AWS Assume Role Plugin

There are cases when an AWS IAM role needs to be assumed before a tool runs, and the org.ysb33r.iac.aws.assumerole plugin exists for that purpose.

Although this plugin can be used to assume a role before Terraform or OpenTofu starts, it is not recommended. It is better to use the assume_role functionality built into the S3 backend, the AWS provider and the terraform_remote_state data resource, so that each component assumes only the role it needs.
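As an added illustration of that recommended alternative (not part of this plugin's documentation), the following Terraform configuration lets the S3 backend, the AWS provider and a terraform_remote_state data source each assume a role themselves; all ARNs, bucket names and state keys are placeholders, and the nested assume_role attribute on the S3 backend assumes Terraform 1.6+ or OpenTofu.

```hcl
# Added example (not from the plugin docs): role assumption handled by Terraform itself.
# All ARNs, bucket names and keys below are placeholders.
terraform {
  backend "s3" {
    bucket = "example-tfstate-bucket"
    key    = "app/terraform.tfstate"
    region = "us-east-1"
    # Nested assume_role attribute (Terraform 1.6+ / OpenTofu); older Terraform
    # versions used a top-level role_arn instead.
    assume_role = {
      role_arn     = "arn:aws:iam::111111111111:role/ExampleStateRole"
      session_name = "terraform-state"
    }
  }
}

provider "aws" {
  region = "us-east-1"
  # The deploy role is separate from the state role, so the credentials used to
  # change infrastructure cannot also rewrite the state bucket.
  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/ExampleDeployRole"
    session_name = "terraform-deploy"
    # Short session lifetime limits how long leaked temporary credentials stay valid.
    duration     = "15m"
  }
}

# Read another workspace's state with a third, read-only role.
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-tfstate-bucket"
    key    = "network/terraform.tfstate"
    region = "us-east-1"
    assume_role = {
      role_arn     = "arn:aws:iam::111111111111:role/ExampleStateReadRole"
      session_name = "terraform-remote-state"
    }
  }
}
```

Each session name shows up in CloudTrail, which makes it possible to tell state access, deployments and remote-state reads apart when auditing the assumed roles.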

If you nevertheless need to use this plugin with Terraform or OpenTofu, you can do the following.

import org.ysb33r.gradle.iac.aws.secrets.AwsAssumeRoleSecrets

terraform {
  secrets {
    awsAcct1(AwsAssumeRoleSecrets) {
      useAccessKeyId('1234567890')  (1)
      useSecretAccessKey('abcdefghijklmn')

      useRoleArn('arn:.......')
      useRegion('us-east-1')
      durationSeconds = 240
    }
  }
  sourceSets {
    main {
      fromSecretsProvider(terraform.secrets.awsAcct1) (2)
    }
  }

  backends {  (3)
    s3(S3Backend) {
      fromSecretsProvider(terraform.secrets.awsAcct1)
    }
  }
}
1 Credentials can also be read from secrets providers.
2 Places the correct environment variables in the environment at the time the tool executes.
3 If you are using the S3 backend for remote state, you can pass the same credentials to the backend.

The above example is for Terraform; for OpenTofu, replace terraform with opentofu (both in the outer block and in the terraform.secrets.awsAcct1 references).

The API for this class is AwsAssumeRoleSecrets.

For other uses you can instantiate the class directly through Gradle's ObjectFactory, passing the class and then the constructor arguments:

// The first argument to newInstance is the class to create; the name that follows is
// assumed here to be the constructor argument the secrets object expects.
final awsSecrets = project.objects.newInstance(AwsAssumeRoleSecrets, 'my-aws-secrets')