better support for project level oidc role assumption (#906)

* better support for project level oidc role assumption


Former-commit-id: 24f59bd

Author: motatoes

cli/go.sum

@@ -317,8 +317,6 @@ github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3A
 github.com/aws/aws-sdk-go v1.31.9/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go v1.48.16 h1:mcj2/9J/MJ55Dov+ocMevhR8Jv6jW/fAxbrn4a1JFc8=
-github.com/aws/aws-sdk-go v1.48.16/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go v1.49.1 h1:Dsamcd8d/nNb3A+bZ0ucfGl0vGZsW5wlRW0vhoYGoeQ=
 github.com/aws/aws-sdk-go v1.49.1/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go v1.49.2 h1:+4BEcm1nPCoDbVd+gg8cdxpa1qJfrvnddy12vpEVWjw=
@@ -463,8 +461,8 @@ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66D
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
 github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
-github.com/go-git/go-git/v5 v5.10.1 h1:tu8/D8i+TWxgKpzQ3Vc43e+kkhXqtsZCKI/egajKnxk=
-github.com/go-git/go-git/v5 v5.10.1/go.mod h1:uEuHjxkHap8kAl//V5F/nNWwqIYtP/402ddd05mp0wg=
+github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
+github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -610,8 +608,6 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
-github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
 github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
@@ -752,8 +748,6 @@ github.com/hashicorp/serf v0.0.0-20160124182025-e4ec8cc423bb/go.mod h1:h/Ru6tmZa
 github.com/hashicorp/terraform v0.15.3 h1:2QWbTj2xJ/8W1gCyIrd0WAqVF4weKPMYjx8nKjbkQjA=
 github.com/hashicorp/terraform v0.15.3/go.mod h1:w4eBEsluZfYumXUTLe834eqHh969AabcLqbj2WAYlM8=
 github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2/go.mod h1:Z0Nnk4+3Cy89smEbrq+sl1bxc9198gIP4I7wcQF6Kqs=
-github.com/hashicorp/terraform-config-inspect v0.0.0-20230925220900-5a6f8d18746d h1:g6kHlvZrFPFKeWRj5q/zyJA5gu7rlJGPf17h8hX7LHY=
-github.com/hashicorp/terraform-config-inspect v0.0.0-20230925220900-5a6f8d18746d/go.mod h1:l8HcFPm9cQh6Q0KSWoYPiePqMvRFenybP1CH2MjKdlg=
 github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72 h1:nZ5gGjbe5o7XUu1d7j+Y5Ztcxlp+yaumTKH9i0D3wlg=
 github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72/go.mod h1:l8HcFPm9cQh6Q0KSWoYPiePqMvRFenybP1CH2MjKdlg=
 github.com/hashicorp/terraform-registry-address v0.2.0 h1:92LUg03NhfgZv44zpNTLBGIbiyTokQCDcdH5BhVHT3s=
@@ -1067,10 +1061,6 @@ github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
-github.com/xanzy/go-gitlab v0.95.0 h1:lnYFPDsZuoSWXSC9xPLMcAWlGgndMn+erexGa+jJsS0=
-github.com/xanzy/go-gitlab v0.95.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI=
-github.com/xanzy/go-gitlab v0.95.1 h1:rQjcmX5Au2Lz9bc3QLTdtSK5ZHdTXLnmhz3CAB/G5So=
-github.com/xanzy/go-gitlab v0.95.1/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI=
 github.com/xanzy/go-gitlab v0.95.2 h1:4p0IirHqEp5f0baK/aQqr4TR57IsD+8e4fuyAA1yi88=
 github.com/xanzy/go-gitlab v0.95.2/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=

cli/pkg/azure/azure.go

@@ -417,22 +417,24 @@ func ConvertAzureEventToCommands(parseAzureContext Azure, impactedProjects []dig
 
