# 3. Production Environment Account Setup

### Production Account Setup

* Create the roles that the ID account will assume.
* **If you have additional accounts**, **repeat this guide** for each of them.

This work **requires the initialization (bootstrap) user** that was needed to create the account. Create the initialization user by following the link below.

### [iam](https://terraform201.devart.tv/0.-terraform-intermediate/iam "mention")

### backend and provider configuration

In `backend.tf`, change `id -> prod` so the bucket name and state key refer to the prod environment.

```hcl
terraform {
  required_version = ">= 1.0.0" # Terraform version

  backend "s3" {
    bucket         = "art-prod-apnortheast2-tfstate" # state bucket for the prod environment
    key            = "art/terraform/iam/art-prod/terraform.tfstate"
    region         = "ap-northeast-2"
    encrypt        = true             # server-side encryption of the state object
    dynamodb_table = "terraform-lock" # DynamoDB table used for state locking
  }
}
```

```hcl
provider "aws" {
  # IAM is a global service; the region only selects which regional endpoint
  # receives the API calls. The value comes from terraform.tfvars.
  region = var.aws_region
}
```


### Creating the Assume Roles

* Create the roles that the `id account(dayone-id)` will assume.
* Since `admin` and `readonly` were created in the ID account, create a matching role for each.

Edit the following two files.

* `terraform/iam/art-prod/assume-art-prod-admin-with-art-id.tf`
* `terraform/iam/art-prod/assume-art-prod-readonly-with-art-id.tf`

{% code title="vim assume-art-prod-admin-with-art-id.tf" %}

```hcl
#
# art-prod administrator
#
resource "aws_iam_role" "assume_art_prod_admin" {
  name                 = "assume-art-prod-admin"
  path                 = "/"
  max_session_duration = 43200 # 12 hours; the longest session an ID user may request
  assume_role_policy   = data.aws_iam_policy_document.assume_art_prod_admin_assume_role.json
}

# Trust policy: who may call sts:AssumeRole on this role.
# The ":root" principal delegates the decision to the ID account's own IAM
# policies, so any ID-account identity that is allowed sts:AssumeRole on this
# ARN can assume it. Add a condition (for example requiring
# aws:MultiFactorAuthPresent) if the ID account does not enforce MFA itself.
data "aws_iam_policy_document" "assume_art_prod_admin_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.id_account_id}:root"]
    }
  }
}

# Inline PassRole policy. Redundant for this role, because AdministratorAccess
# (attached below) already grants iam:PassRole on "*".
resource "aws_iam_role_policy" "assume_art_prod_admin_passrole" {
  name = "assume-art-prod-admin-passrole"
  role = aws_iam_role.assume_art_prod_admin.id

  policy = data.aws_iam_policy_document.assume_art_prod_admin_pass_role.json
}

data "aws_iam_policy_document" "assume_art_prod_admin_pass_role" {
  statement {
    actions = ["iam:PassRole"]
    effect  = "Allow"

    resources = ["*"]
  }
}

# Permissions the role carries once assumed.
resource "aws_iam_role_policy_attachment" "assume_art_prod_admin" {
  role       = aws_iam_role.assume_art_prod_admin.id
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

{% endcode %}

{% code title="vim assume-art-prod-readonly-with-art-id.tf" %}

```hcl
#
# art-prod readonly
#
resource "aws_iam_role" "assume_art_prod_readonly" {
  name                 = "assume-art-prod-readonly"
  path                 = "/"
  max_session_duration = 43200 # 12 hours; the longest session an ID user may request
  assume_role_policy   = data.aws_iam_policy_document.assume_art_prod_readonly_assume_role.json
}

# Trust policy: same shape as the admin role. ":root" lets any ID-account
# identity whose own IAM policies allow sts:AssumeRole on this ARN assume it;
# tighten with a condition (e.g. aws:MultiFactorAuthPresent) if needed.
data "aws_iam_policy_document" "assume_art_prod_readonly_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.id_account_id}:root"]
    }
  }
}

# Caution: iam:PassRole on "*" adds nothing a read-only role needs
# (ReadOnlyAccess contains no action that passes a role) and widens the role
# beyond what its name promises. Under least privilege, drop this policy unless
# a specific workflow requires it.
resource "aws_iam_role_policy" "assume_art_prod_readonly_passrole" {
  name = "assume-art-prod-readonly-passrole"
  role = aws_iam_role.assume_art_prod_readonly.id

  policy = data.aws_iam_policy_document.assume_art_prod_readonly_pass_role.json
}

data "aws_iam_policy_document" "assume_art_prod_readonly_pass_role" {
  statement {
    actions = ["iam:PassRole"]
    effect  = "Allow"

    resources = ["*"]
  }
}

# Permissions the role carries once assumed.
resource "aws_iam_role_policy_attachment" "assume_art_prod_readonly" {
  role       = aws_iam_role.assume_art_prod_readonly.id
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

{% endcode %}

### Defining and setting variables

* Define the required variables in `variables.tf`.

```hcl
variable "aws_region" {
  description = "The AWS region the provider sends API calls to (IAM itself is global)"
  type        = string
}

variable "id_account_id" {
  description = "The 12-digit AWS account number of the ID account"
  type        = string

  # Catch a mistyped or placeholder value before it is baked into a trust policy.
  validation {
    condition     = can(regex("^[0-9]{12}$", var.id_account_id))
    error_message = "id_account_id must be exactly 12 digits."
  }
}
```

* Enter a value for each variable in `terraform.tfvars`.

```hcl
aws_region    = "us-east-1"
id_account_id = "<account_number_of_id>" # 12-digit account number of the ID account
```
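
Once the roles are applied, an ID-account user still has to be able to reach them. As an added example (not part of the original guide), the script below builds the AWS CLI profiles for the two roles defined above and checks, via `aws sts get-caller-identity`, that each profile actually lands in the intended role. The profile name `art-id`, the script name `prod-profiles.sh`, the environment variables `PROD_ACCOUNT_ID`, `ID_ACCOUNT_ID` and `ID_USER`, and the assumption that ID-account users carry a virtual MFA device are mine, not the page's.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: generate ~/.aws/config profiles
# for the two prod roles and confirm each profile resolves to the expected role.
# Assumptions: the ID-account user already has a CLI profile named "art-id", and
# ID-account users have a virtual MFA device named after the user.
set -eu

ID_PROFILE="art-id"       # assumed name of the ID-account CLI profile
REGION="ap-northeast-2"   # matches the backend's region
SESSION_SECONDS=43200     # must not exceed the roles' max_session_duration

# Build a role ARN, refusing anything that is not a 12-digit account id so a
# typo in terraform.tfvars surfaces here rather than as AccessDenied later.
role_arn() {
  local account_id="$1" role_name="$2"
  case "$account_id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid account id: '$account_id'" >&2; return 1 ;;
  esac
  printf 'arn:aws:iam::%s:role/%s' "$account_id" "$role_name"
}

# Emit one [profile] block. source_profile supplies the ID-account user's keys;
# mfa_serial makes the CLI prompt for a code, so the STS session carries
# aws:MultiFactorAuthPresent=true if the trust policy is later tightened to require it.
profile_block() {
  local name="$1" arn="$2" mfa_serial="$3"
  cat <<EOF
[profile ${name}]
role_arn = ${arn}
source_profile = ${ID_PROFILE}
mfa_serial = ${mfa_serial}
duration_seconds = ${SESSION_SECONDS}
region = ${REGION}

EOF
}

# Confirm a profile resolves to the expected assumed role. Needs network access
# and valid ID-account credentials; returns 1 if the caller identity differs.
verify_profile() {
  local name="$1" expected_role="$2" caller
  caller="$(aws sts get-caller-identity --profile "$name" --query Arn --output text)"
  case "$caller" in
    arn:aws:sts::*:assumed-role/"${expected_role}"/*) echo "ok: $name -> $caller" ;;
    *) echo "unexpected identity for $name: $caller" >&2; return 1 ;;
  esac
}

# Usage:
#   PROD_ACCOUNT_ID=123456789012 ID_ACCOUNT_ID=111122223333 ID_USER=alice \
#     ./prod-profiles.sh emit >> ~/.aws/config
#   ./prod-profiles.sh verify
case "${1:-}" in
  emit)
    mfa="arn:aws:iam::${ID_ACCOUNT_ID:?}:mfa/${ID_USER:?}"
    profile_block art-prod-admin    "$(role_arn "${PROD_ACCOUNT_ID:?}" assume-art-prod-admin)"    "$mfa"
    profile_block art-prod-readonly "$(role_arn "${PROD_ACCOUNT_ID:?}" assume-art-prod-readonly)" "$mfa"
    ;;
  verify)
    verify_profile art-prod-admin    assume-art-prod-admin
    verify_profile art-prod-readonly assume-art-prod-readonly
    ;;
esac
```

`duration_seconds` is set to the same 43200 seconds as the roles' `max_session_duration`; asking for more fails at `AssumeRole`. A 12-hour session is only possible because `source_profile` is backed by an IAM user's long-term keys: if the source were itself an assumed role, role chaining would cap the session at one hour.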
