only fetch oidc keys once both apply and plan phases

libs/orchestrator/aws.go

@@ -15,8 +15,9 @@ import (
 	"os"
 )
 
-func populateBackendConfig(args []string, provider stscreds.WebIdentityRoleProvider) ([]string, error) {
+func populateretrieveBackendConfigArgs(provider stscreds.WebIdentityRoleProvider) ([]string, error) {
 	creds, err := provider.Retrieve()
+	var args []string
 	if err != nil {
 		return args, fmt.Errorf("populateKeys: Could not retrieve keys from provider %v", err)
 	}
@@ -43,17 +44,19 @@ func (job *Job) PopulateAwsCredentialsEnvVarsForJob() error {
 	if job.StateEnvProvider != nil {
 		log.Printf("Project-level AWS role detected, Assuming role: %v for project run: %v", job.ProjectName)
 		var err error
-		if job.PlanStage != nil {
-			// TODO: check that the first step is infact the terraform "init" step
-			job.PlanStage.Steps[0].ExtraArgs, err = populateBackendConfig(job.PlanStage.Steps[0].ExtraArgs, *job.StateEnvProvider)
-		}
+		backendConfigArgs, err := populateretrieveBackendConfigArgs(*job.StateEnvProvider)
 		if err != nil {
 			log.Printf("Failed to get keys from role: %v", err)
 			return fmt.Errorf("Failed to get (state) keys from role: %v", err)
 		}
+
+		if job.PlanStage != nil {
+			// TODO: check that the first step is infact the terraform "init" step
+			job.PlanStage.Steps[0].ExtraArgs = append(job.PlanStage.Steps[0].ExtraArgs, backendConfigArgs...)
+		}
 		if job.ApplyStage != nil {
 			// TODO: check that the first step is infact the terraform "init" step
-			job.ApplyStage.Steps[0].ExtraArgs, err = populateBackendConfig(job.ApplyStage.Steps[0].ExtraArgs, *job.StateEnvProvider)
+			job.ApplyStage.Steps[0].ExtraArgs = append(job.ApplyStage.Steps[0].ExtraArgs, backendConfigArgs...)
 		}
 		if err != nil {
 			log.Printf("Failed to get keys from role: %v", err)