
d/aws_credentials: New Data Source #16453

Conversation

Omarimcblack
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates #8242

Release note for CHANGELOG:

* **New Data Source:** `aws_credentials`

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSCredentials_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20
-run=TestAccAWSCredentials_ -timeout 120m
=== RUN   TestAccAWSCredentials_basic
=== PAUSE TestAccAWSCredentials_basic
=== CONT  TestAccAWSCredentials_basic
--- PASS: TestAccAWSCredentials_basic (62.60s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws
64.457s

...

@Omarimcblack Omarimcblack requested a review from a team as a code owner November 27, 2020 00:45
@ghost ghost added size/L Managed by automation to categorize the size of a PR. provider Pertains to the provider itself, rather than any interaction with AWS. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Nov 27, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 27, 2020
@Omarimcblack Omarimcblack marked this pull request as draft November 27, 2020 00:46
@bflad bflad added the proposal Proposes new design or functionality. label Nov 30, 2020
@keeleysam

This would be extremely useful when paired with https://registry.terraform.io/providers/vancluever/acme/latest/docs/guides/dns-providers-route53 if you're assuming a role.

@bflad
Contributor

bflad commented Jan 6, 2021

Hi @Omarimcblack 👋 Thank you for submitting this.

In the security-minded interest of the community, the maintainers are hesitant to make it easy to exfiltrate active AWS credentials from a Terraform run in a manner such as this. There are valid use cases within Terraform as in the referenced issue, but those credentials may be then used completely outside of Terraform's context (e.g. if they are visible to CI logging then anyone with CI log access can see and use them locally). While implementing a data source like this is opt-in for practitioners, setting up controls/policies to block its usage is also opt-in and the need for these controls/policies has to be known either before or during the provider upgrade that includes the data source. Given those implications, having this ability within an officially released Terraform AWS Provider binary would not be acceptable in many organizations.

Rather than providing any sort of false hope with this particular implementation, I'm going to close this. Let's continue the discussion in #8242 as there are likely other ways we (the broader Terraform + AWS community) can solve this issue. 👍
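The opt-in control bflad refers to, as an added example that is not part of this pull request or of the provider: a CI check over `terraform show -json` output that fails the run when any module in the configuration declares a `data "aws_credentials"` block. The plan JSON keys it reads (configuration, root_module, resources, module_calls) follow Terraform's documented JSON output format; the sample plan is constructed.

```python
# Added example (not from the pull request): a CI policy check that fails a
# Terraform run whose configuration declares a data "aws_credentials" block
# anywhere in the module tree. It walks the output of `terraform show -json`
# (keys: configuration -> root_module -> resources / module_calls, as in
# Terraform's documented JSON format); the sample document is constructed.
import json
import sys

BLOCKED_DATA_SOURCES = {"aws_credentials"}


def _data_sources(module, prefix=""):
    """Yield (address, type) for every data source in a module and its children."""
    for res in module.get("resources", []):
        if res.get("mode") == "data":
            yield prefix + res["address"], res["type"]
    for name, call in module.get("module_calls", {}).items():
        yield from _data_sources(call.get("module", {}), f"{prefix}module.{name}.")


def find_blocked_data_sources(plan):
    """Return addresses of data sources whose type is on the block list."""
    root = plan.get("configuration", {}).get("root_module", {})
    return [addr for addr, typ in _data_sources(root) if typ in BLOCKED_DATA_SOURCES]


# Constructed sample plan: a harmless data source in the root module and the
# credential-exposing one declared inside a child module.
SAMPLE_PLAN = {"configuration": {"root_module": {
    "resources": [{"address": "data.aws_caller_identity.me", "mode": "data",
                   "type": "aws_caller_identity", "name": "me"}],
    "module_calls": {"certs": {"source": "./certs", "module": {
        "resources": [{"address": "data.aws_credentials.current", "mode": "data",
                       "type": "aws_credentials", "name": "current"}]}}},
}}}

if __name__ == "__main__":
    # Usage: terraform show -json plan.tfplan | python check_plan.py
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    hits = find_blocked_data_sources(plan)
    for addr in hits:
        print(f"blocked data source: {addr}")
    sys.exit(1 if hits else 0)
```

Run with no stdin it checks the constructed sample and exits non-zero; in a pipeline it exits 1 on any hit, which is what makes the check a blocking control rather than a warning.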

@bflad bflad closed this Jan 6, 2021
@paultyng
Contributor

paultyng commented Jan 6, 2021

FWIW if you really need this functionality and since you have written the code, you can create a separate provider that reads the same information and contains this data source and then publish it on the registry.

@ghost

ghost commented Feb 5, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Feb 5, 2021
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021