diff --git a/bootstrap/configs/pipeline-config.json b/bootstrap/configs/pipeline-config.json new file mode 100644 index 0000000..afbd934 --- /dev/null +++ b/bootstrap/configs/pipeline-config.json @@ -0,0 +1,41 @@ +{ + "schema_version": "tags/20220517.1", + "ecr_region": "us-east-2", + "docker_context_directory": "Lambda", + "docker_file": "config.Dockerfile", + "services": { + "lsports": { + "service_name": "lsports_consume", + "ecr_tag": 20220517.1 + }, + "firebase": { + "service_name": "populate_firebase", + "ecr_tag": 20220517.1 + }, + "create_market": { + "service_name": "create_market", + "ecr_tag": 20220517.1 + } + }, + "lambda_configs_path": "Lambda/configs", + "config_schema_path": "config-schemas", + "terraform_directory": "Terraform2", + "environments": { + "prod": { + "workspaces": [ + "solid", + "flexible" + ] + }, + "dev": { + "workspaces": [ + "default" + ] + }, + "sandbox": { + "workspaces": [ + "default" + ] + } + } +} \ No newline at end of file diff --git a/bootstrap/configs/s3-policy.json b/bootstrap/configs/s3-policy.json new file mode 100644 index 0000000..18e30ae --- /dev/null +++ b/bootstrap/configs/s3-policy.json @@ -0,0 +1,17 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": "arn:aws:s3:::BUCKET/RESOURCE/terraform/KEY", + "Principal": { + "AWS": [ + "ARN" + ] + } + } + ] +} \ No newline at end of file diff --git a/bootstrap/configs/user-assume-role.json b/bootstrap/configs/user-assume-role.json new file mode 100644 index 0000000..468261a --- /dev/null +++ b/bootstrap/configs/user-assume-role.json @@ -0,0 +1,17 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "arn:aws:iam::ACCOUNT:role/ROLE" + }, + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": "arn:aws:s3:::BUCKET/RESOURCE/terraform/KEY" + } + ] +} \ No newline at end of file diff --git a/bootstrap/multi-account/bootstrap.sh b/bootstrap/multi-account/bootstrap.sh new file mode 100644 index 0000000..bbf402a --- /dev/null +++ b/bootstrap/multi-account/bootstrap.sh @@ -0,0 +1,117 @@ +#!/bin/bash + +set -eu + +# need to pass in environments & aws account +USAGE="USAGE: +${0} ..." + +if [[ $# < 3 ]]; then + echo "${USAGE}" >&2 + exit 1 +fi + +TERRAFORM_S3_BUCKET="ubet-tfstate-s3" +REGION="us-east-2" +MAIN_ACCOUNT_ID=$1 + +# get credentials +AWS_CREDENTIALS=(${2//:/ }) +AWS_ID="${AWS_CREDENTIALS[0]}" +AWS_KEY="${AWS_CREDENTIALS[1]}" + + +# ---------------------------------------------------------- +# Create S3 Bucket +# N.B: No need state locking! (dynamodb) +# Each environment would be applied via ci and sandbox would have each "user" make use of a local state +# +# Hardcoding region & bucketname, since we would not want to have it otherwise +# states would be created in terraform but we handle state file policy access here +if [[ $(aws s3api list-buckets --query 'Buckets[].Name' | grep $TERRAFORM_S3_BUCKET) != *$TERRAFORM_S3_BUCKET* ]]; then + aws s3api create-bucket \ + --bucket $TERRAFORM_S3_BUCKET \ + --region $REGION \ + --create-bucket-configuration LocationConstraint=$REGION + + # set bucket resource permissions for arn + ARN="arn:aws:iam::${MAIN_ACCOUNT_ID}:user/terraform-user" + RESOURCES="" + for i in "${@:3}" + do + env_acc=(${i//:/ }) + RESOURCES="\"arn:aws:s3:::${TERRAFORM_S3_BUCKET}/${env_acc[0]}/terraform/.tfstate\", ${RESOURCES}" + done + RESOURCES=${RESOURCES::-2} + + sed \ + -e "s/S3_BUCKET/${TERRAFORM_S3_BUCKET}/g" \ + -e "s|RESOURCES|${RESOURCES}|g" \ + -e "s|ARN|${ARN}|g" \ + "$(dirname "$0")/../configs/s3-policy.json" > s3-policy.json + aws s3api put-bucket-policy --bucket $TERRAFORM_S3_BUCKET --policy file://s3-policy.json + aws s3api put-bucket-versioning --bucket $TERRAFORM_S3_BUCKET --versioning-configuration Status=Enabled + rm s3-policy.json + +fi + + +# ---------------------------------------------------------- +# create roles for each environment if they do not exist [assume_role] +# create terraform user to assume the role +# production & testnet +# create user if !exist +if [[ $(aws iam list-users --query 'Users[*].UserName' | grep "terraform-user") != *"terraform-user"* ]]; then + aws iam create-user --user-name "terraform-user" + echo "created the terraform-user!" +fi +sleep 5 # Let user creation complete to avoid role not finding user + +# create policy +if [[ $(aws iam list-policies --query 'Policies[*].PolicyName' | grep "terraform-user-policy") != *"terraform-user-policy"* ]]; then + ROLE_ARNS="" + for i in "${@:3}" + do + env_acc=(${i//:/ }) + ROLE_ARNS="\"arn:aws:iam::${env_acc[1]}:role/${env_acc[0]}-terraform-role\", ${ROLE_ARNS}" + done + ROLE_ARNS=${ROLE_ARNS::-2} # remove last , & space + sed -e "s|ROLE_ARNS|${ROLE_ARNS}|g" -e "s|ACCOUNT|${env_acc[0]}|g" "$(dirname "$0")/../configs/user-assume-role-policy.json" > user-assume-role-policy.json + aws iam create-policy --policy-name "terraform-user-policy" --policy-document file://user-assume-role-policy.json + echo "created terraform-user-policy!" + aws iam attach-user-policy --user-name "terraform-user" --policy-arn "arn:aws:iam::$MAIN_ACCOUNT_ID:policy/terraform-user-policy" + echo "attached terraform-user-policy to terraform-user!" + aws iam list-attached-user-policies --user-name "terraform-user" + rm user-assume-role-policy.json + +fi + +sleep 5 # Let policy creation complete + +for i in "${@:3}" +do + env_acc=(${i//:/ }) + if [[ $(aws iam list-roles --query 'Roles[*].RoleName' | grep "${env_acc[0]}-terraform-role") != *"${env_acc[0]}-terraform-role"* ]]; then + + # role needs to be created in account the user would be deploying infrastructure to + # assume role & aws configure | credentials set + eval $(aws sts assume-role --role-arn arn:aws:iam::${env_acc[1]}:role/setup-role --role-session-name terraform-${env_acc[0]}-role-setup-session | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"') + + sed -e "s/USER/terraform-user/g" -e "s|ACCOUNT|$MAIN_ACCOUNT_ID|g" "$(dirname "$0")/../configs/role-trust-policy.json" > ${env_acc[0]}-role-trust-policy.json + aws iam create-role --role-name "${env_acc[0]}-terraform-role" --assume-role-policy-document file://${env_acc[0]}-role-trust-policy.json + echo "created ${env_acc[0]}-terraform-role!" + aws iam list-attached-role-policies --role-name "${env_acc[0]}-terraform-role" + rm ${env_acc[0]}-role-trust-policy.json + + # drain assume role credentials + unset AWS_ACCESS_KEY_ID + unset AWS_SECRET_ACCESS_KEY + unset AWS_SESSION_TOKEN + # fill in git user credentials | aws configure + aws configure set aws_access_key_id $AWS_ID + aws configure set aws_secret_access_key $AWS_KEY + fi +done + +# One state file per environment with multiple workspaces +# roles get access to state file for their respective environment \ No newline at end of file diff --git a/bootstrap/single-account/bootstrap.sh b/bootstrap/single-account/bootstrap.sh new file mode 100644 index 0000000..9e8b29b --- /dev/null +++ b/bootstrap/single-account/bootstrap.sh @@ -0,0 +1,69 @@ +#!