Terraform Access Provisioning for AWS

Use AWS Terraform as a way to provision access to your AWS storage buckets.

Terraform is an infrastructure service from HashiCorp that enables administrators to configure and provision resources. Terraform is flexible in how it can be implemented, which allows users to design and configure their Terraform scripts in a variety of ways.


This topic describes how to use an AWS Terraform provider to help automate the steps to provision ChaosSearch access to your AWS cloud storage buckets.

Prerequisites

Before you get started with the Terraform access configuration scripts, make sure that you have the following:

  • Your AWS profile name and region where the cloud storage buckets are located
  • Your AWS account number
  • The list of the AWS bucket names and the AWS region where they are located (these are the buckets to which you are granting ChaosSearch read and list access)
  • Your ChaosSearch external ID

Your workstation must also have an installed version of Terraform.

Obtaining the AWS Terraform Templates

Contact ChaosSearch Customer Success to obtain the Terraform package with the files needed to use the AWS Terraform access provisioning. The package is typically a tarfile package of several Terraform definition files.

As a good practice, extract the Terraform files to a new empty folder on your workstation, and change to that folder for the next steps.

Set the Environment Variables

Run the following commands to set and export the environment variables:

export AWS_PROFILE=<Your AWS_PROFILE>
export AWS_REGION=<Your AWS region>

Create the Terraform Variables File

In the directory where you extracted the Terraform files for the AWS access example kit, create a variables.tfvars text file with the following contents:

cs_external_id = "CS_ACCOUNT_ID_FROM_CHAOSSEARCH"
data_bucket_name = "<see below>"
aws_account_number = YOUR_AWS_ACCOUNT_NUMBER

For the data_bucket_name field, you can type one AWS S3 bucket name to grant ChaosSearch read access to that bucket. You can then use the AWS IAM interface to update the policy to add other buckets following the steps in IAM role Policy Permissions. You could also use the string "*" to grant read access to all buckets, but this is not recommended for most production environments. Currently this Terraform example does not support multiple bucket names in the data_bucket_name field.
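
The constraints on data_bucket_name described above can be checked before Terraform runs. The following shell functions are an added example, not part of the ChaosSearch Terraform package: the names tfvar and check_tfvars are hypothetical, and the script assumes variables.tfvars holds one key = value assignment per line with no trailing comments. It goes beyond the wildcard and single-bucket notes to also check S3 bucket naming rules, the 12-digit AWS account number, and a leftover cs_external_id placeholder.

```shell
#!/bin/sh
# Pre-flight check for variables.tfvars, run before `terraform apply`.
# Variable names are the page's; the validation rules are this example's own.
LC_ALL=C; export LC_ALL

# Print the value assigned to key $2 in tfvars file $1, outer quotes stripped.
tfvar() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Return 0 when the file passes every check, 1 otherwise (reasons on stderr).
check_tfvars() {
    rc=0
    bucket=$(tfvar "$1" data_bucket_name)
    account=$(tfvar "$1" aws_account_number)
    extid=$(tfvar "$1" cs_external_id)

    case "$bucket" in
        '*') echo 'data_bucket_name "*" grants read access to every bucket' >&2; rc=1 ;;
        ''|*[!a-z0-9.-]*|[!a-z0-9]*|*[!a-z0-9])
            echo "data_bucket_name must be one valid bucket name: '$bucket'" >&2; rc=1 ;;
        *)  if [ "${#bucket}" -lt 3 ] || [ "${#bucket}" -gt 63 ]; then
                echo "data_bucket_name must be 3 to 63 characters" >&2; rc=1
            fi ;;
    esac

    case "$account" in
        ''|*[!0-9]*) echo "aws_account_number must be digits only" >&2; rc=1 ;;
        *) [ "${#account}" -eq 12 ] ||
               { echo "aws_account_number must be 12 digits" >&2; rc=1; } ;;
    esac

    case "$extid" in
        ''|CS_ACCOUNT_ID_FROM_CHAOSSEARCH)
            echo "cs_external_id is empty or still the placeholder" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample input: the wildcard case the page advises against.
demo=$(mktemp)
printf '%s\n' 'cs_external_id = "example-external-id"' \
    'data_bucket_name = "*"' 'aws_account_number = 123456789012' > "$demo"
if check_tfvars "$demo"; then echo "ok to apply"; else echo "rejected"; fi
rm -f "$demo"
```

To use it on a real file, call check_tfvars variables.tfvars and run terraform apply only when it returns 0.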

Run the Terraform Steps

To use the AWS Terraform example to provision access for ChaosSearch:

  1. Run the terraform init command to set up the Terraform environment.
  2. Optionally run terraform plan to check for errors or issues in the files.
  3. Run the terraform apply -var-file="variables.tfvars" command to provision the AWS access role and policy to grant read access to the specified bucket for ChaosSearch.

The output of the Terraform scripts is the role ARN that you must supply in the AWS Credentials page of the ChaosSearch console.