-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cant use provider on a null_resource #3
Comments
Any decent workarounds? |
Thank you for opening this feature request! Can you please share your specific use-case for this feature? What aws cli commands do you need to run? In some cases, you can use the local-exec provisioner, but without knowing your specific case I don't know if that's helpful to you or not. Thanks again! |
@gtmtech shared a use-case for this in a comment on the original issue that unfortunately doesn't get copied over when an issue is migrated from another repository by hashibot. (I lost track of this issue after it moved over here; sorry about that.) My summarized understanding of the use-case was the intent to give provisioner scripts access to the credentials in the configured AWS provider. Architecturally that isn't addressed by "supporting This sort of situation is why we tend to recommend putting your AWS (and other) credentials in the standard credentials environment variables or files that are used by both Terraform CLI and the official AWS CLI (along with numerous other tools): that way you can mix tools and have everything be able to access the required credentials. In the comment on the other issue it looks like the credentials themselves already are separated out of the Terraform configuration, which is good. The need there seems to be to ensure that the correct role ARN is selected when running the Unfortunately it doesn't look like the AWS CLI has a way to specify directly a role ARN on the command line. Instead, it requires having a named profile configured in If the AWS CLI instead had an data "aws_caller_identity" "current" {
provider = "aws.account1"
}
resource "null_resource" "example" {
provisioner "local-exec" {
command = "aws --assume-role ${data.aws_caller_identity.current.arn} route53 example foo"
}
} Although that particular usage isn't currently possible due to AWS CLI limitations, the solution space for this problem is around having the AWS provider export necessary information via its own data sources rather than any change to the null provider. The null provider itself is not actually involved in running provisioners at all, it just provides You could perhaps open an issue for this use-case (that of making the AWS provider's credentials available for use outside of the AWS provider itself) in the AWS provider repository, since that is where such a change would need to happen. I suspect that the provider is intentionally not exposing its credentials for such use, but the AWS provider repository is the right place to discuss the possibility of changing that policy. No change to the |
@apparentlymart I think your conclusion about responsibilities of
None of this is possible, because (as far as I can tell), the aws provider doesn't export the keys or the profile. I am not wholly convinced that having everything go back to the Essentially, tf aws provider includes everything you need to: use creds, use a profile, assume a role, have multiple creds/roles, etc., for resources or data in tf to consume them. The right approach would appear to be to pass them on to consuming
Thanks |
Thanks @apparentlymart for continuing my issue! Still a sorely missed feature, but for now, my workaround is to use a provisioner local-exec which uses a script wrapper, which takes the role arn from the datasource as described above: Code snippet:
wrap-aws looks a bit like this (excuse the bash (s)kills). Requires jq, but could be made to work with just bash:
All this being said, you could profoundly make life easier by having more variables available on the datasource for aws_caller_identity. |
Also in answer to @mildwonkey , I do lots of terraform cross-account stuff, involving the use of multiple providers. Unforuntately many aws features dont yet fully exist in terraform, so to use newer features, heavy use of the cli is sometimes involved. I want an easy way to tap into the already-assumed-roles that terraform has set up as part of its |
As far as I know the AWS provider does not currently export the specific credentials it is using for interpolation elsewhere, and I believe that was an intentional decision to avoid sprawl of those credentials. That was why I was suggesting opening an AWS provider issue to share the use-case, to see if that justifies some changes to that existing policy. |
I opened this issue 2 days ago. Hoping someone sees it. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
This issue was originally opened by @gtmtech as hashicorp/terraform#12916. It was migrated here as part of the provider split. The original body of the issue is below.
Terraform 0.8.7
a null_resource doesnt support provider. How frustrating!
So when terraform doesnt support some aws functionality which I could do with a local-exec of aws cli stuff, then I have to all kinds of equivalent sts assume-role stuff first, because terraform cant supply provider based creds in the environment prior to running the null_resource.
I would assume this is a simple fix?
The text was updated successfully, but these errors were encountered: