AWS Account

The aws_account resource provisions AWS accounts for lab environments. It creates sandboxed AWS accounts with controlled access, user management, and service restrictions suitable for educational and training purposes.

HCL Syntax

Basic Syntax

1
resource "aws_account" "name" {
2
  regions = ["us-east-1"]
3
  services = ["ec2", "s3"]
4
}

Full Syntax

1
resource "aws_account" "name" {
2
  regions = ["us-east-1", "us-west-2"]
3
  services = ["ec2", "s3", "iam", "cloudformation"]
4

5
  tags = {
6
    Environment = "Training"
7
    Purpose = "Lab"
8
    Team = "Education"
9
  }
10

11
  user "admin" {
12
    iam_policy = file("./policies/admin-policy.json")
13
    managed_policies = [
14
      "arn:aws:iam::aws:policy/PowerUserAccess",
15
      "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
16
    ]
17
  }
18

19
  user "developer" {
20
    iam_policy = file("./policies/dev-policy.json")
21
    managed_policies = [
22
      "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
23
    ]
24
  }
25

26
  scp_policy = file("./policies/lab-restrictions.json")
27
}

Fields

Field	Type	Description
regions	list(string)	AWS regions where resources can be provisioned (default: [])
services	list(string)	AWS services that users can access (default: [])
tags	map(string)	Tags to apply to the AWS account (default: {})
user	block	IAM users to create (repeatable)
scp_policy	string	Service Control Policy to apply to the account

User Configuration

IAM user settings within the AWS account.

Field	Type	Required	Description
user	block	No	-
↳ name	label	✓	Username for the IAM user
↳ iam_policy	string		Custom IAM policy JSON for the user
↳ managed_policies	list(string)		AWS managed policy ARNs to attach (default: [])

Computed Attributes

These attributes are set by the system after account provisioning:

Field	Type	Description
account_id	string	AWS account ID
account_name	string	AWS account name

User Computed Attributes

For each user block, these attributes are computed:

Field	Type	Description
username	string	IAM username
password	string	Console password for the user
access_key_id	string	AWS access key ID
secret_access_key	string	AWS secret access key

Validation Rules

Region names must be valid AWS regions
Service names must be valid AWS service identifiers
IAM policies must be valid JSON
Managed policy ARNs must be valid AWS policy ARNs
SCP policies must be valid Service Control Policy JSON

Examples

Basic Development Account

1
resource "aws_account" "dev" {
2
  regions = ["us-east-1"]
3
  services = ["ec2", "s3", "iam"]
4

5
  tags = {
6
    Environment = "Development"
7
    CostCenter = "Training"
8
  }
9

10
  user "student" {
11
    managed_policies = [
12
      "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
13
      "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
14
    ]
15
  }
16
}

Multi-User Training Environment

1
resource "aws_account" "training" {
2
  regions = ["us-east-1", "us-west-2"]
3
  services = [
4
    "ec2",
5
    "s3",
6
    "iam",
7
    "cloudformation",
8
    "lambda",
9
    "apigateway"
10
  ]
11

12
  tags = {
13
    Environment = "Training"
14
    Course = "AWS Solutions Architect"
15
    Instructor = "Jane Doe"
16
  }
17

18
  # Administrator user
19
  user "instructor" {
20
    iam_policy = file("./policies/instructor-policy.json")
21
    managed_policies = [
22
      "arn:aws:iam::aws:policy/PowerUserAccess",
23
      "arn:aws:iam::aws:policy/IAMFullAccess"
24
    ]
25
  }
26

27
  # Student user with limited permissions
28
  user "student" {
29
    iam_policy = file("./policies/student-policy.json")
30
    managed_policies = [
31
      "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
32
      "arn:aws:iam::aws:policy/AmazonS3FullAccess"
33
    ]
34
  }
35

36
  # Read-only user for observers
37
  user "observer" {
38
    managed_policies = [
39
      "arn:aws:iam::aws:policy/ReadOnlyAccess"
40
    ]
41
  }
42

43
  scp_policy = file("./policies/training-restrictions.json")
44
}

Serverless Development Account

1
resource "aws_account" "serverless" {
2
  regions = ["us-east-1"]
3
  services = [
4
    "lambda",
5
    "apigateway",
6
    "dynamodb",
7
    "s3",
8
    "cloudwatch",
9
    "iam"
10
  ]
11

12
  tags = {
13
    Environment = "Serverless-Lab"
14
    Technology = "Lambda"
15
  }
16

17
  user "developer" {
18
    iam_policy = jsonencode({
19
      Version = "2012-10-17"
20
      Statement = [
21
        {
22
          Effect = "Allow"
23
          Action = [
24
            "lambda:*",
25
            "apigateway:*",
26
            "dynamodb:*",
27
            "s3:*",
28
            "logs:*"
29
          ]
30
          Resource = "*"
31
        }
32
      ]
33
    })
34
  }
35
}

