providers.tf
# Default (un-aliased) provider. It runs with the credentials of the
# caller and is the identity used to assume the roles configured in the
# aliased providers. It is also used to assume the roles required to
# access remote state in the Terraform backend.
#
# NOTE(review): every assume_role in this file starts from this
# identity, so the caller must be permitted to assume each target role.
# Those grants are not visible here; confirm they are limited to the
# roles this project actually needs.
provider "aws" {
  region = var.aws_region

  default_tags {
    tags = var.tags
  }
}
# Provider that assumes the ACM role in order to modify certificate
# resources.
#
# The role ARN comes from an aws_iam_role resource referenced in this
# configuration rather than from remote state.
# NOTE(review): a provider configured from a managed resource can only
# be used once that role exists; verify first-apply ordering.
provider "aws" {
  alias  = "acmresourcechange"
  region = var.aws_region

  assume_role {
    role_arn = aws_iam_role.acmresourcechange_role.arn
    # The session name is recorded with the assumed-role session, which
    # lets audit logs tie changes back to whoever ran Terraform.
    # presumably local.caller_user_name is the caller's IAM user name;
    # confirm it always satisfies the STS session-name constraints.
    session_name = local.caller_user_name
  }

  default_tags {
    tags = var.tags
  }
}
# Provider used to create new public hosted zones.
#
# NOTE(review): the role ARN is read verbatim from the "dns" remote
# state outputs, so whoever can write that state decides which role
# this provider assumes. Confirm the state backend is access-controlled.
provider "aws" {
  alias  = "dnsprovisionaccount"
  region = var.aws_region

  assume_role {
    role_arn = data.terraform_remote_state.dns.outputs.provisionaccount_role.arn
    # Session name carries the caller's identity into the assumed-role
    # session so that actions can be attributed in audit logs.
    session_name = local.caller_user_name
  }

  default_tags {
    tags = var.tags
  }
}
# Provider used to look up account IDs. See locals.
#
# NOTE(review): the role name suggests read-only access to AWS
# Organizations, but its policy is defined outside this file; confirm
# it grants no write permissions. The ARN itself is taken from the
# "master" remote state outputs.
provider "aws" {
  alias  = "organizationsreadonly"
  region = var.aws_region

  assume_role {
    role_arn = data.terraform_remote_state.master.outputs.organizationsreadonly_role.arn
    # Session name carries the caller's identity into the assumed-role
    # session so that lookups can be attributed in audit logs.
    session_name = local.caller_user_name
  }

  default_tags {
    tags = var.tags
  }
}
# Provider that assumes the newly-created role in order to modify zone
# resources.
#
# The role ARN comes from an aws_iam_role resource referenced in this
# configuration rather than from remote state.
# NOTE(review): a provider configured from a managed resource can only
# be used once that role exists; verify first-apply ordering.
provider "aws" {
  alias  = "route53resourcechange"
  region = var.aws_region

  assume_role {
    role_arn = aws_iam_role.route53resourcechange_role.arn
    # Session name carries the caller's identity into the assumed-role
    # session so that zone changes can be attributed in audit logs.
    session_name = local.caller_user_name
  }

  default_tags {
    tags = var.tags
  }
}
# Provider used to create the role that allows read-only access to this
# project's Terraform state in the Terraform account.
#
# NOTE(review): the role ARN is read verbatim from the "terraform"
# remote state outputs, so whoever can write that state decides which
# role this provider assumes. Confirm the state backend is
# access-controlled.
provider "aws" {
  alias  = "terraformprovisionaccount"
  region = var.aws_region

  assume_role {
    role_arn = data.terraform_remote_state.terraform.outputs.provisionaccount_role.arn
    # Session name carries the caller's identity into the assumed-role
    # session so that role creation can be attributed in audit logs.
    session_name = local.caller_user_name
  }

  default_tags {
    # The Terraform read role can read the state from any workspace, so
    # a "Workspace" tag on it would be meaningless.
    #
    # The tag would also flip back and forth whenever one switches
    # between staging and production, producing spurious diffs.
    #
    # Every tag except "Workspace" is passed through unchanged.
    tags = {
      for tag_key, tag_value in var.tags :
      tag_key => tag_value if tag_key != "Workspace"
    }
  }
}