2 votes

I am trying to run Terraform in a private VPC using the AWS provider. Terraform supports overriding various AWS endpoints and so I have been using VPC Endpoints to expose relevant services in my VPC and overriding those endpoints in my provider configuration.

Unfortunately IAM is not supported by VPC Endpoints - I need this API to create some resources, for example AWS roles, so how can I use this API in my private VPC from Terraform?

$ terraform -v
Terraform v0.11.13
+ provider.aws v2.17.0

Comments:

ydaetskcoR: Do you have to run Terraform from inside the VPC for creating these IAM resources? Does the VPC have to be absolutely private (e.g. no public subnets or NAT at all)?

dippynark: It can reach the internet via another peered VPC, but I would prefer not to have to configure/support that - I feel there should be a way to access the API without requiring internet access.

ydaetskcoR: If the endpoint isn't available by VPC endpoints then no, you need to be able to access the IAM endpoint over the internet or via a peered VPC that does have access to the internet.

1 Answer

0 votes

CloudFormation supports VPC endpoints. So you can make a CloudFormation template that creates the IAM resources. Then apply that CloudFormation stack via Terraform. Then do another Terraform module that refers to those resources as data sources.

Given the constraints of your problem, it is only possible to solve this indirectly.

Docs: Terraform docs for the aws_cloudformation_stack resource; AWS docs for CloudFormation VPC endpoints.
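The indirection the answer describes, written out as an added example (not code from the question, the answer, or the Terraform provider): the provider is pointed at a CloudFormation interface endpoint, a CloudFormation stack creates the role, and the role's ARN is consumed from the stack outputs. The region, endpoint hostname, role name and managed policy are placeholders; the Terraform 0.11 interpolation syntax matches the version in the question. One caveat not in the answer: a `data "aws_iam_role"` lookup calls the IAM API (iam:GetRole) and would fail from a VPC with no IAM reachability, so the stack outputs are used instead.

```hcl
# Added example, not from the original post. Placeholders: region, VPC endpoint
# hostnames, role name and policy ARN.
provider "aws" {
  region = "eu-west-1"

  endpoints {
    # Interface endpoints reachable inside the private VPC (placeholder hostnames).
    # STS is included because the provider calls sts:GetCallerIdentity on setup.
    cloudformation = "https://vpce-0123456789abcdef0-abcdefgh.cloudformation.eu-west-1.vpce.amazonaws.com"
    sts            = "https://vpce-0123456789abcdef1-abcdefgh.sts.eu-west-1.vpce.amazonaws.com"
  }
}

# CloudFormation, not Terraform, talks to IAM, so no IAM endpoint is needed from the VPC.
resource "aws_cloudformation_stack" "iam" {
  name         = "private-vpc-iam"
  capabilities = ["CAPABILITY_NAMED_IAM"]   # required because the template names an IAM role

  template_body = <<-EOF
    AWSTemplateFormatVersion: "2010-09-09"
    Resources:
      AppRole:
        Type: AWS::IAM::Role
        Properties:
          RoleName: app-role              # assumed name
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Service: ec2.amazonaws.com   # only EC2 may assume this role
                Action: sts:AssumeRole
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess   # read-only, least privilege
    Outputs:
      RoleName:
        Value: !Ref AppRole
      RoleArn:
        Value: !GetAtt AppRole.Arn
    EOF
}

# Consume the role via stack outputs; an IAM data source would need the IAM API.
output "app_role_arn" {
  value = "${aws_cloudformation_stack.iam.outputs["RoleArn"]}"
}

output "app_role_name" {
  value = "${aws_cloudformation_stack.iam.outputs["RoleName"]}"
}
```

Any IAM-backed Terraform resource you add later (instance profiles, policy attachments) hits the same limitation, so keep every IAM object inside the CloudFormation template and pass names and ARNs out through its outputs.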