Terraform backend with aliased providers - fail to get workspace


I have an infra in Terraform that manages resources of two accounts: a main one and a child one (sandbox). The goal is to write cross-account policies & roles to allow export of resources from ACM, Route53 etc.

Here is my backend and provider configuration:

terraform {
  required_version = "~> 1.7.0"
  backend "s3" {
    # Backend lives in main account
    bucket         = "test-bucket-backend"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "test-bucket-backend"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.34.0"
    }
  }
}

provider "aws" {
  # Main account
  shared_config_files      = [var.identity_center_config_files]
  shared_credentials_files = [var.identity_center_credentials_files]
  profile                  = var.identity_center_main_profile_name
}

provider "aws" {
  # Child account
  alias                    = "sandbox"
  shared_config_files      = [var.identity_center_config_files]
  shared_credentials_files = [var.identity_center_credentials_files]
  profile                  = var.identity_center_sandbox_name
}

If I run terraform init with this I get the following result:
Initializing the backend...
╷
│ Error: Failed to get existing workspaces: Unable to list objects in S3 bucket "test-bucket-backend": operation error S3: ListObjectsV2, https response error StatusCode: 403, RequestID: <REDACTED>, HostID: <REDACTED>, api error AccessDenied: Access Denied

Now if I change this snippet to include the credentials of the main account in my backend configuration like this:

terraform {
  required_version = "~> 1.7.0"
  backend "s3" {
    bucket         = "test-bucket-backend"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "test-bucket-backend"
    access_key     = "ACCESS_KEY"
    secret_key     = "SECRET_KEY"
  }
  ... // the rest of the config
}

Then it does init as intended. However, I don't want to use this configuration because (a) it defeats the purpose of using AWS Identity Center (since I have to set up credentials of a traditional IAM role anyway) and (b) I could export them as environment variables, but my goal is to have minimum prerequisites for my colleagues.

When I run aws sts get-caller-identity, I get a random user (I believe this is due to Identity Center, as I use aws sso login --profile <main/sandbox>).

How can I modify my config so that I don't have to set IAM keys in the backend?
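As an added example (not part of the question, and not a posted answer): the S3 backend in Terraform 1.7 accepts the same `profile`, `shared_config_files` and `shared_credentials_files` arguments as the provider, so the backend can authenticate with the main-account Identity Center profile instead of static keys. The profile name and file paths below are placeholders; a `backend` block cannot reference `var.*`, so they must be literals or be supplied through a partial configuration file passed with `-backend-config`.

```hcl
terraform {
  required_version = "~> 1.7.0"

  backend "s3" {
    # Backend lives in the main account. Authenticate with the same
    # Identity Center (SSO) profile the default provider uses, so
    # "aws sso login --profile <main>" is the only prerequisite.
    bucket         = "test-bucket-backend"
    key            = "terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "test-bucket-backend"

    # Placeholders: backend blocks cannot use var.*, so either hard-code
    # the shared values here or move these three lines into backend.hcl
    # and run:  terraform init -backend-config=backend.hcl
    profile                  = "main-profile"
    shared_config_files      = ["/home/<user>/.aws/config"]
    shared_credentials_files = ["/home/<user>/.aws/credentials"]

    # Deliberately absent: access_key / secret_key. Values placed here are
    # written in plain text to .terraform/terraform.tfstate and into plan
    # files, and they bypass the short-lived SSO credentials entirely.
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.34.0"
    }
  }
}

provider "aws" {
  # Main account: same profile as the backend, still variable-driven here
  shared_config_files      = [var.identity_center_config_files]
  shared_credentials_files = [var.identity_center_credentials_files]
  profile                  = var.identity_center_main_profile_name
}

provider "aws" {
  # Child account (sandbox); the backend never uses this profile
  alias                    = "sandbox"
  shared_config_files      = [var.identity_center_config_files]
  shared_credentials_files = [var.identity_center_credentials_files]
  profile                  = var.identity_center_sandbox_name
}
```

If the profile's SSO session has expired, `terraform init` fails with the same 403 before any provider is configured, so check `aws sts get-caller-identity --profile <main>` first.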
