Deploy to Multiple AWS Accounts with Terraform

If you’re looking for a way to deploy copies of an infrastructure, or parts of an infrastructure to several AWS accounts simultaneously, there’s an easy way to do this. It’s done by using multiple “provider configurations”.

As you might be aware, the Terraform provider for AWS must be configured with a way to authenticate itself with AWS, in order to perform infrastructure operations. There are many ways to do this.

The AWS provider offers a flexible means of providing credentials for authentication. The following methods are supported, in this order, and explained below:

> Static credentials

> Environment variables

> Shared credentials/configuration file

> CodeBuild, ECS, and EKS Roles

> EC2 Instance Metadata Service (IMDS and IMDSv2)

Authentication — AWS Provider (hashicorp/aws) Documentation

You configure the provider using static credentials like so:

provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"

This of course is specific to a single AWS account. Now all you have to do to add another account to your config is to duplicate this provider configuration & provide the other account’s region & keys. You also need to provide something called a “provider alias”. This differentiates multiple configurations of the same provider from each other. The provider configuration without an alias is called the default configuration.

provider "aws" {
  region = "us-west-2"
  access_key = "my-account1-access-key"
  secret_key = "my-account1-secret-key"

provider "aws" {
  alias = "account2"
  region = "us-east-1"
  access_key = "my-account2-access-key"
  secret_key = "my-account2-secret-key"

You can then “refer” to one of the provider configurations in your resources using the provider attribute. The resources without the provider attribute will use the default configuration.

resource "aws_instance" "account1_instance" {
  ami = ...

resource "aws_instance" "account2_instance" {
  provider = "aws.account2"
  ami = ...

The above config will create account1_instance in account 1 & account2_instance in account 2.

The same principle of multiple aliased provider configurations can be used with all other provider authentication methods as well — environment variables, shared credentials, etc.

You can also combine this solution with Terraform workspaces:

A common use for multiple workspaces is to create a parallel, distinct copy of a set of infrastructure in order to test a set of changes before modifying the main production infrastructure. For example, a developer working on a complex set of infrastructure changes might create a new temporary workspace in order to freely experiment with changes without affecting the default workspace.

When to use Multiple Workspaces