Aws_caller_identity for two providers inside a module

frcmoyam · November 19, 2021, 11:05pm

I am facing an issue trying to get the account id of an aws provider that is not the provider where the resource will be deployed. This is my scenario:

main.tf (root directory)

terraform {
  backend "s3" {
    [Omitted]
  }
}

module "ASDF" {
  source = "./modules/asdf"
  providers = {
    aws-account1 = aws.acc1
    aws-account2  = aws.acc2
  }
}

providers.tf (root directory)

provider "aws" {
  alias   = "acc1"
  profile = "profile-acc1"
  region  = "eu-west-1"
}

provider "aws" {
  alias   = "acc2"
  profile = "profile-acc2"
  region  = "eu-west-1"
}

main.tf (asdf module)

terraform {
  required_providers {
    aws-account1 = {
      source  = "hashicorp/aws"
      version = "~> 3.65.0"
    }
    aws-account2 = {
      source  = "hashicorp/aws"
      version = "~> 3.65.0"
    }
  }
}

data.tf (asdf module)

data "aws_caller_identity" "account1" {
  provider = aws-account1
}
data "aws_caller_identity" "account2" {
  provider = aws-account2
}

lambda.tf (asdf module)

resource "aws_lambda_function" "asdfLambda" {
  provider = aws-account1
  role = aws_iam_role.asdfLambdaExecutionRole.arn
  [Omitted]
}

resource "aws_iam_role" "asdfLambdaExecutionRole" {
  provider = aws-account1
  [Omitted]
}

resource "aws_lambda_permission" "asdfLambdaApiGatewayPermission" {
  provider = aws-account1

  action = "lambda:InvokeFunction"
  function_name = aws_lambda_function.asdfLambda.function_name
  principal = "apigateway.amazonaws.com"
  source_account = data.aws_caller_identity.account2.account_id
  source_arn = [APIGateway arn in account2]
}

With this terraform files, in the source_account in asdfLambdaApiGatewayPermission I am getting the account1 id instead of account2 id as I want (and need). The api gateway that invoke this lambda is in another account, so I need all the information about this second provider (accountid, region, etc.)

I came across to this GitHub issue (Allow aws_caller_identity to use "provider" argument · Issue #1078 · hashicorp/terraform-provider-aws · GitHub) that is similar to my problem, but in my case the problem is inside a module, as stated in the answer in the GitHub topic said I might get some problems

Do you know how I can achive this?? I know that I could use a variable with the accountID but I would like to get the account id in a dynamic way (in my case I use profiles in my .aws/config), instead of force the user to write each accountID in variables.

frcmoyam · November 22, 2021, 6:24am

This is the answer, in case someone needs it. Following Hashicorp documentation, the main.tf file of the child (asdf) module should be:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.65.0"
      configuration_aliases = [ aws-account1, aws-account2]
    }
  }
}