Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SOPS with Terraform Cloud dynamic provider credentials #112

Open
take-five opened this issue Nov 23, 2023 · 0 comments
Open

SOPS with Terraform Cloud dynamic provider credentials #112

take-five opened this issue Nov 23, 2023 · 0 comments

Comments

@take-five
Copy link

take-five commented Nov 23, 2023
edited
Loading

In Terraform Cloud it is possible configure dynamic AWS credentials using OIDC-providers: https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials/aws-configuration

For workspaces with multiple AWS provider configurations, TFC would inject variable tfc_aws_dynamic_credentials:

variable "tfc_aws_dynamic_credentials" {
  description = "Object containing AWS dynamic credentials configuration"
  type = object({
    default = object({
      shared_config_file = string
    })
    aliases = map(object({
      shared_config_file = string
    }))
  })
}

To use it in AWS provider you have to use configuration option shared_config_files:

provider "aws" {
  shared_config_files = [var.tfc_aws_dynamic_credentials.default.shared_config_file]
}

provider "aws" {
  alias = "ALIAS1"
  shared_config_files = [var.tfc_aws_dynamic_credentials.aliases["ALIAS1"].shared_config_file]
}

However, sops provider doesn't have an option of configuring AWS (or any other provider, like GCP or Azure) with shared_config_files option, and so it fails to authenticate and assume the correct role with identity token.

Would it be possible to either bake in some configuration options into provider "sops" {} block, or maybe allow setting environment variables for the provider, like this:

provider "sops" {
  environment = {
     AWS_SHARED_CREDENTIALS_FILE = var.tfc_aws_dynamic_credentials.aliases["ALIAS1"].shared_config_file
  }
}
kuzaxak added a commit to x-qdo/terraform-provider-sops that referenced this issue Jun 21, 2024
@kuzaxak
Add optional support for passing env variables into provider
1969d02 
Needed to support dynamic auth as described in [issue][1], as we are
using sops dependency which is using native aws sdk, it will read such
configuration from env variables of the process.

Additionally, I upgraded deprecated terraform SDK such as replacing
`Read` into `ReadContext` and added

[1]: carlpett#112
@kuzaxak kuzaxak mentioned this issue Jun 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@take-five