Tags: amazon-web-services, amazon-s3, terraform, test-kitchen, inspec

Handling Terraform provider credentials in distributed environment with InSpec and remote state


Does anyone have any cool ideas on how to handle Terraform provider credentials for AWS given these use cases:

My current workflow requires changing the AWS_ACCESS_KEY and AWS_SECRET_KEY depending on the operation:

Ideas


Solution

  • You will need the main account to be able to assume a role on each env account to perform the changes, while the remote main account will keep all states. This is a good way to work with Terraform workspaces. Assuming you have two workspaces, prod and dev, you can try something like this:

    # Map each workspace name to the role Terraform should assume in that
    # environment's account. The placeholders are the target account IDs.
    variable "workspace_roles" {
      type = map(string)
      default = {
        dev  = "arn:aws:iam::<dev account id>:role/terra_role"
        prod = "arn:aws:iam::<prodaccount id>:role/terra_role"
      }
    }
    
    # assume_role is a nested block in the AWS provider, not a string
    # attribute; the role ARN goes in role_arn. Selecting a workspace with
    # no entry in the map fails the plan instead of running against the
    # main account by accident.
    provider "aws" {
      assume_role {
        role_arn = var.workspace_roles[terraform.workspace]
      }
    }
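
The pattern described in this answer, carried through end to end as an added example that is not part of the original answer: remote state kept in the main account, a workspace-keyed role map, the provider assuming the environment role, and the trust policy that each environment account needs so that only the main account's deployment role can hop across. All names below are assumptions: the bucket `tf-state-main`, the lock table `tf-state-lock`, the main-account role `arn:aws:iam::111111111111:role/ci-runner`, and the account IDs 222222222222 (dev) and 333333333333 (prod) are placeholders.

```hcl
# --- main account: main.tf (run with main-account credentials) ---

terraform {
  # State for every workspace lives in the main account. Backend settings
  # cannot reference variables, so the backend always uses the credentials
  # `terraform init` runs with; the per-environment role switch happens in
  # the provider below, after init. Workspaces are stored under an
  # env:/<workspace>/ prefix in the same bucket.
  backend "s3" {
    bucket         = "tf-state-main"      # assumed name
    key            = "infra/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "tf-state-lock"      # assumed name, used for state locking
    encrypt        = true
  }
}

variable "workspace_roles" {
  type = map(string)
  default = {
    dev  = "arn:aws:iam::222222222222:role/terra_role"  # placeholder account id
    prod = "arn:aws:iam::333333333333:role/terra_role"  # placeholder account id
  }
}

# Fail closed: a workspace with no entry (including "default") is an error,
# so a plan can never silently run with the main-account credentials.
locals {
  target_role = var.workspace_roles[terraform.workspace]
}

provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn     = local.target_role
    # The session name shows up in CloudTrail, which makes it easy to tell
    # which workspace performed a given API call in the target account.
    session_name = "terraform-${terraform.workspace}"
  }
}

# --- each environment account: bootstrap.tf (applied once per env account,
#     with that account's own credentials, before the configuration above
#     is used against it) ---

# Trust only the specific deployment role in the main account, not the
# whole account (no ":root" principal), so nothing else that happens to
# live in the main account can assume this role.
resource "aws_iam_role" "terra_role" {
  name = "terra_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::111111111111:role/ci-runner" }  # assumed main-account role
      Action    = "sts:AssumeRole"
    }]
  })
}
```

With this layout the only long-lived credentials in play are the main account's, and they need nothing beyond access to the state bucket, the lock table and `sts:AssumeRole` on the listed `terra_role` ARNs; the environment accounts hold no static keys at all. For the InSpec verification step, the same role can be assumed without touching Terraform by defining a named profile in `~/.aws/config` with `role_arn` pointing at the workspace's role and `source_profile` set to the main-account profile, then selecting it with `AWS_PROFILE` before running `inspec exec`.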