Commit 3521091

terraform/AWS: Update docs/kdevops-terraform.md
Signed-off-by: Chuck Lever <[email protected]>
1 parent 5dec557 commit 3521091

1 file changed

+12
-26
lines changed

docs/kdevops-terraform.md

Lines changed: 12 additions & 26 deletions
@@ -209,8 +209,8 @@ ssh_config_backup = "true"
209209

210210
### AWS - Amazon Web Services
211211

212-
AWS is supported. For authentication we rely on the shared credentials file,
213-
so you must have the file:
212+
AWS is supported. For authentication, kdevops relies on a shared
213+
credentials file, separate from kdevops' .config:
214214

215215
```
216216
~/.aws/credentials
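Review bot: The added sentence "credentials file, separate from kdevops' .config:" no longer says the file is required, which the removed "so you must have the file" did, and it leaves .config unformatted. Consider putting `.config` in backticks and keeping one short statement that ~/.aws/credentials must exist before provisioning. Since the example that follows contains aws_secret_access_key, this would also be a reasonable place to recommend that the file be readable only by its owner.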
@@ -224,36 +224,22 @@ aws_access_key_id = SOME_ACCESS_KEY
224224
aws_secret_access_key = SECRET_KEY
225225
```
226226

227-
The profile above is "default", and you can have multiple profiles. By
228-
default our Terraform's AWS vars.tf assumes ~/.aws/credentials as the
229-
default credentials location, and the profile as "default". If this is
230-
different for you, you can override with the variables:
231-
232-
```
233-
aws_shared_credentials_file
234-
aws_profile
235-
```
236-
237-
But if your credentials file is `~/.aws/credentials` and the profile
238-
target is `default`, then your minimum `terraform.tfvars` file should look
239-
something like this:
240-
241-
```
242-
aws_region = "us-west-1"
243-
244-
ssh_config_pubkey_file = "~/.ssh/my-aws.pub"
245-
ssh_config_user = "mcgrof"
246-
ssh_config = "~/.ssh/config"
247-
ssh_config_update = "true"
248-
ssh_config_use_strict_settings = "true"
249-
ssh_config_backup = "true"
250-
```
227+
This file may contain authentication secrets for more than one
228+
user. The TERRAFORM_AWS_PROFILE setting enables you to select which
229+
entry in this file kdevops will use to authenticate.
251230

252231
To read more about shared credentials refer to:
253232

254233
* https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
255234
* https://docs.aws.amazon.com/powershell/latest/userguide/shared-credentials-in-aws-powershell.html
256235

236+
If you run kdevops on CodeBuild (or ECS), configure an IAM Task Role
237+
for the build container so that kdevops can create AWS resources.
238+
For more information, see:
239+
240+
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
241+
https://docs.aws.amazon.com/prescriptive-guidance/latest/terraform-aws-provider-best-practices/security.html
242+
257243
### GCE - Google Compute Engine
258244

259245
kdevops can provision Google Compute Engine resources. If you are
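Review bot: The added paragraph at new lines 227-229 names TERRAFORM_AWS_PROFILE but does not say where it is set or what its default is, while the removed text documented both defaults (~/.aws/credentials and the "default" profile) and the override variables aws_shared_credentials_file and aws_profile. Please state where TERRAFORM_AWS_PROFILE is configured and its default value, and say whether the credentials file location can still be overridden, since the only description of that is deleted here. Two smaller points in the same hunk: the URLs added at new lines 240-241 are bare lines, unlike the "* " bullets used for the existing links just above, so they will render as one run-on paragraph; and the CodeBuild/ECS sentence leads with CodeBuild but the first link covers ECS task roles only, so either add a CodeBuild reference or reword the sentence to match the link.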
