Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Use IAM session context data source to resolve the identities role when using assumed_role #2347

Merged
merged 1 commit into from
Dec 17, 2022
Merged

fix: Use IAM session context data source to resolve the identities role when using assumed_role #2347

merged 1 commit into from
Dec 17, 2022

Conversation

bryantbiggs
Copy link
Member

Description

  • Use IAM session context data source to resolve the identities role when using assumed_role

Motivation and Context

Breaking Changes

  • No, this is backwards compatible

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

antonbabenko
antonbabenko approved these changes Dec 17, 2022
View reviewed changes
main.tf
@@ -1,6 +1,14 @@
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we consider using this resource instead of an existing one in other modules also? WDYT?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I think anywhere that we are using data.aws_caller_identity.current.arn to get the current identity's ARN, we should use this session context data source to ensure we are getting the true ARN and not the ARN of the STS session

@bryantbiggs bryantbiggs merged commit 71b8eca into terraform-aws-modules:master Dec 17, 2022
@bryantbiggs bryantbiggs deleted the fix/assumed-role branch December 17, 2022 12:32
antonbabenko pushed a commit that referenced this pull request Dec 17, 2022
@semantic-release-bot
chore(release): version 19.1.1 [skip ci]
f0abb25 
### [19.1.1](v19.1.0...v19.1.1) (2022-12-17)

### Bug Fixes

* Use IAM session context data source to resolve the identities role when using `assumed_role` ([#2347](#2347)) ([71b8eca](71b8eca))
@antonbabenko
Copy link
Member

This PR is included in version 19.1.1 🎉

FernandoMiguel
FernandoMiguel reviewed Dec 17, 2022
View reviewed changes
main.tf
@@ -122,7 +130,7 @@ module "kms" {
# Policy
enable_default_policy = var.kms_key_enable_default_policy
key_owners = var.kms_key_owners
key_administrators = coalescelist(var.kms_key_administrators, [data.aws_caller_identity.current.arn])
key_administrators = coalescelist(var.kms_key_administrators, [data.aws_iam_session_context.current.issuer_arn])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great... this should fix the constant drift we are seeing for a ephemeral session

spr-mweber3 pushed a commit to spring-media/terraform-aws-eks that referenced this pull request Jan 4, 2023
@bryantbiggs @spr-mweber3
fix: Use IAM session context data source to resolve the identities ro…
0f4bf0a 
…le when using `assumed_role` (terraform-aws-modules#2347)
spr-mweber3 pushed a commit to spring-media/terraform-aws-eks that referenced this pull request Jan 4, 2023
@semantic-release-bot @spr-mweber3
chore(release): version 19.1.1 [skip ci]
d9e8f31 
### [19.1.1](terraform-aws-modules/terraform-aws-eks@v19.1.0...v19.1.1) (2022-12-17)

### Bug Fixes

* Use IAM session context data source to resolve the identities role when using `assumed_role` ([terraform-aws-modules#2347](terraform-aws-modules#2347)) ([71b8eca](terraform-aws-modules@71b8eca))
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 18, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@FernandoMiguel FernandoMiguel FernandoMiguel left review comments

@antonbabenko antonbabenko antonbabenko approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bryantbiggs @antonbabenko @FernandoMiguel