This repo uses a modified version of iamlive
that supports the --aws-redirect-host
argument, which causes the iamlive
proxy to forward requests to the specified host rather than AWS.
In this case, we make use of --aws-redirect-host
to forward AWS requests to Localstack. This allows you to use the localstack services with the AWS SDK without any modification.
This repo provides a Terraform container for running terraform scripts on Localstack and getting IAM Policies from Iamlive.
It also provides an AWS cli container, but that container does not automatically add Iamlives certs to the containers trust certificate. That must be done to make it work fully.
Clone the repository and navigate to the example directory:
git clone git@github.com:rulio/iamlive-localstack.git && cd iamlive-localstack
Copy sample.env
to .env
and modify as needed:
cp sample.env .env
Set the TERRAFORM_TEMPLATES_DIR
and other environment variables in .env
to the path of the Terraform templates directory.
Build the iamlive
binary:
docker-compose build
Start the Localstack services:
docker-compose up
Connect to the terraform
container:
docker-compose exec terraform sh
Now you can run Terraform commands in the terraform
container:
Generate a plan
terraform plan
Apply the scripts
terraform apply
Write out the IAM policies
docker-compose exec iamlive kill -HUP 1
The IAM policies will be written to the ./iamlive/volumes/iam.policy
file.
There are a few gotchas when using with terraform and they have to do with the provider configuration. Thie setup does not do authentication and it expects S3 requests to use Path style instead of Virtual Host syle requests.
That means you need to include the following settings in your provider configuration:
provider "aws" {
...
skip_credentials_validation = true
skip_metadata_api_check = true
skip_requesting_account_id = true
s3_use_path_style = true
}
If you don't include these settings you may see terraform apply
and terraform plan
hang as they wait for validation or the account id.
Instead you can set the account id to with the IAMLIVE_AWS_ACCOUNT_ID
environment variable in the docker-compose.yaml
file.
If you see this error when starting the iamlive
container, it may mean that ca.pem
and ca.key
files were not created successfully. Do the following:
- Stop the containers with
docker-compose down
- remove the
ca.pem
andca.key
files from the./iamlive/volumes
directory - Start the containers with
docker-compose up
This usually happens if the cert was not properly installed in the terraform container. docker-compose down
followed by docker-compose up
usually solves this issue. The terraform container is setup to import certs from iamlive then update its trust container. But if the certs are not yet created when the update cert command is run, it may need to be run again.