hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Atlantis in ECS Fargate fails to get aws provider - ERROR: failed to get shared config profile #35464

Closed velinbudinov closed 1 month ago

velinbudinov commented 1 month ago

Terraform Version

Terraform version: 1.9.2

Terraform Configuration Files

terraform {
  backend "s3" {
    profile        = "test"
    bucket         = "shared-states"
    dynamodb_table = "shared-states-lock"
    key            = "shared/eu-west-1/atlantis/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
  }
}

provider "aws" {
  profile = "test"
  region  = local.aws_region
}

provider "github" {
  token    = local.github_token
  owner    = local.github_owner
  base_url = local.base_url
}

provider "aws" {
  alias   = "security"
  region  = local.aws_region
  profile = "security"
}

provider "aws" {
  alias   = "prod"
  region  = local.aws_region
  profile = "prod"
}

Atlantis deployed with Terraform module with custom image:

Dockerfile:

ARG version=latest
FROM ghcr.io/runatlantis/atlantis:${version}

# Set this to the minor version of Infracost CLI you want to use (e.g., v0.9, v0.10)
ARG cli_version=v0.10

# Install required packages and latest ${cli_version} version of Infracost
USER root

RUN apk --update --no-cache add ca-certificates openssl openssh-client curl git jq aws-cli
RUN \
  curl -s -L "https://infracost.io/downloads/$cli_version/infracost-linux-amd64.tar.gz" | tar xz -C /tmp && \
  mv /tmp/infracost-linux-amd64 /usr/bin/infracost

COPY acm_root_ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

USER atlantis
COPY --chown=atlantis:atlantis config /home/atlantis/.aws/config

config:

[profile test]
region = eu-west-1
role_arn = arn:aws:iam::$TEST_ACCOUNT_ID:role/atlantis
credential_source = EcsContainer

[profile prod]
source_profile=test
role_arn=arn:aws:iam::$PROD_ACCOUNT_ID:role/atlantis

[profile security]
source_profile=test
role_arn=arn:aws:iam::$SECURITY_ACCOUNT_ID:role/atlantis

Debug Output

2024-07-16T12:21:13.228Z [INFO]  Terraform version: 1.9.2
2024-07-16T12:21:13.228Z [DEBUG] using github.com/hashicorp/go-tfe v1.51.0
2024-07-16T12:21:13.229Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.20.0
2024-07-16T12:21:13.229Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2024-07-16T12:21:13.229Z [DEBUG] using github.com/zclconf/go-cty v1.14.4
2024-07-16T12:21:13.229Z [INFO]  Go runtime version: go1.22.4
2024-07-16T12:21:13.229Z [INFO]  CLI args: []string{"/home/atlantis/.atlantis/bin/terraform1.9.2", "init", "-input=false"}
2024-07-16T12:21:13.229Z [DEBUG] Attempting to open CLI config file: /home/atlantis/.terraformrc
2024-07-16T12:21:13.229Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2024-07-16T12:21:13.235Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2024-07-16T12:21:13.235Z [DEBUG] ignoring non-existing provider search directory /home/atlantis/.terraform.d/plugins
2024-07-16T12:21:13.235Z [DEBUG] ignoring non-existing provider search directory /home/atlantis/.local/share/terraform/plugins
2024-07-16T12:21:13.235Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2024-07-16T12:21:13.235Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2024-07-16T12:21:13.236Z [INFO]  CLI command args: []string{"init", "-input=false"}
Initializing the backend...
2024-07-16T12:21:13.254Z [DEBUG] checking for provisioner in "."
2024-07-16T12:21:13.256Z [DEBUG] checking for provisioner in "/home/atlantis/.atlantis/bin"
2024-07-16T12:21:13.257Z [DEBUG] backend-s3.aws-base: Resolving credentials provider: tf_backend.operation=Configure tf_backend.req_id=99685343-8ea3-9299-9ea1-78c85c7a93f5 tf_backend.s3.bucket=shared-states tf_backend.s3.path=shared/eu-west-1/atlantis/terraform.tfstate
2024-07-16T12:21:13.257Z [DEBUG] backend-s3.aws-base: Setting profile: tf_backend.operation=Configure tf_backend.req_id=99685343-8ea3-9299-9ea1-78c85c7a93f5 tf_backend.s3.bucket=shared-states tf_backend.s3.path=shared/eu-west-1/atlantis/terraform.tfstate tf_aws.profile=test tf_aws.profile.source=provider
2024-07-16T12:21:13.257Z [DEBUG] backend-s3.aws-base: Loading configuration: tf_backend.operation=Configure tf_backend.req_id=99685343-8ea3-9299-9ea1-78c85c7a93f5 tf_backend.s3.bucket=shared-states tf_backend.s3.path=shared/eu-west-1/atlantis/terraform.tfstate
Initializing modules...
2024-07-16T12:21:13.264Z [DEBUG] Module installer: begin alb
2024-07-16T12:21:13.298Z [DEBUG] Module installer: begin alb_acm
2024-07-16T12:21:13.312Z [DEBUG] Module installer: begin atlantis
2024-07-16T12:21:13.340Z [DEBUG] Module installer: begin atlantis.acm
2024-07-16T12:21:13.362Z [DEBUG] Module installer: begin atlantis.alb
2024-07-16T12:21:13.398Z [DEBUG] Module installer: begin atlantis.ecs_cluster
2024-07-16T12:21:13.413Z [DEBUG] Module installer: begin atlantis.ecs_service
2024-07-16T12:21:13.448Z [DEBUG] Module installer: begin atlantis.ecs_service.container_definition
2024-07-16T12:21:13.461Z [DEBUG] Module installer: begin atlantis.efs
2024-07-16T12:21:13.478Z [DEBUG] Module installer: begin github_repository_webhooks
2024-07-16T12:21:13.491Z [DEBUG] Module installer: begin secrets_manager
╷
│ Error: failed to get shared config profile, test
│ 
│ 

Expected Behavior

ECS Fargate should be able to find the profiles listed in ~/.aws/config.

Actual Behavior

│ Error: failed to get shared config profile, test
│ 
│ 

Steps to Reproduce

atlantis plan

Additional Context

No response

References

No response
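An added diagnostic, not part of the original issue and not Terraform or AWS SDK code: it checks a shared config file for two things worth ruling out with this error, namely a requested profile (or one in its `source_profile` chain) that is not defined, and a `role_arn` that lacks a 12-digit account ID. It assumes the `$..._ACCOUNT_ID` placeholders from the post may be literal in the file; `load_profiles`, `audit` and the sample text are hypothetical names and constructed data.

```python
import configparser
import os
import re

# Constructed sample: the config file from the issue, placeholders kept literal.
SAMPLE = """\
[profile test]
region = eu-west-1
role_arn = arn:aws:iam::$TEST_ACCOUNT_ID:role/atlantis
credential_source = EcsContainer

[profile prod]
source_profile=test
role_arn=arn:aws:iam::$PROD_ACCOUNT_ID:role/atlantis
"""

ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def load_profiles(text):
    """Parse shared-config text into {profile name: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        # The config file names every profile except default "[profile NAME]".
        if section == "default" or section.startswith("profile "):
            profiles[section.split()[-1]] = dict(cp.items(section))
    return profiles

def audit(text, wanted):
    """Return (profile, problem) pairs for each wanted profile and its chain."""
    profiles, findings, checked = load_profiles(text), [], set()
    for name in wanted:
        while name and name not in checked:
            checked.add(name)
            if name not in profiles:
                findings.append((name, "profile not defined"))
                break
            arn = profiles[name].get("role_arn", "")
            if arn and not ROLE_ARN.match(arn):
                findings.append((name, "role_arn is not a complete role ARN"))
            name = profiles[name].get("source_profile")
    return findings

if __name__ == "__main__":
    # AWS_CONFIG_FILE overrides the default ~/.aws/config location.
    path = os.environ.get("AWS_CONFIG_FILE") or os.path.expanduser("~/.aws/config")
    if not os.path.isfile(path):
        print("no shared config file at", path)
    else:
        with open(path) as fh:
            for profile, problem in audit(fh.read(), ["test", "prod", "security"]):
                print(profile + ": " + problem)
```

Run it as the `atlantis` user inside the running task rather than against the image, so it sees the same `HOME`, environment and filesystem that `terraform init` does.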

crw commented 1 month ago

Thanks for this report! We will communicate this to the AWS provider team, who maintains the S3 backend.
