Building a Multi-User Environment in AWS with Terraform

In this blog post, we'll explore a project where we created a multi-user environment in AWS using Terraform. This setup aims to establish a structured permissions model that accommodates different user groups and roles within an AWS account. Specifically, we have three categories of users: administrators, cloud engineers, and developers.

Project Overview

The primary aim of this project is to create distinct user groups with tailored permissions, ensuring that each group has the necessary access rights to perform their specific tasks. Here's a breakdown of the groups we are setting up:

1. Administrator Group: This group will have full rights to manage all resources.
2. Cloud Engineer Group: Members will have permissions related to cloud infrastructure management.
3. Developer Role: Developers can assume this role to perform specific actions without granting them full access.

Now, let's delve into the Terraform code that accomplishes this setup.

Code Explanation

Below is the complete code for setting up the multi-user environment in AWS using Terraform. Each line is commented to provide clear explanations of what each part does.

Start by creating a project folder and a Terraform file named main.tf, then place the code below in that file.

# When we run terraform init, Terraform will download the AWS provider plugin from this line of code
provider "aws" {
  region = "us-east-1"  # Specify the AWS region
}

# Administrator Group
resource "aws_iam_group" "administrator-group" {
  name = "administrator-group"  # Create a group for administrators
}

# User Creation
resource "aws_iam_user" "user-1" {
  name = "user-1"  # Create a user named user-1
}

# AWS Managed Policy Attachment for Administrator Group
resource "aws_iam_policy_attachment" "administrator-access" {
  name       = "administrator-access"
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"  # Attach the AdministratorAccess policy
  groups     = [aws_iam_group.administrator-group.name]  # Add to the administrator group
  users      = ["your-user"]  # Include the existing admin user. If not included, this user will lose admin rights.
}

# Group Membership for Administrators
resource "aws_iam_group_membership" "add-to-administrators-group" {
  name  = "add-to-administrators-group"
  group = aws_iam_group.administrator-group.name  # Add user-1 to the admin group
  users = [aws_iam_user.user-1.name]
}

# Cloud Engineer Group
resource "aws_iam_group" "cloud-engineer-group" {
  name = "cloud-engineer-group"  # Create a group for cloud engineers
}

# User for Cloud Engineers
resource "aws_iam_user" "user-2" {
  name = "user-2"  # Create a user named user-2
}

# Group Membership for Cloud Engineers
resource "aws_iam_group_membership" "add-to-cloud-engineer-group" {
  name  = "add-to-cloud-engineer-group"
  group = aws_iam_group.cloud-engineer-group.name  # Add user-2 to the cloud engineer group
  users = [aws_iam_user.user-2.name]
}

# Custom JSON Policy Document for Cloud Engineers Group Policy
data "aws_iam_policy_document" "cloud-engineer-policy" {
  statement {
    effect    = "Allow"
    actions   = [ 
      "cloudformation:CreateStack",
      "cloudformation:ListStacks",
      "cloudformation:DeleteStack",
      "ec2:RunInstances",
      "ec2:StopInstances",
      "ec2:StartInstances"
    ]
    resources = ["*"]  # Allow actions on all resources
  }
}

# Inline Policy for Cloud Engineers
resource "aws_iam_group_policy" "cloud-engineer-policy" {
  policy = data.aws_iam_policy_document.cloud-engineer-policy.json 
  group  = aws_iam_group.cloud-engineer-group.name  # Attach policy to the cloud engineer group
}

# Developer Role Trust Policy JSON Document
data "aws_iam_policy_document" "developer-role" {
  statement {
    effect = "Allow"
    actions = ["sts:AssumeRole"]  # Allow assumption of this role
    principals {
      type        = "AWS"
      identifiers = ["*"]  # Allow any AWS entity to assume this role
    }
  }
}

# Developer Role
resource "aws_iam_role" "developer-role" {
  name                 = "developer-role"
  assume_role_policy   = data.aws_iam_policy_document.developer-role.json  # Trust policy for the developer role
}

# Developer Permissions Policy JSON Document
data "aws_iam_policy_document" "developer-access" {
  statement {
    effect = "Allow"
    actions = [
      "lambda:CreateFunction",
      "lambda:DeleteFunction",
      "s3:GetObject",
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:lambda:us-east-1:471112828017:*",  # Specify resources for Lambda
      "arn:aws:s3:::*",
      "arn:aws:s3:::*/*"
    ]
  }
}

# Customer Managed Policy for Developer Role
resource "aws_iam_policy" "developer-policy" {
  policy = data.aws_iam_policy_document.developer-access.json  # Use the defined permissions
}

# Attach Developer Policy to Role
resource "aws_iam_role_policy_attachment" "attach-developer-policy" {
  role       = aws_iam_role.developer-role.name
  policy_arn = aws_iam_policy.developer-policy.arn  # Attach policy to the developer role
}

1. Initialize Terraform: Run the following command in your console. This step will download the required plugins:
   terraform init

2. Plan the Infrastructure: This command will show what infrastructure this code will create in AWS:
   terraform plan

3. Apply the Changes: Run this command, and it will prompt you for confirmation. Type yes to proceed. If everything is correct, this will create the groups, users, and roles in AWS:
   terraform apply

This should create resources in AWS,feel free to tweak any sections further.