# Terraform

# Working with AWS SSO

Terraform does not yet support AWS SSO authentication. The current workaround I've found is to use the aws_sso module (from aws-sso-credential-provider) after logging in to AWS with your usual .aws/config profile setup:

Example .aws/config:

```ini
[personal]
region = eu-west-1
output = json
user = pascal

[profile sandbox]
account = 123455678
profile = personal
sso_start_url = https://123456789.awsapps.com/start#/
sso_region = eu-west-1
sso_account_id = 123455678
sso_role_name = AWSAdministratorAccess
```

First, install aws-sso-credential-provider:

```sh
pip install aws-sso-credential-provider -U
```

I've written a script that runs both authentication steps (the AWS CLI SSO login and the aws_sso credential exchange) when called through an alias.

Create a file tools/aws-sso-login.sh:

```bash
#!/bin/bash
# Meant to be sourced (see the alias below), so the exports land in the
# calling shell. Usage: . aws-sso-login.sh <sso-profile> <region>

if [ $# -ne 2 ]; then
  echo "usage: aws-sso-login <sso-profile> <region>" >&2
  return 1
fi

export AWS_PROFILE="$1"

# Interactive SSO login for the profile defined in ~/.aws/config
aws configure sso --profile "$AWS_PROFILE"

# Exchange the SSO session for credentials via aws-sso-credential-provider
python -m aws_sso -p "$AWS_PROFILE"

# Switch back to the default profile so Terraform picks up the exchanged credentials
export AWS_PROFILE="default"
export AWS_DEFAULT_REGION="$2"
```

Add an alias that sources the script, so its exported variables apply to your current shell, to your preferred shell profile, e.g. ~/.zshrc:

```sh
alias aws-sso-login=". ~/tools/aws-sso-login.sh"
```

Finally, call the alias with the SSO profile and region to authenticate:

```sh
aws-sso-login sandbox eu-west-1
```

# Filter list

This is for when you have multiple lists and need to match a name to an id. In this example, I needed to build two separate lists of account ids under the Organization by matching on the account name, which encodes the account type.

```hcl
data "aws_organizations_organization" "org" {
  provider = aws.core
}

locals {
  # Account names containing the type marker. Note that regexall takes a regex,
  # not a glob: the original patterns "traditional*" / "native*" also matched
  # "traditiona" / "nativ", so the trailing "*" is dropped here.
  traditional_names = [for i in data.aws_organizations_organization.org.accounts[*].name : i if length(regexall("traditional", i)) > 0]
  native_names      = [for i in data.aws_organizations_organization.org.accounts[*].name : i if length(regexall("native", i)) > 0]

  # matchkeys(values, keys, searchset): keep each id whose parallel name is in the name list
  traditional_ids = matchkeys(data.aws_organizations_organization.org.accounts[*].id, data.aws_organizations_organization.org.accounts[*].name, local.traditional_names)
  native_ids      = matchkeys(data.aws_organizations_organization.org.accounts[*].id, data.aws_organizations_organization.org.accounts[*].name, local.native_names)
}
```
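The same name-to-id filtering done with a single `for` expression per group, as an added example that is not part of the original notes. `local.accounts` is a constructed stand-in for `data.aws_organizations_organization.org.accounts` so the file evaluates offline without a provider; the `check` block assumes Terraform 1.5 or later.

```hcl
locals {
  # Constructed sample data standing in for the organizations data source
  accounts = [
    { name = "traditional-prod", id = "111111111111" },
    { name = "traditional-dev",  id = "222222222222" },
    { name = "native-prod",      id = "333333333333" },
    { name = "shared-logging",   id = "444444444444" },
  ]

  # Filter ids directly instead of going through a name list plus matchkeys.
  # The pattern is anchored so a name merely containing the marker elsewhere
  # is not classified by accident.
  traditional_ids = [for a in local.accounts : a.id if can(regex("^traditional", a.name))]
  native_ids      = [for a in local.accounts : a.id if can(regex("^native", a.name))]

  # Accounts that match neither prefix. Surfacing these is the edge case the
  # two-list approach silently drops.
  unclassified = [for a in local.accounts : a.name
    if !can(regex("^(traditional|native)", a.name))]

  # name => id map for when a later resource needs one specific account
  ids_by_name = { for a in local.accounts : a.name => a.id }
}

output "traditional_ids" { value = local.traditional_ids }
output "native_ids"      { value = local.native_ids }
output "unclassified"    { value = local.unclassified }

# Warn at plan time (check blocks do not fail the run) when an account fell
# through the classification. With the sample data above this warns about
# "shared-logging".
check "all_accounts_classified" {
  assert {
    condition     = length(local.unclassified) == 0
    error_message = "Unclassified accounts: ${join(", ", local.unclassified)}"
  }
}
```

Run `terraform init` and `terraform plan` in a directory containing only this file to see the outputs and the warning.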