This PR adds 3 environment variables to the S3 backend to make it possible to specify the `role_arn`, `external_id`, and `session_name` attributes with the environment variables `AWS_ROLE_ARN`, `AWS_EXTERNAL_ID`, and `AWS_SESSION_NAME` respectively. All 3 can be used when making the S3 backend assume a different role. These affect both the actual storage of state via the `backend` stanza under the `terraform` block as well as the use of an assumed role in the `config` block of a `terraform_remote_state` data source that needs to retrieve outputs from a remote state file.

This has been asked for by a customer who currently uses Jenkins to assume AWS roles and then passes those roles to the terraform OSS binary but is now starting to use Terraform Enterprise (TFE). They cannot pass the assumed roles from Jenkins to the TFE workspaces and want to minimize changes to their existing code. The addition of these environment variables will let them leave their Terraform code unchanged for Terraform OSS plans/applies triggered by Jenkins while letting them add the environment variables when running the same Terraform code in TFE.
I already submitted hashicorp/terraform-provider-aws#8985 to add these environment roles for the AWS provider. This PR adds them to the S3 backend.
I tested this with code that did the following, running it on an EC2 instance without any S3 permissions:
source:
consumer:
I was able to run `terraform apply` in the source directory and see the outputs. I was then able to run `terraform apply` in the consumer directory and see the same outputs which were retrieved from the state file of the source configuration in the S3 bucket. By exporting TF_LOG=TRACE, I was able to see the correct role being assumed in the source and consumer for the provider:
I was also able to see the role being assumed for the terraform_remote_state data source:
I updated the relevant doc file: website/docs/backends/types/s3.html.md.
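The precedence between the three backend attributes and their new environment variables, as an added illustration that is not the PR's own code: it assumes the usual Terraform schema convention that an explicit attribute wins and the environment variable is only the default, and it adds one check (an `external_id` or `session_name` with no `role_arn` to attach to is rejected) that is my assumption rather than something the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// AssumeRoleConfig holds the three attributes the PR lets the S3 backend
// read from the environment.
type AssumeRoleConfig struct {
	RoleARN     string
	ExternalID  string
	SessionName string
}

// firstNonEmpty returns the explicit backend attribute when set, otherwise the
// environment variable. "Attribute wins, env var is the default" is the
// precedence assumed here; it is not taken from the PR itself.
func firstNonEmpty(attr, envVar string, getenv func(string) string) string {
	if attr != "" {
		return attr
	}
	return getenv(envVar)
}

// ResolveAssumeRole merges the backend attributes (cfg keys role_arn,
// external_id, session_name) with AWS_ROLE_ARN, AWS_EXTERNAL_ID and
// AWS_SESSION_NAME. It rejects an external_id or session_name that has no
// role_arn, so a stray environment variable cannot silently go unused.
func ResolveAssumeRole(cfg map[string]string, getenv func(string) string) (AssumeRoleConfig, error) {
	c := AssumeRoleConfig{
		RoleARN:     firstNonEmpty(cfg["role_arn"], "AWS_ROLE_ARN", getenv),
		ExternalID:  firstNonEmpty(cfg["external_id"], "AWS_EXTERNAL_ID", getenv),
		SessionName: firstNonEmpty(cfg["session_name"], "AWS_SESSION_NAME", getenv),
	}
	if c.RoleARN == "" && (c.ExternalID != "" || c.SessionName != "") {
		return AssumeRoleConfig{}, errors.New("external_id/session_name set but no role_arn (attribute or AWS_ROLE_ARN)")
	}
	return c, nil
}

func main() {
	// Constructed sample: an empty backend config, so every value comes from
	// the real environment of the process.
	c, err := ResolveAssumeRole(map[string]string{}, os.Getenv)
	fmt.Printf("%+v err=%v\n", c, err)
}
```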