 			prNumber := parseAzureContext.Event.(AzurePrEvent).Resource.PullRequestId
 			stateEnvVars, commandEnvVars := digger_config2.CollectTerraformEnvConfig(workflow.EnvVars)
+			StateEnvProvider, CommandEnvProvider := orchestrator.GetStateAndCommandProviders(project)
 			jobs = append(jobs, orchestrator.Job{
-				ProjectName:       project.Name,
-				ProjectDir:        project.Dir,
-				ProjectWorkspace:  project.Workspace,
-				Terragrunt:        project.Terragrunt,
-				OpenTofu:          project.OpenTofu,
-				Commands:          workflow.Configuration.OnPullRequestPushed,
-				ApplyStage:        orchestrator.ToConfigStage(workflow.Apply),
-				PlanStage:         orchestrator.ToConfigStage(workflow.Plan),
-				PullRequestNumber: &prNumber,
-				EventName:         parseAzureContext.EventType,
-				RequestedBy:       parseAzureContext.BaseUrl,
-				Namespace:         parseAzureContext.BaseUrl + "/" + parseAzureContext.ProjectName,
-				StateEnvVars:      stateEnvVars,
-				CommandEnvVars:    commandEnvVars,
-				AwsRoleToAssume:   project.AwsRoleToAssume,
+				ProjectName:        project.Name,
+				ProjectDir:         project.Dir,
+				ProjectWorkspace:   project.Workspace,
+				Terragrunt:         project.Terragrunt,
+				OpenTofu:           project.OpenTofu,
+				Commands:           workflow.Configuration.OnPullRequestPushed,
+				ApplyStage:         orchestrator.ToConfigStage(workflow.Apply),
+				PlanStage:          orchestrator.ToConfigStage(workflow.Plan),
+				PullRequestNumber:  &prNumber,
+				EventName:          parseAzureContext.EventType,
+				RequestedBy:        parseAzureContext.BaseUrl,
+				Namespace:          parseAzureContext.BaseUrl + "/" + parseAzureContext.ProjectName,
+				StateEnvVars:       stateEnvVars,
+				CommandEnvVars:     commandEnvVars,
+				StateEnvProvider:   StateEnvProvider,
+				CommandEnvProvider: CommandEnvProvider,
 			})
 		}
 		return jobs, true, nil
@@ -445,22 +447,24 @@ func ConvertAzureEventToCommands(parseAzureContext Azure, impactedProjects []dig
 
 			prNumber := parseAzureContext.Event.(AzurePrEvent).Resource.PullRequestId
 			stateEnvVars, commandEnvVars := digger_config2.CollectTerraformEnvConfig(workflow.EnvVars)
+			StateEnvProvider, CommandEnvProvider := orchestrator.GetStateAndCommandProviders(project)
 			jobs = append(jobs, orchestrator.Job{
-				ProjectName:       project.Name,
-				ProjectDir:        project.Dir,
-				ProjectWorkspace:  project.Workspace,
-				Terragrunt:        project.Terragrunt,
-				OpenTofu:          project.OpenTofu,
-				Commands:          workflow.Configuration.OnPullRequestClosed,
-				ApplyStage:        orchestrator.ToConfigStage(workflow.Apply),
-				PlanStage:         orchestrator.ToConfigStage(workflow.Plan),
-				PullRequestNumber: &prNumber,
-				EventName:         parseAzureContext.EventType,
-				RequestedBy:       parseAzureContext.BaseUrl,
-				Namespace:         parseAzureContext.BaseUrl + "/" + parseAzureContext.ProjectName,
-				StateEnvVars:      stateEnvVars,
-				CommandEnvVars:    commandEnvVars,
-				AwsRoleToAssume:   project.AwsRoleToAssume,
+				ProjectName:        project.Name,
+				ProjectDir:         project.Dir,
+				ProjectWorkspace:   project.Workspace,
+				Terragrunt:         project.Terragrunt,
+				OpenTofu:           project.OpenTofu,
+				Commands:           workflow.Configuration.OnPullRequestClosed,
+				ApplyStage:         orchestrator.ToConfigStage(workflow.Apply),
+				PlanStage:          orchestrator.ToConfigStage(workflow.Plan),
+				PullRequestNumber:  &prNumber,
+				EventName:          parseAzureContext.EventType,
+				RequestedBy:        parseAzureContext.BaseUrl,
+				Namespace:          parseAzureContext.BaseUrl + "/" + parseAzureContext.ProjectName,
+				StateEnvVars:       stateEnvVars,
+				CommandEnvVars:     commandEnvVars,
+				StateEnvProvider:   StateEnvProvider,
+				CommandEnvProvider: CommandEnvProvider,
 			})
 		}
 		return jobs, true, nil
@@ -473,22 +477,24 @@ func ConvertAzureEventToCommands(parseAzureContext Azure, impactedProjects []dig
 					return nil, false, fmt.Errorf("failed to find workflow digger_config '%s' for project '%s'", project.Workflow, project.Name)
 				}
 				stateEnvVars, commandEnvVars := digger_config2.CollectTerraformEnvConfig(workflow.EnvVars)
+				StateEnvProvider, CommandEnvProvider := orchestrator.GetStateAndCommandProviders(project)
 				jobs = append(jobs, orchestrator.Job{
-					ProjectName:       project.Name,
-					ProjectDir:        project.Dir,
-					ProjectWorkspace:  project.Workspace,
-					Terragrunt:        project.Terragrunt,
-					OpenTofu:          project.OpenTofu,
-					Commands:          workflow.Configuration.OnCommitToDefault,
-					ApplyStage:        orchestrator.ToConfigStage(workflow.Apply),
-					PlanStage:         orchestrator.ToConfigStage(workflow.Plan),
-					PullRequestNumber: &prNumber,
-					EventName:         parseAzureContext.EventType,
-					RequestedBy:       parseAzureContext.BaseUrl,
-					Namespace:         parseAzureContext.BaseUrl + "/" + parseAzureContext.ProjectName,
-					StateEnvVars:      stateEnvVars,
-					CommandEnvVars:    commandEnvVars,
-					AwsRoleToAssume:   project.AwsRoleToAssume,
+					ProjectName:        project.Name,
+					ProjectDir:         project.Dir,
+					ProjectWorkspace:   project.Workspace,
+					Terragrunt:         project.Terragrunt,
+					OpenTofu:           project.OpenTofu,
+					Commands:           workflow.Configuration.OnCommitToDefault,
+					ApplyStage:         orchestrator.ToConfigStage(workflow.Apply),
+					PlanStage:          orchestrator.ToConfigStage(workflow.Plan),
+					PullRequestNumber:  &prNumber,
+					EventName:          parseAzureContext.EventType,
+					RequestedBy:        parseAzureContext.BaseUrl,
+					Namespace:          parseAzureContext.BaseUrl + "/" + parseAzureContext.ProjectName,
+					StateEnvVars:       stateEnvVars,
+					CommandEnvVars:     commandEnvVars,
+					StateEnvProvider:   StateEnvProvider,
+					CommandEnvProvider: CommandEnvProvider,
 				})
 			}
 			return jobs, true, nil
@@ -526,23 +532,24 @@ func ConvertAzureEventToCommands(parseAzureContext Azure, impactedProjects []dig
 						return nil, false, fmt.Errorf("failed to find workflow digger_config '%s' for project '%s'", project.Workflow, project.Name)
 					}
 					stateEnvVars, commandEnvVars := digger_config2.CollectTerraformEnvConfig(workflow.EnvVars)
-
+					StateEnvProvider, CommandEnvProvider := orchestrator.GetStateAndCommandProviders(project)
 					jobs = append(jobs, orchestrator.Job{
-						ProjectName:       project.Name,
-						ProjectDir:        project.Dir,
-						ProjectWorkspace:  workspace,
-						Terragrunt:        project.Terragrunt,
-						OpenTofu:          project.OpenTofu,
-						Commands:          []string{command},
-						ApplyStage:        orchestrator.ToConfigStage(workflow.Apply),
-						PlanStage:         orchestrator.ToConfigStage(workflow.Plan),
-						PullRequestNumber: &prNumber,
-						EventName:         parseAzureContext.EventType,
-						RequestedBy:       parseAzureContext.BaseUrl,
-						Namespace:         parseAzureContext.BaseUrl + "/" + parseAzureContext.ProjectName,
-						StateEnvVars:      stateEnvVars,
-						CommandEnvVars:    commandEnvVars,
-						AwsRoleToAssume:   project.AwsRoleToAssume,
+						ProjectName:        project.Name,
+						ProjectDir:         project.Dir,
+						ProjectWorkspace:   workspace,
+						Terragrunt:         project.Terragrunt,
+						OpenTofu:           project.OpenTofu,
+						Commands:           []string{command},
+						ApplyStage:         orchestrator.ToConfigStage(workflow.Apply),
+						PlanStage:          orchestrator.ToConfigStage(workflow.Plan),
+						PullRequestNumber:  &prNumber,
+						EventName:          parseAzureContext.EventType,
+						RequestedBy:        parseAzureContext.BaseUrl,
+						Namespace:          parseAzureContext.BaseUrl + "/" + parseAzureContext.ProjectName,
+						StateEnvVars:       stateEnvVars,
+						CommandEnvVars:     commandEnvVars,
+						StateEnvProvider:   StateEnvProvider,
+						CommandEnvProvider: CommandEnvProvider,
 					})
 				}
 			}

