S3 module downloads don't work with AWS IRSA #31983

@jukie

Terraform Version

Terraform v1.3.2

Terraform Configuration Files

module "some_s3_module" {
  source                           = "s3::https://s3.amazonaws.com/somewhere/terraform-modules/release/something-0.1.0.tgz"
  ...
  some input vars
  ...
}

Debug Output

Have already applied a temp fix internally and shared the issue in the description, but can obtain the debug info if necessary.

Expected Behavior

S3 modules download when Terraform is being executed from an EKS pod utilizing IRSA

Actual Behavior

Due to the old version of hashicorp/go-getter, it's not looking in the correct place for credentials or the extra environment vars.

Steps to Reproduce

  1. terraform init
  2. terraform plan

Additional Context

Copying from the issue in go-getter; once the fix is merged there, we'd need to bump the version in Terraform.

IAM roles for service accounts (IRSA) is a feature of EKS to provide IAM role creds to Kubernetes pods. The aws-sdk version (v1.15.78) used in the current version of go-getter doesn't support IRSA in its default credential chain. Versions after v1.23.13 are supported (source). To overcome this problem, a recent version of aws-sdk should be used.

The use case: We bumped into this problem while using Terraform (via Atlantis) in a Kubernetes pod.

References

hashicorp/go-getter#383
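
A preflight check for the IRSA inputs discussed in this issue, added here as an example; it is not code from the issue, go-getter or Terraform. It confirms that the pod carries the two variables EKS injects for IRSA (`AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`) and that the projected token is an unexpired JWT, which separates a pod misconfiguration from an SDK that never reads these inputs. `checkIRSA` is a hypothetical helper name.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// checkIRSA (hypothetical helper, not go-getter or Terraform code) confirms that
// the variables EKS injects for IRSA are set and that the token file holds an
// unexpired JWT. It does not verify the signature and makes no call to STS.
func checkIRSA(getenv func(string) string, read func(string) ([]byte, error), now time.Time) (string, error) {
	role, path := getenv("AWS_ROLE_ARN"), getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	if role == "" || path == "" {
		return "", fmt.Errorf("AWS_ROLE_ARN or AWS_WEB_IDENTITY_TOKEN_FILE is not set")
	}
	raw, err := read(path)
	if err != nil {
		return "", fmt.Errorf("token file unreadable: %w", err)
	}
	parts := strings.Split(strings.TrimSpace(string(raw)), ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("token is not a three-part JWT")
	}
	var c struct {
		Sub string `json:"sub"`
		Exp int64  `json:"exp"`
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return "", fmt.Errorf("token payload is not base64url-encoded JSON")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", fmt.Errorf("token expired at %s", time.Unix(c.Exp, 0).UTC().Format(time.RFC3339))
	}
	return c.Sub, nil
}

func main() {
	sub, err := checkIRSA(os.Getenv, os.ReadFile, time.Now())
	if err != nil {
		fmt.Println("IRSA inputs not usable:", err)
		os.Exit(1)
	}
	fmt.Println("IRSA inputs present for", sub)
}
```

If this check passes inside the pod and the S3 module download still fails, the pod-side IRSA setup is in place and the credential chain of the client is the remaining suspect.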
