Allows alternate profile for S3 refs. #316

Open
wants to merge 1 commit into
base: main
@nl-brett-stime nl-brett-stime commented Mar 31, 2021

Allows e.g., Terraform modules to be pulled from a different account than the one where the S3 backend is being initialized.

Some organizations use multiple accounts for security isolation between e.g., dev, test and production environments. Custom modules may be defined in another, distinct account for build / CICD / artifact repository purposes.

By default, the AWS SDK will look for credentials in a section of ~/.aws/credentials when the AWS_PROFILE environment variable is set with the name of the section. In order to pull modules from one account and apply them to another, it would be useful to specify different profiles for the source and target accounts. This patch allows setting a different environment key (per module reference) to indicate which profile to use for the source account (the application-target account can keep using the default key of AWS_PROFILE).

E.g.,

main.tf

```hcl
terraform {
  // Uses profile set via `AWS_PROFILE`
  backend "s3" {
    region               = "eu-west-2"
    dynamodb_table       = "tf-backend"
    bucket               = "tf-backend"
    workspace_key_prefix = "my-project"
    key                  = "tfstate"
  }
}

module "some" {
  source = "s3::https://s3-eu-west-1.amazonaws.com/example-team-terraform-modules/some-module.2.0.0.zip?aws_profile_env_key=TEAM_MODULES_AWS_PROFILE"

  some_attr = "my_value"
}

module "other" {
  source = "s3::https://s3-us-east-1.amazonaws.com/examplecorp-assets/terraform-modules/other-module.zip?aws_profile_env_key=CORP_MODULES_AWS_PROFILE"

  some_other_attr = "my_other_value"
}
```

Command:

```sh
TEAM_MODULES_AWS_PROFILE=myTeamArtifacts CORP_MODULES_AWS_PROFILE=corporateAssets AWS_PROFILE=testAccount terraform init
```
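Added example, not part of this pull request or of go-getter's code: a sketch of how the `aws_profile_env_key` parameter described above could be resolved so that a module source string cannot make the getter read an arbitrary environment variable or silently fall back to the target account's `AWS_PROFILE`. The helper name `ResolveSourceProfile`, the `*_AWS_PROFILE` naming policy and the fail-closed behaviour are assumptions; the URL is shown after the `s3::` prefix has been stripped.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"regexp"
)

// Assumed policy: a source may only name variables ending in _AWS_PROFILE,
// so a module reference cannot point the lookup at unrelated variables.
var envKeyRe = regexp.MustCompile(`^[A-Z][A-Z0-9_]*_AWS_PROFILE$`)

// ResolveSourceProfile is a hypothetical helper. It returns the profile to
// use for an S3 source plus the URL with aws_profile_env_key removed.
// An empty profile means "use the SDK default chain (AWS_PROFILE)".
func ResolveSourceProfile(rawURL string, getenv func(string) string) (string, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	key := q.Get("aws_profile_env_key")
	if key == "" {
		return "", u.String(), nil // parameter absent: default behaviour
	}
	if !envKeyRe.MatchString(key) {
		return "", "", fmt.Errorf("env key %q is not an allowed profile variable", key)
	}
	profile := getenv(key)
	if profile == "" {
		// Fail closed rather than fetching with the target account's profile.
		return "", "", fmt.Errorf("%s is unset; refusing to fall back to AWS_PROFILE", key)
	}
	q.Del("aws_profile_env_key") // do not forward the parameter to S3
	u.RawQuery = q.Encode()
	return profile, u.String(), nil
}

func main() {
	// Constructed environment, using the profile name from the command above.
	os.Setenv("TEAM_MODULES_AWS_PROFILE", "myTeamArtifacts")
	src := "https://s3-eu-west-1.amazonaws.com/example-team-terraform-modules/some-module.2.0.0.zip?aws_profile_env_key=TEAM_MODULES_AWS_PROFILE"
	profile, clean, err := ResolveSourceProfile(src, os.Getenv)
	fmt.Println(profile, clean, err)
}
```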

@hashicorp-cla

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

Have you signed the CLA already but the status is still pending? Recheck it.

@nl-brett-stime
Contributor Author

FWIW, I think this addresses issues similar to those addressed by #275

@nl-brett-stime
Contributor Author

I've tried to use the form to sign the CLA but it says "You have signed the CLA for multiple repositories or organizations"--probably from when I submitted #300 . When I try to load it from this PR, the form is grayed out.

@nl-brett-stime
Contributor Author

@radeksimko , @megan07 , @schmichael , @picatz .

I've tried to use the form to sign the CLA but it says "You have signed the CLA for multiple repositories or organizations"--probably from when I submitted #300 . When I try to load it from this PR, the form is grayed out.
