
Assume Role setting from AWS Toolkit not respected in Terraform init or plan steps

Open alarobric opened this issue 2 years ago • 3 comments

I have the AWS Toolkit set up as suggested, and a service connection with access keys and assume role. My user in question has no privileges whatsoever, just the ability to assumeRole for a terraform role. This role gives access to the S3 and DynamoDb for the backend, and all the other resources provisioned through my terraform.

What I've found is that the assumeRole from the service connection doesn't seem to be getting applied.

If I give the user all the rights, the pipeline works. If instead I manually specify the assume_role in my provider and backend blocks, it works also. This seems to indicate it's just not making it from the service connection and AWS Toolkit through to these terraform commands?

If I run an AWSShellScript task using the same service connection, I can see it's using the assumed role, though.

```yaml
  - task: AWSShellScript@1
    inputs:
      awsCredentials: '${{ parameters.awsServiceConnection }}'
      regionName: '${{ parameters.awsRegion }}'
      scriptType: 'inline'
      inlineScript: |
        echo 'Using identity'
        aws sts get-caller-identity
```

Am I doing something wrong? Is this just not a supported behaviour? I'd prefer to keep that assume role detail in the service connection and out of my terraform code if possible.

alarobric avatar Feb 19 '23 05:02 alarobric

Hi @alarobric, the AWSShellScript task contains logic where it extracts the AWS_* environment variables from the service connection and they are available for the inline script (source). This is not done in the terraform task as it would not know how to handle various different service connections. The alternative would be to set these env variables in the terraform task by referencing them from the service connection, but not sure if this is feasible. Would you know @jason-johnson ?

piizei avatar Feb 22 '23 06:02 piizei

We should support awsCredentials on this task as well, so taking it up.

piizei avatar Feb 22 '23 06:02 piizei

I also encountered this issue and used the same workaround - removing the role reference from the service connection and manually specifying the assume_role in the provider and backend blocks. My YAML is using TerraformCLI tasks to reference the service connection.

e.g.

```yaml
- task: TerraformCLI@0
  displayName: init
  inputs:
    command: 'init'
    workingDirectory: '$(workingDirectory)'
    commandOptions: '-backend-config="dynamodb_table=$(dynamodb_table)" -backend-config="encrypt=$(encrypt)"'
    backendType: 'aws'
    allowTelemetryCollection: true
    backendServiceAws: 'AWSServiceConnection'
```

simonmacpherson avatar Aug 02 '23 04:08 simonmacpherson
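The workaround that both alarobric and simonmacpherson describe, moving the role assumption out of the service connection and into the Terraform provider and backend blocks, as an added example that is not from the thread or from the task's author. The account id, role name, bucket, table and region are placeholders; the pipeline's static IAM user is assumed to have no permissions of its own beyond `sts:AssumeRole` on that role.

```hcl
# Added example, not from the thread. The pipeline user holds no permissions
# of its own; every backend and provider call runs under the assumed role.
# Account id, role name, bucket, table and region below are placeholders.

terraform {
  required_version = ">= 1.6.0" # nested assume_role in the s3 backend needs 1.6+

  backend "s3" {
    bucket         = "example-terraform-state"   # placeholder
    key            = "pipeline/terraform.tfstate"
    region         = "us-east-1"                 # placeholder
    dynamodb_table = "example-terraform-locks"   # placeholder, state locking
    encrypt        = true

    # State reads/writes happen as the role, so the bucket and table
    # policies only need to trust the role, not the pipeline user.
    assume_role {
      role_arn     = "arn:aws:iam::123456789012:role/terraform" # placeholder
      session_name = "azure-pipelines-terraform"
    }
    # On Terraform < 1.6 the backend takes role_arn and session_name
    # directly in this block instead of a nested assume_role block.
  }
}

provider "aws" {
  region = "us-east-1" # placeholder

  # Same role for the resources Terraform manages. session_name is recorded
  # in CloudTrail as the assumed-role session, so pipeline runs stay
  # distinguishable from other consumers of the same role.
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/terraform" # placeholder
    session_name = "azure-pipelines-terraform"
  }
}
```

Backend blocks cannot reference variables, so the values are literal here; they can equally be supplied at `init` time through `-backend-config` options on the TerraformCLI task, as in the snippet above. With the role assumption in the code, the service connection only needs the access keys of the low-privilege user, and `aws sts get-caller-identity` run from an AWSShellScript task will still show the user, not the role, which is the expected result.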