Discuss additional use cases that should be tested

[timoguin]

First off, thank you for starting work on this. It seems desperately needed.

My primary needs for this are assuming roles via Terraform, so that is primarily where my head is at. I've attempted to include other methods I can think of, and to order the list(s) by precedence. I'd like for us to get all the test cases at least written down, so it's easier to contribute. I've included all the use cases I can think off.

Assume role via Terraform backend, provider, and remote state configs

These options should all assume the configured role(s) when the assume role blocks and/or arguments are passed. Terraform should be using it's own libraries (aws-sdk-go-base) to do the role assumption.

Credentials can be passed from the following sources:

• Terraform config arguments
• Terraform -var or -var-file CLI flags
• Terraform TF_VAR_ env vars
• Standard AWS env vars (AWS_ACCESS_KEY_ID, etc)
• ECS container metadata endpoint (must also respect the ECS_CONTAINER_METADATA_FILE and AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env vars)
• EC2 instance metadata endpoint (must also respect the AWS_METADATA_URL env var
• Shared credentials file
• Alternate shared credentials file (AWS_SHARED_CREDENTIALS_FILE env var)
• credential_process option in AWS config/credentials files

These should all work from both standard IAM credentials as well as temporary session credentials.

AWS_PROFILE env var

There is also the AWS_PROFILE env var that has to be handled a bit differently. This can be passed to Terraform the with the following config methods:

• Terraform config arguments
• CLI flags
• TFVAR env vars
• AWS env vars

The AWS_PROFILE option is ignored if the AWS credentials are specified. To load the profile from env vars, Terraform also requires the AWS_SDK_LOAD_CONFIG var set to a truthy value.

Static credentials

These should all use the normal AWS SDK order of precedence, while also preferring the Terraform config options:

• Terraform static config arguments
• Terraform -var and -var-file CLI args
• Terraform TFVAR env vars
• AWS env vars
• etc.

References:

• https://docs.aws.amazon.com/sdk-for-go/api/aws/defaults/#CredChain
• https://docs.aws.amazon.com/cli/latest/topic/config-vars.html
• https://docs.aws.amazon.com/AmazonECS/latest/developerguide/container-metadata.html
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
• https://www.terraform.io/docs/backends/types/s3.html
• https://www.terraform.io/docs/providers/aws/index.html

[YakDriver]

Thank you for the meaty response! If you have the chance to contribute any specific tests, that would be much appreciated. Otherwise, I'll work to tease out the various stories here - in time. 👍

[timoguin]

Thanks! I'm hoping to contribute, just wanted to organize my thoughts here a bit and make sure I wasn't too far off!

[YakDriver]

No, you're right on target. I'm currently adding a few more tests so, hopefully, there will be enough to given plenty of examples. I'm using Makefiles per test to make running more consistent with the idea of adding an automation layer at some point. Thanks for your thoughts!