tagesspiegel/terraform-aws-dynamic-provider-credentials
Terraform AWS dynamic provider credentials

This module sets up dynamic provider credentials between AWS and a Terraform Cloud project, so that runs authenticate to AWS with short-lived credentials obtained through OIDC instead of long-lived access keys stored as workspace variables. It creates an IAM OIDC identity provider for the Terraform Cloud instance and, for each entry in `tfc_workspaces`, an IAM policy, an IAM role whose trust policy is scoped to the given workspace and run phase, and the role policy attachment. It also creates a Terraform Cloud variable set, attached to the project, that carries the AWS provider authentication settings. For more information on dynamic provider credentials, see Dynamic Provider Credentials.

Usage

// One-time, long-lived credentials used only to bootstrap the dynamic
// credentials setup. Once the first apply has succeeded, the role created
// by this module is used instead: remove `access_key` and `secret_key`
// (and the variables holding them) from the workspace.
// The module also uses the tfe provider, which needs a token that can
// manage the organization's projects and variable sets.
provider "aws" {
  region     = var.aws_region
  access_key = var.access_key
  secret_key = var.secret_key
}

module "aws_dynamic_provider_credentials" {
  source  = "tagesspiegel/dynamic-provider-credentials/aws"
  version = "1.0.0"

  tfc_organization = "my-org"
  tfc_project      = "my-project"

  tfc_workspaces = [{
    name_override = "my-project-auth"
    workspace     = "*"
    run_phase     = "*"
    policies = [
      {
        Effect = "Allow"
        Action = [
          "ec2:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "ram:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "cloudwatch:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "logs:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "kms:*"
        ]
        Resource = "*"
      }
    ]
  }]
}
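The `workspace = "*"` and `run_phase = "*"` values in the example above scope the role's trust policy to every run in the project, plan and apply alike, and the `ec2:*`, `kms:*` and similar statements with `Resource = "*"` then grant all of those runs that access. The following is an added example, not code from the module, that builds such a trust policy in Python and checks constructed run claims against it, so you can see which runs a given `workspace`/`run_phase` pair admits before applying. It assumes the Terraform Cloud token claim layout (`aud` equal to `tfc_aws_audience`, `sub` of the form `organization:<org>:project:<project>:workspace:<ws>:run_phase:<phase>`) and IAM StringLike wildcard semantics; the account ID and workspace names are made up.

```python
"""Check which Terraform Cloud runs a role's trust policy would admit.

Added example; it is not part of the tagesspiegel module. It assumes the
claim layout of the Terraform Cloud workload identity token as documented
by HashiCorp:

    aud = "aws.workload.identity"   (the module's tfc_aws_audience input)
    sub = "organization:<org>:project:<project>:workspace:<ws>:run_phase:<phase>"

and IAM StringLike semantics ("*" matches any run of characters, "?"
exactly one; IAM has no "[...]" classes, so fnmatch is deliberately
not used). The account ID and workspace names below are made up.
"""
import re

TFC_HOSTNAME = "app.terraform.io"      # module input tfc_hostname (default)
AUDIENCE = "aws.workload.identity"     # module input tfc_aws_audience (default)


def subject_pattern(org: str, project: str, workspace: str, run_phase: str) -> str:
    """sub-claim pattern implied by one tfc_workspaces entry."""
    return (f"organization:{org}:project:{project}"
            f":workspace:{workspace}:run_phase:{run_phase}")


def trust_policy(account_id: str, org: str, project: str,
                 workspace: str, run_phase: str) -> dict:
    """Trust policy for a role only the matching Terraform Cloud runs may assume.

    aud is pinned with StringEquals; sub is matched with StringLike so that
    the "*" wildcards from the module inputs behave as in the README example.
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{TFC_HOSTNAME}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{TFC_HOSTNAME}:aud": AUDIENCE},
                "StringLike": {
                    f"{TFC_HOSTNAME}:sub": subject_pattern(org, project, workspace, run_phase)
                },
            },
        }],
    }


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike match: '*' -> any characters, '?' -> exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def run_admitted(policy: dict, claims: dict) -> bool:
    """True if a token with these claims satisfies some Allow statement."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        cond = stmt.get("Condition", {})
        # Condition keys look like "app.terraform.io:sub"; the claim name follows the colon.
        equals_ok = all(claims.get(key.split(":", 1)[1]) == want
                        for key, want in cond.get("StringEquals", {}).items())
        like_ok = all(string_like(want, claims.get(key.split(":", 1)[1], ""))
                      for key, want in cond.get("StringLike", {}).items())
        if equals_ok and like_ok:
            return True
    return False


def run_claims(org: str, project: str, workspace: str, run_phase: str,
               aud: str = AUDIENCE) -> dict:
    """Constructed stand-in for the claims of a real Terraform Cloud run token."""
    return {"aud": aud, "sub": subject_pattern(org, project, workspace, run_phase)}


if __name__ == "__main__":
    acct = "123456789012"  # made-up account ID
    # README example: workspace = "*", run_phase = "*" -> every run in the project
    wide = trust_policy(acct, "my-org", "my-project", "*", "*")
    # Tighter scope: only apply runs of one workspace
    narrow = trust_policy(acct, "my-org", "my-project", "prod-network", "apply")

    samples = {
        "prod-network apply": run_claims("my-org", "my-project", "prod-network", "apply"),
        "dev-sandbox plan":   run_claims("my-org", "my-project", "dev-sandbox", "plan"),
        "other project":      run_claims("my-org", "other-project", "prod-network", "apply"),
        "wrong audience":     run_claims("my-org", "my-project", "prod-network", "apply",
                                         aud="sts.amazonaws.com"),
    }
    for name, claims in samples.items():
        print(f"{name:20s} wide={run_admitted(wide, claims)!s:5s} "
              f"narrow={run_admitted(narrow, claims)}")
```

Running the script shows that the wide policy admits both the apply run and the sandbox plan run, while the narrow one admits only the `prod-network` apply run; both reject tokens from another project or with a different `aud`. If a project holds workspaces with different blast radii, give each its own `tfc_workspaces` entry with a concrete `workspace` and `run_phase` rather than one `"*"` role carrying the union of their permissions.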

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.6 |
| aws | ~> 5.32 |

Providers

| Name | Version |
|------|---------|
| tfe | 0.51.1 |

Modules

| Name | Source | Version |
|------|--------|---------|
| aws_identity_provider | ./modules/iam_identity_provider | n/a |
| aws_tfc_dynamic_credentials_iam_roles | ./modules/iam_roles | n/a |

Resources

| Name | Type |
|------|------|
| tfe_project_variable_set.tfc_project | resource |
| tfe_variable.tfe_aws_provider_auth | resource |
| tfe_variable.tfe_aws_provider_auth_arn | resource |
| tfe_variable_set.tfc_aws_dynamic_credentials | resource |
| tfe_project.tfc_project | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| tfc_aws_audience | Audience (`aud`) claim that Terraform Cloud puts in the workload identity token and that the IAM trust policy expects | `string` | `"aws.workload.identity"` | no |
| tfc_hostname | The hostname of the TFC or TFE instance you'd like to use with AWS | `string` | `"app.terraform.io"` | no |
| tfc_organization | Name of the Terraform Cloud/Enterprise organization | `string` | n/a | yes |
| tfc_project | Name of the Terraform Cloud/Enterprise project | `string` | n/a | yes |
| tfc_workspaces | List of IAM roles to create, one per entry: `workspace` and `run_phase` select which runs of the project may assume the role (`"*"` matches any), and `policies` lists the IAM statements attached to it | `list(object({ name_override = string, workspace = string, run_phase = string, policies = list(object({ Effect = string, Action = list(string), Resource = string })) }))` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| aws_tfc_audience | The audience value used for the Terraform Cloud tokens (see `tfc_aws_audience`) |
| full_names | A list of all `full_name` values |
| oidc_claims | A map of `full_name` as key and `openid_claims` as value |
| role_arns | A map of `full_name` as key and `role_arn` as value |
