Add support for AssumeRoleWithWebIdentity

[partcyborg]

Description

Add support for STS AssumeRoleWithWebIdentity.

Includes new config option iam_web_identity_token which takes either a WebIdentity token (designed to be passed in with get_env()), or a path to a file containing a WebIdentity token.

Fixes #2585.

TODOs

Read the Gruntwork contribution guidelines.

• Update the docs.
• Run the relevant tests successfully, including pre-commit checks.
• Ensure any 3rd party code adheres with our license policy or delete this line if its not applicable.
• Include release notes. If this PR is backward incompatible, include a migration guide.

Release Notes (draft)

Added attribute iam_web_identity_token to support AssumeRoleWithWebIdentity

Migration Guide

[partcyborg]

FYI: I also tested this using gitlab's OIDC integration and it worked correctly, both with iam_web_identity_token set to the value of a token (using get_env()) and with it set to the path to a token on disk.

[partcyborg]

Sorry, I have no idea how this got closed. I certainly did not intend to.

[denis256]

aws_helper/config.go:5:2: SA1019: "io/ioutil" has been deprecated since Go 1.19: As of Go 1.16, the same functionality is now provided by package [io] or package [os], and those implementations should be preferred in new code. See the specific function documentation for details. (staticcheck)
        "io/ioutil"
        ^

[partcyborg]

aws_helper/config.go:5:2: SA1019: "io/ioutil" has been deprecated since Go 1.19: As of Go 1.16, the same functionality is now provided by package [io] or package [os], and those implementations should be preferred in new code. See the specific function documentation for details. (staticcheck)
        "io/ioutil"
        ^

Thanks for the review! I have replaced calls to ioutil.ReadFile with calls to os.ReadFile.

[partcyborg]

@denis256 any chance I could get a followup review? I addressed the comments you left previously. Thanks in advance!

[denis256]

Hi,
returning to this PR, looks like there are conflicts with master

cli/app_test.go
cli/commands/flags.go

[partcyborg]

Hi @denis256 thanks for picking this up again.

I have resolved the merge conflicts (and updated the new flag name per the new naming convention).

Please take another look.

[partcyborg]

Synced this branch against master again, resolving a small merge conflict.

Hey @denis256 I would really appreciate a followup review so I don't have to keep checking syncing this to avoid merge conflicts. Please and thank you!

[denis256]

I think else is not required since return is used

[partcyborg]

Thanks for the review. I have removed the unnecessary else clause

[denis256]

It is possible to implement integration tests to track that this functionality will work over time?

[partcyborg]

It is possible to implement integration tests to track that this functionality will work over time?

Yes, depending on your CI environment. For example, we will be using this functionality to replace shell script calls to aws sts assume-role-with-web-identity in our CI/CD environment.

Do you have integration tests for the current iam_role functionality? I would happily modify them for this, but I don't see anything in the repo that uses it.

In order to do this, you need to

• Setup an AWS IAM OpenID Connect provider in the account
• Setup an IAM role for your terragrunt to execute under
• Grant AssumeRole permission to the OpenID Connect provider using an AssumeRolePolicyDocument entry that looks like this

{
    "Effect": "Allow",
    "Principal": {
        "Federated": "arn:aws:iam::<account>:oidc-provider/<name>"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringLike": {
            "<OIDC provider>:sub": "<repo path from your provider documentation>"
        }
    }
}

Then point iam_role at the above IAM role, and iam_web_identity_token at the either environment variable or filepath provided by the provider.

Here are the docs for setting this up in gitlab: https://docs.gitlab.com/ee/ci/cloud_services/aws/

Here are the docs for setting this up in github: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

Here are the docs for setting this up in circleci: https://circleci.com/docs/openid-connect-tokens/

[sonarcloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.1% Duplication on New Code

See analysis details on SonarCloud

[denis256]

Hello,
then this PR should be extended with integration tests which will use AssumeRoleWithWebIdentity, in the minimal implementation, required IAM role can be read from environment variables, similar to TestTerragruntAssumeRoleDuration.

In CircleCI we can add later required env variable.

[yhakbar]

To be clear, @partcyborg , we don't need these tests to be running in our CircleCI configuration for this pull request.

This integration test only has to work in the context of your CI system. Run it there, show the configurations you used (masking any account identifiers, etc), and share the test output with us so that we can consider this functionality tested.

They should require the minimum set of dependencies like an environment variable and an IAM role. It should also be accompanied with example CI setups in the docs that we can share with the community.

Once we have these, we can independently verify the tests, then merge this PR. In a subsequent PR, we can setup the integration tests into the CI configurations for this repository.

[partcyborg]

To be clear, @partcyborg , we don't need these tests to be running in our CircleCI configuration for this pull request.

This integration test only has to work in the context of your CI system. Run it there, show the configurations you used (masking any account identifiers, etc), and share the test output with us so that we can consider this functionality tested.

They should require the minimum set of dependencies like an environment variable and an IAM role. It should also be accompanied with example CI setups in the docs that we can share with the community.

Once we have these, we can independently verify the tests, then merge this PR. In a subsequent PR, we can setup the integration tests into the CI configurations for this repository.

Thanks for the more detailed explanation @yhakbar

Just to be sure I understand, you want me to

• Create a new integration test (in the test directory) that makes use of iam_role with iam_web_identity_token
• Setup a CI pipeline in our CI infrastructure that runs this test

Is this correct?