cli/pkg/core/terraform/tf.go

@@ -28,15 +28,19 @@ func (tf Terraform) Init(params []string, envs map[string]string) (string, strin
 	params = append(params, "-input=false")
 	params = append(params, "-no-color")
 	stdout, stderr, _, err := tf.runTerraformCommand(true, "init", envs, params...)
+
+	// switch to workspace for next step
+	// TODO: make this an individual and isolated step
+	werr := tf.switchToWorkspace(envs)
+	if werr != nil {
+		log.Printf("Fatal: Error terraform switch to workspace %v", err)
+		return "", "", werr
+	}
+
 	return stdout, stderr, err
 }
 
 func (tf Terraform) Apply(params []string, plan *string, envs map[string]string) (string, string, error) {
-	err := tf.switchToWorkspace(envs)
-	if err != nil {
-		log.Printf("Fatal: Error terraform to workspace %v", err)
-		return "", "", err
-	}
 	params = append(append(append(params, "-input=false"), "-no-color"), "-auto-approve")
 	if plan != nil {
 		params = append(params, *plan)
@@ -46,11 +50,6 @@ func (tf Terraform) Apply(params []string, plan *string, envs map[string]string)
 }
 
 func (tf Terraform) Destroy(params []string, envs map[string]string) (string, string, error) {
-	err := tf.switchToWorkspace(envs)
-	if err != nil {
-		log.Printf("Fatal: Error terraform to workspace %v", err)
-		return "", "", err
-	}
 	params = append(append(append(params, "-input=false"), "-no-color"), "-auto-approve")
 	stdout, stderr, _, err := tf.runTerraformCommand(true, "destroy", envs, params...)
 	return stdout, stderr, err
@@ -135,23 +134,6 @@ func (tf Terraform) formatTerraformWorkspaces(list string) string {
 }
 
 func (tf Terraform) Plan(params []string, envs map[string]string) (bool, string, string, error) {
-
-	workspaces, _, _, err := tf.runTerraformCommand(false, "workspace", envs, "list")
-	if err != nil {
-		return false, "", "", err
-	}
-	workspaces = tf.formatTerraformWorkspaces(workspaces)
-	if strings.Contains(workspaces, tf.Workspace) {
-		_, _, _, err := tf.runTerraformCommand(true, "workspace", envs, "select", tf.Workspace)
-		if err != nil {
-			return false, "", "", err
-		}
-	} else {
-		_, _, _, err := tf.runTerraformCommand(true, "workspace", envs, "new", tf.Workspace)
-		if err != nil {
-			return false, "", "", err
-		}
-	}
 	params = append(append(append(params, "-input=false"), "-no-color"), "-detailed-exitcode")
 	stdout, stderr, statusCode, err := tf.runTerraformCommand(true, "plan", envs, params...)
 	if err != nil && statusCode != 2 {

cli/pkg/digger/digger.go

@@ -158,7 +158,7 @@ func run(command string, job orchestrator.Job, policyChecker policy.Checker, org
 		return msg, errors.New(msg)
 	}
 
-	job, err = PopulateAwsCredentialsEnvVarsForJob(&job, nil)
+	err = job.PopulateAwsCredentialsEnvVarsForJob()
 	if err != nil {
 		log.Fatalf("failed to fetch AWS keys, %v", err)
 	}