Removing aws_caller_identity
Affected versions
- Everyone that generated
config.tfbefore 07.11.2022
Rationale
- Removing
aws_caller_identitywill avoid cyclic dependencies - Adding
allowed_account_ids[]will ensure that IaC only will be applied against a set of account
Related issues
Manual upgrades
Changes to config.tf
Changes in all dev|prod/*/config.tf: add account_id in locals:
Before:
locals {
# Shared variables used by templates and modules:
team_name = "my-team"
environment = "my-team-dev"
region = "eu-west-1"
# Add your own configuration here:
}
After:
locals {
# Shared variables used by templates and modules:
team_name = "my-team"
environment = "my-team-dev"
region = "eu-west-1"
account_id = "1234567890"
# Add your own configuration here:
}
Changes to *.tf
Changes in dev|prod/*/*.tf: add allowed_account_ids in provider "aws" :
Before:
After:
Remove aws_caller_identity
All references to aws_caller_identity in all Terraform files should be
replaced with locals.account_id
Before:
data "aws_caller_identity" "current" {}
locals {
account_id = data.aws_caller_identity.current.account_id
# this leaves 25 characters for your environment before it is truncated
bucket_name = substr("ok-iac-config-${local.account_id}-${local.region}-${local.environment}", 0, 63)
common_tags = {
Team = local.team_name
Environment = local.environment
CreatedBy = "ok-golden-path"
}
}
After:
locals {
# this leaves 25 characters for your environment before it is truncated
bucket_name = substr("ok-iac-config-${local.account_id}-${local.region}-${local.environment}", 0, 63)
common_tags = {
Team = local.team_name
Environment = local.environment
CreatedBy = "ok-golden-path"
}
}
After upgrade
git grep aws_caller_identityshould result in a empty resultterraform planis only possible to do in the account specified bylocals.account_idterraform planis not showing any changes