0
votes

My requirement is to integrate our AWS account with New Relic using Terraform. I am able to link the AWS account with New Relic using console access; as a pre-requisite I need to create an IAM role that includes the New Relic account as a trusted entity, following the steps listed below:

  1. Go to infrastructure.newrelic.com > AWS. Click on one of the available service tiles to get started.

  2. From the IAM console, click Create role, then click Another AWS account.

  3. For Account ID, use 7XXXXXXXXXX. Check the Require external ID box. For External ID, enter your New Relic account ID.

  4. Do not enable the setting to Require MFA (multi-factor authentication). Attach the Policy: Search for ReadOnlyAccess, select the checkbox for the policy named ReadOnlyAccess, then click Next: Review. Alternatively, you can create your own managed policy and limit the permissions you grant New Relic according to the AWS services you want to monitor. For the Role name, enter NewRelicInfrastructure-Integrations, then click Create role.

My requirement is to do the same with a Terraform script. I explored https://www.terraform.io/docs/providers/aws/r/iam_role.html, but was unable to find the relevant options that work the same way as the steps listed above (like the inclusion of another AWS account).

1
Are you not allowed in your company to paste some snippets here? Code snippets are helpful for giving you a fix on top of them. – Abdennour TOUMI

1 Answer

2
votes

Terraform offers an aws_iam_policy_document data source that may be useful. I believe the following configuration may help you:

# Trust (assume-role) policy: who may assume the role, and under what condition.
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = [
      "sts:AssumeRole"
    ]

    # Only honour the request when the caller presents the agreed external ID
    # (the New Relic account ID entered in the console step above).
    condition {
      test = "StringEquals"

      values = [
        "New Relic Account ID"
      ]

      variable = "sts:ExternalId"
    }

    effect = "Allow"

    # The "Another AWS account" entry from the console: New Relic's account ID.
    principals {
      identifiers = [
        "7XXXXXXXXXX"
      ]

      type = "AWS"
    }
  }
}

# The role itself, with the trust policy rendered to JSON.
resource "aws_iam_role" "new_relic" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "NewRelicInfrastructure-Integrations"
}

# Permissions policy: what the role may do once assumed (AWS managed ReadOnlyAccess).
resource "aws_iam_role_policy_attachment" "read_only_access" {
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  role       = aws_iam_role.new_relic.name
}

Essentially it creates a role named NewRelicInfrastructure-Integrations with two IAM policies associated with it.

The first policy allows invoking the sts:AssumeRole action and verifies that the ExternalId matches the New Relic Account ID.

The second policy grants ReadOnlyAccess to the assumed role.
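The check a practitioner would want before applying the configuration above, whether it was produced by the console steps in the question or by the Terraform answer, is that the trust policy names one specific partner account and gates sts:AssumeRole on sts:ExternalId (the external ID is what stops a third party who knows the role ARN from tricking New Relic into assuming it on their behalf). The following is an added example, not code from the question, the answer, New Relic or Terraform: it builds the same trust document the aws_iam_policy_document data source renders and then audits it. The account ID and external ID used are made-up placeholders.

```python
"""Build and audit the cross-account trust policy for the monitoring role.

Added example (not from the original page). The account IDs below are
constructed placeholders; 'build_trust_policy' mirrors the JSON that the
answer's aws_iam_policy_document renders, and 'audit_trust_policy' applies
the two checks a reviewer wants: no wildcard principal, and an ExternalId
condition on every statement that allows sts:AssumeRole.
"""
from __future__ import annotations

import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:root$")
ASSUME_ROLE_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def build_trust_policy(partner_account_id: str, external_id: str) -> dict:
    """Return the trust policy as a dict, equivalent to the answer's data source."""
    if not ACCOUNT_ID_RE.match(partner_account_id):
        raise ValueError("partner account ID must be exactly 12 digits")
    if not external_id:
        raise ValueError("external ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                # IAM canonicalises a bare account ID to this root ARN.
                "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def render_trust_policy(policy: dict) -> str:
    """Serialise the policy the way assume_role_policy expects it (a JSON string)."""
    return json.dumps(policy, indent=2, sort_keys=True)


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(policy: dict) -> list[str]:
    """Return findings for each Allow statement granting sts:AssumeRole.

    An empty list means the trust policy passes: every assume-role grant names
    specific AWS principals (account IDs or root ARNs, never "*") and is
    conditioned on sts:ExternalId.
    """
    findings: list[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ASSUME_ROLE_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue

        # Principal is either the string "*" or a map such as {"AWS": [...]}.
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws_principals:
            findings.append(f"statement {idx}: any AWS principal may assume the role")
        for p in aws_principals:
            if p != "*" and not (ACCOUNT_ID_RE.match(p) or ROOT_ARN_RE.match(p)):
                findings.append(f"statement {idx}: principal {p!r} is not an account root")

        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append(
                f"statement {idx}: sts:AssumeRole is not conditioned on sts:ExternalId"
            )
    return findings


if __name__ == "__main__":
    good = build_trust_policy("123456789012", "987654")
    print(render_trust_policy(good))
    print("findings:", audit_trust_policy(good))
```

Run the audit against the JSON Terraform emits (for example from `terraform show -json` or the rendered `assume_role_policy` attribute) rather than only against the source, since that is the document IAM actually evaluates.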