This module creates an AWS IAM role which uses OpenID Connect to authorize Terraform Cloud to perform operations in your AWS account. The module is intended for use with the stacks private preview.
1. Take a note of your Terraform Cloud organization's ID. You can find this at the top of the organization settings page. It begins with `org-`.
2. Create a workspace using this repository (or a fork) as the VCS source.
3. Fill in the required variables (which will include your organization ID from step 1). If you don't want to fiddle with permissions, you can set `allowed_actions` to `["*"]`.
4. Authenticate your workspace to your AWS account, likely using `doormat aws tf-push`.
5. Start a workspace run, check the plan, and apply it.
6. Look at the run or workspace outputs to see the `role_arn` value. You'll use this in your stack configuration to configure the AWS provider.
If your AWS account is already configured for dynamic provider credentials (i.e., you already have an IAM OIDC provider for app.terraform.io), this configuration will fail to apply because only one OIDC provider per URL is allowed.
Workaround:
1. Replace the `aws_iam_openid_connect_provider` resource in this configuration with:

   ```hcl
   data "aws_iam_openid_connect_provider" "stacks" {
     url = "https://app.terraform.io"
   }
   ```

2. Update the policy in the `aws_iam_role.stacks` resource to refer to the data source instead: `aws_iam_openid_connect_provider.stacks.arn` --> `data.aws_iam_openid_connect_provider.stacks.arn`.
3. When configuring your stacks deployments (`*.tfdeploy.hcl` file), set the audience to the value from your current OIDC configuration (likely `aws.workload.identity`).
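The following is an added illustration (not this module's own code) of what the role looks like after the workaround: the existing OIDC provider is looked up with a data source, and the trust policy pins both the audience and the organization ID so that only tokens issued for this audience and this organization can assume the role. The `StringLike` subject pattern and the variable names are assumptions, not values taken from the module.

```hcl
variable "organization_id" {
  type        = string
  description = "Terraform Cloud organization ID (begins with org-), from the organization settings page"
}

variable "audience" {
  type        = string
  description = "Audience expected in the OIDC token; must match the stacks deployment configuration"
  default     = "aws.workload.identity"
}

# Workaround step 1: reuse the OIDC provider that already exists for app.terraform.io
# instead of creating a second one, which AWS rejects for the same URL.
data "aws_iam_openid_connect_provider" "stacks" {
  url = "https://app.terraform.io"
}

# Workaround step 2: the trust policy references the data source's ARN.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.stacks.arn]
    }
    # Accept only tokens minted for the expected audience ...
    condition {
      test     = "StringEquals"
      variable = "app.terraform.io:aud"
      values   = [var.audience]
    }
    # ... and only tokens whose subject belongs to this organization. Without a
    # subject condition, any organization using the same audience could assume
    # the role. The subject format used here is an assumption; confirm it against
    # the claims in a real token before relying on it.
    condition {
      test     = "StringLike"
      variable = "app.terraform.io:sub"
      values   = ["organization:${var.organization_id}:*"]
    }
  }
}

resource "aws_iam_role" "stacks" {
  name               = "terraform-stacks" # hypothetical name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

output "role_arn" {
  value = aws_iam_role.stacks.arn
}
```

The permissions policy attached to the role is a separate concern; setting `allowed_actions` to `["*"]` as suggested above is convenient for the preview but grants the role every action, so narrow it once the required actions are known.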