v6.1.0 - 2024/01/31

- Added testing for Terraform 1.7+ - FIX : If `var.profile` and `var.assume_role_arn` are used, then continuing to use `var.profile` invalidates the assumed role. The `aws_cli_runner.sh` now no longer uses `var.profile` when a role has been successfully assumed. Thank you [Garrett Blinkhorn](#11).
digitickets · Jan 31, 2024 · e5fc992 · e5fc992
1 parent c5afc98
commit e5fc992
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 4 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -9,7 +9,16 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        terraform_version: [1.6.6, 1.6.5, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6.0]
+        terraform_version:
+          - 1.7.1
+          - 1.7.0
+          - 1.6.6
+          - 1.6.5
+          - 1.6.4
+          - 1.6.3
+          - 1.6.2
+          - 1.6.1
+          - 1.6.0
 
     steps:
       - name: Checkout code
@@ -31,7 +40,7 @@ jobs:
           tests/tests.sh
 
       - name: Capture logs
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         if: always()
         with:
           name: logs-${{ matrix.terraform_version }}

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+# v6.1.0 - 2024/01/31
+- Added testing for Terraform 1.7+
+- FIX : If `var.profile` and `var.assume_role_arn` are used, then continuing to use `var.profile` invalidates the
+  assumed role. The `aws_cli_runner.sh` now no longer uses `var.profile` when a role has been successfully assumed.
+  Thank you [Garrett Blinkhorn](https://github.com/digitickets/terraform-aws-cli/issues/11).
+
 # v6.0.2 - 2024/01/31
 - FIX : Typo in `aws_cli_runner.sh` when running assuming a role. Thank you [Garrett Blinkhorn](https://github.com/digitickets/terraform-aws-cli/issues/11).
 

diff --git a/scripts/aws_cli_runner.sh b/scripts/aws_cli_runner.sh
@@ -95,6 +95,13 @@ if [ -n "${ASSUME_ROLE_ARN}" ]; then
   export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "$AWS_STS_JSON")
   export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "$AWS_STS_JSON")
   export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "$AWS_STS_JSON")
+
+  ### Having assumed a role, drop the profile as that will override any credentials retrieved by the assumed role when
+  ### reused as part of the AWS CLI call.
+  ### References :
+  ### 1. https://github.com/digitickets/terraform-aws-cli/issues/11 - Thank you Garrett Blinkhorn.
+  ### 2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#using-temp-creds-sdk-cli
+  unset AWS_CLI_PROFILE_PARAM
 fi
 
 # Do we have a query?

diff --git a/tests/common.sh b/tests/common.sh
@@ -137,7 +137,7 @@ function run_function() {
   fi
 }
 
-function  common_setup() {
+function common_setup() {
   TEST_PATH=$(dirname "${1}")
   TEST_NAME=$(basename "${TEST_PATH}")
 
@@ -190,7 +190,7 @@ function  common_setup() {
   export MODULE_TERRAFORM_AWS_CLI_RETAIN_LOGS=true
 }
 
-function  run_test() {
+function run_test() {
   if [ "${ALLOW_PLAN}" == "true" ]; then
     # Turn off coloured Terraform output (makes logs a little easier to read in an IDE)
     export TF_CLI_ARGS="-no-color"