Skip to content

Instantly share code, notes, and snippets.

@choonkeat
Last active August 1, 2021 07:54
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
terraform declaration to "Another AWS account" with "external ID" for infrastructure scanning purpose, e.g. Cloudcraft
resource "aws_iam_role" "foobar-role" {
name = "foobar"
path = "/"
assume_role_policy = data.aws_iam_policy_document.foobar-assume-role-policy-document.json
managed_policy_arns = [aws_iam_policy.foobar-policy.arn]
}
data "aws_iam_policy_document" "foobar-assume-role-policy-document" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::{ACCOUNT ID}:root"] # change {ACCOUNT ID} with a given numeric id
}
# (Optional) if given an External ID
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = ["{External ID}"] # change {External ID} with a given uuid
}
}
}
resource "aws_iam_policy" "foobar-policy" {
name = "foobar"
path = "/"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Action" : [
"s3:List*",
],
"Effect" : "Allow",
"Resource" : "*"
}
]
}) # change `Action` accordingly
}
output "foobar_arn" {
value = aws_iam_role.foobar-role.arn
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment