feat: Add support for assuming an AWS IAM role from the provider. (#486)

This pull request proposes a solution for #263 --------- Co-authored-by: Cyril Gaudin <[email protected]>
cyrilgdn · Nov 7, 2024 · 95d8d6d · 95d8d6d
1 parent b202448
commit 95d8d6d
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 2 deletions.
diff --git a/postgresql/provider.go b/postgresql/provider.go
@@ -3,6 +3,8 @@ package postgresql
 import (
 	"context"
 	"fmt"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"os"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
@@ -90,6 +92,13 @@ func Provider() *schema.Provider {
 				Description: "AWS region to use for IAM auth",
 			},
 
+			"aws_rds_iam_provider_role_arn": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Default:     "",
+				Description: "AWS IAM role to assume for IAM auth",
+			},
+
 			"azure_identity_auth": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -227,7 +236,7 @@ func validateExpectedVersion(v interface{}, key string) (warnings []string, erro
 	return
 }
 
-func getRDSAuthToken(region string, profile string, username string, host string, port int) (string, error) {
+func getRDSAuthToken(region string, profile string, role string, username string, host string, port int) (string, error) {
 	endpoint := fmt.Sprintf("%s:%d", host, port)
 
 	ctx := context.Background()
@@ -246,6 +255,32 @@ func getRDSAuthToken(region string, profile string, username string, host string
 		return "", err
 	}
 
+	if role != "" {
+		stsClient := sts.NewFromConfig(awscfg)
+		roleInput := &sts.AssumeRoleInput{
+			RoleArn:         aws.String(role),
+			RoleSessionName: aws.String("TerraformPostgresqlProvider"),
+		}
+
+		roleOutput, err := stsClient.AssumeRole(ctx, roleInput)
+		if err != nil {
+			return "", fmt.Errorf("could not assume AWS role: %w", err)
+		}
+
+		awscfg, err = awsConfig.LoadDefaultConfig(ctx,
+			awsConfig.WithCredentialsProvider(
+				aws.NewCredentialsCache(credentials.NewStaticCredentialsProvider(
+					*roleOutput.Credentials.AccessKeyId,
+					*roleOutput.Credentials.SecretAccessKey,
+					*roleOutput.Credentials.SessionToken,
+				)),
+			),
+		)
+		if err != nil {
+			return "", fmt.Errorf("could not load AWS default config: %w", err)
+		}
+	}
+
 	token, err := auth.BuildAuthToken(ctx, endpoint, awscfg.Region, username, awscfg.Credentials)
 
 	return token, err
@@ -312,8 +347,9 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	if d.Get("aws_rds_iam_auth").(bool) {
 		profile := d.Get("aws_rds_iam_profile").(string)
 		region := d.Get("aws_rds_iam_region").(string)
+		role := d.Get("aws_rds_iam_provider_role_arn").(string)
 		var err error
-		password, err = getRDSAuthToken(region, profile, username, host, port)
+		password, err = getRDSAuthToken(region, profile, role, username, host, port)
 		if err != nil {
 			return nil, err
 		}

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -183,6 +183,7 @@ The following arguments are supported:
   from the environment (or the given profile, see `aws_rds_iam_profile`)
 * `aws_rds_iam_profile` - (Optional) The AWS IAM Profile to use while using AWS RDS IAM Auth.
 * `aws_rds_iam_region` - (Optional) The AWS region to use while using AWS RDS IAM Auth.
+* `aws_rds_iam_provider_role_arn` - (Optional) AWS IAM role to assume while using AWS RDS IAM Auth.
 * `azure_identity_auth` - (Optional) If set to `true`, call the Azure OAuth token endpoint for temporary token
 * `azure_tenant_id` - (Optional) (Required if `azure_identity_auth` is `true`) Azure tenant ID [read more](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config.html)