mirror of
https://github.com/thegeeklab/wp-opentofu.git
synced 2024-11-22 00:30:40 +00:00
allow assume role before running terraform commands
This commit is contained in:
parent
371076e773
commit
90a46bd02c
20
DOCS.md
20
DOCS.md
@ -8,6 +8,7 @@ Use the Terraform plugin to apply the infrastructure configuration contained wit
|
|||||||
<key>=<value>` option.
|
<key>=<value>` option.
|
||||||
* `ca_cert` - ca cert to add to your environment to allow terraform to use internal/private resources
|
* `ca_cert` - ca cert to add to your environment to allow terraform to use internal/private resources
|
||||||
* `sensitive` (default: `false`) - Whether or not to suppress terraform commands to stdout.
|
* `sensitive` (default: `false`) - Whether or not to suppress terraform commands to stdout.
|
||||||
|
* `role_arn_to_assume` - A role to assume before running the terraform commands
|
||||||
|
|
||||||
The following is a sample Terraform configuration in your .drone.yml file:
|
The following is a sample Terraform configuration in your .drone.yml file:
|
||||||
|
|
||||||
@ -73,3 +74,22 @@ deploy:
|
|||||||
app_name: my-project
|
app_name: my-project
|
||||||
app_version: 1.0.0
|
app_version: 1.0.0
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Assume Role ARN
|
||||||
|
You may want to assume another role before running the terraform commands. This is useful for cross account access, where a central account ahs privileges to assume roles in other accounts. Using the current credentials, this role will be assumed and exported to environment variables. See [the discussion](https://github.com/hashicorp/terraform/issues/1275) in the Terraform issues.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
deploy:
|
||||||
|
terraform:
|
||||||
|
plan: false
|
||||||
|
remote:
|
||||||
|
backend: S3
|
||||||
|
config:
|
||||||
|
bucket: my-terraform-config-bucket
|
||||||
|
key: tf-states/my-project
|
||||||
|
region: us-east-1
|
||||||
|
vars:
|
||||||
|
app_name: my-project
|
||||||
|
app_version: 1.0.0
|
||||||
|
role_arn_to_assume: arn:aws:iam::account-of-role-to-assume:role/name-of-role
|
||||||
|
```
|
||||||
|
34
main.go
34
main.go
@ -6,8 +6,12 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
"strings"
|
"strings"
|
||||||
|
"time"
|
||||||
"github.com/drone/drone-plugin-go/plugin"
|
"github.com/aws/aws-sdk-go/aws/credentials"
|
||||||
|
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
|
||||||
|
"github.com/aws/aws-sdk-go/aws/session"
|
||||||
|
"github.com/aws/aws-sdk-go/service/sts"
|
||||||
|
"github.com/drone/drone-plugin-go/plugin"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -20,6 +24,7 @@ type terraform struct {
|
|||||||
Vars map[string]string `json:"vars"`
|
Vars map[string]string `json:"vars"`
|
||||||
Cacert string `json:"ca_cert"`
|
Cacert string `json:"ca_cert"`
|
||||||
Sensitive bool `json:"sensitive"`
|
Sensitive bool `json:"sensitive"`
|
||||||
|
RoleARN string `json:"role_arn_to_assume"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type remote struct {
|
type remote struct {
|
||||||
@ -37,6 +42,10 @@ func main() {
|
|||||||
plugin.Param("vargs", &vargs)
|
plugin.Param("vargs", &vargs)
|
||||||
plugin.MustParse()
|
plugin.MustParse()
|
||||||
|
|
||||||
|
if vargs.RoleARN != "" {
|
||||||
|
assumeRole(vargs.RoleARN)
|
||||||
|
}
|
||||||
|
|
||||||
var commands []*exec.Cmd
|
var commands []*exec.Cmd
|
||||||
remote := vargs.Remote
|
remote := vargs.Remote
|
||||||
if vargs.Cacert != "" {
|
if vargs.Cacert != "" {
|
||||||
@ -125,6 +134,27 @@ func applyCommand() *exec.Cmd {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func assumeRole(roleArn string) {
|
||||||
|
client := sts.New(session.New())
|
||||||
|
duration := time.Hour * 1
|
||||||
|
stsProvider := &stscreds.AssumeRoleProvider{
|
||||||
|
Client: client,
|
||||||
|
Duration: duration,
|
||||||
|
RoleARN: roleArn,
|
||||||
|
RoleSessionName: "drone",
|
||||||
|
}
|
||||||
|
|
||||||
|
value, err := credentials.NewCredentials(stsProvider).Get()
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println("Error assuming role!")
|
||||||
|
fmt.Println(err)
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
os.Setenv("AWS_ACCESS_KEY_ID",value.AccessKeyID)
|
||||||
|
os.Setenv("AWS_SECRET_ACCESS_KEY",value.SecretAccessKey)
|
||||||
|
os.Setenv("AWS_SESSION_TOKEN",value.SessionToken)
|
||||||
|
}
|
||||||
|
|
||||||
func trace(cmd *exec.Cmd) {
|
func trace(cmd *exec.Cmd) {
|
||||||
fmt.Println("$", strings.Join(cmd.Args, " "))
|
fmt.Println("$", strings.Join(cmd.Args, " "))
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user