Policy Examples

Custom IAM Policy File

1
{
2
  "Version": "2012-10-17",
3
  "Statement": [
4
    {
5
      "Effect": "Allow",
6
      "Action": [
7
        "ec2:DescribeInstances",
8
        "ec2:DescribeImages",
9
        "ec2:RunInstances",
10
        "ec2:TerminateInstances"
11
      ],
12
      "Resource": "*",
13
      "Condition": {
14
        "StringEquals": {
15
          "ec2:InstanceType": ["t2.micro", "t3.micro"]
16
        }
17
      }
18
    },
19
    {
20
      "Effect": "Allow",
21
      "Action": [
22
        "s3:GetObject",
23
        "s3:PutObject"
24
      ],
25
      "Resource": "arn:aws:s3:::student-bucket/*"
26
    }
27
  ]
28
}

Service Control Policy

1
{
2
  "Version": "2012-10-17",
3
  "Statement": [
4
    {
5
      "Effect": "Deny",
6
      "Action": [
7
        "organizations:*",
8
        "account:*"
9
      ],
10
      "Resource": "*"
11
    },
12
    {
13
      "Effect": "Deny",
14
      "Action": "ec2:RunInstances",
15
      "Resource": "arn:aws:ec2:*:*:instance/*",
16
      "Condition": {
17
        "ForAllValues:StringNotEquals": {
18
          "ec2:InstanceType": [
19
            "t2.micro",
20
            "t2.small",
21
            "t3.micro",
22
            "t3.small"
23
          ]
24
        }
25
      }
26
    }
27
  ]
28
}

Using Account Credentials

1
resource "aws_account" "lab" {
2
  regions = ["us-east-1"]
3
  services = ["ec2", "s3"]
4

5
  user "student" {
6
    managed_policies = [
7
      "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
8
    ]
9
  }
10
}
11

12
# Export credentials for use in other tools
13
resource "template" "aws_credentials" {
14
  source = <<-EOF
15
    [default]
16
    aws_access_key_id = ${resource.aws_account.lab.users["student"].access_key_id}
17
    aws_secret_access_key = ${resource.aws_account.lab.users["student"].secret_access_key}
18
    region = us-east-1
19
  EOF
20

21
  destination = "./aws-credentials"
22
}
23

24
# Use in container environment
25
resource "container" "aws_cli" {
26
  image {
27
    name = "amazon/aws-cli:latest"
28
  }
29

30
  environment = {
31
    AWS_ACCESS_KEY_ID = resource.aws_account.lab.users["student"].access_key_id
32
    AWS_SECRET_ACCESS_KEY = resource.aws_account.lab.users["student"].secret_access_key
33
    AWS_DEFAULT_REGION = "us-east-1"
34
  }
35

36
  command = ["aws", "ec2", "describe-instances"]
37
}

Multi-Region Setup

1
resource "aws_account" "global" {
2
  regions = [
3
    "us-east-1",      # N. Virginia
4
    "us-west-2",      # Oregon
5
    "eu-west-1",      # Ireland
6
    "ap-southeast-1"  # Singapore
7
  ]
8

9
  services = [
10
    "ec2",
11
    "s3",
12
    "cloudfront",
13
    "route53"
14
  ]
15

16
  tags = {
17
    Environment = "Multi-Region-Lab"
18
    Purpose = "Global Infrastructure Training"
19
  }
20

21
  user "architect" {
22
    iam_policy = jsonencode({
23
      Version = "2012-10-17"
24
      Statement = [
25
        {
26
          Effect = "Allow"
27
          Action = [
28
            "ec2:*",
29
            "s3:*",
30
            "cloudfront:*",
31
            "route53:*"
32
          ]
33
          Resource = "*"
34
        }
35
      ]
36
    })
37
  }
38
}

Security Considerations

Access Control

1
resource "aws_account" "secure_lab" {
2
  regions = ["us-east-1"]
3
  services = ["ec2", "s3"]
4

5
  # Principle of least privilege
6
  user "student" {
7
    iam_policy = jsonencode({
8
      Version = "2012-10-17"
9
      Statement = [
10
        {
11
          Effect = "Allow"
12
          Action = [
13
            "ec2:DescribeInstances",
14
            "ec2:RunInstances",
15
            "ec2:TerminateInstances"
16
          ]
17
          Resource = "*"
18
          Condition = {
19
            StringEquals = {
20
              "aws:RequestedRegion" = ["us-east-1"]
21
            }
22
          }
23
        }
24
      ]
25
    })
26
  }
27

28
  # Restrictive SCP
29
  scp_policy = jsonencode({
30
    Version = "2012-10-17"
31
    Statement = [
32
      {
33
        Effect = "Deny"
34
        Action = [
35
          "iam:CreateRole",
36
          "iam:DeleteRole",
37
          "iam:AttachRolePolicy"
38
        ]
39
        Resource = "*"
40
      }
41
    ]
42
  })
43
}

Best Practices

Least Privilege: Grant only the minimum permissions required
Service Restrictions: Limit services to those needed for the lab
Region Constraints: Restrict to specific regions to control costs
Policy Management: Use external policy files for complex permissions
SCP Usage: Apply Service Control Policies to enforce boundaries
Tagging Strategy: Consistent tagging for cost tracking and management
User Separation: Create role-specific users (student, instructor, observer)

Common Use Cases

Training Environments: Sandboxed accounts for AWS training courses
Development Labs: Controlled environments for application development
Certification Prep: Practice environments for AWS certification exams
Proof of Concepts: Isolated accounts for testing new services
Multi-User Workshops: Shared accounts with multiple user roles
Cost-Controlled Learning: Restricted environments to prevent unexpected charges