在本地验证 Account Factory for Terraform (AFT) 代码

由 Alexandru Pop (AWS) 和 Michal Gorniak (AWS) 编写

Summary

此模式显示了如何在本地测试由 AWS Control HashiCorp Tower Account Factory for Terraform (AFT) 管理的 Terraform 代码。Terraform 是一种开源的基础设施即代码（IaC）工具，可帮助您使用代码来预置和管理云基础结构和资源。AFT 构建了 Terraform 管道，帮助您在 AWS Control Tower 中配置和自定义多个 Amazon Web Services account。

在代码开发过程中，它可能有助于在 AFT 管道之外在本地测试 Terraform 基础设施即代码（IaC）。该模式说明了如何执行以下操作：

此过程还可以用于运行不属于普通 AFT 管道的 Terraform 命令。例如，您可使用此方法来运行 terraform validate、terraform plan、terraform destroy 和 terraform import 等命令。

先决条件和限制

先决条件

限制

架构

目标技术堆栈

自动化和扩缩

此模式显示了如何在单个 AFT 托管 Amazon Web Services account 中本地调用 Terraform 代码进行 AFT 全球账户自定义。验证您的 Terraform 代码后，您可将其应用于多账户环境中的其余账户。有关更多信息，请参阅 AWS Control Tower 文档中的重新调用自定义。

您还可使用类似的过程在本地终端中运行 AFT 账户自定义。要从 AFT 账户自定义项中本地调用 Terraform 代码，请在 AFT 管理账户中克隆aft-account-customizations 存储库，而不是从 AFT aft-global-account-customizations管理账户 CodeCommit 中克隆存储库。

工具

Amazon Web Services

其他服务

代码

以下是 bash 脚本示例，可在本地运行由 AFT 管理的 Terraform 代码。若要使用此脚本，请按照此模式操作说明部分中的说明操作。

#! /bin/bash
# Version: 1.1 2022-06-24 Unsetting AWS_PROFILE since, when set, it interferes with script operation
#          1.0 2022-02-02 Initial Version
#
# Purpose: For use with AFT: This script runs the local copy of TF code as if it were running within AFT pipeline.
#        * Facilitates testing of what the AFT pipline will do 
#           * Provides the ability to run terraform with custom arguments (like 'plan' or 'move') which are currently not supported within the pipeline.
#
# © 2021 Amazon Web Services, Inc. or its affiliates. All Rights Reserved.
# This AWS Content is provided subject to the terms of the AWS Customer Agreement
# available at http://aws.amazon.com/agreement or other written agreement between
# Customer and either Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both.
#
# Note: Arguments to this script are passed directly to 'terraform' without parsing nor validation by this script.
#
# Prerequisites:
#    1. local copy of ct GIT repositories
#    2. local backend.tf and aft-providers.tf filled with data for the target account on which terraform is to be run
#       Hint: The contents of above files can be obtain from the logs of a previous execution of the AFT pipeline for the target account.
#    3. 'terraform' binary is available in local PATH
#    4. Recommended: .gitignore file containing 'backend.tf', 'aft_providers.tf' so the local copy of these files are not pushed back to git

readonly credentials=$(aws sts assume-role \
    --role-arn arn:aws:iam::$(aws sts get-caller-identity --query "Account" --output text ):role/AWSAFTAdmin \
    --role-session-name AWSAFT-Session \
    --query Credentials )

unset AWS_PROFILE
export AWS_ACCESS_KEY_ID=$(echo $credentials | jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo $credentials | jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo $credentials | jq -r '.SessionToken')
terraform "$@"

操作说明

export AWS_PROFILE=<aft account profile name>

mkdir my_aft 
cd my_aft

## Autogenerated backend.tf ##
## Updated on: 2022-05-31 16:27:45 ##
terraform {
  required_version = ">= 0.15.0"
  backend "s3" {
    region         = "us-east-2"
    bucket         = "aft-backend-############-primary-region"
    key            = "############-aft-global-customizations/terraform.tfstate"
    dynamodb_table = "aft-backend-############"
    encrypt        = "true"
    kms_key_id     = "cbdc21d6-e04d-4c37-854f-51e199cfcb7c"
    kms_key_id     = "########-####-####-####-############"
    role_arn       = "arn:aws:iam::#############:role/AWSAFTExecution"
  }
}

echo backend.tf >> .gitignore
echo aft-providers.tf >>.gitignore