Made sure external_id and session_name are respected when assuming a …

…role
blichev · Feb 24, 2020 · 243224d · 243224d
1 parent 4ea6377
commit 243224d
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/aws_helper/config.go b/aws_helper/config.go
@@ -22,6 +22,8 @@ type AwsSessionConfig struct {
 	CredsFilename           string
 	S3ForcePathStyle        bool
 	DisableComputeChecksums bool
+	ExternalID              string
+	SessionName             string
 }
 
 // Returns an AWS session object for the given config region (required), profile name (optional), and IAM role to assume
@@ -61,10 +63,19 @@ func CreateAwsSession(config *AwsSessionConfig, terragruntOptions *options.Terra
 		return nil, errors.WithStackTraceAndPrefix(err, "Error initializing session")
 	}
 
+	credentialsOptFn := func(p *stscreds.AssumeRoleProvider) {
+		if config.ExternalID != "" {
+			p.ExternalID = aws.String(config.ExternalID)
+		}
+		if config.SessionName != "" {
+			p.RoleSessionName = config.SessionName
+		}
+	}
+
 	if config.RoleArn != "" {
-		sess.Config.Credentials = stscreds.NewCredentials(sess, config.RoleArn)
+		sess.Config.Credentials = stscreds.NewCredentials(sess, config.RoleArn, credentialsOptFn)
 	} else if terragruntOptions.IamRole != "" {
-		sess.Config.Credentials = stscreds.NewCredentials(sess, terragruntOptions.IamRole)
+		sess.Config.Credentials = stscreds.NewCredentials(sess, terragruntOptions.IamRole, credentialsOptFn)
 	}
 
 	if _, err = sess.Config.Credentials.Get(); err != nil {

diff --git a/remote/remote_state_s3.go b/remote/remote_state_s3.go
@@ -59,6 +59,8 @@ type RemoteStateConfigS3 struct {
 	Endpoint         string `mapstructure:"endpoint"`
 	Profile          string `mapstructure:"profile"`
 	RoleArn          string `mapstructure:"role_arn"`
+	ExternalID       string `mapstructure:"external_id"`
+	SessionName      string `mapstructure:"session_name"`
 	LockTable        string `mapstructure:"lock_table"`
 	DynamoDBTable    string `mapstructure:"dynamodb_table"`
 	CredsFilename    string `mapstructure:"shared_credentials_file"`
@@ -72,6 +74,8 @@ func (c *ExtendedRemoteStateConfigS3) GetAwsSessionConfig() *aws_helper.AwsSessi
 		CustomS3Endpoint:        c.remoteStateConfigS3.Endpoint,
 		Profile:                 c.remoteStateConfigS3.Profile,
 		RoleArn:                 c.remoteStateConfigS3.RoleArn,
+		ExternalID:              c.remoteStateConfigS3.ExternalID,
+		SessionName:             c.remoteStateConfigS3.SessionName,
 		CredsFilename:           c.remoteStateConfigS3.CredsFilename,
 		S3ForcePathStyle:        c.remoteStateConfigS3.S3ForcePathStyle,
 		DisableComputeChecksums: c.DisableAWSClientChecksums,