# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# No region or credentials are pinned here; the provider picks them up from
# the environment of whatever applies this configuration.
provider "aws" {}

# Fetch the TLS certificate chain presented by the HCP Terraform / Terraform
# Cloud hostname so that a fingerprint from it can be registered with IAM.
#
# https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate
data "tls_certificate" "tfc_certificate" {
  url = "https://${var.tfc_hostname}"
}

# Register HCP Terraform as an OIDC identity provider in this account. Only
# tokens whose audience claim equals var.tfc_aws_audience are accepted by IAM
# for this provider.
#
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider
resource "aws_iam_openid_connect_provider" "tfc_provider" {
  # certificates[0] is the first entry of the chain the data source returned.
  # NOTE(review): the tls provider documents the chain as root-first, so this
  # appears to pin the root CA fingerprint - re-verify against the provider
  # docs if the issuing chain for the hostname ever changes.
  thumbprint_list = [data.tls_certificate.tfc_certificate.certificates[0].sha1_fingerprint]
  client_id_list  = [var.tfc_aws_audience]
  url             = data.tls_certificate.tfc_certificate.url
}

# IAM role assumed by HCP Terraform runs. The trust policy ties the role to a
# single organization/project/workspace through the token's `sub` claim and to
# the expected audience through `aud`; both conditions are needed so that a
# token minted for another workspace (or for another relying party) cannot
# assume this role. `run_phase:*` accepts plan and apply tokens alike; use two
# roles if plans should run with narrower permissions than applies.
#
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
resource "aws_iam_role" "tfc_role" {
  # one() requires client_id_list to hold exactly one element, which is
  # guaranteed by the provider definition above.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "${aws_iam_openid_connect_provider.tfc_provider.arn}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${var.tfc_hostname}:aud": "${one(aws_iam_openid_connect_provider.tfc_provider.client_id_list)}"
        },
        "StringLike": {
          "${var.tfc_hostname}:sub": "organization:${var.tfc_organization_name}:project:${var.tfc_project_name}:workspace:${var.tfc_workspace_name}:run_phase:*"
        }
      }
    }
  ]
}
EOF
  name               = "tfc-role"
}

# Permissions the role carries once assumed. The single s3:ListBucket grant on
# "*" is a placeholder for the example; replace it with the actions and
# resource ARNs the workspace actually needs.
#
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
resource "aws_iam_policy" "tfc_policy" {
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}
EOF
  description = "TFC run policy"
  name        = "tfc-policy"
}

# Bind the permissions policy to the run role.
#
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
resource "aws_iam_role_policy_attachment" "tfc_policy_attachment" {
  policy_arn = aws_iam_policy.tfc_policy.arn
  role       = aws_iam_role.tfc_role.name
}
上記のコードは、AWS IAM ロールとポリシーを作成し、HCP Terraform のワークスペースに関連付ける例です。 この IAM ロールを実行時に利用するには、次のように、ワークスペースに環境変数 TFC_AWS_PROVIDER_AUTH と TFC_AWS_RUN_ROLE_ARN を設定する必要があります。
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

provider "tfe" {
  hostname = var.tfc_hostname
}

# Look up the existing project that the workspace will be created under.
#
# https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/project
data "tfe_project" "tfc_project" {
  organization = var.tfc_organization_name
  name         = var.tfc_project_name
}

# Workspace whose runs authenticate to AWS through workload identity, with the
# permissions defined by the AWS policy attached to the run role.
#
# https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/workspace
resource "tfe_workspace" "my_workspace" {
  project_id   = data.tfe_project.tfc_project.id
  organization = var.tfc_organization_name
  name         = var.tfc_workspace_name
}

# Both environment variables below are required for runs to obtain AWS
# credentials.
#
# https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable
resource "tfe_variable" "enable_aws_provider_auth" {
  description  = "Enable the Workload Identity integration for AWS."
  category     = "env"
  value        = "true"
  key          = "TFC_AWS_PROVIDER_AUTH"
  workspace_id = tfe_workspace.my_workspace.id
}

# The role ARN is not a secret on its own: what restricts who may assume the
# role is the trust policy on the AWS side, which is scoped to this workspace.
resource "tfe_variable" "tfc_aws_role_arn" {
  description  = "The AWS role arn runs will use to authenticate."
  category     = "env"
  value        = aws_iam_role.tfc_role.arn
  key          = "TFC_AWS_RUN_ROLE_ARN"
  workspace_id = tfe_workspace.my_workspace.id
}

# The following variables are optional; uncomment the ones you need!

# resource "tfe_variable" "tfc_aws_audience" {
#   workspace_id = tfe_workspace.my_workspace.id
#   key          = "TFC_AWS_WORKLOAD_IDENTITY_AUDIENCE"
#   value        = var.tfc_aws_audience
#   category     = "env"
#   description  = "The value to use as the audience claim in run identity tokens"
# }

# The following is an example of the naming format used to define variables for
# additional configurations. Additional required configuration values must also
# be supplied in this same format, as well as any desired optional configuration
# values.
#
# Additional configurations can be used to uniquely authenticate multiple aliases
# of the same provider in a workspace, with different roles/permissions in different
# accounts or regions.
#
# See https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/specifying-multiple-configurations
# for more details on specifying multiple configurations.
#
# See https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/aws-configuration#specifying-multiple-configurations
# for specific requirements and details for the AWS provider.

# resource "tfe_variable" "enable_aws_provider_auth_other_config" {
#   workspace_id = tfe_workspace.my_workspace.id
#   key          = "TFC_AWS_PROVIDER_AUTH_other_config"
#   value        = "true"
#   category     = "env"
#   description  = "Enable the Workload Identity integration for AWS for an additional configuration named other_config."
# }