diggerhq / digger

Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️
https://digger.dev
Apache License 2.0

Terragrunt - AwsAssumeRole does not work on generate_projects / blocks configuration - Community Edition #1714

Closed ben-of-codecraft closed 1 month ago

ben-of-codecraft commented 1 month ago

Issue

When using backendless action inputs:

```yaml
      - name: digger run
        uses: diggerhq/digger@v0.6.39
        with:
          setup-aws: false
          setup-terragrunt: true
          setup-checkov: false
          disable-locking: true
          no-backend: true
          terragrunt-version: 0.50.2
```

The command/state roles to assume do not get used correctly when set on the blocks, as follows:

```yaml
generate_projects:
  blocks:
    - block_name: dev
      terragrunt: true
      root_dir: "dev/"
      workflow: default
      workflow_file: digger_workflow.yml
      aws_role_to_assume:
        aws_role_region: "us-east-1"
        command: "xxxx"
```

Expected Behavior

AWSRole identity provider is used and passed into the Terragrunt run, similar to how Terraform works.

ben-of-codecraft commented 1 month ago

Have narrowed down the problem to likely being this function not applying the AwsAssumeRole struct when creating the projectYaml

https://github.com/diggerhq/digger/blob/develop/libs/digger_config/digger_config.go#L409

ben-of-codecraft commented 1 month ago

What I discovered:

  1. StateEnvVars do not copy from CommandEnvVars anymore
  2. passing backend-config for AWS credentials and using Env credentials for the same will cause a request to init --reconfigure
  3. Init and plan use different mechanisms for passing AWS permissions when handling AWS Assume role
  4. AwsAssumeRole on Blocks is not captured into projects in current version
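As an added illustration of findings 1 and 4 above (this is example code written for this page, not digger's own implementation), the following Go model expands `generate_projects.blocks` into projects while carrying the block-level `aws_role_to_assume` along, and resolves the state role back to the command role when no separate state role is set. The type and field names, the project naming scheme and the `moduleDirs` list standing in for a directory scan are all assumptions of the example.

```go
package main

import "strings"

// AwsRole models the aws_role_to_assume mapping from the issue's digger.yml. Type and
// field names in this example are assumptions, not digger's own types.
type AwsRole struct {
	State         string // role for state/backend access; empty means "same as Command"
	Command       string // role for the terraform/terragrunt command itself
	AwsRoleRegion string
}

// Block is one entry of generate_projects.blocks; Project is one generated project.
type Block struct {
	BlockName, RootDir, Workflow, WorkflowFile string
	Terragrunt                                 bool
	AwsRoleToAssume                            *AwsRole
}
type Project struct {
	Name, Dir, Workflow, WorkflowFile string
	Terragrunt                        bool
	AwsRoleToAssume                   *AwsRole
}

// GenerateProjects expands each block into one project per module directory under its
// root_dir and carries the block-level role into every project (the step the issue
// reports as missing). moduleDirs is a constructed stand-in for a filesystem scan.
func GenerateProjects(blocks []Block, moduleDirs []string) []Project {
	var projects []Project
	for _, b := range blocks {
		root := strings.TrimSuffix(b.RootDir, "/") + "/"
		for _, d := range moduleDirs {
			if !strings.HasPrefix(d+"/", root) {
				continue // module directory is not under this block's root_dir
			}
			projects = append(projects, Project{
				Name: b.BlockName + "_" + strings.ReplaceAll(d, "/", "_"), Dir: d,
				Workflow: b.Workflow, WorkflowFile: b.WorkflowFile,
				Terragrunt: b.Terragrunt, AwsRoleToAssume: b.AwsRoleToAssume})
		}
	}
	return projects
}

// EffectiveRoles returns the (command, state) roles a project should assume; ok is false
// when no command role reached the project, which is the symptom the issue describes.
// State falls back to command, as it did when StateEnvVars were copied from CommandEnvVars.
func EffectiveRoles(p Project) (command, state string, ok bool) {
	if p.AwsRoleToAssume == nil || p.AwsRoleToAssume.Command == "" {
		return "", "", false
	}
	command, state = p.AwsRoleToAssume.Command, p.AwsRoleToAssume.State
	if state == "" {
		state = command
	}
	return command, state, true
}
```

A regression test for the reported behaviour is then simply: every project generated from a block that declares a command role must report `ok == true` from `EffectiveRoles`.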