Overview
This article outlines the process for migrating Terraform Enterprise (TFE) from IAM user access keys to an IAM role delivered through an EC2 instance profile. Replacing long-lived static keys with short-lived role credentials removes the risk that a leaked or forgotten access key grants persistent access to the state bucket.
Issue
A security concern was raised regarding the use of IAM user access keys in Terraform configurations, particularly when storing state files in an S3 bucket. The goal is to remove IAM users completely and replace them with IAM roles.
Solution
1. Create an IAM Role
- Define an IAM role whose trust policy allows the EC2 service (ec2.amazonaws.com) to assume it, with the permissions needed for the AWS operations TFE performs.
- Attach the appropriate policy to the role. A managed policy such as AmazonS3FullAccess works, but a customer-managed policy limited to the TFE object-storage bucket (list bucket, get/put/delete objects) is the least-privilege option and is preferable for production.
2. Create an Instance Profile & Attach IAM Role
- Create an instance profile in AWS.
- Attach the IAM role to the instance profile.
- Associate the instance profile with the EC2 instances running Terraform Enterprise (TFE).
3. Update Terraform Configuration
- Modify Terraform configurations so the AWS provider and any S3 backend obtain credentials from the instance profile (the default credential chain) instead of hardcoded access_key/secret_key values or IAM user resources.
4. Remove IAM Users & Access Keys
- Ensure access keys are not present in the Terraform configuration or in the TFE application settings.
- Take a full backup before making changes.
- Run the following commands on the Terraform Enterprise instance. The first two clear the stored access key pair; the third tells TFE to use the instance profile for S3 access; the last applies the new settings:
replicatedctl app-config set s3_access_key --value ""
replicatedctl app-config set s3_secret_key --value ""
replicatedctl app-config set aws_instance_profile --value "true"
replicatedctl app apply-config
5. Restart Terraform Enterprise
- Apply the configuration changes by restarting Terraform Enterprise:
replicatedctl app stop
replicatedctl app start
6. Test & Validate
- Ensure that Terraform can perform all required operations using the IAM role.
- Verify from the TFE instance that AWS calls are made as the assumed role (not as an IAM user), and that state file uploads, downloads, and other AWS operations work as expected.
- Once validation passes, delete the now-unused IAM user access keys and then the IAM user itself, so the old credentials cannot be reused.
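The following is an added example, not code from the original article or from HashiCorp, showing steps 1 to 3 as Terraform: an EC2-assumable role, a least-privilege policy scoped to the TFE object-storage bucket in place of AmazonS3FullAccess, an instance profile, and an instance and S3 backend that carry no access keys. Bucket, role, profile, and AMI names are placeholders; adjust the allowed actions if your TFE deployment needs more than S3 (for example KMS for an encrypted bucket).

```hcl
# Added example (not from the original article). All names are placeholders.

variable "tfe_bucket" {
  description = "S3 bucket TFE uses for object storage (placeholder name)"
  type        = string
  default     = "tfe-object-storage"
}

variable "tfe_ami" {
  description = "AMI for the TFE instance (placeholder)"
  type        = string
}

# Trust policy: only the EC2 service may assume the role, so credentials exist
# only as short-lived tokens served by the instance metadata service.
data "aws_iam_policy_document" "ec2_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "tfe" {
  name               = "tfe-instance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
}

# Least-privilege replacement for AmazonS3FullAccess: list the one TFE bucket
# and read/write/delete objects inside it, nothing else.
data "aws_iam_policy_document" "tfe_s3" {
  statement {
    sid       = "ListTfeBucket"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${var.tfe_bucket}"]
  }
  statement {
    sid       = "TfeObjects"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${var.tfe_bucket}/*"]
  }
}

resource "aws_iam_role_policy" "tfe_s3" {
  name   = "tfe-s3-object-storage"
  role   = aws_iam_role.tfe.id
  policy = data.aws_iam_policy_document.tfe_s3.json
}

resource "aws_iam_instance_profile" "tfe" {
  name = "tfe-instance-profile"
  role = aws_iam_role.tfe.name
}

# The TFE host gets the profile; no aws_iam_user or aws_iam_access_key
# resource remains anywhere in the configuration.
resource "aws_instance" "tfe" {
  ami                  = var.tfe_ami
  instance_type        = "m5.xlarge"
  iam_instance_profile = aws_iam_instance_profile.tfe.name

  # IMDSv2 only, so role credentials are harder to steal via SSRF.
  # Confirm your TFE release supports IMDSv2 before enforcing this.
  metadata_options {
    http_tokens = "required"
  }
}

# Provider and backend carry no access_key/secret_key: when this runs on the
# TFE host, credentials come from the instance profile via the default chain.
provider "aws" {
  region = "us-east-1"
}

terraform {
  backend "s3" {
    bucket = "tfe-object-storage"   # placeholder; backend blocks cannot use variables
    key    = "tfe-infra/terraform.tfstate"
    region = "us-east-1"
  }
}
```

The policy grants only the S3 actions TFE needs on one bucket; if the bucket uses SSE-KMS with a customer-managed key, add kms:GenerateDataKey and kms:Decrypt on that key ARN, which is an assumption about your bucket configuration rather than something the article states.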
Considerations for Active-Active Setup
- If using a Terraform Enterprise active-active setup, update the user data script to reflect the new instance profile settings.
- Test the changes in a non-production environment before implementing them in production.
Outcome
After following the above steps, the migration was successfully tested in a non-production environment. The organization is currently obtaining approvals to proceed with the production rollout.
Conclusion
Migrating from IAM users to IAM roles removes the long-lived access keys that could otherwise be exposed, so a leaked credential no longer grants lasting access to the state bucket. If you encounter any issues during the migration, open a new support ticket for further assistance.