Open fatmcgav opened 4 months ago
OK, after lots of debugging, iteration and head-scratching I've managed to get a working solution:
```yaml
version: 2.1

orbs:
  aws-cli: circleci/aws-cli@4.1.3

commands:
  get-target-aws-account-id:
    description: Get target AWS Account ID
    parameters:
      app-env:
        type: string
    steps:
      - run:
          name: Get Target AWS Account ID
          command: |
            export ENV_NAME=<< parameters.app-env >>
            account_id_env="${ENV_NAME}_AWS_ACCOUNT_ID"
            echo "Looking for ${account_id_env} env"
            aws_account_id=$(eval echo \$${account_id_env})
            if [ -z "${aws_account_id}" ]; then
              echo "Didn't find a matching AWS_ACCOUNT_ID env"
              exit 1
            else
              echo "Found a valid AWS Account ID"
              # Exported via $BASH_ENV so later steps (including orb steps) see them
              echo "export TARGET_AWS_ACCOUNT_ID='$aws_account_id'" >> "$BASH_ENV"
              echo "export TERRAFORM_ADMIN_AWS_ROLE_ARN='arn:aws:iam::${aws_account_id}:role/TerraformAdmin'" >> "$BASH_ENV"
            fi

jobs:
  check-and-validate:
    docker:
      - image: hashicorp/terraform:1.5.7
    working_directory: ~/src/core
    steps:
      - checkout:
          path: ~/src
      - run:
          name: Check Terraform fmt
          command: terraform fmt -check=true
      - run:
          name: Run Terraform init for validation
          command: terraform init -backend=false
      - run:
          name: Validate Terraform code
          command: terraform validate
      - save_cache:
          key: v1-dot-terraform-{{ .Environment.CIRCLE_SHA1 }}
          paths:
            - ~/src/core/.terraform

  plan:
    parameters:
      app-env:
        type: string
        default: DEV
    docker:
      - image: hashicorp/terraform:1.5.7
    # Login shell (-l) sources /etc/profile, which BASH_ENV points at below,
    # so variables appended to $BASH_ENV are loaded in every subsequent step.
    shell: /bin/sh -leo pipefail
    environment:
      BASH_ENV: /etc/profile
    working_directory: ~/src
    steps:
      - get-target-aws-account-id:
          app-env: << parameters.app-env >>
      - aws-cli/setup:
          region: eu-west-2
          role_arn: "arn:aws:iam::<ci account id>:role/CircleCITerraformAuth"
          role_session_name: "CircleCI-${CIRCLE_WORKFLOW_ID}-${CIRCLE_JOB}"
          profile_name: oidc
      - aws-cli/role_arn_setup:
          role_arn: "${TERRAFORM_ADMIN_AWS_ROLE_ARN}"
          profile_name: default
          source_profile: oidc
      - checkout
      ... snipped ...
```
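The `get-target-aws-account-id` command above resolves `${ENV_NAME}_AWS_ACCOUNT_ID` with `eval`, which works but means the `app-env` parameter value is evaluated as shell code. The script below is an added example (not code from the issue or from the aws-cli orb) that does the same lookup for a POSIX `/bin/sh` job without `eval`, rejects an `app-env` that is not a plain variable-name fragment, checks that the resolved value looks like a 12-digit AWS account ID before it is placed inside an IAM ARN, and prints the same two `export` lines that the job appends to `$BASH_ENV`. The role name `TerraformAdmin` and the `DEV_AWS_ACCOUNT_ID` sample value used in the usage comment are taken or constructed from the config above, not from the orb.

```shell
#!/bin/sh
# Added example: resolve "<APP_ENV>_AWS_ACCOUNT_ID" into a role ARN without eval,
# validate the account ID, and emit export lines for appending to "$BASH_ENV".
# Usage in a job step:   emit_bash_env DEV >> "$BASH_ENV"   (exits non-zero on failure)

# Look up the variable named "<app_env>_AWS_ACCOUNT_ID" via printenv, so the
# app-env string is treated as data and never evaluated as shell code.
resolve_account_id() {
  app_env="$1"
  # Only allow a conservative variable-name charset for the env suffix.
  case "$app_env" in
    ""|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  printenv "${app_env}_AWS_ACCOUNT_ID"
}

# AWS account IDs are exactly 12 decimal digits; reject anything else so a
# stray or malformed value cannot end up inside the IAM ARN.
is_valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the IAM role ARN for an account ID and role name.
build_role_arn() {
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Print the export lines the job would append to "$BASH_ENV".
# Returns 1 (printing nothing) if the env var is missing, the app-env
# name is unsafe, or the value is not a 12-digit account ID.
emit_bash_env() {
  app_env="$1"
  role_name="${2:-TerraformAdmin}"   # role name taken from the config above
  account_id=$(resolve_account_id "$app_env") || return 1
  is_valid_account_id "$account_id" || return 1
  printf "export TARGET_AWS_ACCOUNT_ID='%s'\n" "$account_id"
  printf "export TERRAFORM_ADMIN_AWS_ROLE_ARN='%s'\n" \
    "$(build_role_arn "$account_id" "$role_name")"
}
```

Because every check fails closed, the `run` step that calls `emit_bash_env` exits non-zero before any later orb step (such as `aws-cli/role_arn_setup`) can be handed an empty or malformed `role_arn`, which is the failure the issue describes.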
I'm trying to use this orb to assume a role in a target account using OIDC. However I'm struggling to get the step to run with a dynamic `role_arn` value. I've tried setting `AWS_ACCOUNT_ID` using `$BASH_ENV` redirection, and that works fine for the `run` step, but not for the `aws-cli/assume_role_with_web_identity` step, which fails with:

The `run` command which tests for `AWS_ACCOUNT_ID` works fine and prints:

I also tried setting the `AWS_CLI_STR_ROLE_ARN` env and commenting out the `role_arn` input, but that complains with:

Is there any way I can get this working with a dynamic `role_arn` value?