aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Environment variables lost in pre and post-api-helpers.sh #345

Open appleoddity opened 1 year ago

appleoddity commented 1 year ago

AFT Version: 1.10.3 (Latest)

Terraform Version & Provider Versions Please provide the outputs of terraform version and terraform providers from within your AFT environment

terraform version

Terraform v1.4.1
on windows_amd64
+ provider registry.terraform.io/hashicorp/archive v2.3.0
+ provider registry.terraform.io/hashicorp/aws v4.55.0
+ provider registry.terraform.io/hashicorp/local v2.3.0
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.9.1

terraform providers

Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/aws]
└── module.aft
    ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0, < 5.0.0
    ├── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_customizations
    │   ├── provider[registry.terraform.io/hashicorp/local]
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_lambda_layer
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── provider[registry.terraform.io/hashicorp/random]
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_ssm_parameters
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   └── provider[registry.terraform.io/hashicorp/random]
    ├── module.aft_code_repositories
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   └── provider[registry.terraform.io/hashicorp/local]
    ├── module.aft_iam_roles
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.ct_management_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.log_archive_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.log_archive_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.aft_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.aft_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.audit_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   ├── module.audit_service_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    │   └── module.ct_management_exec_role
    │       └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.packaging
    │   └── provider[registry.terraform.io/hashicorp/archive]
    ├── module.aft_account_request_framework
    │   ├── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0
    │   └── provider[registry.terraform.io/hashicorp/time]
    ├── module.aft_backend
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    ├── module.aft_feature_options
    │   └── provider[registry.terraform.io/hashicorp/aws] >= 4.27.0
    └── module.aft_account_provisioning_framework
        └── provider[registry.terraform.io/hashicorp/aws] >= 4.9.0

Providers required by state:

    provider[registry.terraform.io/hashicorp/aws]
    provider[registry.terraform.io/hashicorp/archive]
    provider[registry.terraform.io/hashicorp/local]
    provider[registry.terraform.io/hashicorp/random]
    provider[registry.terraform.io/hashicorp/time]

Bug Description: The customizations CodeBuild projects' buildspec definitions that use the pre_build and post_build execution of pre-api-helpers.sh and post-api-helpers.sh do not dot-source the scripts, so any environment variables defined within these api-helper scripts are unavailable to other steps in the CodeBuild project.

To Reproduce Steps to reproduce the behavior:

  1. Export a variable in the pre-api-helpers.sh script: export test="test variable"
  2. In the codebuild project buildspec add the following command after the pre-api-helpers.sh execution step: env
  3. Observe that the test environment variable is not present in the output.

Expected behavior Environment variables defined in the pre and post api helper scripts should be retained for the following build steps.

Additional context If we attempt to define TF_VAR environment variables in the pre/post-api-helpers.sh scripts those are lost in the following Terraform execution steps. To solve this problem we need to dot-source the scripts in the buildspec, i.e.: . $DEFAULT_PATH/$CUSTOMIZATION/api_helpers/pre-api-helpers.sh
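The behaviour described in this report, shown as an added demonstration that is not part of the AFT project or of the issue author's text: a constructed stand-in for pre-api-helpers.sh exports one variable, and a later "step" reads it back once after executing the helper as a child process (the way the buildspec currently runs it) and once after dot-sourcing it. The path, the variable name TF_VAR_demo and the helper contents are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the AFT project or from the issue.
# Shows why `export` inside pre-api-helpers.sh is invisible to later buildspec
# steps when the script is executed (bash script.sh) instead of dot-sourced.
set -eu

WORKDIR="$(mktemp -d)"
HELPER="$WORKDIR/pre-api-helpers.sh"
# Remove the scratch directory when the shell exits.
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-in for api_helpers/pre-api-helpers.sh: it exports one variable,
# the same pattern as the `export test="test variable"` step in the report.
cat > "$HELPER" <<'EOF'
#!/usr/bin/env bash
export TF_VAR_demo="set by pre-api-helpers"
EOF
chmod +x "$HELPER"

# Value of TF_VAR_demo that a later build step sees when the helper runs as a
# child process. Exports made by a child never reach the parent shell.
run_executed() {
  (
    unset TF_VAR_demo
    bash "$HELPER"
    printf '%s' "${TF_VAR_demo:-<unset>}"
  )
}

# Same check when the helper is dot-sourced: it runs in the current shell, so its
# exports persist for the commands that follow in the same step.
run_sourced() {
  (
    unset TF_VAR_demo
    . "$HELPER"
    printf '%s' "${TF_VAR_demo:-<unset>}"
  )
}

echo "executed: $(run_executed)"   # executed: <unset>
echo "sourced:  $(run_sourced)"    # sourced:  set by pre-api-helpers
```

Two consequences of switching to `.` are worth keeping in mind when reviewing such a change: any `exit` or `set -e` failure inside the helper now terminates the build step's shell itself rather than just the child, and every variable the helper exports lands in the step's environment, so a later `env` or verbose Terraform log will print it; credentials placed there should be masked or kept out of the build log.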

balltrev commented 1 year ago

Thanks @appleoddity for calling this out. We've got an internal backlog already tracking this enhancement, I'll add your issue for further context during prioritization.

noahtrillingds commented 1 year ago

Any update on this? Being unable to set environment variables during the terraform execution makes it difficult to provision other terraform providers which depend on secrets (API keys, etc.).

femenezes commented 9 months ago

+1 on this issue. I'm trying to use a 3rd party provider; being able to set credentials in environment variables would be much more secure and practical.

mikeplem commented 4 months ago

I am not sure if this will solve the problems you are encountering but I successfully worked around this problem by doing this in my account customizations pre-api-helpers.sh script.

echo "Appending custom variables to terraform.tfvars"
cat << EOF >> "${DEFAULT_PATH}/${CUSTOMIZATION}/terraform/terraform.tfvars"
vpc_name = "${VPC_NAME}"
vpc_ipam_type = "${IPAM_TYPE}"
vpc_region = "${VPC_REGION}"
vpc_az_count = ${VPC_AZ_COUNT}
EOF