
# 3. Production Environment Account Setup

### Production Account Setup

* Create the role that will be assumed from the ID account.
* **If you have additional accounts**, simply **repeat this guide** for each of them.

This work **requires the bootstrap account** that is needed to create accounts. Create the bootstrap user by following the link below.

### [Create the bootstrap IAM user](/0.-terraform-intermediate/iam.md)

### Backend and provider configuration

In `backend.tf`, change `id -> prod` (the state bucket and key below point at the production account).

```hcl
terraform {
  required_version = ">= 1.0.0" # minimum Terraform version

  backend "s3" {
    bucket         = "art-prod-apnortheast2-tfstate" # state bucket name
    key            = "art/terraform/iam/art-prod/terraform.tfstate"
    region         = "ap-northeast-2"
    encrypt        = true
    dynamodb_table = "terraform-lock" # DynamoDB table used for state locking
  }
}
```

```hcl
provider "aws" {
  region  = "us-east-1"
}
```


### Create the Assume Role

* Create the role that will be assumed from the `id account (dayone-id)`.
* Since admin and readonly were created in the ID account, create the matching roles here.

Edit the following two files.

* `terraform/iam/art-prod/assume-art-prod-admin-with-art-id.tf`
* `terraform/iam/art-prod/assume-art-prod-readonly-with-art-id.tf`

{% code title="vim assume-art-prod-admin-with-art-id.tf" %}

```hcl
#
# art-prod administrator
#
resource "aws_iam_role" "assume_art_prod_admin" {
  name                 = "assume-art-prod-admin"
  path                 = "/"
  max_session_duration = 43200 # 12 hours, in seconds
  assume_role_policy   = data.aws_iam_policy_document.assume_art_prod_admin_assume_role.json
}

# Trust policy: only principals in the ID account may assume this role
data "aws_iam_policy_document" "assume_art_prod_admin_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.id_account_id}:root"]
    }
  }
}

# Inline policy that lets the role pass IAM roles to AWS services
resource "aws_iam_role_policy" "assume_art_prod_admin_passrole" {
  name = "assume-art-prod-admin-passrole"
  role = aws_iam_role.assume_art_prod_admin.id

  policy = data.aws_iam_policy_document.assume_art_prod_admin_pass_role.json
}

data "aws_iam_policy_document" "assume_art_prod_admin_pass_role" {
  statement {
    actions = ["iam:PassRole"]
    effect  = "Allow"

    resources = ["*"]
  }
}

# Attach the AWS managed AdministratorAccess policy
resource "aws_iam_role_policy_attachment" "assume_art_prod_admin" {
  role       = aws_iam_role.assume_art_prod_admin.id
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

{% endcode %}

{% code title="vim assume-art-prod-readonly-with-art-id.tf" %}

```hcl
#
# art-prod readonly
#
resource "aws_iam_role" "assume_art_prod_readonly" {
  name                 = "assume-art-prod-readonly"
  path                 = "/"
  max_session_duration = 43200 # 12 hours, in seconds
  assume_role_policy   = data.aws_iam_policy_document.assume_art_prod_readonly_assume_role.json
}

# Trust policy: only principals in the ID account may assume this role
data "aws_iam_policy_document" "assume_art_prod_readonly_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.id_account_id}:root"]
    }
  }
}

# Inline policy that lets the role pass IAM roles to AWS services
resource "aws_iam_role_policy" "assume_art_prod_readonly_passrole" {
  name = "assume-art-prod-readonly-passrole"
  role = aws_iam_role.assume_art_prod_readonly.id

  policy = data.aws_iam_policy_document.assume_art_prod_readonly_pass_role.json
}

data "aws_iam_policy_document" "assume_art_prod_readonly_pass_role" {
  statement {
    actions = ["iam:PassRole"]
    effect  = "Allow"

    resources = ["*"]
  }
}

# Attach the AWS managed ReadOnlyAccess policy
resource "aws_iam_role_policy_attachment" "assume_art_prod_readonly" {
  role       = aws_iam_role.assume_art_prod_readonly.id
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

{% endcode %}

### Defining and setting variables

* Define the required variables in `variables.tf`.

```hcl
variable "aws_region" {
  description = "The AWS region to deploy the shard storage layer into"
}

variable "id_account_id" {
  description = "The AWS account number of ID account"
}
```

* Enter a value for each variable in `terraform.tfvars`.

```hcl
aws_region    = "us-east-1"
id_account_id = "<account_number_of_id>" # 12-digit account number of the ID account
```
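As an added example (not part of this guide or its Terraform code), a small Python audit of what the HCL above renders once `id_account_id` is set: the trust policy should name only the ID account, and the inline `iam:PassRole` grant on `"*"` that both the admin and the readonly role receive here is worth flagging for tighter scoping. The account ID and the two JSON documents are constructed to mirror the files above.

```python
# Constructed placeholder for var.id_account_id (12-digit ID account number).
ID_ACCOUNT_ID = "111111111111"

# Constructed JSON equivalents of the two policy documents the HCL above
# renders: the role trust policy and the inline iam:PassRole policy.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}],
}
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
}


def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Account ID from an ARN or a bare 12-digit principal ('*' stays '*')."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def audit_trust_policy(doc, expected_account):
    """Return finding tags for a role trust policy (assume_role_policy)."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action not in ("sts:AssumeRole", "sts:TagSession"):
                findings.append(f"unexpected-action:{action}")
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for acct in map(principal_account, aws):
            if acct == "*":
                findings.append("wildcard-principal")
            elif acct != expected_account:
                findings.append(f"foreign-principal:{acct}")
        if "Condition" not in stmt:  # e.g. aws:MultiFactorAuthPresent
            findings.append("no-condition")
    return findings


def audit_passrole_policy(doc):
    """Flag iam:PassRole grants that are not scoped to specific role ARNs."""
    return ["passrole-wildcard-resource"
            for stmt in doc.get("Statement", [])
            if stmt.get("Effect") == "Allow"
            and "iam:PassRole" in as_list(stmt.get("Action", []))
            and "*" in as_list(stmt.get("Resource", []))]
```

Run against the constructed documents, the trust policy yields only `no-condition` and the PassRole policy yields `passrole-wildcard-resource`; a trust policy that names a different account or `*` is reported as `foreign-principal` or `wildcard-principal`.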

