# AWS

## Requirements

For each AWS Account you'd like to enroll

| Name           | Description                                                                                                                                                                    |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Teleskope Role | Create an IAM role for Teleskope to assume using [Terraform](#create-a-teleskope-role-using-terraform) or on the [AWS Console](#create-a-teleskope-role-using-the-aws-console) |

### Create a Teleskope Role using Terraform

| Variable                 | Description                                                                                         | Example        |
| ------------------------ | --------------------------------------------------------------------------------------------------- | -------------- |
| origin\_aws\_account\_id | (Required) AWS Account ID where Teleskope is deployed that the Teleskope team will provide you with | "012345678912" |

```
##################################################################
# The role Teleskope will assume from the origin AWS account. #
##################################################################

resource "aws_iam_role" "teleskope" {
  name               = "TeleskopeRole"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::{origin_aws_account_id}:root"]
    }
  }
}

resource "aws_iam_role_policy" "account_policy" {
  role   = aws_iam_role.teleskope.id
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
```

### Create a Teleskope Role using the AWS Console

1. Sign in to the AWS Management Console and open the IAM console at <https://console.aws.amazon.com/iam/>
2. In the navigation pane of the console, choose Roles and then choose Create role
3. Choose Custom Trust Policy as the Trusted Entity Type
4. Replace the custom trust policy with:

   ```json
   {    
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::{origin_aws_account_id}:root"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }
   ```
5. Create a custom inline policy with:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "ec2:DescribeRegions",
           "ec2:DescribeSecurityGroups"
         ],
         "Resource": "*"
       }
     ]
   }
   ```

## Enrollment

In Teleskope, enroll the AWS account:

1. Provide the AWS Account ID
2. Provide a name for your AWS Account
3. Provide the previously created role name exactly as it appears