d/aws_credentials: New Data Source #16453
Changes:

* **New Data Source:** `aws_credentials`

Output from acceptance testing:

```
make testacc TESTARGS='-run=TestAccAWSCredentials_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSCredentials_ -timeout 120m
=== RUN   TestAccAWSCredentials_basic
=== PAUSE TestAccAWSCredentials_basic
=== CONT  TestAccAWSCredentials_basic
--- PASS: TestAccAWSCredentials_basic (62.60s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	64.457s
```
This would be extremely useful when paired with https://registry.terraform.io/providers/vancluever/acme/latest/docs/guides/dns-providers-route53 if you're assuming a role.
Hi @Omarimcblack 👋 Thank you for submitting this. In the security-minded interest of the community, the maintainers are hesitant to make it easy to exfiltrate active AWS credentials from a Terraform run in a manner such as this. There are valid use cases within Terraform as in the referenced issue, but those credentials may be then used completely outside of Terraform's context (e.g. if they are visible to CI logging then anyone with CI log access can see and use them locally). While implementing a data source like this is opt-in for practitioners, setting up controls/policies to block its usage is also opt-in and the need for these controls/policies has to be known either before or during the provider upgrade that includes the data source. Given those implications, having this ability within an officially released Terraform AWS Provider binary would not be acceptable in many organizations. Rather than providing any sort of false hope with this particular implementation, I'm going to close this. Let's continue the discussion in #8242 as there are likely other ways we (the broader Terraform + AWS community) can solve this issue. 👍
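The comment above notes that blocking such a data source is itself an opt-in control. The following is an added example of that control, not code from this PR or the provider: it scans a `terraform show -json` plan for the proposed `aws_credentials` data source type and for root outputs that reference it, so a CI gate can fail before the values reach logs, `terraform output`, or state. The plan fragment is constructed for the example; its keys follow Terraform's documented JSON plan format.

```python
# Data source types whose read result is a live secret. "aws_credentials" is the
# type proposed in this PR; it was never shipped in the provider.
DENIED_DATA_TYPES = frozenset({"aws_credentials"})

# Constructed plan fragment in the shape of `terraform show -json`, not output
# from this PR: the root module reads the denied data source and exports it in
# an output that is not marked sensitive; a child module reads it as well.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "configuration": {"root_module": {
        "outputs": {
            "secret": {"expression": {"references":
                       ["data.aws_credentials.current.secret_access_key"]}},
            "region": {"expression": {"references": ["data.aws_region.current.name"]}},
        },
        "resources": [
            {"address": "data.aws_region.current", "mode": "data", "type": "aws_region"},
            {"address": "data.aws_credentials.current", "mode": "data", "type": "aws_credentials"},
        ],
        "module_calls": {"child": {"module": {"resources": [
            {"address": "data.aws_credentials.ci", "mode": "data", "type": "aws_credentials"},
        ]}}},
    }},
}

def _modules(module):
    """Yield a configuration module and, recursively, every module it calls."""
    yield module
    for call in module.get("module_calls", {}).values():
        yield from _modules(call.get("module", {}))

def find_credential_exposure(plan, denied_types=DENIED_DATA_TYPES):
    """Return findings: every denied data source in any module, plus every root
    output referencing one (root outputs are printed on apply and kept in state)."""
    root = plan.get("configuration", {}).get("root_module", {})
    findings, root_denied = [], set()
    for module in _modules(root):
        for res in module.get("resources", []):
            if res.get("mode") == "data" and res.get("type") in denied_types:
                findings.append(f"denied data source {res['address']}")
                if module is root:  # only root addresses can appear in root outputs
                    root_denied.add(res["address"])
    for name, out in root.get("outputs", {}).items():
        refs = out.get("expression", {}).get("references", [])
        if any(r == a or r.startswith(a + ".") for r in refs for a in root_denied):
            marked = "sensitive" if out.get("sensitive") else "NOT sensitive"
            findings.append(f"output {name} exposes a denied data source ({marked})")
    return findings
```

An empty findings list means the plan passes; a CI step would exit non-zero on anything else.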
FWIW if you really need this functionality and since you have written the code, you can create a separate provider that reads the same information and contains this data source and then publish it on the registry.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Relates #8242