Thursday, June 15, 2023

Provisioning Cross-Account Dependencies in Amazon Account Factory for Terraform

Before we dive into setting up an additional provider, it helps to go over a little of the project structure for Amazon Account Factory for Terraform (AFT). When you create a new customization script by copying the template directory in your project, you will notice two Jinja files in the terraform folder. These files act as templates that work with the AFT pipeline to properly configure your Terraform script for execution. By default they come pre-configured with a single provider; this provider becomes the provider for your target account when the pipeline executes. Jinja uses {{ variable }} placeholders to replace values in the file with those ambient in the execution pipeline. So what if you need to configure a cross-account dependency between your account and another account?

Configuring a second provider is pretty straightforward: copy the provider block, paste it into the template file, and replace the role_arn with a role in the secondary account. If you use AFT in other accounts you can assume the AWSAFTExecution role in the secondary account to gain administrative access for the Terraform provider; then set the alias in the second block to something you can reference in your script. That's it; now you can apply changes to multiple accounts via the customization script.

provider "aws" {
  region = "us-east-1"
  alias  = "*YOURALIASHERE*"
  assume_role {
    role_arn    = "arn:aws:iam::*YOURACCOUNTHERE*:role/AWSAFTExecution"
  }
  default_tags {
    tags = {
      managed_by                  = "AFT"
    }
  }
}

Wednesday, April 19, 2023

Using Terraform Remote Modules Sourced From CodeCommit using HTTPS (GRC) with AWS Account Factory (AFT) Workflow

AWS Account Factory is a robust templating framework allowing users to apply account configuration uniformly, using Terraform, across an organization with multiple accounts and consolidated billing. Currently, there is a limitation preventing the inclusion of CodeCommit modules in the customization Terraform script, which makes it difficult to compartmentalize the account customization scripts. Amazon recommends using HTTPS (GRC) to access CodeCommit; this method lets you use AWS credentials to access the repository, negating the need for usernames, passwords, and keys. Fortunately, all of the nuts and bolts to source modules from CodeCommit are already there. We just need to make a few tweaks to the customizations folder and to the role used to execute the customizations CodeBuild project.

Terraform pre-api-helpers.sh

To support CodeCommit GRC access, you need to install the git-remote-codecommit credential helper. This can be done from the pre-api-helpers.sh script, negating the need to modify the boilerplate CodeBuild project provided by Amazon.

#AWS overwrites the python VENV when executing the pre-api-helpers, so you first need
#to re-map it back to the one used when terraform executes
python3 -m venv "$DEFAULT_PATH/aft-venv"
#Install the codecommit helper into the terraform venv pip location
"$DEFAULT_PATH/aft-venv/bin/pip" install git-remote-codecommit

Terraform module reference

When setting up your repositories in CodeCommit for access as a module reference, it is recommended to use a naming convention so that you can specify that convention in the policy, avoiding the need to add each repository to the policy individually or to grant access to all repositories. Note the use of aft-management in the URI: this tells the credential helper to use the credential profile used to connect to the management account (the AFT management role) when connecting to the repository.

module "aft-module-mymodule" {
  source = "git::codecommit::us-east-1://aft-management@aft-module-mymodule"
}

IAM Policy Changes

Next, we need to give AFT access to the module repositories so they can be referenced as noted above; again, it is recommended to use a naming convention so that any new modules you create are automatically granted access by the IAM policy. First, locate the aft-customizations-role in IAM and add the following policy, or amend the existing policy statement that allows access to the aft-account-customizations repository.

...
        {
            "Effect": "Allow",
            "Action": [
                "codecommit:GetBranch",
                "codecommit:GetRepository",
                "codecommit:GetCommit",
                "codecommit:GitPull",
                "codecommit:UploadArchive",
                "codecommit:GetUploadArchiveStatus",
                "codecommit:CancelUploadArchive"
            ],
            "Resource": [
                "arn:aws:codecommit:us-east-1:YOURACCOUNTNUMBERHERE:aft-*-customizations*",
                "arn:aws:codecommit:us-east-1:YOURACCOUNTNUMBERHERE:aft-module-*"
            ]
        }
...
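As an added example that is not part of the original post, the following Python pre-flight check ties the module reference section and the IAM policy section together: it parses the GRC module sources out of a customization script, builds each repository's ARN, and tests it against the policy statement with IAM wildcard matching, so a module repository that does not follow the aft-module-* convention is caught before terraform init fails inside the pipeline. The sample HCL, the policy dict and the account id 111111111111 are constructed placeholders.

```python
import re
# Constructed sample: two GRC module sources; the second repo ignores the aft-module-* convention.
SAMPLE_HCL = '''
module "aft-module-mymodule" {
  source = "git::codecommit::us-east-1://aft-management@aft-module-mymodule?ref=v1.2.0"
}
module "network" {
  source = "git::codecommit::us-east-1://aft-management@shared-network"
}
'''
# Constructed policy mirroring the statement above; 111111111111 is a placeholder account id.
POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["codecommit:GitPull", "codecommit:GetRepository"],
    "Resource": [
        "arn:aws:codecommit:us-east-1:111111111111:aft-*-customizations*",
        "arn:aws:codecommit:us-east-1:111111111111:aft-module-*",
    ],
}]}
# Terraform GRC source: git::codecommit::<region>://<profile>@<repository>[?ref=...]
GRC_SOURCE = re.compile(
    r'source\s*=\s*"git::codecommit::(?P<region>[a-z0-9-]+)://'
    r'(?:(?P<profile>[^@"]+)@)?(?P<repo>[^"?]+)'
)

def grc_sources(hcl_text):
    """Return (region, profile, repository) for every GRC module source in the HCL text."""
    return [m.group("region", "profile", "repo") for m in GRC_SOURCE.finditer(hcl_text)]

def iam_match(pattern, value):
    """IAM glob: '*' matches any run of characters, '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def arn_allowed(arn, policy, action="codecommit:GitPull"):
    """True if an Allow statement grants `action` on `arn` (explicit Deny is not modelled)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (stmt["Effect"] == "Allow"
                and any(iam_match(a.lower(), action.lower()) for a in actions)  # action names are case-insensitive
                and any(iam_match(r, arn) for r in resources)):
            return True
    return False

def denied_modules(hcl_text, policy, account_id):
    """Repositories the customizations role cannot pull, so terraform init would fail on them."""
    return [repo for region, _profile, repo in grc_sources(hcl_text)
            if not arn_allowed(f"arn:aws:codecommit:{region}:{account_id}:{repo}", policy)]
```

Running denied_modules(SAMPLE_HCL, POLICY, "111111111111") reports shared-network, the one source the aft-module-* convention in the policy does not cover.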