In landingzone environment i have multiple OU. I have github action workflow and it is authenticated using OIDC. There is no issue with authentication between AWS and github. I also have terraform to deploy resources. I have one requirement to delete default vpc from each member accounts from the landing zone.
Terraform
resource "null_resource" "assume_role" {
provisioner "local-exec" {
command = <<EOT
set -e
ROLE_ARN="arn:aws:iam::12345678:role/OrganizationAccountAccessRole"
eval $(aws sts assume-role --role-arn $ROLE_ARN --role-session-name delete_vpc_session | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=(.AccessKeyId)nexport AWS_SECRET_ACCESS_KEY=(.SecretAccessKey)nexport AWS_SESSION_TOKEN=(.SessionToken)n"')
chmod +x delete_default_vpc.sh
./delete_default_vpc.sh
EOT
environment = {
AWS_ACCESS_KEY_ID = var.aws_access_key_id
AWS_SECRET_ACCESS_KEY = var.aws_secret_access_key
AWS_SESSION_TOKEN = var.aws_session_token
}
}
}
GihubAction workflow
name: Delete Default VPC
on:
workflow_dispatch:
jobs:
delete-default-vpc:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Configure AWS credentials using OIDC
id: aws-credentials
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: ${{ secrets.AWS_PIPELINE_ROLE_ARN_ABC }}
role-session-name: aws_oidc
aws-region: us-east-1
- name: oide test
uses: actions/github-script@v6
id: script
timeout-minutes: 10
with:
debug: true
script: |
const token = process.env['ACTIONS_RUNTIME_TOKEN']
const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
core.setOutput('TOKEN', token.trim())
core.setOutput('IDTOKENURL', runtimeUrl.trim())
- name: oidc run
run: |
IDTOKEN=$(curl -H "Authorization: bearer ${{ steps.script.outputs.TOKEN }}" ${{ steps.script.outputs.IDTOKENURL }} -H "Accept: application/json; api-version=2.0" -H "Content-Type: application/json" -d "{}" | jq -r '.value')
echo $IDTOKEN
jwtd() {
if [[ -x $(command -v jq) ]]; then
jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< "${1}"
echo "Signature: $(echo "${1}" | awk -F'.' '{print $3}')"
fi
}
jwtd $IDTOKEN
echo "idToken=${IDTOKEN}" >> $GITHUB_OUTPUT
id: tokenid
- name: Set AWS environment variables
run: |
echo "TF_VAR_aws_access_key_id=${{ steps.aws-credentials.outputs.AWS_ACCESS_KEY_ID }}" >> $GITHUB_ENV
echo "TF_VAR_aws_secret_access_key=${{ steps.aws-credentials.outputs.AWS_SECRET_ACCESS_KEY }}" >> $GITHUB_ENV
echo "TF_VAR_aws_session_token=${{ steps.aws-credentials.outputs.AWS_SESSION_TOKEN }}" >> $GITHUB_ENV
- name: Terraform Init
run: terraform init
- name: Terraform Plan
run: terraform plan
- name: Terraform Apply
run: terraform apply --auto-approve
The error i am getting
terraform apply --auto-approve
shell: /usr/bin/bash -e {0}
env:
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
AWS_SESSION_TOKEN: ***
TF_VAR_aws_access_key_id:
TF_VAR_aws_secret_access_key:
TF_VAR_aws_session_token:
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# null_resource.assume_role will be created
+ resource "null_resource" "assume_role" {
+ id = (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
null_resource.assume_role: Creating...
null_resource.assume_role: Provisioning with 'local-exec'...
null_resource.assume_role (local-exec): Executing: ["/bin/sh" "-c" " set -en ROLE_ARN="arn:aws:iam::12345678:role/OrganizationAccountAccessRole"n eval $(aws sts assume-role --role-arn $ROLE_ARN --role-session-name delete_vpc_session | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"')n chmod +x delete_default_vpc.shn ./delete_default_vpc.shn"]
null_resource.assume_role (local-exec): Unable to locate credentials. You can configure credentials by running "aws configure".
null_resource.assume_role (local-exec): Unable to locate credentials. You can configure credentials by running "aws configure".
null_resource.assume_role: Creation complete after 2s
Apply complete! Resources: 1 added, 0 changed, 0 destroyed
This is the role “OrganizationAccountAccessRole” I want to use because this role is available in all member accounts. AWS_PIPELINE_ROLE_ARN_ABC role is used to communicate with AWS.
I tried to use below inside terraform null_resources
eval $(aws sts assume-role --role-arn $ROLE_ARN --role-session-name delete_vpc_session | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=(.AccessKeyId)nexport AWS_SECRET_ACCESS_KEY=(.SecretAccessKey)nexport AWS_SESSION_TOKEN=(.SessionToken)n"')
But I was getting error. Expected result would to use OrganizationAccountAccessRole to delete vpc from all member account in AWS landingzone
New contributor
user24607112 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.