hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Terraform doesn't work with AWS CLI profiles that have quotes #35091

Open evanstucker-hates-2fa opened 2 months ago

evanstucker-hates-2fa commented 2 months ago

Terraform Version

Terraform v1.8.1
on linux_arm64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.22.0
+ provider registry.terraform.io/hashicorp/aws v5.40.0
+ provider registry.terraform.io/hashicorp/random v3.6.0

Your version of Terraform is out of date! The latest version
is 1.8.2. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration Files

Not applicable

Debug Output

Not applicable

Expected Behavior

Workaround: Remove quotes in AWS CLI profile names, and instead use \ to escape any spaces in profile names:

$ grep project-dev_Admin ~/.aws/config 
[profile project-dev_Admin] 
$ aws sts get-caller-identity 
{
    "UserId": "AROAREDACTEDREDACTED:evans@my.org",
    "Account": "99999999999",
    "Arn": "arn:aws:sts::99999999999:assumed-role/AWSReservedSSO_Admin_d33b4f06d3936657/evans@my.org"
}

$ terraform plan
Acquiring state lock. This may take a few moments...
...
Plan: 16 to add, 2 to change, 0 to destroy.
...

Actual Behavior

Problem: Terraform doesn't work with AWS CLI profiles that have quotes:

$ grep project-dev_Admin ~/.aws/config 
[profile "project-dev_Admin"]
$ aws sts get-caller-identity 
{
    "UserId": "AROAREDACTEDREDACTED:evans@my.org",
    "Account": "99999999999",
    "Arn": "arn:aws:sts::99999999999:assumed-role/AWSReservedSSO_Admin_d33b4f06d3936657/evans@my.org"
}
$ terraform plan
╷
│ Error: failed to get shared config profile, project-dev_Admin

Steps to Reproduce

  1. Add quotes to one of the profile names in ${HOME}/.aws/config
  2. Run terraform plan - it doesn't work.

Additional Context

Desired Solution: Update Terraform so that it can handle quoted AWS CLI profiles.

References

No response

crw commented 2 months ago

Thanks for filing this request! It has been brought to the attention of the AWS Provider maintainer team at HashiCorp, who also maintain the S3 Backend.

If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!

bschaatsbergen commented 1 month ago

Hey @evanstucker-hates-2fa, thanks for taking the time to raise this request. I'd like to take a look at this, but I'm curious if you added the quotes yourself or if these credentials were generated with the quotes. Is this new behavior from aws configure --profile in that case?

utilimatt commented 1 week ago

I run into this every year or so: AWS allows account names with spaces in them. If you dynamically generate your config file from the raw name strings for AWS accounts and they have spaces in them, the easiest way to keep everything as close to the same as possible is to just wrap the profile names in quotes. Since the workarounds are near arbitrary (like coming up with some sort of character substitution with underscores, etc.), it's not super important, but this would be very much appreciated.
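
A pre-flight check for the situation reported in this thread, added here as an example (it is not code from Terraform, the AWS provider or any commenter): it scans the text of an AWS CLI config file for quoted `[profile "..."]` headers and classifies what removing the quotes would do. The function names, action labels and sample config are constructed for illustration, and treating names that contain whitespace as needing a manual decision is an assumption.

```python
import re
from collections import Counter

# Matches [profile NAME]; [default] and other section types are ignored.
PROFILE_HEADER = re.compile(r"^\s*\[\s*profile\s+(?P<name>.+?)\s*\]\s*$")

# Constructed sample input, not taken from the issue.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
[profile "project-dev_Admin"]
region = us-east-1
[profile "Shared Services"]
[profile sandbox]
[profile "sandbox"]
"""

def parse_headers(config_text):
    """Return (line_no, raw_name, is_quoted, unquoted_name) per profile header."""
    headers = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = PROFILE_HEADER.match(line)
        if match:
            raw = match.group("name")
            quoted = len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'"
            headers.append((line_no, raw, quoted, raw[1:-1] if quoted else raw))
    return headers

def audit_profiles(config_text):
    """Classify every quoted profile header by what removing the quotes would do."""
    headers = parse_headers(config_text)
    counts = Counter(name for _, _, _, name in headers)
    findings = []
    for line_no, raw, quoted, name in headers:
        if not quoted:
            continue
        if counts[name] > 1:
            action = "collides"            # another header has the same unquoted name
        elif re.search(r"\s", name):
            action = "review-whitespace"   # assumption: needs a manual decision
        else:
            action = "unquote"             # the workaround from the issue applies
        findings.append((line_no, raw, action))
    return findings

if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_CONFIG):
        print(finding)
```

Running it against the contents of `~/.aws/config` before `terraform plan` shows which profile names the workaround covers and which ones would end up ambiguous after unquoting.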