Merge pull request #191 from cloud-neutral-toolkit/codex/fix-iam-role-assumption-error-in-terraform

Allow skipping AWS assume role when already using deploy role
2025-12-12 09:30:48 +08:00 · 2025-12-12 09:30:48 +08:00 · 2100b786f4
commit 2100b786f4
parent 5e4bec6b74 8d9812baf4
2 changed files with 18 additions and 1 deletions
--- a/iac-template/terraform-hcl-standard/aws-cloud/README.md
+++ b/iac-template/terraform-hcl-standard/aws-cloud/README.md
@ -19,6 +19,16 @@ Both modules can be run independently.

 Terraform reads AWS credentials through the standard AWS credential chain. You may use either A or B.

+If your shell or CI job is **already running under the target IAM role**, set
+`AWS_CLOUD_SKIP_ASSUME_ROLE=true` before rendering/running Terraform to avoid a
+nested `AssumeRole` call:
+
+```
+export AWS_CLOUD_SKIP_ASSUME_ROLE=true
+```
+
+This prevents errors like `AccessDenied` when re-assuming the same deploy role.
+
 ### A. Environment Variables (recommended for local / CI)

 ```
--- a/iac-template/terraform-hcl-standard/aws-cloud/render_provider_backend.py
+++ b/iac-template/terraform-hcl-standard/aws-cloud/render_provider_backend.py
@ -19,11 +19,18 @@ sys.path.append(str(PROJECT_ROOT / "utils"))
 from config_loader import load_merged_config  # noqa: E402


+def _should_skip_assume_role() -> bool:
+    flag = os.environ.get("AWS_CLOUD_SKIP_ASSUME_ROLE", "").strip().lower()
+    return flag in {"1", "true", "yes", "y"}
+
+
 def build_provider_config(module_name: str, module_config: Dict, account_config: Dict, defaults: Dict) -> Dict:
    region = module_config.get("region") or account_config.get("region")
    if not region:
        raise ValueError(f"Region is required for module {module_name}")

+    assume_role_arn = None if _should_skip_assume_role() else account_config.get("role_to_assume")
+
    return {
        "terraform": {
            "required_version": module_config.get("terraform_required_version")
@ -33,7 +40,7 @@ def build_provider_config(module_name: str, module_config: Dict, account_config:
        },
        "region": region,
        "assume_role_arn": module_config.get("assume_role_arn")
-        or account_config.get("role_to_assume"),
+        or assume_role_arn,
        "session_name": module_config.get("session_name")
        or defaults.get("session_name", "TerraformSession"),
    }