From 8d9812baf4f8562d1eac14c1764ec1696981de12 Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Fri, 12 Dec 2025 09:25:26 +0800
Subject: [PATCH] Add option to skip redundant AWS assume role

---
 .../terraform-hcl-standard/aws-cloud/README.md | 10 ++++++++++
 .../aws-cloud/render_provider_backend.py | 9 ++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/iac-template/terraform-hcl-standard/aws-cloud/README.md b/iac-template/terraform-hcl-standard/aws-cloud/README.md
index 979f5f2d..9c06b63a 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/README.md
+++ b/iac-template/terraform-hcl-standard/aws-cloud/README.md
@@ -19,6 +19,16 @@ Both modules can be run independently.
 Terraform reads AWS credentials through the standard AWS credential chain.
 You may use either A or B.
 
+If your shell or CI job is **already running under the target IAM role**, set
+`AWS_CLOUD_SKIP_ASSUME_ROLE=true` before rendering/running Terraform to avoid a
+nested `AssumeRole` call:
+
+```
+export AWS_CLOUD_SKIP_ASSUME_ROLE=true
+```
+
+This prevents errors like `AccessDenied` when re-assuming the same deploy role.
+
 ### A. Environment Variables (recommended for local / CI)
 
 ```
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/render_provider_backend.py b/iac-template/terraform-hcl-standard/aws-cloud/render_provider_backend.py
index 43368517..f69ae6fd 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/render_provider_backend.py
+++ b/iac-template/terraform-hcl-standard/aws-cloud/render_provider_backend.py
@@ -19,11 +19,18 @@ sys.path.append(str(PROJECT_ROOT / "utils"))
 from config_loader import load_merged_config # noqa: E402
 
 
+def _should_skip_assume_role() -> bool:
+ flag = os.environ.get("AWS_CLOUD_SKIP_ASSUME_ROLE", "").strip().lower()
+ return flag in {"1", "true", "yes", "y"}
+
+
 def build_provider_config(module_name: str, module_config: Dict, account_config: Dict, defaults: Dict) -> Dict:
 region = module_config.get("region") or account_config.get("region")
 if not region:
 raise ValueError(f"Region is required for module {module_name}")
 
+ assume_role_arn = None if _should_skip_assume_role() else account_config.get("role_to_assume")
+
 return {
 "terraform": {
 "required_version": module_config.get("terraform_required_version")
@@ -33,7 +40,7 @@ def build_provider_config(module_name: str, module_config: Dict, account_config:
 },
 "region": region,
 "assume_role_arn": module_config.get("assume_role_arn")
- or account_config.get("role_to_assume"),
+ or assume_role_arn,
 "session_name": module_config.get("session_name")
 or defaults.get("session_name", "TerraformSession"),
 }
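Review bot: The skip flag only suppresses `account_config.get("role_to_assume")`, so a module-level `module_config.get("assume_role_arn")` (the first operand of the `or` in the second hunk at `@@ -33,7 +40,7 @@`) is still emitted even when `AWS_CLOUD_SKIP_ASSUME_ROLE` is set, contrary to the README's statement that the variable avoids the nested AssumeRole. Folding both sources into the new local closes the gap: `assume_role_arn = None if _should_skip_assume_role() else (module_config.get("assume_role_arn") or account_config.get("role_to_assume"))` in the first hunk, and `"assume_role_arn": assume_role_arn,` replacing the two-line `or` expression in the second. Because an active skip silently makes Terraform run under whatever ambient credentials the caller holds instead of the configured deploy role, consider warning on stderr when the flag drops a non-empty role ARN so the substitution is visible in CI logs, e.g. `print(f"AWS_CLOUD_SKIP_ASSUME_ROLE set; not assuming {role}", file=sys.stderr)`. `_should_skip_assume_role` also depends on `os` being imported above the hunk, which the visible context lines do not show. The body of `build_provider_config` continues past the end of the first hunk.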