/bin/bash + +set -eu + +USAGE="USAGE: +${0} " + +if [[ $# -ne 1 ]]; then + echo "${USAGE}" >&2 + exit 1 +fi + +function cleanup (){ + export_sate + rm -f state.tf + pushd ${ENV_BOOTSTRAP_DIR} > /dev/null + rm -f .tfstate.backup + rm -rf terraform.log +} + +# import +# - lockfile tfvars +function import_state(){ + pushd ${ENV_BOOTSTRAP_DIR} > /dev/null + echo $(pwd) + echo "here" + touch -f terraform.log + [ -f ./.terraform.lock.hcl ] && mv ./.terraform.lock.hcl $BOOTSTRAP_MODULE_DIR + [ -f ./variables.tfvars ] && mv ./variables.tfvars $BOOTSTRAP_MODULE_DIR + popd +} + +# export +# - tfvars lockfile +function export_sate(){ + [ -f "./.terraform.lock.hcl" ] && mv "./.terraform.lock.hcl" $ENV_BOOTSTRAP_DIR + [ -f "./variables.tfvars" ] && mv "./variables.tfvars" $ENV_BOOTSTRAP_DIR +} + +# safe exit +trap cleanup EXIT + +## Set vars +BOOTSTRAP_MODULE_DIR=$( cd $( dirname "${BASH_SOURCE[0]}" ); pwd -P ) +pushd ${BOOTSTRAP_MODULE_DIR} > /dev/null +# Get absolute path to environment bootstrap directory +ENV_BOOTSTRAP_DIR=$(cd "../../environments/${1}/bootstrap"; pwd -P) +echo ${BOOTSTRAP_MODULE_DIR} +echo ${ENV_BOOTSTRAP_DIR} +ENVIRONMENT=$(basename $(cd ${ENV_BOOTSTRAP_DIR}; pwd -P)) +echo ${ENVIRONMENT} + +# import resources +import_state + +# set terraform env vars +export TF_DATA_DIR=$ENV_BOOTSTRAP_DIR/.terraform +export TF_LOG_PATH=$ENV_BOOTSTRAP_DIR/terraform.log +export TF_LOG="trace" +# update statefile reference +sed -e "s|ENVIRONMENT|$ENVIRONMENT|g" "${BOOTSTRAP_MODULE_DIR}/state.tf.template" > state.tf + +# terraform +terraform init +terraform validate +terraform apply -var-file="variables.tfvars" # --auto-approve + +# export resources +export_sate diff --git a/bootstrap/single-account/iam.tf b/bootstrap/single-account/iam.tf new file mode 100644 index 0000000..dd3dfb0 --- /dev/null +++ b/bootstrap/single-account/iam.tf @@ -0,0 +1,62 @@ +/* + setup the infrastructure provisioning user + */ +resource "aws_iam_user" "terraform_user" { + name = local.terraform_user + tags = local.common_tags + +} + +resource "aws_iam_user_policy_attachment" "terraform_user_policy_attachment" { + user = aws_iam_user.terraform_user.name + policy_arn = aws_iam_policy.terraform_user_policy.arn +} + +resource "aws_iam_policy" "terraform_user_policy" { + name = "${local.terraform_user}-policy" + description = "Set permissions for creating different pieces of infrastructure" + + policy = data.aws_iam_policy_document.terraform_user_policy_document.json + +} + +data "aws_iam_policy_document" "terraform_user_policy_document" { + override_policy_documents = [ + data.aws_iam_policy_document.s3_policy_document.json, + data.aws_iam_policy_document.permissions_policy_document.json + # add policy documents here + ] + +} + +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +data "aws_iam_policy_document" "s3_policy_document" { + statement { + actions = [ + "s3:ListAllMyBuckets" + ] + resources = ["arn:aws:s3:::*"] + effect = "Allow" + } + statement { + actions = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject" + ] + resources = [ + "${aws_s3_bucket.terraform_bucket[0].arn}/${var.environment}/terraform/.tfstate*" # state file + ] + effect = "Allow" + } + +} + +data "aws_iam_policy_document" "permissions_policy_document" { + statement { + actions = var.terraform_user_permissions + resources = ["*"] + effect = "Allow" + } + +} diff --git a/bootstrap/single-account/locals.tf b/bootstrap/single-account/locals.tf new file mode 100644 index 0000000..31064a9 --- /dev/null +++ b/bootstrap/single-account/locals.tf @@ -0,0 +1,16 @@ + +locals { + region = var.region + account_environment = "${var.company}-${var.environment}" + terraform_user = "${var.environment}-${var.terraform_user}" + state_bucket = "${var.company}-${var.bucket_purpose}-${var.environment}" + logging_bucket = "${var.company}-${var.bucket_purpose}-${var.log_name}-${var.environment}" +} + +locals { + # Common tags to be assigned to all resources + common_tags = { + Environment = local.account_environment + Project = "${var.company}-Infrastructure" + } +} diff --git a/bootstrap/single-account/outputs.tf b/bootstrap/single-account/outputs.tf new file mode 100644 index 0000000..cff2893 --- /dev/null +++ b/bootstrap/single-account/outputs.tf @@ -0,0 +1,9 @@ +output "state_bucket" { + description = "The state_bucket name" + value = local.state_bucket +} + +output "logging_bucket" { + description = "The logging_bucket name" + value = local.logging_bucket +} diff --git a/bootstrap/single-account/providers.tf b/bootstrap/single-account/providers.tf new file mode 100644 index 0000000..f4e4ffc --- /dev/null +++ b/bootstrap/single-account/providers.tf @@ -0,0 +1,9 @@ + +provider "aws" { + region = local.region + default_tags { + tags = { + owner = "Sports Inference - Ubet" + } + } +} diff --git a/bootstrap/single-account/readme.md b/bootstrap/single-account/readme.md new file mode 100644 index 0000000..c36264b --- /dev/null +++ b/bootstrap/single-account/readme.md @@ -0,0 +1,79 @@ +# Single account Bootstrap \[Terraform - AWS\] + +This is a solution for solving the 🐓 and 🥚 problem for implementing terraform support for AWS accounts: How do you Terraform the remote state bucket & user with the right infrastructure generation policies? + +It takes the approach of keeping a local statefile in the repo that only manages these resources: + +- AWS IAM user for provisioning infrastructure +- S3 bucket for remote state file +- S3 bucket for storing state bucket access logs + +References: + +- https://github.com/trussworks/terraform-aws-bootstrap + +## Requirements + +| Name | Version | +| ----------------------------------- | ----------- | +| [terraform](#requirement_terraform) | \>= v1.1.9 | +| [aws cli](#requirement_aws) | \>=v1.22.61 | + +## Providers + +| Name | Version | +| -------------------- | --------------- | +| [aws](#provider_aws) | \>= 3.0, \< 4.0 | + +## Resources + +| Name | Type | +| ------------------------------------------------------------------------------------------------------ | -------- | +| [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_iam_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +| ----------------------------------------------------- | ------------------------------------------------------------------- | ------------- | ------------- | -------- | +| [company](#input_company) | The company name. | `string` | n/a | yes | +| [bucket_purpose](#input_bucket_purpose) | Name to identify the bucket's purpose | `string` | `"terraform"` | no | +| [log_bucket_versioning](#input_log_bucket_versioning) | Bool for toggling versioning for log bucket | `bool` | `false` | no | +| [log_name](#input_log_name) | Log name (for backwards compatibility this can be modified to logs) | `string` | `"log"` | no | +| [log_retention](#input_log_retention) | Log retention of access logs of state bucket. | `number` | `90` | no | +| [state_bucket_tags](#input_state_bucket_tags) | Tags to associate with the bucket storing the Terraform state files | `map(string)` | { | + +"Automation": "Terraform" +} | no | + +## Outputs + +| Name | Description | +| ---------------------------------------- | ----------------------- | +| [logging_bucket](#output_logging_bucket) | The logging_bucket name | +| [state_bucket](#output_state_bucket) | The state_bucket name | + +## Bootstrapping + +``` +terraform init && terraform plan +# Review output of plan +terraform apply +``` + +## Using the backend + +After provisioning the S3 bucket & user. You can create the `state.tf` file in the environment terraform path to use it. + +``` +terraform { + required_version = "~> 0.13" + + backend "s3" { + bucket = "bucket-name" + key = "${environment}/terraform/.tfstate" + region = "region" + encrypt = "true" + } +} +``` diff --git a/bootstrap/single-account/s3.tf b/bootstrap/single-account/s3.tf new file mode 100644 index 0000000..a68abaf --- /dev/null +++ b/bootstrap/single-account/s3.tf @@ -0,0 +1,76 @@ + +resource "aws_s3_bucket" "terraform_bucket" { + bucket = local.state_bucket + + count = 1 + + tags = local.common_tags +} + +resource "aws_s3_bucket_acl" "terraform_bucket_acl" { + bucket = aws_s3_bucket.terraform_bucket[0].id + acl = "private" +} + + +resource "aws_s3_bucket_logging" "logging" { + bucket = aws_s3_bucket.terraform_bucket[0].id + + target_bucket = aws_s3_bucket.log_bucket.id + target_prefix = "log/" +} +resource "aws_s3_bucket" "log_bucket" { + bucket = local.logging_bucket + + tags = local.common_tags + +} + +resource "aws_s3_bucket_acl" "log_bucket_acl" { + bucket = aws_s3_bucket.log_bucket.id + acl = "private" +} + +# put policy on bucket +resource "aws_s3_bucket_policy" "terraform_bucket_policy" { + bucket = aws_s3_bucket.terraform_bucket[0].id + policy = data.aws_iam_policy_document.terraform_bucket_policy_document.json +} + +# bucket policy +data "aws_iam_policy_document" "terraform_bucket_policy_document" { + statement { + sid = "User List Bucket" + principals { + type = "AWS" + identifiers = [aws_iam_user.terraform_user.arn] + } + + effect = "Allow" + actions = [ + "s3:ListBucket" + ] + + resources = [ + aws_s3_bucket.terraform_bucket[0].arn # bucket + ] + } + statement { + sid = "User Access state file" + principals { + type = "AWS" + identifiers = [aws_iam_user.terraform_user.arn] + } + + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject" + ] + + resources = [ + "${aws_s3_bucket.terraform_bucket[0].arn}/${var.environment}/terraform/.tfstate*" # state file + ] + } +} diff --git a/bootstrap/single-account/state.tf.template b/bootstrap/single-account/state.tf.template new file mode 100644 index 0000000..303b14b --- /dev/null +++ b/bootstrap/single-account/state.tf.template @@ -0,0 +1,5 @@ +terraform { + backend "local" { + path = "../../ENVIRONMENT/bootstrap/.tfstate" + } +} diff --git a/bootstrap/single-account/variables.tf b/bootstrap/single-account/variables.tf new file mode 100644 index 0000000..d780873 --- /dev/null +++ b/bootstrap/single-account/variables.tf @@ -0,0 +1,67 @@ +variable "region" { + description = "Provider region" + type = string + default = "us-east-2" +} +variable "company" { + description = "The company name to add to naming convention." + type = string +} + + +variable "environment" { + description = "work environment - sandbox | dev | uat | prod" + type = string +} + +variable "log_retention" { + description = "Log retention of access logs of state bucket." + default = 90 + type = number +} + +variable "bucket_purpose" { + description = "Name to identify the bucket's purpose" + default = "terraform" + type = string +} + +variable "log_name" { + description = "Log name" + default = "logs" + type = string +} + +variable "log_bucket_versioning" { + description = "A string that indicates the versioning status for the log bucket." + default = "Disabled" + type = string + validation { + condition = contains(["Enabled", "Disabled", "Suspended"], var.log_bucket_versioning) + error_message = "Valid values for versioning_status are Enabled, Disabled, or Suspended." + } +} + +variable "state_bucket_tags" { + type = map(string) + default = { Automation : "Terraform" } + description = "Tags to associate with the bucket storing the Terraform state files" +} + +variable "log_bucket_tags" { + type = map(string) + default = { Automation : "Terraform", Logs : "Terraform" } + description = "Tags to associate with