How to create a flexible AWS Provider block?

Howdy. I’d like my Terraform users to be able to:

  • Use IAM ‘assume_role’ in automated runs (like in a CI system, running on an EC2 instance with an EC2 Instance Profile/Role)
  • Use AWS CLI ‘profiles’ for local workstation Terraform runs.

However, AFAICT, I can’t use conditionals to optionally add an ‘assume_role’ block or not, based on, say, TF_VAR_ environment variables, or similar.

What are some patterns folks are using to permit the use of ‘assume_role’ blocks in the AWS provider or ‘profile = ’ without modifying HCL code? Or is that the only path? I’d love to be able to just set (or unset) a shell environment variable (like “TF_VAR_is_ci”) to control this.

Thanks in advance! :slight_smile:

P.S. I’m also using Terragrunt, but I don’t want to cloud this discussion, because I don’t think it is a problem for Terragrunt, per se.

Hi @boldandbusted,

By far the most flexible setup here is to leave all of the settings related to authentication unspecified in your Terraform configuration and set them using the various standard AWS client mechanisms instead. In practice that typically means that your provider "aws" blocks will only have region set, and everything else unspecified.

Then you can use the various different ways that AWS clients can be configured for authentication. For example:

  • Set AWS_PROFILE to choose a profile from your credentials file.
  • Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to directly specify fixed credentials.
  • Run Terraform on an EC2 instance with an instance profile and have the AWS provider assume the instance profile role.

The AWS provider allows setting authentication settings in the provider "aws" block for more complex situations where you need to use more interesting permutations, such as multiple provider configurations with different roles or such, but unless you need to do that I’d always recommend letting a provider configuration be focused only on what Terraform is managing and not who or what is running Terraform, because that then gives the most flexibility to run Terraform in different contexts which have different modes of authentication.

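As an added illustration of the pattern in the reply above (not code from this thread or from the Terraform project): the provider block carries only the region, and the choice between a local profile and an instance-profile-backed role is made in the AWS shared config that the provider reads through the standard SDK credential chain, so the HCL is identical for both kinds of run. The second, aliased provider shows the "multiple provider configurations with different roles" case the reply mentions; the profile names, account ID, role ARNs and variable names are placeholders.

```hcl
# main.tf: no credentials, no profile, no assume_role on the default provider.
variable "region" {
  type    = string
  default = "us-east-1"
}

provider "aws" {
  region = var.region
}

# Aliased configuration for a second account. Only this provider names a
# role; the credentials used to assume it still come from the environment
# (the same AWS_PROFILE or instance profile as the default provider).
variable "audit_account_role_arn" {
  type = string # e.g. arn:aws:iam::222222222222:role/terraform (placeholder)
}

provider "aws" {
  alias  = "audit"
  region = var.region

  assume_role {
    role_arn = var.audit_account_role_arn
  }
}
# Resources in that account reference it with:  provider = aws.audit

# ~/.aws/config (INI, shown here as comments because it is not HCL):
#
#   [profile dev]
#   region = us-east-1
#   # static keys for "dev" live in ~/.aws/credentials
#
#   [profile ci]
#   role_arn          = arn:aws:iam::111111111111:role/terraform-ci  # placeholder
#   credential_source = Ec2InstanceMetadata   # assume it from the instance profile
#
# Workstation run:  AWS_PROFILE=dev terraform plan
# CI run on EC2:    AWS_PROFILE=ci  terraform plan
#
# AWS provider 4.x and later read ~/.aws/config by default; 3.x releases
# needed AWS_SDK_LOAD_CONFIG=1 in the environment for the [profile ci]
# role_arn / credential_source entries to be honoured.
```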

Thank you @apparentlymart! (So amazing to have such a luminary coder and architect of Terraform answering! :slight_smile: )

So, a little scope-creep on the question… If we add to the scenario that the Terraform code needs to access multiple AWS accounts for a successful Apply, is there a preferred approach? Apologies in advance if this is covered elsewhere - but links are welcome. :smiley: Cheers.