External ID has been issued.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      # Replace {External ID} with the uuid supplied by the vendor.
      values = ["{External ID}"]
    }
  }
}
# Permissions granted to the scanning role. Written with HCL attribute syntax
# (Key = value); jsonencode emits the same JSON document as the quoted-key form.
resource "aws_iam_policy" "foobar-policy" {
  name = "foobar"
  path = "/"

  # Adjust `Action` to the smallest set the scanner actually needs, and narrow
  # `Resource` from "*" if it only needs access to specific buckets.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["s3:List*"]
        Effect   = "Allow"
        Resource = "*"
      }
    ]
  })
}
# Role ARN to hand to the scanning vendor; it is the value they need to
# configure on their side in order to assume the role.
output "foobar_arn" {
  value = aws_iam_role.foobar-role.arn
}