aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Support Terraform dynamic provider credentials #318

Open wellsiau-aws opened 1 year ago

wellsiau-aws commented 1 year ago

Describe the outcome you'd like

Terraform Cloud (TFC) recently announced the new dynamic provider credentials. By using this new feature, you no longer need to store long-lived static AWS credentials as workspace variables. Instead, TFC will AssumeRoleWithWebIdentity via IAM OIDC provider, using the specified role ARN.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

By implementing dynamic provider credentials support in AFT, each AFT-managed workspace no longer needs to store static AWS credentials.

Additional positive impact: Terraform Cloud drift detection can run normally; previously this was not possible because the static credentials AFT provided will expire.

Additional context

To implement this, AFT needs to inject two environment variables in the workspace:

Example of how to bootstrap the OIDC provider: https://github.com/hashicorp/terraform-dynamic-credentials-setup-examples/tree/main/aws
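The following is an added example, not code from this issue or from the AFT project, showing what the AWS side of the request above looks like: an IAM OIDC provider for Terraform Cloud, a role whose trust policy is pinned to one organization/project/workspace, and the two workspace environment variables that switch the AWS provider to dynamic credentials. The organization, project, workspace and role names are placeholders; the variable names `TFC_AWS_PROVIDER_AUTH` and `TFC_AWS_RUN_ROLE_ARN` and the `aud`/`sub` claim format come from the Terraform Cloud dynamic credentials documentation, not from the issue text.

```terraform
# Added example (not AFT's own code): bootstrap TFC dynamic provider credentials
# for one workspace. Organization, project, workspace and role names below are
# placeholders chosen for illustration.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
    tfe = { source = "hashicorp/tfe" }
    tls = { source = "hashicorp/tls" }
  }
}

variable "tfc_hostname"     { default = "app.terraform.io" }
variable "tfc_audience"     { default = "aws.workload.identity" } # TFC default audience
variable "tfc_organization" { default = "example-org" }           # placeholder
variable "tfc_project"      { default = "aft-accounts" }          # placeholder
variable "tfc_workspace"    { default = "example-workspace" }     # placeholder

# Fetch the issuer certificate so the OIDC provider pins the current thumbprint
# instead of a hard-coded value that silently goes stale.
data "tls_certificate" "tfc" {
  url = "https://${var.tfc_hostname}"
}

resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://${var.tfc_hostname}"
  client_id_list  = [var.tfc_audience]
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}

# Trust policy: both the audience AND the subject are checked. Without the `sub`
# condition, any workspace in any TFC organization presenting the same audience
# could assume this role, so the subject condition is the actual access boundary.
data "aws_iam_policy_document" "tfc_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.tfc.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${var.tfc_hostname}:aud"
      values   = [var.tfc_audience]
    }

    condition {
      test     = "StringLike"
      variable = "${var.tfc_hostname}:sub"
      values = [
        "organization:${var.tfc_organization}:project:${var.tfc_project}:workspace:${var.tfc_workspace}:run_phase:*",
      ]
    }
  }
}

resource "aws_iam_role" "tfc_run" {
  name               = "tfc-dynamic-creds-${var.tfc_workspace}" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.tfc_trust.json
}

# Permissions policy: a deliberately minimal placeholder. Replace it with the
# least-privilege set of actions the workspace actually manages.
data "aws_iam_policy_document" "tfc_run_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["sts:GetCallerIdentity"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "tfc_run" {
  name   = "placeholder-workspace-permissions"
  role   = aws_iam_role.tfc_run.id
  policy = data.aws_iam_policy_document.tfc_run_permissions.json
}

# The two environment variables TFC reads to switch the AWS provider to
# AssumeRoleWithWebIdentity. No access key or secret is stored in the workspace.
data "tfe_workspace" "target" {
  name         = var.tfc_workspace
  organization = var.tfc_organization
}

resource "tfe_variable" "provider_auth" {
  workspace_id = data.tfe_workspace.target.id
  category     = "env"
  key          = "TFC_AWS_PROVIDER_AUTH"
  value        = "true"
}

resource "tfe_variable" "run_role_arn" {
  workspace_id = data.tfe_workspace.target.id
  category     = "env"
  key          = "TFC_AWS_RUN_ROLE_ARN"
  value        = aws_iam_role.tfc_run.arn
}
```

For an AFT-managed fleet the per-workspace piece is the `sub` condition and the two `tfe_variable` resources; the OIDC provider is created once per account. Keeping the subject scoped to a single workspace (rather than `organization:<org>:*`) is what prevents one workspace's run from assuming another account's role.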

stumins commented 1 year ago

Hi @wellsiau-aws,

Thank you for the enhancement request. I've created a backlog item for the team to explore supporting this TFC feature.

gautambaghel commented 1 year ago

Any updates on this @stumins ?