hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

backend/s3: `assume_role_with_web_identity` ignores related environment variables #33803

Open jar-b opened 1 year ago

jar-b commented 1 year ago

Terraform Version

v1.6.0-beta1

Terraform Configuration Files

terraform {
  backend "s3" {
    bucket = "jb-test"
    key    = "path/to/statefiles"
    region = "us-east-1"
  }
}

Debug Output

https://github.com/hashicorp/terraform/pull/31276#issuecomment-1703530574

Expected Behavior

The assume_role_with_web_identity block should respect the corresponding AWS environment variables.

Actual Behavior

Role assumption flow fails.

Steps to Reproduce

  1. Set the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables.
  2. terraform init
  3. Observe failure

Additional Context

Originally reported in this comment: https://github.com/hashicorp/terraform/pull/31276#issuecomment-1703530574

References

Relates #31276 Relates #33730

gdavison commented 1 year ago

@manobi this should actually work, since the AWS SDK for Go handles the environment variables. I've created a branch that (re-)enables API request logging for the authentication flow at https://github.com/hashicorp/terraform/tree/s3/log-base.

Can you try again using that branch and with the environment variable TF_LOG set to DEBUG and share the log, please?

Can you also share your backend configuration, please?

manobi commented 1 year ago

I would love to help with this test, but I only have this trust relationship for my CI/CD runners.

I can't try it until it's published as a docker image on docker hub or something like it.

gdavison commented 1 year ago

The logging update should be released in v1.6.0-beta2

manobi commented 1 year ago

Has it already been released to public docker registries?

crw commented 1 year ago

No, v1.6.0-beta2 has not yet been built and released at all, thus it is not in Dockerhub. See also: https://hub.docker.com/r/hashicorp/terraform/tags

gdavison commented 1 year ago

Hi @manobi, v1.6.0-beta3 is now on Dockerhub

gdavison commented 11 months ago

Hi @manobi. Now that v1.6 has been released, are you still seeing this problem? If so, can you please share your backend configuration and a debug log generated by setting the environment variable TF_LOG to DEBUG.

marshallford commented 10 months ago

I'm seeing a similar issue with v1.6.5; however, the steps to reproduce are a bit different (set the AWS_WEB_IDENTITY_TOKEN_FILE env var, set role_arn in the backend config).

Initializing the backend...
╷
│ Error: Missing Required Value
│ 
│   on main.tf line 9, in terraform:
│    9:   backend "s3" {
│ 
│ Exactly one of web_identity_token, web_identity_token_file must be set.
╵

Perhaps I'm barking up the wrong tree and this is an SDK issue, similar to: https://github.com/hashicorp/terraform-provider-aws/issues/27019.
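A preflight check covering both reproductions in this thread (token only in the AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE environment variables, and a backend block that relies on the env var for its token). This is an added example, not Terraform's code or anything posted above; the config file path and the role ARN are hypothetical, and the grep-based parsing assumes one attribute per line as in the config shown in the issue.

```shell
#!/bin/sh
# Preflight for the s3 backend's web identity flow (added example; not Terraform's own code).
# Reports where the web identity token would come from before running `terraform init`,
# and flags the mixed case from this thread: an assume_role_with_web_identity block in the
# backend config with no token attribute, relying on AWS_WEB_IDENTITY_TOKEN_FILE instead.
# Exit codes: 0 = a single, consistent token source; 1 = no token source; 2 = mixed case.

# True when the backend config declares an assume_role_with_web_identity block.
# $1: path to the .tf file holding the backend "s3" block (hypothetical path).
config_has_web_identity_block() {
  grep -Eq 'assume_role_with_web_identity[[:space:]]*\{' "$1"
}

# True when the backend config sets the token in-config (either attribute).
config_sets_token() {
  grep -Eq '^[[:space:]]*web_identity_token(_file)?[[:space:]]*=' "$1"
}

# True when the SDK-level environment variables are set and the token file is readable
# and non-empty (an empty or unreadable file fails role assumption just as surely).
env_sets_token() {
  [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] \
    && [ -s "${AWS_WEB_IDENTITY_TOKEN_FILE}" ]
}

# Classify the combination for the given config file; prints a verdict, returns the code above.
check_web_identity_source() {
  cfg="$1"; env_ok=0; blk=0; tok=0
  env_sets_token && env_ok=1
  config_has_web_identity_block "$cfg" && blk=1
  config_sets_token "$cfg" && tok=1
  if [ "$blk" -eq 1 ] && [ "$tok" -eq 0 ] && [ "$env_ok" -eq 1 ]; then
    echo "mixed: backend block relies on AWS_WEB_IDENTITY_TOKEN_FILE; reported on v1.6.5 as" \
         "'Exactly one of web_identity_token, web_identity_token_file must be set'"
    return 2
  elif [ "$blk" -eq 1 ] && [ "$tok" -eq 1 ]; then
    echo "token source: backend configuration"; return 0
  elif [ "$env_ok" -eq 1 ]; then
    echo "token source: environment (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE)"; return 0
  else
    echo "no web identity token source configured"; return 1
  fi
}
```

Run it as `check_web_identity_source main.tf` in the same environment your CI runner uses, so the verdict reflects the variables Terraform will actually see.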