
Run the AWS CLI, with the ability to run under an assumed role, to access resources and properties missing from the Terraform AWS Provider.


GarrettBlinkhorn/terraform-aws-cli

 
 


terraform-aws-cli

Run the AWS CLI, with the ability to run under an assumed role, to access resources and properties missing from the Terraform AWS Provider.

Requirements

This module requires a couple of additional resources to operate successfully.

  1. Amazon Web Services Command Line Interface (awscli): This is available in several forms here.

  2. JSON processor (jq): This is available here.

Examples

1. Get the desired capacity of an autoscaling group.

If you are using a blue/green style deployment, you would want to create the same number of EC2 instances as you are replacing.

module "current_desired_capacity" {
  source            = "digitickets/cli/aws"
  role_session_name = "GettingDesiredCapacityFor${var.environment}"
  aws_cli_commands  = ["autoscaling", "describe-auto-scaling-groups"]
  aws_cli_query     = "AutoScalingGroups[?Tags[?Key==`Name`]|[?Value==`digitickets-${var.environment}-asg-app`]]|[0].DesiredCapacity"
}

You can now set the desired capacity of an aws_autoscaling_group:

  desired_capacity = module.current_desired_capacity.result

2. Assuming a role.

Extending the first example above, assuming a role is as simple as adding an assume_role_arn to the module:

module "current_desired_capacity" {
  source            = "digitickets/cli/aws"
  assume_role_arn   = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/OrganizationAccountAccessRole"
  role_session_name = "GettingDesiredCapacityFor${var.environment}"
  aws_cli_commands  = ["autoscaling", "describe-auto-scaling-groups"]
  aws_cli_query     = "AutoScalingGroups[?Tags[?Key==`Name`]|[?Value==`digitickets-${var.environment}-asg-app`]]|[0].DesiredCapacity"
}

3. Adding your own profile.

Extending the example above, you can supply your own profile by adding a profile to the module:

module "current_desired_capacity" {
  source            = "digitickets/cli/aws"
  assume_role_arn   = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/OrganizationAccountAccessRole"
  role_session_name = "GettingDesiredCapacityFor${var.environment}"
  aws_cli_commands  = ["autoscaling", "describe-auto-scaling-groups"]
  aws_cli_query     = "AutoScalingGroups[?Tags[?Key==`Name`]|[?Value==`digitickets-${var.environment}-asg-app`]]|[0].DesiredCapacity"
  profile           = "your-own-profile"
}

4. Adding your external ID.

Extending the example above, you can supply your own external ID by adding an external_id to the module:

module "current_desired_capacity" {
  source            = "digitickets/cli/aws"
  assume_role_arn   = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/OrganizationAccountAccessRole"
  role_session_name = "GettingDesiredCapacityFor${var.environment}"
  aws_cli_commands  = ["autoscaling", "describe-auto-scaling-groups"]
  aws_cli_query     = "AutoScalingGroups[?Tags[?Key==`Name`]|[?Value==`digitickets-${var.environment}-asg-app`]]|[0].DesiredCapacity"
  profile           = "your-own-profile"
  external_id       = "your-external-id"
}

Further information regarding the use of external IDs can be found here.
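
The external_id passed to the module only has an effect if the trust policy of the assumed role requires it. The examples above assume OrganizationAccountAccessRole, which AWS Organizations creates with full administrator permissions by default. The following is an added example, not part of this module or its documentation, of a dedicated role that enforces the external ID and can only run the query from example 1. It assumes the AWS provider is configured; the variable, role and policy names are hypothetical.

```hcl
# Added example: a dedicated, read-only role for the module to assume.
# All names below (variables, role name, policy name) are hypothetical.
variable "trusted_principal_arn" {
  description = "ARN of the principal that runs Terraform and calls sts:AssumeRole"
  type        = string
}

variable "external_id" {
  description = "The same value that is passed to the module as external_id"
  type        = string
}

data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.trusted_principal_arn]
    }

    # Without this condition the role can be assumed with no external ID,
    # and the external_id given to the module is never checked.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

# Only the API call behind "autoscaling describe-auto-scaling-groups".
# This action does not support resource-level permissions, hence "*".
data "aws_iam_policy_document" "read_asg" {
  statement {
    effect    = "Allow"
    actions   = ["autoscaling:DescribeAutoScalingGroups"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "cli_reader" {
  name               = "terraform-aws-cli-reader"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

resource "aws_iam_role_policy" "cli_reader" {
  name   = "describe-auto-scaling-groups"
  role   = aws_iam_role.cli_reader.id
  policy = data.aws_iam_policy_document.read_asg.json
}
```

Pass aws_iam_role.cli_reader.arn as assume_role_arn and the same var.external_id as external_id in the module block.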

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.15 |
| external | ~> 2.0 |
| local | ~> 2.0 |

Providers

| Name | Version |
|------|---------|
| external | 2.3.2 |
| local | 2.4.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| external_external.awscli_program | data source |
| local_file.awscli_results_file | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| assume_role_arn | The ARN of the role being assumed (optional) | string | "" | no |
| aws_cli_commands | The AWS CLI command and subcommands | list(string) | n/a | yes |
| aws_cli_query | The --query value | string | "" | no |
| debug_log_filename | Generate a debug log if a debug_log_filename is supplied | string | "" | no |
| external_id | External id for assuming the role (optional) | string | "" | no |
| profile | The specific AWS profile to use (must be configured appropriately) | string | "" | no |
| region | The specific AWS region to use | string | "" | no |
| role_session_name | The role session name | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| result | The output of the AWS CLI command |

Docker

To help with getting this running in a pipeline that uses Docker, the image digiticketsgroup/terraforming has Terraform, AWSCLI, and jq all ready to go.

If you want to build or adapt your own image, then the Dockerfile below is how that image has been built.

# Based upon https://github.com/aws/aws-cli/blob/2.0.10/docker/Dockerfile
FROM amazonlinux:2 as installer
ARG TERRAFORM_VERSION
RUN yum update -y \
  && yum install -y unzip \
  && curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscli-exe-linux-x86_64.zip \
  && unzip awscli-exe-linux-x86_64.zip \
  # The --bin-dir is specified so that we can copy the
  # entire bin directory from the installer stage into
  # /usr/local/bin of the final stage without
  # accidentally copying over any other executables that
  # may be present in /usr/local/bin of the installer stage.
  && ./aws/install --bin-dir /aws-cli-bin/ \
  && curl "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o terraform.zip \
  && unzip terraform.zip

FROM amazonlinux:2
COPY --from=installer /usr/local/aws-cli/ /usr/local/aws-cli/
COPY --from=installer /aws-cli-bin/ /usr/local/bin/
COPY --from=installer terraform /usr/bin/
RUN yum update -y \
  && yum install -y less groff jq \
  && yum clean all

ENTRYPOINT ["/bin/sh"]
