Run the AWS CLI, with the ability to run under an assumed role, to access resources and properties missing from the Terraform AWS Provider.
This module requires a couple of additional tools to operate successfully.
-
Amazon Web Service Command Line Interface (
aws
) : This is available in several forms here. As the awscli tool gets updated regularly, any version 2 should be usable, but please try to keep as uptodate as the functionality included in later versions may be what you need when using this module. If you are not getting the functionality you require, please read the AWS CLI V2 Changelog to see if you are just needing to upgrade. -
JSON processor (
jq
) : This is available here. At least versionjq-1.5
is required but has been tested and actively used withjq-1.6
.
If you are using a blue/green style deployment, you would want to create the same number of EC2 instances as you are replacing.
module "current_desired_capacity" {
source = "digitickets/cli/aws"
role_session_name = "GettingDesiredCapacityFor${var.environment}"
aws_cli_commands = ["autoscaling", "describe-auto-scaling-groups"]
aws_cli_query = "AutoScalingGroups[?Tags[?Key==`Name`]|[?Value==`digitickets-${var.environment}-asg-app`]]|[0].DesiredCapacity"
}
You can now set the desired capacity of an aws_autoscaling_group:
desired_capacity = module.current_desired_capacity.result
Extending the first example above, assuming a role is as simple as adding an assume_role_arn
to the module:
module "current_desired_capacity" {
source = "digitickets/cli/aws"
assume_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/OrganizationAccountAccessRole"
role_session_name = "GettingDesiredCapacityFor${var.environment}"
aws_cli_commands = ["autoscaling", "describe-auto-scaling-groups"]
aws_cli_query = "AutoScalingGroups[?Tags[?Key==`Name`]|[?Value==`digitickets-${var.environment}-asg-app`]]|[0].DesiredCapacity"
}
Extending the example above, you can supply your own profile by adding a profile
to the module:
module "current_desired_capacity" {
source = "digitickets/cli/aws"
assume_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/OrganizationAccountAccessRole"
role_session_name = "GettingDesiredCapacityFor${var.environment}"
aws_cli_commands = ["autoscaling", "describe-auto-scaling-groups"]
aws_cli_query = "AutoScalingGroups[?Tags[?Key==`Name`]|[?Value==`digitickets-${var.environment}-asg-app`]]|[0].DesiredCapacity"
profile = "your-own-profile"
}
Extending the example above, you can supply your own external ID by adding an external_id
to the module:
module "current_desired_capacity" {
source = "digitickets/cli/aws"
assume_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/OrganizationAccountAccessRole"
role_session_name = "GettingDesiredCapacityFor${var.environment}"
aws_cli_commands = ["autoscaling", "describe-auto-scaling-groups"]
aws_cli_query = "AutoScalingGroups[?Tags[?Key==`Name`]|[?Value==`digitickets-${var.environment}-asg-app`]]|[0].DesiredCapacity"
profile = "your-own-profile"
external_id = "your-external-id"
}
Further information regarding the use of external IDs can be found here.
Name | Version |
---|---|
terraform | >= 1.6.0 |
external | ~> 2.0 |
local | ~> 2.0 |
Name | Version |
---|---|
external | 2.3.4 |
local | 2.5.2 |
No modules.
Name | Type |
---|---|
external_external.awscli_program | data source |
local_file.awscli_results_file | data source |
Name | Description | Type | Default | Required | Validation |
---|---|---|---|---|---|
alternative_path | Use an alternative path for all files produced internally | string |
"" |
no | None |
assume_role_arn | The ARN of the role being assumed (optional). The optional ARN must match the format documented in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html. |
string |
"" |
no | The optional ARN must match the format documented in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html. |
aws_cli_commands | The AWS CLI command, subcommands, and options. For options that can accept a value, then the following examples are both fine to use: 1. "--option", "value" 2. "--option=value" In the event that the value contains a space, it must be wrapped with quotes. 1. "--option", "'value with a space wrapped in single quotes'" 2. "--option='value with a space wrapped in single quotes'" |
list(string) |
n/a | yes | None |
aws_cli_query | The --query value for the AWS CLI call.The value for var.aws_cli_query is based upon JMESPath, and you can get good information from https://jmespath.org.If not supplied, then the entire results from the AWS CLI call will be returned. |
string |
"" |
no | None |
external_id | External id for assuming the role (optional). The length of optional external_id, when supplied, must be between 2 and 1224 characters. The optional external_id can only contain upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@- .The optional external_id match the regular expression ^[\w=,.@-]*$ . |
string |
"" |
no | The length of optional external_id, when supplied, must be between 2 and 1224 characters. The optional external_id must match the regular expression '^[\w=,.@-]*$'. |
profile | The specific AWS profile to use (must be configured appropriately and is optional). The optional profile must start with a letter and can only contain letters, numbers, hyphens, and underscores. |
string |
"" |
no | The optional profile must start with a letter and can only contain letters, numbers, hyphens, and underscores. |
region | The specific AWS region to use. The region must start with two letters representing the geographical area, followed by one or more letters or digits representing the specific region within that area. |
string |
"" |
no | The optional region must start with two letters representing the geographical area, followed by one or more letters or digits representing the specific region within that area. |
role_session_name | The role session name that will be used when assuming a role (optional) The length of the optional role session name, when supplied, must be between 2 and 64 characters. The optional role session name can only contain upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@- .The optional role session name match the regular expression ^[\w=,.@-]*$ .If the assume_role_arn is supplied, but the role_session_name is left empty, an internal default of "AssumingRole" will be used. |
string |
"" |
no | The length of the optional role session name, when supplied, must be between 2 and 64 characters. The role session name match the regular expression '^[\w=,.@-]*$'. |
Name | Description |
---|---|
result | The output of the AWS CLI command, if it can be JSON decoded |
result_raw | The raw, non JSON decoded output of the AWS CLI command |
result_was_decoded | Can the output from the AWS CLI command can be JSON decoded |
To help with getting this running in a pipeline that uses Docker, the image digiticketsgroup/terraforming has Terraform, AWSCLI, and jq all ready to go.
If you want to build or adapt your own image, then the Dockerfile below is how that image has been built.
# Based upon https://github.com/aws/aws-cli/blob/2.0.10/docker/Dockerfile
FROM amazonlinux:2 as installer
ARG TERRAFORM_VERSION
RUN yum update -y \
&& yum install -y unzip \
&& curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscli-exe-linux-x86_64.zip \
&& unzip awscli-exe-linux-x86_64.zip \
# The --bin-dir is specified so that we can copy the
# entire bin directory from the installer stage into
# into /usr/local/bin of the final stage without
# accidentally copying over any other executables that
# may be present in /usr/local/bin of the installer stage.
&& ./aws/install --bin-dir /aws-cli-bin/ \
&& curl "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o terraform.zip \
&& unzip terraform.zip
FROM amazonlinux:2
COPY --from=installer /usr/local/aws-cli/ /usr/local/aws-cli/
COPY --from=installer /aws-cli-bin/ /usr/local/bin/
COPY --from=installer terraform /usr/bin/
RUN yum update -y \
&& yum install -y less groff jq \
&& yum clean all
ENTRYPOINT ["/bin/sh"]