Skip to content

Latest commit

 

History

History
121 lines (103 loc) · 5.33 KB

README.md

File metadata and controls

121 lines (103 loc) · 5.33 KB
Raw

Terraform AWS dynamic provider credentials

This module creates a dynamic credentials setup between AWS and Terraform Cloud (project). It creates an IAM policy, IAM role, and IAM role policy attachment. It also creates a Terraform Cloud variable set with the AWS configurations. For more information on dynamic provider credentials, see Dynamic Provider Credentials.

Usage

// one-time credentials to setup the dynamic credentials
// this is the only time you need to provide credentials
// after this, the dynamic credentials will be used.
// If the setup was successful, `access_key` and `secret_key` should be removed.
provider "aws" {
  region     = var.aws_region
  access_key = var.access_key
  secret_key = var.secret_key
}

module "aws_dynamic_provider_credentials" {
  source  = "tagesspiegel/dynamic-provider-credentials/aws"
  version = "1.0.0"

  tfc_organization = "my-org"
  tfc_project      = "my-project"

  tfc_workspaces = [{
    name_override = "my-project-auth"
    workspace     = "*"
    run_phase     = "*"
    policies = [
      {
        Effect = "Allow"
        Action = [
          "ec2:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "ram:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "cloudwatch:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "logs:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "kms:*"
        ]
        Resource = "*"
      }
    ]
  }]
}

Requirements

Name Version
terraform ~> 1.6
aws ~> 5.59

Providers

Name Version
tfe 0.57.1

Modules

Name Source Version
aws_identity_provider ./modules/iam_identity_provider n/a
aws_tfc_dynamic_credentials_iam_roles ./modules/iam_roles n/a

Resources

Name Type
tfe_project_variable_set.tfc_project resource
tfe_variable.tfe_aws_provider_auth resource
tfe_variable.tfe_aws_provider_auth_arn resource
tfe_variable_set.tfc_aws_dynamic_credentials resource
tfe_project.tfc_project data source

Inputs

Name Description Type Default Required
dynamic_credentials_role_name_override The name of the IAM role to create. If not set, the name will be generated automatically. string "terraform-cloud-dynamic-credentials" no
policies A list of custom policies to attach to the IAM role. By default the provider will be allowed to perform all actions on all ec2 resources. 
set(object({
    Effect   = string
    Action   = set(string)
    Resource = string
  }))
 [] no
statements The list of statements to use for the trust relationship 
set(object({
    org_name     = string
    project_name = string
    workspace    = string
    run_phase    = optional(string, "*")
  }))
 n/a yes
tfc_aws_audience AWS audience string "aws.workload.identity" no
tfc_hostname The hostname of the TFC or TFE instance you'd like to use with AWS string "app.terraform.io" no
tfc_organization Name of the organization string n/a yes
tfc_project Name of the terraform cloud/enterprise project string n/a yes

Outputs

Name Description
aws_tfc_audience n/a
full_name A list of all 'full_name' values
oidc_claims OpenID Claims for trust relationship
role_arns ARN for trust relationship role