the bucket storing the Terraform state bucket logs" +} + +variable "terraform_user" { + description = "The username for the infrastructure provisioning user." + type = string + default = "terraform-user" +} + +variable "terraform_user_permissions" { + description = "The permissions for the infrastructure provisioning." + type = list(string) + default = ["s3:CreateBucket"] +} diff --git a/bootstrap/single-account/versions.tf b/bootstrap/single-account/versions.tf new file mode 100644 index 0000000..f428fc2 --- /dev/null +++ b/bootstrap/single-account/versions.tf @@ -0,0 +1,14 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = ">=3.52.0" + } + local = { + source = "hashicorp/local" + version = "= 2.1.0" + + } + } + required_version = "~> 1.5.6" +} diff --git a/environments/dev/bootstrap/variables.tfvars b/environments/dev/bootstrap/variables.tfvars new file mode 100644 index 0000000..71199dd --- /dev/null +++ b/environments/dev/bootstrap/variables.tfvars @@ -0,0 +1,11 @@ +region = "eu-central-1" +company = "company-name" +environment = "dev" +log_retention = 90 +bucket_purpose = "logging" +log_name = "company-name-environment-log" +log_bucket_versioning = "Enabled" +state_bucket_tags = { Automation : "Terraform" } +log_bucket_tags = { Automation : "Terraform", Logs : "Terraform" } +terraform_user = "terraform-user" +terraform_user_permissions = ["s3:CreateBucket"] diff --git a/environments/dev/main.tf b/environments/dev/main.tf new file mode 100644 index 0000000..092cf08 --- /dev/null +++ b/environments/dev/main.tf @@ -0,0 +1,7 @@ +provider "aws" { + region = "us-east-2" + assume_role { + role_arn = "arn:aws:iam::${var.aws_accountnumber}:role/dev-terraform-role" + } +} + diff --git a/environments/production/bootstrap/variables.tfvars b/environments/production/bootstrap/variables.tfvars new file mode 100644 index 0000000..bcd3ac5 --- /dev/null +++ b/environments/production/bootstrap/variables.tfvars @@ -0,0 +1,11 @@ +region = "eu-central-1" +company = "company-name" +environment = "production" +log_retention = 90 +bucket_purpose = "logging" +log_name = "logbucket" +log_bucket_versioning = "Enabled" +state_bucket_tags = { Automation : "Terraform" } +log_bucket_tags = { Automation : "Terraform", Logs : "Terraform" } +terraform_user = "terraform-user" +terraform_user_permissions = ["s3:CreateBucket"] diff --git a/environments/production/main.tf b/environments/production/main.tf new file mode 100644 index 0000000..d5cf398 --- /dev/null +++ b/environments/production/main.tf @@ -0,0 +1,7 @@ +provider "aws" { + region = "us-east-2" + assume_role { + role_arn = "arn:aws:iam::${var.aws_accountnumber}:role/production-terraform-role" + } +} + diff --git a/environments/staging/bootstrap/variables.tfvars b/environments/staging/bootstrap/variables.tfvars new file mode 100644 index 0000000..3496d37 --- /dev/null +++ b/environments/staging/bootstrap/variables.tfvars @@ -0,0 +1,11 @@ +region = "eu-central-1" +company = "company-name" +environment = "staging" +log_retention = 90 +bucket_purpose = "logging" +log_name = "company-name-environment-log" +log_bucket_versioning = "Enabled" +state_bucket_tags = { Automation : "Terraform" } +log_bucket_tags = { Automation : "Terraform", Logs : "Terraform" } +terraform_user = "terraform-user" +terraform_user_permissions = ["s3:CreateBucket"] diff --git a/environments/staging/main.tf b/environments/staging/main.tf new file mode 100644 index 0000000..00d8d97 --- /dev/null +++ b/environments/staging/main.tf @@ -0,0 +1,7 @@ +provider "aws" { + region = "us-east-2" + assume_role { + role_arn = "arn:aws:iam::${var.aws_accountnumber}:role/staging-terraform-role" + } +} +