# Default (un-aliased) provider. Credentials come from the usual environment /
# profile chain; the rest of this file treats them as the Organizations
# management account, since the member-account provider below chains off it.
provider "aws" {
}
# Aliased provider for the newly created member account. Every resource that
# sets `provider = aws.member_account` is created by assuming the role that
# Organizations provisions in the member account (name from
# var.member_account_role_name, default OrganizationAccountAccessRole).
provider "aws" {
  alias = "member_account"

  assume_role {
    # Same ARN as before, built with format() instead of interpolation.
    role_arn = format(
      "arn:aws:iam::%s:role/%s",
      aws_organizations_account.member_account.id,
      var.member_account_role_name,
    )
  }
}
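# IAM user in the management account that switches into the member-account
# role. It deliberately carries no S3 permissions of its own: all S3 access is
# meant to flow through the cross-account role so it is attributable to the
# member account.
resource "aws_iam_user" "s3_full_access" {
  name = "s3-full-access"
}

# Identity-based permission to call sts:AssumeRole on the member-account role.
# For a cross-account assumption the role's trust policy is only half of the
# authorization: the caller's own account must also allow the call, otherwise
# AssumeRole is denied even though the trust policy names this user. The
# resource is pinned to the single role ARN rather than "*".
resource "aws_iam_user_policy" "s3_full_access_assume" {
  name = "assume-s3-full-access-role"
  user = aws_iam_user.s3_full_access.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = aws_iam_role.s3_full_access.arn
    }]
  })
}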
# Trust policy for the member-account role: only the management-account user
# above may assume it. The principal is pinned by ARN; if that user is ever
# deleted and recreated outside Terraform, IAM rewrites the principal to the
# old unique ID and the trust silently stops matching, so re-apply after such a
# change. NOTE(review): there is no condition block (e.g. MFA or an
# aws:SourceIdentity requirement); consider adding one if this role is
# long-lived.
data "aws_iam_policy_document" "s3_full_access" {
  statement {
    effect  = "Allow" # explicit; this is the data source's default
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.s3_full_access.arn]
    }
  }
}
# Role living in the member account (note the aliased provider). Its trust
# policy is the document above, so only the management-account user can
# assume it; what the role may do is attached separately below.
resource "aws_iam_role" "s3_full_access" {
  provider = aws.member_account

  name               = "s3-full-access"
  assume_role_policy = data.aws_iam_policy_document.s3_full_access.json
}
# Permissions for the member-account role: the AWS-managed AmazonS3FullAccess
# policy, i.e. s3:* on every bucket in the member account. That matches the
# role's name, but if the caller only needs a few buckets a customer-managed
# policy scoped to those bucket ARNs would be the least-privilege choice.
resource "aws_iam_role_policy_attachment" "s3_full_access" {
  provider = aws.member_account

  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
  role       = aws_iam_role.s3_full_access.name
}
# The member account itself. Organizations creates `role_name` inside the new
# account, trusted by the management account; that is the role the
# aws.member_account provider assumes, so the two must agree (both read
# var.member_account_role_name).
# NOTE(review): `aws_organization.org` is not declared anywhere in this file,
# and `aws_organization` is not a resource type in the AWS provider (the
# organization resource is `aws_organizations_organization`); confirm the
# intended address, or terraform will reject the depends_on reference.
resource "aws_organizations_account" "member_account" {
  email     = var.member_account_email
  name      = var.member_account_name
  role_name = var.member_account_role_name

  depends_on = [aws_organization.org]
}
# ---- Input variables ----

variable "member_account_name" {
  description = "Friendly name of the member account to create in the organization."
  type        = string
}
variable "member_account_email" {
  description = "Root e-mail address for the new member account; AWS requires it to be unique across all accounts."
  type        = string
}
variable "member_account_role_name" {
  description = "Name of the cross-account admin role Organizations creates in the member account; also the role the aws.member_account provider assumes."
  type        = string
  default     = "OrganizationAccountAccessRole"
}