This module creates a dynamic credentials setup between AWS and Terraform Cloud (project). It creates an IAM policy, IAM role, and IAM role policy attachment. It also creates a Terraform Cloud variable set with the AWS configurations.

tagesspiegel/terraform-aws-dynamic-provider-credentials

Repository files navigation

Terraform AWS dynamic provider credentials

This module sets up dynamic provider credentials between AWS and a Terraform Cloud project, so that runs in that project obtain short-lived AWS credentials through OIDC federation instead of static access keys stored as workspace variables. On the AWS side it creates an IAM OIDC identity provider for the Terraform Cloud hostname, an IAM role whose trust relationship only admits the organization, project, workspace and run-phase claims you configure, an IAM policy, and the role policy attachment. On the Terraform Cloud side it creates a variable set, attached to the project, that carries the AWS provider authentication variables (the enable flag and the role ARN) the workspaces need. For more information on dynamic provider credentials, see Dynamic Provider Credentials.

Usage

```hcl
// Bootstrap credentials: static keys are needed only for the first apply,
// which creates the OIDC provider, role and policy in IAM. Once that apply
// has succeeded, remove `access_key` and `secret_key`; later runs
// authenticate with the dynamic credentials this module configures.
provider "aws" {
  region     = var.aws_region
  access_key = var.access_key
  secret_key = var.secret_key
}

module "aws_dynamic_provider_credentials" {
  source  = "tagesspiegel/dynamic-provider-credentials/aws"
  version = "1.0.0"

  tfc_organization = "my-org"
  tfc_project      = "my-project"

  // Which runs may assume the role: "*" matches every workspace in the
  // project and both the plan and the apply phase.
  tfc_workspaces = [{
    name_override = "my-project-auth"
    workspace     = "*"
    run_phase     = "*"
    // IAM statements attached to the role; these are service-wide
    // wildcards on every resource and should be narrowed for real use.
    policies = [
      {
        Effect = "Allow"
        Action = [
          "ec2:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "ram:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "cloudwatch:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "logs:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "kms:*"
        ]
        Resource = "*"
      }
    ]
  }]
}
```

Bootstrapping needs credentials only for the first apply: AWS credentials able to create the OIDC identity provider, role and policy in IAM, and a Terraform Cloud token for the `tfe` provider (for example via the `TFE_TOKEN` environment variable) to create the variable set. After that apply succeeds, remove the static `access_key`/`secret_key` variables; if the workspace applying this module sits in the same project, it can run on the dynamic credentials from then on.

Two points are worth checking before copying this example. First, `workspace = "*"` together with `run_phase = "*"` lets every workspace in the project, during plan as well as apply, assume a role that holds `ec2:*`, `ram:*`, `cloudwatch:*`, `logs:*` and `kms:*` on every resource; narrow the workspace pattern and the policy statements to what the project actually needs, and keep in mind that a plan of not-yet-reviewed changes runs with these permissions too. Second, the Inputs section below documents `statements`, `policies` and `dynamic_credentials_role_name_override` as the module's inputs, which differ from the `tfc_workspaces` block shown here; use the input names documented for the module version you pin.
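To make the trust relationship concrete, here is an added Python example (not code from the tagesspiegel module) that renders `statements` into the assume-role policy on the IAM side and emulates how IAM evaluates a run token's claims against it, including the cases the wildcard does not cover. The `sub` claim layout and the StringEquals/StringLike conditions are the ones HashiCorp documents for dynamic provider credentials; the account ID, the token claim sets and the helper names (`trust_policy`, `can_assume`, `string_like`) are assumptions made here.

```python
"""Trust relationship behind Terraform Cloud dynamic credentials for AWS.

Added example, not code from the tagesspiegel module. It renders the module's
`statements` input into the IAM assume-role policy that the OIDC identity
provider relies on, then emulates how IAM evaluates the claims of a Terraform
Cloud run token against it. The `sub` claim layout
(organization:<org>:project:<project>:workspace:<ws>:run_phase:<phase>) and the
StringEquals/StringLike conditions follow HashiCorp's dynamic-credentials
documentation; the account ID, tokens and helper names are constructed here.
"""
import json
import re

TFC_HOSTNAME = "app.terraform.io"        # module default tfc_hostname
TFC_AUDIENCE = "aws.workload.identity"   # module default tfc_aws_audience


def subject_pattern(org_name, project_name, workspace="*", run_phase="*"):
    """One `statements` entry rendered as the `sub` pattern IAM will match.

    `workspace = "*"` therefore authorises every workspace in the project and
    `run_phase = "*"` both the plan and the apply phase.
    """
    return (f"organization:{org_name}:project:{project_name}"
            f":workspace:{workspace}:run_phase:{run_phase}")


def trust_policy(statements, account_id, hostname=TFC_HOSTNAME, audience=TFC_AUDIENCE):
    """Assume-role policy document for the IAM OIDC provider of `hostname`.

    `aud` is matched exactly (StringEquals); `sub` is matched with StringLike so
    the `*` wildcards in the statements are honoured by IAM.
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{hostname}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{hostname}:aud": audience},
                "StringLike": {f"{hostname}:sub": [subject_pattern(**s) for s in statements]},
            },
        }],
    }


def string_like(pattern, value):
    """IAM StringLike semantics: `*` matches any run of characters, `?` one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def can_assume(policy, claims, hostname=TFC_HOSTNAME):
    """Emulate IAM's evaluation of `policy` for one token's claims.

    Returns (allowed, reason). The issuer check stands in for IAM resolving the
    token to the registered OIDC provider; aud and sub follow the conditions.
    """
    if claims.get("iss") != f"https://{hostname}":
        return False, "issuer does not match the OIDC provider"
    cond = policy["Statement"][0]["Condition"]
    if claims.get("aud") != cond["StringEquals"][f"{hostname}:aud"]:
        return False, "audience mismatch"
    patterns = cond["StringLike"][f"{hostname}:sub"]
    sub = claims.get("sub", "")
    if not any(string_like(p, sub) for p in patterns):
        return False, f"sub {sub!r} matches none of {patterns}"
    return True, "allowed"


def demo():
    """Evaluate constructed run tokens against the README's workspace='*' statement."""
    statements = [{"org_name": "my-org", "project_name": "my-project",
                   "workspace": "*", "run_phase": "*"}]
    policy = trust_policy(statements, account_id="123456789012")   # constructed account ID
    base = {"iss": f"https://{TFC_HOSTNAME}", "aud": TFC_AUDIENCE}
    tokens = {  # constructed claim sets, not real tokens
        "any workspace in the project, plan phase":
            {**base, "sub": "organization:my-org:project:my-project:workspace:prod-network:run_phase:plan"},
        "same org, different project":
            {**base, "sub": "organization:my-org:project:sandbox:workspace:prod-network:run_phase:apply"},
        "wrong audience":
            {**base, "aud": "sts.amazonaws.com",
             "sub": "organization:my-org:project:my-project:workspace:prod-network:run_phase:apply"},
    }
    return {name: can_assume(policy, claims)[0] for name, claims in tokens.items()}


if __name__ == "__main__":
    print(json.dumps(trust_policy([{"org_name": "my-org", "project_name": "my-project",
                                    "workspace": "*"}], "123456789012"), indent=2))
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Running it prints the policy document and shows that the plan-phase token from any workspace of `my-project` is accepted, while a token from another project in the same organization and a token carrying a different audience are refused. Tightening `workspace` to a concrete name or prefix (for example `prod-*`) is a one-line change to the statement and shrinks the first case accordingly.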

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.6 |
| aws | ~> 5.59 |

Providers

| Name | Version |
|------|---------|
| tfe | 0.57.1 |

Modules

| Name | Source | Version |
|------|--------|---------|
| aws_identity_provider | ./modules/iam_identity_provider | n/a |
| aws_tfc_dynamic_credentials_iam_roles | ./modules/iam_roles | n/a |

Resources

| Name | Type |
|------|------|
| tfe_project_variable_set.tfc_project | resource |
| tfe_variable.tfe_aws_provider_auth | resource |
| tfe_variable.tfe_aws_provider_auth_arn | resource |
| tfe_variable_set.tfc_aws_dynamic_credentials | resource |
| tfe_project.tfc_project | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| dynamic_credentials_role_name_override | The name of the IAM role to create. If not set, the name will be generated automatically. | `string` | `"terraform-cloud-dynamic-credentials"` | no |
| policies | A list of custom policy statements to attach to the IAM role. If left empty, the module's built-in default is used, which allows all actions on all EC2 resources. | <pre>set(object({<br>  Effect   = string<br>  Action   = set(string)<br>  Resource = string<br>}))</pre> | `[]` | no |
| statements | The list of statements for the role's trust relationship. Each entry names the Terraform Cloud organization, project, workspace and run phase (`run_phase` defaults to `*`, i.e. plan and apply) whose runs may assume the role; `*` acts as a wildcard in `workspace` and `run_phase`. | <pre>set(object({<br>  org_name     = string<br>  project_name = string<br>  workspace    = string<br>  run_phase    = optional(string, "*")<br>}))</pre> | n/a | yes |
| tfc_aws_audience | The audience (`aud`) claim value Terraform Cloud presents to AWS | `string` | `"aws.workload.identity"` | no |
| tfc_hostname | The hostname of the TFC or TFE instance you'd like to use with AWS | `string` | `"app.terraform.io"` | no |
| tfc_organization | Name of the Terraform Cloud organization | `string` | n/a | yes |
| tfc_project | Name of the Terraform Cloud/Enterprise project | `string` | n/a | yes |
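The `policies` input maps one-to-one onto IAM statements, and every run admitted by the trust relationship inherits whatever they grant. The following added Python example (not the module's own code) renders the input into the policy document and flags Allow statements that pair a service-wide wildcard action with `Resource = "*"`, so the README's usage example can be compared with a scoped alternative; the empty-list fallback mirrors the documented default of all actions on all EC2 resources. The sample policy sets, account ID, region, key ID and helper names (`render_policy`, `audit`) are constructed here for illustration.

```python
"""Render the module's `policies` input as an IAM policy and audit its scope.

Added example, not code from the tagesspiegel module. The statement shape
(Effect / Action / Resource) is the one documented for the `policies` input;
the fallback for an empty list mirrors the documented default ("all actions on
all ec2 resources"). The audit rule, helper names and sample policy sets are
constructed here for illustration.
"""
import json

# The README's usage example: five services' full action sets on every resource.
USAGE_POLICIES = [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ram:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudwatch:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
]

# A tighter, constructed alternative: actions enumerated, resources scoped
# where the service supports it (Describe* calls only accept Resource "*").
# Account ID, region and key ID are placeholders.
SCOPED_POLICIES = [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateTags"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:PutRetentionPolicy", "logs:DeleteLogGroup"],
     "Resource": "arn:aws:logs:eu-central-1:123456789012:log-group:/my-project/*"},
    {"Effect": "Allow",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
]


def render_policy(policies):
    """Build the IAM policy document the module attaches to the role."""
    statements = list(policies) or [{"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": s["Effect"], "Action": sorted(s["Action"]),
                           "Resource": s["Resource"]} for s in statements]}


def audit(policy):
    """Findings for Allow statements pairing a service-wide wildcard action with Resource '*'.

    Every run in every workspace matched by the trust policy inherits these
    permissions, so they are the blast radius of a compromised run or of a
    malicious provider or module pulled into the configuration.
    """
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad and "*" in resources:
            findings.append(f"statement {idx}: {', '.join(broad)} on all resources")
    return findings


if __name__ == "__main__":
    for label, policies in (("usage example", USAGE_POLICIES), ("scoped", SCOPED_POLICIES)):
        doc = render_policy(policies)
        print(f"== {label} ==")
        print(json.dumps(doc, indent=2))
        print("findings:", audit(doc) or "none")
```

The check is deliberately narrow: it only reports the combination that the usage example repeats five times, a `service:*` action on `Resource = "*"`. Statements such as `ec2:Describe*` on `*` pass, because AWS offers no resource-level scoping for those calls; the point is to make the fully unscoped grants visible before they are attached to a role that any run in the project can assume.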

Outputs

| Name | Description |
|------|-------------|
| aws_tfc_audience | The audience value used for the OIDC trust (`tfc_aws_audience`) |
| full_name | A list of all `full_name` values |
| oidc_claims | OpenID Connect claims used in the trust relationship |
| role_arns | ARNs of the IAM roles created for the trust relationship |
