Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Getting IAM username in terraform

Tags:

amazon-web-services

amazon-ec2

terraform

We have many IAM users, all creating self-serve infrastructure on EC2 using Terraform. Users don't necessarily set the key for their instances, so it's hard to tie an instance to a particular user. I realize we could dig through CloudTrail to find out which users are creating instances, but it seems like it would be simpler to tag the instances with the current IAM username.

The problem is Terraform doesn't appear to expose this - I can use aws_caller_identity or aws_canonical_user_id, but they both appear to return the organization account, not the specific IAM username. Is there a data source in Terraform that will return the IAM user creating the instances?

like image 339
alanctgardner Avatar asked Feb 18 '17 03:02

alanctgardner

1 Answers

It looks like aws_caller_identity doesn't actually call the STS GetCallerId endpoint which would be able to provide the information you need - specifically the UserId and the Arn of the user running the command.

Instead it takes the simpler option and simply uses the accountid that the AWS client has already defined and simply returns that.

So you have a couple of options here. You could raise a pull request to have the aws_caller_identity data source actually call the STS GetCallerId endpoint or you could shell out using a local provisioner and use that to tag your resources.

Obviously if people are writing Terraform to directly use the raw resources that Terraform provides then you can't really enforce this other than having something kill anything that's not tagged but that still leaves the issue of people tagging things using someone else's UserId or Arn.

If instead you have a bunch of modules that people then source to use those instead then you could do something ugly like this in the modules that create the EC2 instances:

resource "aws_instance" "instance" {
    ami = "ami-123456"
    instance_type = "t2.micro"
    tags {
        Name = "HelloWorld"
    }
    lifecycle {
        ignore_changes = [ "tags.Owner" ]
    }
    provisioner "local-exec" {
        command = <<EOF
owner=`aws sts get-caller-identity --output text --query 'Arn' | cut -d"/" -f2`
aws ec2 create-tags --resources ${self.id} --tags Key=Owner,Value=$${owner}
EOF
    }
}

The above Terraform will create an EC2 instance as normal but then ignore the "Owner" tag. After creating the instance it will run a local shell script that fetches the IAM account name/role for the user and then create an "Owner" tag for the instance using that value.

like image 196
ydaetskcoR Avatar answered Oct 09 '22 08:10

ydaetskcoR
Sign in to Comment

Related questions

Is Mutual auth with aws api gateway possible?
Sign API Gateway Request With AWS SDK
AWS Elastic BeansTalk Django cronjob post request returning 403 error
AWS SNS not sending Subscription Confirmation
high cpu in redis 2.8 (elasticache) cache.r3.large
java : Use Server-Side Encryption in Amazon S3 using vfs s3 plugin
How to use AWS roles with Packer to create AMIs
AttributeError: 'module' object has no attribute 'sslwrap'
Amazon S3 hardcode my bucket URL
Can not connect web socket with javascript
AWS Lambda and MongoDB
How to make AWS Lambda stop execution?
Using aws credentials profiles with spark scala app
How can I edit a phone number of a user in user pool of `AWS cognito` before the user is authenticated?
Create api-gateway lambda integration using aws-cli
Limit TCP connections to target behind AWS Application Load Balancer
AWS Lambda and Gateway API Integration, returns status code 500
Serverless compute on Windows in AWS
kerberos authentication in lambda function
aws s3 buckets are not showing on web console

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!