carlpett / terraform-provider-sops

A Terraform provider for reading Mozilla sops files
Mozilla Public License 2.0

SOPS with Terraform Cloud dynamic provider credentials #112

Open take-five opened 9 months ago

take-five commented 9 months ago

In Terraform Cloud it is possible to configure dynamic AWS credentials using OIDC providers: https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials/aws-configuration

For workspaces with multiple AWS provider configurations, TFC would inject the variable tfc_aws_dynamic_credentials:

variable "tfc_aws_dynamic_credentials" {
  description = "Object containing AWS dynamic credentials configuration"
  type = object({
    default = object({
      shared_config_file = string
    })
    aliases = map(object({
      shared_config_file = string
    }))
  })
}

To use it in the AWS provider you have to use the configuration option shared_config_files:

provider "aws" {
  shared_config_files = [var.tfc_aws_dynamic_credentials.default.shared_config_file]
}

provider "aws" {
  alias = "ALIAS1"
  shared_config_files = [var.tfc_aws_dynamic_credentials.aliases["ALIAS1"].shared_config_file]
}

However, the sops provider doesn't have an option for configuring AWS (or any other provider, like GCP or Azure) with the shared_config_files option, and so it fails to authenticate and assume the correct role with the identity token.

Would it be possible to either bake some configuration options into the provider "sops" {} block, or maybe allow setting environment variables for the provider, like this:

provider "sops" {
  environment = {
    AWS_SHARED_CREDENTIALS_FILE = var.tfc_aws_dynamic_credentials.aliases["ALIAS1"].shared_config_file
  }
}
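To make concrete what the `shared_config_file` path hands to the AWS SDK, and therefore what the sops provider would have to be pointed at, here is an added example (not code from the provider or from the post above) that parses a constructed shared config file in the web identity profile shape. The file contents, including the account id, role name, token path and region, are assumptions, not Terraform Cloud's real output.

```go
package main

import (
	"fmt"
	"strings"
)

// ConstructedTFCConfig stands in for the file at shared_config_file (assumed shape, not TFC's real output).
const ConstructedTFCConfig = `[default]
region = eu-west-1
role_arn = arn:aws:iam::123456789012:role/tfc-example-role
web_identity_token_file = /home/tfc-agent/.aws/tfc_token
`

// AWSProfile holds what a KMS-backed sops decrypt needs: the OIDC token file is exchanged for RoleARN credentials.
type AWSProfile struct{ Region, RoleARN, WebIdentityTokenFile string }

// ParseSharedConfig reads AWS shared config: "[default]"/"[profile NAME]" sections with "key = value" entries.
func ParseSharedConfig(src string) (map[string]AWSProfile, error) {
	profiles := map[string]AWSProfile{}
	current := ""
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue
		case line[0] == '[' && strings.HasSuffix(line, "]"):
			current = strings.TrimSpace(strings.TrimPrefix(line[1:len(line)-1], "profile "))
			continue
		case current == "":
			return nil, fmt.Errorf("entry %q appears before any [section]", line)
		}
		k, v, _ := strings.Cut(line, "=") // an entry without "=" matches no key below
		p := profiles[current]
		switch v = strings.TrimSpace(v); strings.TrimSpace(k) {
		case "region":
			p.Region = v
		case "role_arn":
			p.RoleARN = v
		case "web_identity_token_file":
			p.WebIdentityTokenFile = v
		}
		profiles[current] = p
	}
	return profiles, nil
}

func main() {
	fmt.Println(ParseSharedConfig(ConstructedTFCConfig))
}
```

An aliased provider's file would carry a `[profile ALIAS1]` section instead of `[default]`; the parser keys the result by that name.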