search

phillbaker / terraform-provider-elasticsearch

An elasticsearch provider for terraform
https://registry.terraform.io/providers/phillbaker/elasticsearch
Mozilla Public License 2.0
306 stars 134 forks source link

Option to pass external id when using aws_assume_role_arn #346

Open senthilvael opened 1 year ago

senthilvael commented 1 year ago

Hi Team, We are using the "phillbaker/elasticsearch" module in our TF code. Our pipeline and the terraform execution role are in 2 different aws accounts. When we pass the aws_assume_role_arn, we are getting an access denied error. As the terraform-privilaged role is having an external id in the sts policy. If we remove that external id condition in the sts policy, the code works as expected.

terraform
provider "elasticsearch" {
  healthcheck = false
  sniff       = false
  url         = "https://${module.dev_logs.elasticsearch.endpoint}"
  aws_assume_role_arn = "arn:aws:iam::${var.AWS_ACCOUNT_ID}:role/terraform-privilaged"

Error

"errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::<PIPE_LINE_AWS>:assumed-role/gitlab-runner/1679911173656119075 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<CLUSTER_RESIDING_AWS>:role/terraform-privilaged",

Is there a way to pass the external id in the provider.tf? Like the aws provider? 

terraform
provider "aws" {
  region = "us-east-2"

  assume_role {
    role_arn    = "arn:aws:iam::${var.AWS_ACCOUNT_ID}:role/terraform-privilaged"
    external_id = var.EXTERNAL_ID
  }
}
phillbaker commented 1 year ago

Can you link to upstream AWS regarding the external ID? Are other providers also using this identifier?

phillbaker commented 1 year ago

Docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

9rnt commented 1 year ago

Any updates on this feature ?