diff --git a/aws_helper/config.go b/aws_helper/config.go index 98262930dd..d107d150d2 100644 --- a/aws_helper/config.go +++ b/aws_helper/config.go @@ -22,6 +22,8 @@ type AwsSessionConfig struct { CredsFilename string S3ForcePathStyle bool DisableComputeChecksums bool + ExternalID string + SessionName string } // Returns an AWS session object for the given config region (required), profile name (optional), and IAM role to assume @@ -61,10 +63,19 @@ func CreateAwsSession(config *AwsSessionConfig, terragruntOptions *options.Terra return nil, errors.WithStackTraceAndPrefix(err, "Error initializing session") } + credentialsOptFn := func(p *stscreds.AssumeRoleProvider) { + if config.ExternalID != "" { + p.ExternalID = aws.String(config.ExternalID) + } + if config.SessionName != "" { + p.RoleSessionName = config.SessionName + } + } + if config.RoleArn != "" { - sess.Config.Credentials = stscreds.NewCredentials(sess, config.RoleArn) + sess.Config.Credentials = stscreds.NewCredentials(sess, config.RoleArn, credentialsOptFn) } else if terragruntOptions.IamRole != "" { - sess.Config.Credentials = stscreds.NewCredentials(sess, terragruntOptions.IamRole) + sess.Config.Credentials = stscreds.NewCredentials(sess, terragruntOptions.IamRole, credentialsOptFn) } if _, err = sess.Config.Credentials.Get(); err != nil { diff --git a/docs/_docs/04_reference/config-blocks-and-attributes.md b/docs/_docs/04_reference/config-blocks-and-attributes.md index 0958d1dce5..ce887fc6b3 100644 --- a/docs/_docs/04_reference/config-blocks-and-attributes.md +++ b/docs/_docs/04_reference/config-blocks-and-attributes.md @@ -201,6 +201,15 @@ supports additional keys that are used to configure the automatic initialization For the `s3` backend, the following additional properties are supported in the `config` attribute: +- `region` - (Optional) The region of the S3 bucket. +- `profile` - (Optional) This is the AWS profile name as set in the shared credentials file. +- `endpoint` - (Optional) A custom endpoint for the S3 API. +- `encrypt` - (Optional) Whether to enable server side encryption of the state file. +- `role_arn` - (Optional) The role to be assumed. +- `shared_credentials_file` - (Optional) This is the path to the shared credentials file. If this is not set and a profile is specified, `~/.aws/credentials` will be used. +- `external_id` - (Optional) The external ID to use when assuming the role. +- `session_name` - (Optional) The session name to use when assuming the role. +- `dynamodb_table` - (Optional) The name of a DynamoDB table to use for state locking and consistency. The table must have a primary key named LockID. If not present, locking will be disabled. - `skip_bucket_versioning`: When `true`, the S3 bucket that is created to store the state will not be versioned. - `skip_bucket_ssencryption`: When `true`, the S3 bucket that is created to store the state will not be configured with server-side encryption. - `skip_bucket_accesslogging`: When `true`, the S3 bucket that is created to store the state will not be configured with diff --git a/remote/remote_state_s3.go b/remote/remote_state_s3.go index edb57db0e9..a0f026452c 100644 --- a/remote/remote_state_s3.go +++ b/remote/remote_state_s3.go @@ -59,6 +59,8 @@ type RemoteStateConfigS3 struct { Endpoint string `mapstructure:"endpoint"` Profile string `mapstructure:"profile"` RoleArn string `mapstructure:"role_arn"` + ExternalID string `mapstructure:"external_id"` + SessionName string `mapstructure:"session_name"` LockTable string `mapstructure:"lock_table"` DynamoDBTable string `mapstructure:"dynamodb_table"` CredsFilename string `mapstructure:"shared_credentials_file"` @@ -72,6 +74,8 @@ func (c *ExtendedRemoteStateConfigS3) GetAwsSessionConfig() *aws_helper.AwsSessi CustomS3Endpoint: c.remoteStateConfigS3.Endpoint, Profile: c.remoteStateConfigS3.Profile, RoleArn: c.remoteStateConfigS3.RoleArn, + ExternalID: c.remoteStateConfigS3.ExternalID, + SessionName: c.remoteStateConfigS3.SessionName, CredsFilename: c.remoteStateConfigS3.CredsFilename, S3ForcePathStyle: c.remoteStateConfigS3.S3ForcePathStyle, DisableComputeChecksums: c.DisableAWSClientChecksums,