Introduction
This guide outlines the procedure for migrating a Replicated deployment of Terraform Enterprise from using AWS IAM user access keys to using IAM roles for authentication. This change improves security by removing long-lived credentials from your configuration and instead leveraging temporary credentials provided by an IAM role associated with your EC2 instances.
Prerequisites
- A Replicated deployment of Terraform Enterprise running on AWS EC2 instances.
- An S3 bucket for Terraform Enterprise storage.
- Permissions to create and manage AWS IAM roles, instance profiles, and EC2 instance configurations.
Procedure
Follow these steps to transition your Terraform Enterprise instance to use an IAM role.
1. Create an IAM Role

   Define an IAM role with the permissions Terraform Enterprise requires to perform its AWS operations. Attach the appropriate policies to the role, such as AmazonS3FullAccess if you are using S3 for storage.

2. Create and Attach an Instance Profile

   Create an AWS instance profile and attach the IAM role you created in the previous step. Associate this instance profile with the EC2 instances running Terraform Enterprise.
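Steps 1 and 2 expressed in Terraform, as an added example that is not part of this guide and not HashiCorp's own reference code. Rather than attaching AmazonS3FullAccess, it grants the role access to the single Terraform Enterprise bucket only; the role, profile and bucket names are placeholders, and the optional KMS statement applies only if the bucket is encrypted with SSE-KMS.

```hcl
# Added example (not from the original guide): least-privilege IAM role and
# instance profile for the Terraform Enterprise EC2 instance.
# Placeholders: "tfe-instance-role", "tfe-instance-profile", var.tfe_bucket_name.

variable "tfe_bucket_name" {
  description = "S3 bucket used by Terraform Enterprise for object storage"
  type        = string
}

# Trust policy: only EC2 may assume the role (that is what the instance
# profile relies on to hand out temporary credentials).
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "tfe" {
  name               = "tfe-instance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Permissions scoped to the one bucket instead of AmazonS3FullAccess.
data "aws_iam_policy_document" "tfe_s3" {
  statement {
    sid       = "BucketLevel"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${var.tfe_bucket_name}"]
  }
  statement {
    sid       = "ObjectLevel"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${var.tfe_bucket_name}/*"]
  }
  # If the bucket uses SSE-KMS, add a statement granting kms:Decrypt and
  # kms:GenerateDataKey on that key's ARN; otherwise leave it out.
}

resource "aws_iam_role_policy" "tfe_s3" {
  name   = "tfe-s3-access"
  role   = aws_iam_role.tfe.id
  policy = data.aws_iam_policy_document.tfe_s3.json
}

resource "aws_iam_instance_profile" "tfe" {
  name = "tfe-instance-profile"
  role = aws_iam_role.tfe.name
}

# Pass this name as the iam_instance_profile argument of the aws_instance
# (or launch template) that runs TFE. For an instance that already exists
# and is not managed here, attach it with
#   aws ec2 associate-iam-instance-profile --instance-id <id> \
#     --iam-instance-profile Name=tfe-instance-profile
output "tfe_instance_profile_name" {
  value = aws_iam_instance_profile.tfe.name
}
```

Without s3:ListBucket on the bucket ARN itself (not the `/*` object ARN), listing operations fail even though object reads succeed, which is the most common mistake when tightening from the managed full-access policy.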
3. Update Terraform Enterprise Configuration

   Before making changes, take a full backup of your Terraform Enterprise instance.

   Connect to the Terraform Enterprise instance and run the following commands to clear the stored S3 credentials and enable the use of an instance profile. This tells Terraform Enterprise to retrieve credentials from the attached IAM role instead of the stored access keys.

   # replicatedctl app-config set s3_access_key --value ""
   # replicatedctl app-config set s3_secret_key --value ""
   # replicatedctl app-config set aws_instance_profile --value "true"
   # replicatedctl app apply-config

4. Restart Terraform Enterprise

   Apply the configuration changes by restarting the Terraform Enterprise application.

   # replicatedctl app stop
   # replicatedctl app start

5. Validate the Configuration

   After the instance restarts, verify that Terraform Enterprise can perform all required operations, such as accessing its S3 bucket for state file storage and other AWS-related tasks.
Additional Information
- Active-Active Deployments: If you use a Terraform Enterprise active-active setup, you must update the launch configuration or launch template's user data script to reflect the new instance profile settings for all nodes in the cluster.
- Testing: We recommend testing these changes in a non-production environment before implementing them in production.
- Replicated Admin CLI documentation