Hi, I’m facing an issue when running terraform apply using plan files.
What I want to do is:
- Run terraform apply using a plan file
- Manage AWS resources of multiple AWS accounts using the official AWS Provider
- Use different IAM Roles in terraform plan and apply
To manage AWS resources of multiple AWS accounts, I need to assume different IAM Roles by AWS Account.
So I need to define multiple provider blocks and define attributes such as assume_role and assume_role_with_web_identity.
These settings are hardcoded in plan files and I can’t change them while running terraform apply.
If I try to change these settings by input variables for terraform apply, it fails.
```
$ terraform apply -var foo=foo plan.out
╷
│ Error: Can't set variables when applying a saved plan
│
│ The -var and -var-file options cannot be used when applying a saved plan file, because a saved plan includes the variable
│ values that were set when it was created.
╵
```
So I can’t change IAM Roles during terraform apply.
How can I resolve this issue?
I think this problem can occur with other providers such as google provider too.
You could avoid hardcoding the provider configuration and set the credentials externally via the standard AWS environment variables, or via the stored credentials for the provider.
You can use an ephemeral variable, which can change between plan and apply.
> You could avoid hardcoding the provider configuration and set the credentials externally via the standard AWS environment variables, or via the stored credentials for the provider.
I can’t do this because I need to assume multiple IAM Roles.
> To manage AWS resources of multiple AWS accounts, I need to assume different IAM Roles by AWS Account.
> So I need to define multiple provider blocks and define attributes such as assume_role and assume_role_with_web_identity.
> You can use an ephemeral variable, which can change between plan and apply.
How can I change an ephemeral variable between plan and apply?
You must re-supply any ephemeral variables during apply, which means you use the same method you used during plan, so the -var flag, a variable file, or TF_VAR_ environment variables. (If it’s an ephemeral input to a child module, that also then includes new ephemeral resources as well, but that is not typically going to be used for provider configuration.)
I think we can’t pass input variables when we run terraform apply with a plan file.
```
$ terraform apply -var foo=foo plan.out
╷
│ Error: Can't set variables when applying a saved plan
│
│ The -var and -var-file options cannot be used when applying a saved plan file, because a saved plan includes the variable
│ values that were set when it was created.
╵
```
According to the document, it seems like we can’t pass ephemeral values to provider blocks.
> You can only reference ephemeral variables in specific contexts or Terraform throws an error. The following are valid contexts for referencing ephemeral variables:
Using it in a provider is perfectly fine, providers are one of the only current endpoints for ephemeral values! Looks like something was lost through the documentation writing process.
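
The approach discussed in this thread, written out as an added example (it is not code from any of the posts): ephemeral variables feed each provider's `assume_role`, so a read-only role can be used for plan and a write role for apply. The account IDs, role names, bucket names, region and the `>= 1.10` version constraint are assumptions made for illustration.

```hcl
# Added example. Account IDs, role names and bucket names are constructed placeholders.
terraform {
  required_version = ">= 1.10" # assumed minimum version for ephemeral input variables
}

variable "account_a_role_arn" {
  type      = string
  ephemeral = true # value is not stored in plan.out, so it must be supplied again at apply
}

variable "account_b_role_arn" {
  type      = string
  ephemeral = true
}

provider "aws" {
  alias  = "account_a"
  region = "us-east-1"
  assume_role {
    role_arn = var.account_a_role_arn
  }
}

provider "aws" {
  alias  = "account_b"
  region = "us-east-1"
  assume_role {
    role_arn = var.account_b_role_arn
  }
}

resource "aws_s3_bucket" "logs_a" {
  provider = aws.account_a
  bucket   = "example-logs-account-a"
}

resource "aws_s3_bucket" "logs_b" {
  provider = aws.account_b
  bucket   = "example-logs-account-b"
}

# Plan step (read-only roles), values supplied through TF_VAR_ environment variables:
#   export TF_VAR_account_a_role_arn=arn:aws:iam::111111111111:role/tf-plan-readonly
#   export TF_VAR_account_b_role_arn=arn:aws:iam::222222222222:role/tf-plan-readonly
#   terraform plan -out=plan.out
# Apply step (write roles): re-export both variables with the tf-apply role ARNs, then
#   terraform apply plan.out
```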