
added role_arn env vars #21718

Open. Wants to merge 2 commits into main.

Conversation

rberlind (Contributor)

This PR adds 3 environment variables to the S3 backend to make it possible to specify the role_arn, external_id, and session_name attributes with the environment variables AWS_ROLE_ARN, AWS_EXTERNAL_ID, and AWS_SESSION_NAME respectively. All 3 can be used when making the S3 backend assume a different role. These affect both the actual storage of state via the backend stanza under the terraform block as well as the use of an assumed role in the config block of a terraform_remote_state data source that needs to retrieve outputs from a remote state file.

This has been asked for by a customer who currently uses Jenkins to assume AWS roles and then passes those roles to the terraform OSS binary but is now starting to use Terraform Enterprise (TFE). They cannot pass the assumed roles from Jenkins to the TFE workspaces and want to minimize changes to their existing code. The addition of these environment variables will let them leave their Terraform code unchanged for Terraform OSS plans/applies triggered by Jenkins while letting them add the environment variables when running the same Terraform code in TFE.

I already submitted hashicorp/terraform-provider-aws#8985 to add these environment roles for the AWS provider. This PR adds them to the S3 backend.

I tested this with code that did the following, running it on an EC2 instance without any S3 permissions:

source:

terraform {
  backend "s3" {
    bucket = "roger-tf"
    key    = "source"
    region = "us-east-1"
  }
}

output "a_string" {
  value = "Roger"
}

output "a_number" {
  value = 1
}

consumer:

data "terraform_remote_state" "source" {
  backend = "s3"
  config = {
    bucket = "roger-tf"
    key    = "source"
    region = "us-east-1"
  }
}
output "a_string" {
  value = data.terraform_remote_state.source.outputs.a_string
}

output "a_number" {
  value = data.terraform_remote_state.source.outputs.a_number
}

I was able to run terraform apply in the source directory and see the outputs.
I was then able to run terraform apply in the consumer directory and see the same outputs which were retrieved from the state file of the source configuration in the S3 bucket.

By exporting TF_LOG=TRACE, I was able to see the correct role being assumed in the source and consumer for the provider:

2019/06/13 17:43:57 [INFO] Attempting to AssumeRole arn:aws:iam::753646501470:role/roger-terraform-assumed-role (SessionName: "session-1234", ExternalId: "1234", Policy: "")

I was also able to see the role being assumed for the terraform_remote_state data source:

2019/06/13 17:43:57 [TRACE] EvalReadData: working on data.terraform_remote_state.source
2019/06/13 17:43:57 [TRACE] Re-validating config for data.terraform_remote_state.source
2019/06/13 17:43:57 [DEBUG] Initializing remote state backend: s3
2019/06/13 17:43:57 [INFO] Setting AWS metadata API timeout to 100ms
2019/06/13 17:43:57 [INFO] AWS EC2 instance detected via default metadata API endpoint, EC2RoleProvider added to the auth chain
2019/06/13 17:43:57 [INFO] Attempting to AssumeRole arn:aws:iam::753646501470:role/roger-terraform-assumed-role (SessionName: "session-1234", ExternalId: "1234", Policy: "")
2019/06/13 17:43:57 [INFO] AWS Auth provider used: "EC2RoleProvider"
2019/06/13 17:43:57 [INFO] AWS Auth provider used: "AssumeRoleProvider"

I updated the relevant doc file: website/docs/backends/types/s3.html.md.

bflad (Contributor) commented Jun 13, 2019

Since this change is similar to one that would be implemented in the Terraform AWS Provider for the provider configuration, we are opting to discuss this in that repository for now. Please see: hashicorp/terraform-provider-aws#8985 (comment) 👍

rberlind (Contributor, Author)

I changed the names of the new environment variables:
TF_AWS_ASSUME_ROLE_ARN for role_arn
TF_AWS_ASSUME_ROLE_EXTERNAL_ID for external_id
TF_AWS_ASSUME_ROLE_SESSION_NAME for session_name.

I re-tested after building based on the 0.11.14 code base which is what my customer is using.
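An added illustration, not code from this PR or from Terraform itself, of the resolution order the PR description and the renamed variables above imply: an explicit backend attribute wins, the TF_AWS_ASSUME_ROLE_* variables fill anything left unset, and values STS would refuse (a malformed role ARN, an out-of-spec session name, or external_id/session_name without a role) fail before any AssumeRole call. The struct, the injectable getenv, and the validation regexes are my assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical mirror of the three assume-role attributes the PR wires up;
// not the real S3 backend config type.
type AssumeRoleConfig struct {
	RoleARN     string
	ExternalID  string
	SessionName string
}

// Assumed STS constraints: 12-digit account id in the role ARN; session name 2-64 chars of [\w+=,.@-].
var roleARNRe = regexp.MustCompile(`^arn:aws(-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$`)
var sessionNameRe = regexp.MustCompile(`^[\w+=,.@-]{2,64}$`)

// ResolveAssumeRole applies explicit config first, then the TF_AWS_ASSUME_ROLE_* env vars
// (names from the author's follow-up comment), and rejects values STS would not accept.
func ResolveAssumeRole(cfg AssumeRoleConfig, getenv func(string) string) (AssumeRoleConfig, error) {
	pick := func(explicit, envName string) string {
		if explicit != "" {
			return explicit
		}
		return getenv(envName)
	}
	out := AssumeRoleConfig{
		RoleARN:     pick(cfg.RoleARN, "TF_AWS_ASSUME_ROLE_ARN"),
		ExternalID:  pick(cfg.ExternalID, "TF_AWS_ASSUME_ROLE_EXTERNAL_ID"),
		SessionName: pick(cfg.SessionName, "TF_AWS_ASSUME_ROLE_SESSION_NAME"),
	}
	if out.RoleARN == "" {
		// No role to assume: a stray external_id or session_name is a misconfiguration, not a no-op.
		if out.ExternalID != "" || out.SessionName != "" {
			return AssumeRoleConfig{}, fmt.Errorf("external_id/session_name set without role_arn")
		}
		return out, nil
	}
	if !roleARNRe.MatchString(out.RoleARN) {
		return AssumeRoleConfig{}, fmt.Errorf("invalid role_arn %q", out.RoleARN)
	}
	if out.SessionName != "" && !sessionNameRe.MatchString(out.SessionName) {
		return AssumeRoleConfig{}, fmt.Errorf("invalid session_name %q", out.SessionName)
	}
	return out, nil
}
```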

binlab (Contributor) commented May 21, 2020

Any plans when it will be merged? Thanks!

Base automatically changed from master to main February 24, 2021 18:01
hashicorp-cla commented Mar 12, 2022

CLA assistant check
All committers have signed the CLA.

@crw crw added backend/s3 and removed backend/s3 labels Aug 29, 2024
6 participants