[bug] aws-region config parameter in workflow, not used with project level roles causes GitHub Action failure
When using the following set up:
- no-backend
- multiple projects
- no assume role in workflow
Specifying the region in the digger action does not work, and it will not be used when the populateKeys method is called to get AWS credentials based on the project role. This results in the following error:
```text
Failed to get keys from role: populateKeys: Could not retrieve keys from provider failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
failed to fetch AWS keys, Failed to get (state) keys from role: populateKeys: Could not retrieve keys from provider failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
```
digger_workflow.yml:
```yaml
name: Terraform Deployment
on:
  pull_request:
    branches: [ "main" ]
    types: [ opened, synchronize ]
  issue_comment:
    types: [created]
  workflow_dispatch:
jobs:
  terraform-deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: write # required to merge PRs
      actions: write # required for plan persistence
      id-token: write # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write # required to validate combined PR status
    steps:
      - uses: actions/checkout@v4
      - name: Setup GitHub Env
        run: |
          echo '${{secrets.TF_GIT_CONFIG}}' > ~/.gitconfig
      - name: digger run
        uses: diggerhq/[email protected]
        with:
          setup-terraform: true
          disable-locking: true
          aws-region: us-west-2
          no-backend: true
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
With multi-account digger.yml:
```yaml
telemetry: false
traverse_to_nested_projects: true
projects:
  - name: aws-base-dev
    dir: dev
    include_patterns: ["./modules/**"]
    workflow_file: digger_workflow.yml
    aws_role_to_assume:
      state: arn:aws:iam::xxx:role/xxx-oidc-role
      command: arn:aws:iam::xxx:role/xxx-oidc-role
  - name: aws-base-prod
    dir: prod
    include_patterns: ["./modules/**"]
    workflow_file: digger_workflow.yml
    aws_role_to_assume:
      state: arn:aws:iam::xxx:role/xxx-oidc-role
      command: arn:aws:iam::xxx:role/xxx-oidc-role
```
The current workaround is adding AWS_REGION as an environment variable on the workflow job so it is picked up by the credential call. See below for an example:
```yaml
jobs:
  terraform-deploy:
    runs-on: ubuntu-latest
    env:
      AWS_REGION: 'us-west-2'
    permissions:
      contents: write # required to merge PRs
      actions: write # required for plan persistence
      id-token: write # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write # required to validate combined PR status
    steps:
      - uses: actions/checkout@v4
      - name: Setup GitHub Env
        run: |
          echo '${{secrets.TF_GIT_CONFIG}}' > ~/.gitconfig
      - name: digger run
        uses: diggerhq/[email protected]
        with:
          setup-terraform: true
          disable-locking: true
          aws-region: us-west-2
          no-backend: true
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
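The workaround above works because the STS client reads the region from the process environment rather than from the action input. As an added example (not code from the issue or from the digger project), the shell functions below mirror the region lookup order the AWS Go SDK v2 config loader applies, as this example assumes it: the AWS_REGION variable, then AWS_DEFAULT_REGION, then the `region` key of the selected profile in `~/.aws/config`. Run as a `run:` step before the digger action, it turns the opaque "Missing Region" STS failure into an early, readable job failure. Function names, the sample config file and the profile names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue or the digger project. Mirrors the region
# lookup order this example assumes for the AWS Go SDK v2 config loader:
#   1. AWS_REGION   2. AWS_DEFAULT_REGION   3. profile "region" in ~/.aws/config
# and fails fast with a clear message before any STS call is attempted.

# resolve_region: print the region the SDK would select, or print nothing.
#   $1  path of the shared config file (default: ~/.aws/config)
#   $2  profile name (default: $AWS_PROFILE or "default")
resolve_region() {
  cfg_file="${1:-$HOME/.aws/config}"
  profile="${2:-${AWS_PROFILE:-default}}"

  # Environment variables take precedence over the config file.
  if [ -n "${AWS_REGION:-}" ]; then
    printf '%s\n' "$AWS_REGION"; return 0
  fi
  if [ -n "${AWS_DEFAULT_REGION:-}" ]; then
    printf '%s\n' "$AWS_DEFAULT_REGION"; return 0
  fi

  # Shared config: the default profile is "[default]", others "[profile NAME]".
  [ -r "$cfg_file" ] || return 1
  if [ "$profile" = "default" ]; then
    section="default"
  else
    section="profile $profile"
  fi
  awk -v want="$section" '
    /^[ \t]*\[/ {                          # section header line
      s = $0; sub(/^[ \t]*\[/, "", s)
      p = index(s, "]"); if (p > 0) s = substr(s, 1, p - 1)
      in_section = (s == want); next
    }
    in_section && /^[ \t]*region[ \t]*=/ { # first region key in the section
      sub(/^[ \t]*region[ \t]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
      print; exit
    }' "$cfg_file"
}

# preflight_region: status 0 and the region on stdout when one resolves;
# status 1 and a diagnostic on stderr otherwise. Intended as a workflow step
# placed before the digger action so a missing region is caught early.
preflight_region() {
  region=$(resolve_region "$@") || true
  if [ -z "$region" ]; then
    echo "preflight: Missing Region. Set AWS_REGION in the job env;" \
         "the action's aws-region input is not visible to the STS client." >&2
    return 1
  fi
  printf '%s\n' "$region"
}

# --- offline demonstration with a constructed config file -------------------
demo_cfg=$(mktemp)
trap 'rm -f "$demo_cfg"' EXIT
printf '[default]\nregion = eu-central-1\n\n[profile prod]\noutput = json\nregion = us-west-2\n' > "$demo_cfg"

# Config file is consulted only when neither env var is set.
( unset AWS_REGION AWS_DEFAULT_REGION; preflight_region "$demo_cfg" prod )
# AWS_REGION in the job env overrides whatever the config file says.
( unset AWS_DEFAULT_REGION; AWS_REGION=ap-south-1; preflight_region "$demo_cfg" prod )
# A profile with no region and no env vars reproduces the failure from the issue.
( unset AWS_REGION AWS_DEFAULT_REGION; preflight_region "$demo_cfg" staging ) \
  || echo "demo: preflight failed as expected for a profile with no region"
```

In a workflow this is a plain `run: preflight_region` step under the same job-level `env:` as the digger action; if the job forgets AWS_REGION, the step fails with the diagnostic instead of the STS endpoint error surfacing from inside populateKeys.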
I think I have seen this behaviour before. Not sure why the AWS STS client does not set a default region while setting a role. Need to dig further into it.
One thing I am testing is this in the digger.yml, to see if it fills the need without having to change the workflow file. Because if I update the workflow file, then I lose the ability to have cross-region support out of the same repo. Whereas if I can assign it as an env variable in the workflow, I can make magic happen.
```yaml
telemetry: false
traverse_to_nested_projects: true
projects:
  - name: "{{github.org}}-{{github.repo}}-dev"
    dir: dev
    include_patterns: [
      "./modules/**",
      "./config/dev/**",
    ]
    workflow_file: digger_workflow.yml
    aws_role_to_assume:
      state: {{output.stsStateRoleDev}}
      command: {{output.stsCommandRoleDev}}
  - name: "{{github.org}}-{{github.repo}}-prod"
    dir: prod
    include_patterns: [
      "./modules/**",
      "./config/prod/**",
    ]
    workflow_file: digger_workflow.yml
    aws_role_to_assume:
      state: {{output.stsStateRoleProd}}
      command: {{output.stsCommandRoleProd}}
workflows:
  default:
    env_vars:
      state:
        - name: AWS_REGION
          value: {{config.region}}
      commands:
        - name: AWS_REGION
          value: {{config.region}}
```
I finally got around to testing this today and using this technique to set the region did not work:
```yaml
workflows:
  default:
    env_vars:
      state:
        - name: AWS_REGION
          value: "us-west-2"
      commands:
        - name: AWS_REGION
          value: "us-west-2"
```
I think I found the problem. When examining an environment with the workflow vars set, I looked at the initialize digger config step and I see this:
```text
Run diggerhq/[email protected]
  with:
    setup-terraform: true
    disable-locking: true
    no-backend: true
    setup-aws: false
    aws-region: us-east-1
    setup-google-cloud: false
    setup-azure: false
    setup-terragrunt: false
    setup-opentofu: false
    terragrunt-version: v0.[5]
    terraform-version: v1.5.5
    configure-checkout: true
```
However, I am passing in us-west-2 and the credentials I have created are not in that region. So maybe this is part of the problem, I am digging in further to see if I can figure anything out.