AWS provider for Appflow, introducing several improvements compared to the official AWS provider by Hashicorp. Use this provider with SAP OData and S3 connectors.
cloudbuzzbyone/terraform-provider-appflow
layout: aws
page_title: Provider: Appflow for AWS
description: AWS provider for Appflow, introducing several improvements compared to the official AWS provider by Hashicorp. Use this provider with SAP OData and S3 connectors.

🇮🇱 AWS Provider for Appflow 🇮🇱

AWS provider for Appflow, introducing several improvements compared to the official AWS provider by Hashicorp.
Use this provider with SAP OData and S3 connectors.


🇮🇱 We Stand with Israel! 🇮🇱

Example Usage

Terraform 0.13 and later:

terraform {
  required_providers {
    aws = {
      source  = "cloudbuzzbyone/appflow"
      version = "~> 0.1"
    }
  }
}

# Configure the AWS Provider
provider "aws" {
  region = "eu-west-1"
}

# Create a flow
resource "aws_flow" "example" {
  flow_name = "example"
}

Authentication and Configuration

Configuration for the AWS Provider can be derived from several sources, which are applied in the following order:

  1. Parameters in the provider configuration
  2. Environment variables
  3. Shared credentials files
  4. Shared configuration files
  5. Container credentials
  6. Instance profile credentials and region

This order matches the precedence used by the AWS CLI and the AWS SDKs.

The AWS Provider supports assuming an IAM role, either in the provider configuration block parameter assume_role or in a named profile.

The AWS Provider supports assuming an IAM role using web identity federation and OpenID Connect (OIDC). This can be configured either using environment variables or in a named profile.

When using a named profile, the AWS Provider also supports sourcing credentials from an external process.

Provider Configuration

Warning: Hard-coded credentials are not recommended in any Terraform configuration; they risk secret leakage should the file ever be committed to a public version control system.

Credentials can be provided by adding an access_key, secret_key, and optionally token, to the aws provider block.

Usage:

provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}
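As an added example that is not part of this provider's code base, the following Python check finds the pattern the warning describes: literal access_key, secret_key or token values inside a provider "aws" block, while leaving variable and expression references alone. The .tf text it scans is constructed for the example.

```python
"""Flag hard-coded credentials in Terraform provider "aws" blocks.

Added example (a hypothetical pre-commit check, not part of this provider):
walks .tf source, tracks brace depth to stay inside provider "aws" blocks,
and reports access_key / secret_key / token arguments whose value is a
string literal rather than a variable or expression reference.
"""
import re

# Arguments the provider documentation lists as carrying credential material.
SECRET_ARGS = ("access_key", "secret_key", "token")

PROVIDER_OPEN = re.compile(r'^\s*provider\s+"aws"\s*\{')
# name = "literal": a quoted string on the right-hand side of the assignment.
LITERAL_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def mask(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without echoing the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def find_hardcoded_credentials(tf_source: str) -> list:
    """Return (line_no, argument, masked_value) for literal secrets in provider "aws" blocks."""
    findings = []
    in_provider = False
    depth = 0
    for line_no, raw in enumerate(tf_source.splitlines(), start=1):
        stripped = raw.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # HCL comment lines contribute neither braces nor arguments
        if not in_provider:
            if PROVIDER_OPEN.match(raw):
                depth = raw.count("{") - raw.count("}")
                in_provider = depth > 0  # a one-line `provider "aws" {}` has nothing inside
            continue
        m = LITERAL_ASSIGN.match(raw)
        if m and m.group(1) in SECRET_ARGS:
            findings.append((line_no, m.group(1), mask(m.group(2))))
        depth += raw.count("{") - raw.count("}")  # nested blocks such as assume_role { }
        if depth <= 0:
            in_provider = False
    return findings


# Constructed input: one block with a literal access key and a variable-backed
# secret, and a second aliased block that is clean.
SAMPLE_TF = """\
provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = var.secret_key
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/ROLE_NAME"
  }
}

provider "aws" {
  alias  = "clean"
  region = "eu-west-1"
}
"""

if __name__ == "__main__":
    for line_no, arg, value in find_hardcoded_credentials(SAMPLE_TF):
        print(f"line {line_no}: {arg} is a literal ({value}); use a variable or environment variable instead")
```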

Other settings related to authorization can be configured, such as:

  • profile
  • shared_config_files
  • shared_credentials_files

Environment Variables

Credentials can be provided by using the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN environment variables. The region can be set using the AWS_REGION or AWS_DEFAULT_REGION environment variables.

For example:

provider "aws" {}
% export AWS_ACCESS_KEY_ID="anaccesskey"
% export AWS_SECRET_ACCESS_KEY="asecretkey"
% export AWS_REGION="us-west-2"
% terraform plan

Other environment variables related to authorization are:

  • AWS_PROFILE
  • AWS_CONFIG_FILE
  • AWS_SHARED_CREDENTIALS_FILE

Shared Configuration and Credentials Files

The AWS Provider can source credentials and other settings from the shared configuration and credentials files. By default, these files are located at $HOME/.aws/config and $HOME/.aws/credentials on Linux and macOS, and "%USERPROFILE%\.aws\config" and "%USERPROFILE%\.aws\credentials" on Windows.

If no named profile is specified, the default profile is used. Use the profile parameter or AWS_PROFILE environment variable to specify a named profile.

The locations of the shared configuration and credentials files can be configured using either the parameters shared_config_files and shared_credentials_files or the environment variables AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE.

For example:

provider "aws" {
  shared_config_files      = ["/Users/tf_user/.aws/conf"]
  shared_credentials_files = ["/Users/tf_user/.aws/creds"]
  profile                  = "customprofile"
}

Container Credentials

If you're running Terraform on CodeBuild or ECS and have configured an IAM Task Role, Terraform can use the container's Task Role. This support is based on the underlying AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and AWS_CONTAINER_CREDENTIALS_FULL_URI environment variables being automatically set by those services or manually for advanced usage.

If you're running Terraform on EKS and have configured IAM Roles for Service Accounts (IRSA), Terraform can use the pod's role. This support is based on the underlying AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables being automatically set by Kubernetes or manually for advanced usage.

Instance profile credentials and region

When the AWS Provider is running on an EC2 instance with an IAM Instance Profile set, the provider can source credentials from the EC2 Instance Metadata Service. Both IMDS v1 and IMDS v2 are supported.

A custom endpoint for the metadata service can be provided using the ec2_metadata_service_endpoint parameter or the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.

Assuming an IAM Role

If provided with a role ARN, the AWS Provider will attempt to assume this role using the supplied credentials.

Usage:

provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}

Hands-on: Try the Use AssumeRole to Provision AWS Resources Across Accounts tutorial.

Assuming an IAM Role Using A Web Identity

If provided with a role ARN and a token from a web identity provider, the AWS Provider will attempt to assume this role using the supplied credentials.

Usage:

provider "aws" {
  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name            = "SESSION_NAME"
    web_identity_token_file = "/Users/tf_user/secrets/web-identity-token"
  }
}

Using an External Credentials Process

To use an external process to source credentials, the process must be configured in a named profile, including the default profile. The profile is configured in a shared configuration file.

For example:

provider "aws" {
  profile = "customprofile"
}
[profile customprofile]
credential_process = custom-process --username jdoe

AWS Configuration Reference

| Setting | Provider | Environment Variable | Shared Config |
| --- | --- | --- | --- |
| Access Key ID | access_key | AWS_ACCESS_KEY_ID | aws_access_key_id |
| Secret Access Key | secret_key | AWS_SECRET_ACCESS_KEY | aws_secret_access_key |
| Session Token | token | AWS_SESSION_TOKEN | aws_session_token |
| Region | region | AWS_REGION or AWS_DEFAULT_REGION | region |
| Custom CA Bundle | custom_ca_bundle | AWS_CA_BUNDLE | ca_bundle |
| EC2 IMDS Endpoint | ec2_metadata_service_endpoint | AWS_EC2_METADATA_SERVICE_ENDPOINT | N/A |
| EC2 IMDS Endpoint Mode | ec2_metadata_service_endpoint_mode | AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE | N/A |
| Disable EC2 IMDS | skip_metadata_api_check | AWS_EC2_METADATA_DISABLED | N/A |
| HTTP Proxy | http_proxy | HTTP_PROXY or HTTPS_PROXY | N/A |
| Max Retries | max_retries | AWS_MAX_ATTEMPTS | max_attempts |
| Profile | profile | AWS_PROFILE or AWS_DEFAULT_PROFILE | N/A |
| Retry Mode | retry_mode | AWS_RETRY_MODE | retry_mode |
| Shared Config Files | shared_config_files | AWS_CONFIG_FILE | N/A |
| Shared Credentials Files | shared_credentials_files | AWS_SHARED_CREDENTIALS_FILE | N/A |
| S3 Use Regional Endpoint for eu-west-1 | s3_eu_west_1_regional_endpoint | AWS_S3_eu_west_1_REGIONAL_ENDPOINT | s3_eu_west_1_regional_endpoint |
| Use DualStack Endpoints | use_dualstack_endpoint | AWS_USE_DUALSTACK_ENDPOINT | use_dualstack_endpoint |
| Use FIPS Endpoints | use_fips_endpoint | AWS_USE_FIPS_ENDPOINT | use_fips_endpoint |
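The following Python model is an added example, not the provider's own resolution code: it applies the source order from the Authentication and Configuration section to the setting, provider argument, environment variable and shared-config mappings in the table above, and reports which source supplied each effective value. The profile names, keys and environment values in it are constructed; container and instance-profile credentials are modelled as caller-supplied dictionaries.

```python
"""Model of the documented credential and region precedence.

Added example, not the provider's implementation. Sources are consulted in
the documented order: provider arguments, environment variables, the shared
credentials file, the shared config file, container credentials, and finally
instance profile credentials. The last two are represented by an optional
`runtime` dictionary supplied by the caller (an assumption for this model).
"""
from configparser import ConfigParser

# Setting -> (provider argument, env variables checked in order, shared-config key),
# taken from the AWS Configuration Reference table.
SETTINGS = {
    "access_key": ("access_key", ("AWS_ACCESS_KEY_ID",), "aws_access_key_id"),
    "secret_key": ("secret_key", ("AWS_SECRET_ACCESS_KEY",), "aws_secret_access_key"),
    "token": ("token", ("AWS_SESSION_TOKEN",), "aws_session_token"),
    "region": ("region", ("AWS_REGION", "AWS_DEFAULT_REGION"), "region"),
}


def parse_shared_file(text: str) -> ConfigParser:
    """Parse an INI-style shared config or credentials file."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def profile_section(cp: ConfigParser, profile: str, is_config_file: bool):
    # The config file names non-default profiles "[profile NAME]"; the
    # credentials file and the default profile use the bare name.
    name = f"profile {profile}" if is_config_file and profile != "default" else profile
    return cp[name] if cp.has_section(name) else {}


def resolve(provider_args, env, config_text="", credentials_text="", runtime=None):
    """Return {setting: (value, source)} following the documented order."""
    profile = (provider_args.get("profile") or env.get("AWS_PROFILE")
               or env.get("AWS_DEFAULT_PROFILE") or "default")
    creds = profile_section(parse_shared_file(credentials_text), profile, False)
    conf = profile_section(parse_shared_file(config_text), profile, True)
    runtime = runtime or {}
    resolved = {}
    for setting, (arg, env_names, shared_key) in SETTINGS.items():
        chain = [
            ("provider", provider_args.get(arg)),
            ("environment", next((env[n] for n in env_names if n in env), None)),
            ("shared credentials file", creds.get(shared_key)),
            ("shared config file", conf.get(shared_key)),
            ("container credentials", runtime.get("container", {}).get(setting)),
            ("instance profile", runtime.get("instance", {}).get(setting)),
        ]
        # First source with a value wins; (None, None) if nothing supplied it.
        resolved[setting] = next(((v, src) for src, v in chain if v), (None, None))
    return resolved


# Constructed inputs for a CI runner: the named profile holds long-lived keys
# and a region, while the job environment injects a session token and a
# different region. The environment region wins over the profile's region.
SAMPLE_CREDENTIALS = """\
[ci]
aws_access_key_id = CONSTRUCTED-ACCESS-KEY
aws_secret_access_key = CONSTRUCTED-SECRET
"""
SAMPLE_CONFIG = """\
[profile ci]
region = eu-west-1
"""
SAMPLE_ENV = {"AWS_REGION": "us-west-2", "AWS_SESSION_TOKEN": "CONSTRUCTED-TOKEN"}


def demo():
    return resolve({"profile": "ci"}, SAMPLE_ENV, SAMPLE_CONFIG, SAMPLE_CREDENTIALS)


if __name__ == "__main__":
    for setting, (value, source) in demo().items():
        print(f"{setting:<10} = {value!s:<24} from {source}")
```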

Assume Role Configuration Reference

Configuration for assuming an IAM role can be done using provider configuration or a named profile in shared configuration files. In the provider, all parameters for assuming an IAM role are set in the assume_role block.

Note that environment variables are not supported for assuming IAM roles.

See the assume role documentation for more information.

| Setting | Provider | Shared Config |
| --- | --- | --- |
| Role ARN | role_arn | role_arn |
| Duration | duration | duration_seconds |
| External ID | external_id | external_id |
| Policy | policy | N/A |
| Policy ARNs | policy_arns | N/A |
| Session Name | session_name | role_session_name |
| Source Identity | source_identity | N/A |
| Tags | tags | N/A |
| Transitive Tag Keys | transitive_tag_keys | N/A |

Assume Role with Web Identity Configuration Reference

Configuration for assuming an IAM role using web identity federation can be done using provider configuration, environment variables, or a named profile in shared configuration files. In the provider, all parameters for assuming an IAM role are set in the assume_role_with_web_identity block.

See the assume role documentation section on web identities for more information.

| Setting | Provider | Environment Variable | Shared Config |
| --- | --- | --- | --- |
| Role ARN | role_arn | AWS_ROLE_ARN | role_arn |
| Web Identity Token | web_identity_token | N/A | N/A |
| Web Identity Token File | web_identity_token_file | AWS_WEB_IDENTITY_TOKEN_FILE | web_identity_token_file |
| Duration | duration | N/A | duration_seconds |
| Policy | policy | N/A | policy |
| Policy ARNs | policy_arns | N/A | policy_arns |
| Session Name | session_name | AWS_ROLE_SESSION_NAME | role_session_name |

Custom User-Agent Information

By default, the underlying AWS client used by the Terraform AWS Provider creates requests with User-Agent headers including information about Terraform and AWS SDK for Go versions. To provide additional information in the User-Agent headers, the TF_APPEND_USER_AGENT environment variable can be set and its value will be directly added to HTTP requests. E.g.,

% export TF_APPEND_USER_AGENT="JenkinsAgent/i-12345678 BuildID/1234 (Optional Extra Information)"

Argument Reference

In addition to generic provider arguments (e.g., alias and version), the following arguments are supported in the AWS provider block:

  • access_key - (Optional) AWS access key. Can also be set with the AWS_ACCESS_KEY_ID environment variable, or via a shared credentials file if profile is specified. See also secret_key.
  • allowed_account_ids - (Optional) List of allowed AWS account IDs to prevent you from mistakenly using an incorrect one (and potentially end up destroying a live environment). Conflicts with forbidden_account_ids.
  • assume_role - (Optional) Configuration block for assuming an IAM role. See the assume_role Configuration Block section below. Only one assume_role block may be in the configuration.
  • assume_role_with_web_identity - (Optional) Configuration block for assuming an IAM role using a web identity. See the assume_role_with_web_identity Configuration Block section below. Only one assume_role_with_web_identity block may be in the configuration.
  • custom_ca_bundle - (Optional) File containing custom root and intermediate certificates. Can also be set using the AWS_CA_BUNDLE environment variable. Setting ca_bundle in the shared config file is not supported.
  • default_tags - (Optional) Configuration block with resource tag settings to apply across all resources handled by this provider (see the Terraform multiple provider instances documentation for more information about additional provider configurations). This is designed to replace redundant per-resource tags configurations. Provider tags can be overridden with new values, but not excluded from specific resources. To override provider tag values, use the tags argument within a resource to configure new tag values for matching keys. See the default_tags Configuration Block section below for example usage and available arguments. This functionality is supported in all resources that implement tags, with the exception of the aws_autoscaling_group resource.
  • ec2_metadata_service_endpoint - (Optional) Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT environment variable.
  • ec2_metadata_service_endpoint_mode - (Optional) Mode to use in communicating with the metadata service. Valid values are IPv4 and IPv6. Can also be set with the AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE environment variable.
  • endpoints - (Optional) Configuration block for customizing service endpoints. See the Custom Service Endpoints Guide for more information about connecting to alternate AWS endpoints or AWS compatible solutions. See also use_fips_endpoint.
  • forbidden_account_ids - (Optional) List of forbidden AWS account IDs to prevent you from mistakenly using the wrong one (and potentially end up destroying a live environment). Conflicts with allowed_account_ids.
  • http_proxy - (Optional) Address of an HTTP proxy to use when accessing the AWS API. Can also be set using the HTTP_PROXY or HTTPS_PROXY environment variables.
  • ignore_tags - (Optional) Configuration block with resource tag settings to ignore across all resources handled by this provider (except any individual service tag resources such as aws_ec2_tag) for situations where external systems are managing certain resource tags. Arguments to the configuration block are described below in the ignore_tags Configuration Block section. See the Terraform multiple provider instances documentation for more information about additional provider configurations.
  • insecure - (Optional) Whether to explicitly allow the provider to perform "insecure" SSL requests. If omitted, the default value is false.
  • max_retries - (Optional) Maximum number of times an API call is retried when AWS throttles requests or you experience transient failures. The delay between the subsequent API calls increases exponentially. If omitted, the default value is 25. Can also be set using the environment variable AWS_MAX_ATTEMPTS and the shared configuration parameter max_attempts.
  • profile - (Optional) AWS profile name as set in the shared configuration and credentials files. Can also be set using either the environment variables AWS_PROFILE or AWS_DEFAULT_PROFILE.
  • region - (Optional) AWS region where the provider will operate. The region must be set. Can also be set with either the AWS_REGION or AWS_DEFAULT_REGION environment variables, or via a shared config file parameter region if profile is used. If credentials are retrieved from the EC2 Instance Metadata Service, the region can also be retrieved from the metadata.
  • retry_mode - (Optional) Specifies how retries are attempted. Valid values are standard and adaptive. Can also be configured using the AWS_RETRY_MODE environment variable or the shared config file parameter retry_mode.
  • s3_use_path_style - (Optional) Whether to enable the request to use path-style addressing, i.e., https://s3.amazonaws.com/BUCKET/KEY. By default, the S3 client will use virtual hosted bucket addressing, https://BUCKET.s3.amazonaws.com/KEY, when possible. Specific to the Amazon S3 service.
  • s3_eu_west_1_regional_endpoint - (Optional) Specifies whether S3 API calls in the eu-west-1 region use the legacy global endpoint or a regional endpoint. Valid values are legacy or regional. Can also be configured using the AWS_S3_eu_west_1_REGIONAL_ENDPOINT environment variable or the s3_eu_west_1_regional_endpoint shared config file parameter. Specific to the Amazon S3 service.
  • secret_key - (Optional) AWS secret key. Can also be set with the AWS_SECRET_ACCESS_KEY environment variable, or via a shared configuration and credentials files if profile is used. See also access_key.
  • shared_config_files - (Optional) List of paths to AWS shared config files. If not set, the default is [~/.aws/config]. A single value can also be set with the AWS_CONFIG_FILE environment variable.
  • shared_credentials_files - (Optional) List of paths to the shared credentials file. If not set and a profile is used, the default value is [~/.aws/credentials]. A single value can also be set with the AWS_SHARED_CREDENTIALS_FILE environment variable.
  • skip_credentials_validation - (Optional) Whether to skip credentials validation via the STS API. This can be useful for testing and for AWS API implementations that do not have STS available.
  • skip_metadata_api_check - (Optional) Whether to skip the AWS Metadata API check. Useful for AWS API implementations that do not have a metadata API endpoint. Setting to true prevents Terraform from authenticating via the Metadata API. You may need to use other authentication methods like static credentials, configuration variables, or environment variables.
  • skip_region_validation - (Optional) Whether to skip validating the region. Useful for AWS-like implementations that use their own region names or to bypass the validation for regions that aren't publicly available yet.
  • skip_requesting_account_id - (Optional) Whether to skip requesting the account ID. Useful for AWS API implementations that do not have the IAM, STS API, or metadata API. When set to true and not determined previously, returns an empty account ID when manually constructing ARN attributes with the following:
  • token - (Optional) Session token for validating temporary credentials. Typically provided after successful identity federation or Multi-Factor Authentication (MFA) login. With MFA login, this is the session token provided afterward, not the 6 digit MFA code used to get temporary credentials. Can also be set with the AWS_SESSION_TOKEN environment variable.
  • use_dualstack_endpoint - (Optional) Force the provider to resolve endpoints with DualStack capability. Can also be set with the AWS_USE_DUALSTACK_ENDPOINT environment variable or in a shared config file (use_dualstack_endpoint).
  • use_fips_endpoint - (Optional) Force the provider to resolve endpoints with FIPS capability. Can also be set with the AWS_USE_FIPS_ENDPOINT environment variable or in a shared config file (use_fips_endpoint).

assume_role Configuration Block

The assume_role configuration block supports the following arguments:

  • duration - (Optional) Duration of the assume role session. You can provide a value from 15 minutes up to the maximum session duration setting for the role. Represented by a string such as 1h, 2h45m, or 30m15s.
  • external_id - (Optional) External identifier to use when assuming the role.
  • policy - (Optional) IAM policy JSON that further restricts the permissions of the IAM role being assumed.
  • policy_arns - (Optional) Set of Amazon Resource Names (ARNs) of IAM policies that further restrict the permissions of the IAM role being assumed.
  • role_arn - (Required) ARN of the IAM Role to assume.
  • session_name - (Optional) Session name to use when assuming the role.
  • source_identity - (Optional) Source identity specified by the principal assuming the role.
  • tags - (Optional) Map of assume role session tags.
  • transitive_tag_keys - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.

assume_role_with_web_identity Configuration Block

The assume_role_with_web_identity configuration block supports the following arguments:

  • duration - (Optional) Duration of the assume role session. You can provide a value from 15 minutes up to the maximum session duration setting for the role. Represented by a string such as 1h, 2h45m, or 30m15s.
  • policy - (Optional) IAM policy JSON that further restricts the permissions of the IAM role being assumed.
  • policy_arns - (Optional) Set of Amazon Resource Names (ARNs) of IAM policies that further restrict the permissions of the IAM role being assumed.
  • role_arn - (Required) ARN of the IAM Role to assume. Can also be set with the AWS_ROLE_ARN environment variable.
  • session_name - (Optional) Session name to use when assuming the role. Can also be set with the AWS_ROLE_SESSION_NAME environment variable.
  • web_identity_token - (Optional) Value of a web identity token from an OpenID Connect (OIDC) or OAuth provider. One of web_identity_token or web_identity_token_file is required.
  • web_identity_token_file - (Optional) File containing a web identity token from an OpenID Connect (OIDC) or OAuth provider. One of web_identity_token_file or web_identity_token is required. Can also be set with the AWS_WEB_IDENTITY_TOKEN_FILE environment variable.

default_tags Configuration Block

Hands-on: Try the Configure Default Tags for AWS Resources tutorial.

Example: Resource with provider default tags

provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}

Outputs:

$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Test"
  "Name" = "Provider Tag"
})

Example: Resource with tags and provider default tags

provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
  tags = {
    Owner = "example"
  }
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}

Outputs:

$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Test"
  "Name" = "Provider Tag"
  "Owner" = "example"
})
vpc_resource_level_tags = tomap({
  "Owner" = "example"
})

Example: Resource overriding provider default tags

provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
  tags = {
    Environment = "Production"
  }
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}

Outputs:

$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Production"
  "Name" = "Provider Tag"
})
vpc_resource_level_tags = tomap({
  "Environment" = "Production"
})

The default_tags configuration block supports the following argument:

  • tags - (Optional) Key-value map of tags to apply to all resources.

ignore_tags Configuration Block

Example:

provider "aws" {
  ignore_tags {
    keys = ["TagKey1"]
  }
}

The ignore_tags configuration block supports the following arguments:

  • keys - (Optional) List of exact resource tag keys to ignore across all resources handled by this provider. This configuration prevents Terraform from returning the tag in any tags attributes and displaying any configuration difference for the tag value. If any resource configuration still has this tag key configured in the tags argument, it will display a perpetual difference until the tag is removed from the argument or ignore_changes is also used.
  • key_prefixes - (Optional) List of resource tag key prefixes to ignore across all resources handled by this provider. This configuration prevents Terraform from returning any tag key matching the prefixes in any tags attributes and displaying any configuration difference for those tag values. If any resource configuration still has a tag matching one of the prefixes configured in the tags argument, it will display a perpetual difference until the tag is removed from the argument or ignore_changes is also used.

Getting the Account ID

If you use either allowed_account_ids or forbidden_account_ids, Terraform uses several approaches to get the actual account ID in order to compare it with allowed or forbidden IDs.

Approaches differ per authentication providers:

  • EC2 instance w/ IAM Instance Profile - Metadata API is always used. Introduced in Terraform 0.6.16.
  • All other providers (environment variable, shared credentials file, ...) try three approaches in the following order:
    • iam:GetUser - Typically useful for IAM Users. It also means that each user needs to be permitted to call iam:GetUser on themselves.
    • sts:GetCallerIdentity - Should work for both IAM Users and federated IAM Roles; introduced in Terraform 0.6.16.
    • iam:ListRoles - Specifically useful for IdP-federated profiles, which cannot use iam:GetUser. It also means that each federated user needs to assume an IAM role that allows iam:ListRoles. Used in Terraform 0.6.16+. Before sts:GetCallerIdentity was introduced, there was no better way to get the account ID from the API for a federated account.
