How to use aws-iam-authenticator with remote Terraform Cloud Runs?

amazon-web-services terraform kubernetes amazon-iam

Terraform Cloud docs cover this, and it is not forbidden, but it is not exactly encouraged either. There are 2 methods mentioned in those docs, using a local-exec provisioner (the use of which is described as a "last resort" and potentially problematic), or using a submodule. The docs also mention that only "Standalone Binaries" should be used. Thankfully aws-iam-authenticator is indeed available as a static standalone binary for many systems. Unfortunately the documentation, beyond a mention of submodules, does not cover the steps needed to make this work.

Hopefully Hashicorp will provide a less hacky and more supported way to customize these environments in future, but until then...

First, we need a compatible binary, and although we do not know exactly what OS/Image is being run by the Terraform Cloud instances, we know from the documentation that it is Linux x86_64 compatible. Therefore, since the aws-iam-authenticator is available as a standalone static binary for Linux x86_64, what we need to do is introduce that binary into the environment, and then make it available to the instance generally (since we do not control how it is called specifically).

Terraform Cloud allows you to manipulate the environment variables, we can achieve this by manipulating the $PATH variable once we have the binary on the host. The simplest way to do this would be to just add the binary to the config inside a folder, however if you would like to use this for multiple configs without having to manage the binary separately in each (imagine having to update them all separately), I'd recommend doing this as a sub-module in your git repository.

Here's an example of a public repo containing the binary, you would add this to your repo as a submodule as follows:

git submodule add https://github.com/comerford/tc-tools.git

You can then commit/push as usual, making sure that your version control settings for your workspace are set to clone submodules as below:

submodule cloning enabled

Finally, to make sure that no matter how the binary is called that it works, you need to make the changes to the PATH environment variable so that it will see your new binary, but also not break anything. Here's the ENV variable that worked for me given the above submodule:

Working PATH Variable on Terraform Cloud

To give that string in a more usable format:

"~/tc-tools:/home/terraform/tc-tools:./tc-tools:/usr/bin:/usr/local/bin:/bin:$PATH"

It's taking a guess at the likely paths, and I am not 100% sure which one works because I didn't want to cause broken runs for the sake of a few characters.

Although this is specifically for the aws-iam-authenticator binary, it should work as a generic method for any such Linux x86_64 static binary that you happen to need.

Related

Unable to connect to the server: x509: certificate signed by unknown authority
Unable to run Wildfly 8.1.0 as Service on Windows Server 2012 - Extended Attributes are Inconsistent?
Why do Access Control Lists in IP forwarding use an Inverse Mask?
How to «leave» Google Cloud Platform project?
Block port on Docker containers using iptables
why is this DMARC failing verification?
Using PHPMailer on Hostgator (timeout when try to login into SMTP server)
AWS CLI copy life-cycle configuration between buckets
How to overcome the Weaker MD4 hash issue with samba
How do I set current Unix time in milliseconds?
Your request failed. Use a different payment method, or contact us. Learn more [OR-CCSEH-21] Google Cloud
Windows server 2016 Security Log - Remove extra description text?