
Support Terraform dynamic provider credentials

Open wellsiau-aws opened this issue 1 year ago • 2 comments

Describe the outcome you'd like

Terraform Cloud (TFC) recently announced the new dynamic provider credentials. By using this new feature, you no longer need to store long-lived static AWS credentials as workspace variables. Instead, TFC will call AssumeRoleWithWebIdentity via an IAM OIDC provider, using the specified role ARN.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

By implementing dynamic provider credentials support in AFT, each AFT-managed workspace no longer needs to store static AWS credentials.

Additional positive impact: Terraform Cloud drift detection can run normally; previously this was not possible because the AFT-provided static credentials would expire.

Additional context

To implement this, AFT needs to inject two environment variables in the workspace:

  • TFC_AWS_RUN_ROLE_ARN set to AWSAFTAdmin role
  • TFC_AWS_PROVIDER_AUTH set to true

Example of how to bootstrap the OIDC provider: https://github.com/hashicorp/terraform-dynamic-credentials-setup-examples/tree/main/aws

wellsiau-aws avatar Mar 01 '23 07:03 wellsiau-aws
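What the setup described above looks like end to end, as an added Terraform example that is not part of AFT or of this issue: the IAM OIDC provider for TFC, a role whose trust policy is scoped to one TFC organization and workspace (so the web-identity token of any other workspace is refused), and the two workspace environment variables the issue asks AFT to inject. It assumes the hashicorp/aws, hashicorp/tfe and hashicorp/tls providers are configured and that `var.tfc_organization`, `var.workspace_name`, `var.workspace_id` and the role name `AFT-TFC-DynamicCreds` are hypothetical inputs; in AFT the trust policy would be applied to the existing AWSAFTAdmin role instead.

```hcl
# Fetch the TLS chain of app.terraform.io so the OIDC provider can pin its thumbprint.
data "tls_certificate" "tfc" {
  url = "https://app.terraform.io"
}

# IAM OIDC identity provider for Terraform Cloud; the audience is fixed by TFC.
resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://app.terraform.io"
  client_id_list  = ["aws.workload.identity"]
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}

# Trust policy: both the audience and the subject claim are checked, so only plan/apply
# runs of the named workspace in our organization can assume the role.
data "aws_iam_policy_document" "tfc_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.tfc.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "app.terraform.io:aud"
      values   = ["aws.workload.identity"]
    }
    condition {
      test     = "StringLike"
      variable = "app.terraform.io:sub"
      values   = ["organization:${var.tfc_organization}:project:*:workspace:${var.workspace_name}:run_phase:*"]
    }
  }
}

# Hypothetical role name; AFT would attach this trust policy to its AWSAFTAdmin role.
resource "aws_iam_role" "aft_tfc" {
  name               = "AFT-TFC-DynamicCreds"
  assume_role_policy = data.aws_iam_policy_document.tfc_trust.json
}

# The two environment variables that switch the workspace to dynamic credentials.
resource "tfe_variable" "provider_auth" {
  key          = "TFC_AWS_PROVIDER_AUTH"
  value        = "true"
  category     = "env"
  workspace_id = var.workspace_id
}
resource "tfe_variable" "run_role_arn" {
  key          = "TFC_AWS_RUN_ROLE_ARN"
  value        = aws_iam_role.aft_tfc.arn
  category     = "env"
  workspace_id = var.workspace_id
}
```

Leaving the `app.terraform.io:sub` condition out would let any TFC workspace that knows the role ARN assume it, which is why the subject pattern is the part worth reviewing when AFT generates the trust policy.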

Hi @wellsiau-aws,

Thank you for the enhancement request. I've created a backlog item for the team to explore supporting this TFC feature.

stumins avatar Mar 01 '23 20:03 stumins

Any updates on this @stumins ?

gautambaghel avatar Jul 20 '23 17:07 gautambaghel