Does anyone have any cool ideas on how to handle Terraform provider credentials for AWS given these use cases:

My current workflow requires changing the AWS_ACCESS_KEY and AWS_SECRET_KEY depending on the operation:

- terraform init - requires access to S3 backend remote state
- terraform plan/apply - requires access to specific environment + remote state
- kitchen converge - requires access to test environment + remote state
- kitchen verify - requires access to test environment.

Ideas

backend configuration.
You will need the main account to be able to assume a role on each env account to perform the changes, while the remote main account will keep all states. This is a good way to work with terraform workspaces. Assuming you have two workspaces, prod and dev, you can try something like this:
    # Map each workspace name to the role Terraform assumes in that account
    variable "workspace_roles" {
      default = {
        dev  = "arn:aws:iam::<dev account id>:role/terra_role"
        prod = "arn:aws:iam::<prod account id>:role/terra_role"
      }
    }

    # assume_role is a nested block in the AWS provider, not a plain argument;
    # the role ARN goes in role_arn. Indexing with terraform.workspace fails
    # early if the current workspace has no mapped role.
    provider "aws" {
      assume_role {
        role_arn = var.workspace_roles[terraform.workspace]
      }
    }
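To show the whole pattern the answer describes end to end, here is an added example (not code from the original answer): the S3 backend kept in the main account, the workspace-to-role map driving the provider's assume_role block, and the trust policy that each environment account needs on its terra_role so that only the main account's Terraform principal can assume it. Bucket name, table name, region, account ids and the main-account principal ARN are placeholders.

```hcl
# ---- root module run from the main account ---------------------------------

# The backend holds every workspace's state in the main account. With
# workspaces, the S3 backend automatically prefixes the key with
# env:/<workspace>/, so dev and prod get separate state objects under one
# bucket. The backend block cannot use variables, so values are literals.
terraform {
  backend "s3" {
    bucket         = "example-main-account-tfstate" # placeholder
    key            = "infra/terraform.tfstate"
    region         = "us-east-1"                    # placeholder
    dynamodb_table = "example-tfstate-locks"        # placeholder, state locking
    encrypt        = true
  }
}

# One role per workspace; the map key must match the workspace name exactly.
variable "workspace_roles" {
  type = map(string)
  default = {
    dev  = "arn:aws:iam::111111111111:role/terra_role" # placeholder account id
    prod = "arn:aws:iam::222222222222:role/terra_role" # placeholder account id
  }
}

# Direct indexing (rather than lookup() with a default) is deliberate: an
# unmapped workspace such as "default" errors out instead of silently
# planning with the main account's own credentials.
provider "aws" {
  region = "us-east-1" # placeholder

  assume_role {
    role_arn     = var.workspace_roles[terraform.workspace]
    session_name = "terraform-${terraform.workspace}" # shows up in CloudTrail
  }
}

# ---- separate root module, applied once per environment account ------------
# (run with that account's credentials; assumed layout, not from the answer)

# Trust policy: only the main account's Terraform principal may assume the
# role. Scoping to a specific role rather than the account root keeps other
# identities in the main account from reaching the environment.
data "aws_iam_policy_document" "terra_role_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::000000000000:role/terraform-operator"] # placeholder main-account principal
    }
  }
}

resource "aws_iam_role" "terra_role" {
  name               = "terra_role"
  assume_role_policy = data.aws_iam_policy_document.terra_role_trust.json
}
```

With this layout the operator only ever holds credentials for the main account: `terraform init` reads the backend with them, and `terraform plan`/`apply` in a given workspace exchanges them for the environment role via STS, so no key swapping is needed between the two steps. The session_name makes each workspace's activity distinguishable in the environment account's CloudTrail logs.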