
Skip IAM/STS validation and metadata check #7874

Merged (3 commits), Aug 10, 2016

Conversation

renier
Contributor

@renier renier commented Jul 29, 2016

Skip IAM/STS validation and metadata check

  • Skip IAM/STS identity validation - For environments or other api
    implementations where there are no IAM/STS endpoints available, this
    option lets you opt out from that provider initialization step.
  • Skip metadata api check - For environments in which you know ahead of
    time there isn't going to be a metadata api endpoint, this option lets
    you opt out from that check to save time.

Sample provider config:

provider "aws" {
  region = "us-east-1"
  skip_iam_creds_validation = true
  skip_iam_account_id = true
  skip_metadata_api_check = true
}

@iamatypeofwalrus

Just saw this PR while looking at references to my own.

Totally agree with the Boolean switch reasoning and happy to close my PR and move forward with this approach.

* Skip IAM/STS identity validation - For environments or other api
  implementations where there are no IAM/STS endpoints available, this
  option lets you opt out from that provider initialization step.
* Skip metadata api check - For environments in which you know ahead of
  time there isn't going to be a metadata api endpoint, this option lets
  you opt out from that check to save time.
@renier renier force-pushed the feature/skip_iam_validation branch from ed98ace to 0f041b5 on August 5, 2016 20:27
if c.SkipIamValidation == false {
// These two services need to be set up early so we can check on AccountID
client.iamconn = iam.New(awsIamSess)
client.stsconn = sts.New(sess)
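Review bot: with `SkipIamValidation` set to true, `client.iamconn` and `client.stsconn` are never assigned, so any later code path that uses them (the `iam_*` resources, the account-ID lookup) dereferences a nil client. Move `client.iamconn = iam.New(awsIamSess)` and `client.stsconn = sts.New(sess)` above the conditional and keep only the validation call inside it; also prefer `if !c.SkipIamValidation {` over `== false`.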
Member

@radeksimko radeksimko Aug 9, 2016


This would cause Terraform to crash if you tried applying any iam_* resource with SkipIamValidation set to true. Is there any reason why not keep it outside of the conditional block?

@radeksimko
Member

radeksimko commented Aug 9, 2016

@renier Thanks for the separation. This really helps us review each feature thoroughly and discuss details and effects more easily.

I left you two comments there that may need addressing.
Otherwise this PR is looking pretty good functional/approach-wise.


I will probably add a few comments to the docs once we merge this - effects to be aware of. e.g.

  • skip_credentials_validation = true doesn't prevent you from managing iam_* resources, but Terraform will still try to reach to the original AWS IAM endpoint which may not be what you want in non-AWS environments
  • skip_requesting_account_id = true prevents you from managing any resource that requires Account ID to construct an ARN, namely
    • aws_db_instance
    • aws_db_option_group
    • aws_db_parameter_group
    • aws_db_security_group
    • aws_db_subnet_group
    • aws_elasticache_cluster
    • aws_glacier_vault
    • aws_rds_cluster
    • aws_rds_cluster_instance
    • aws_rds_cluster_parameter_group
    • aws_redshift_cluster
  • skip_metadata_api_check = true prevents Terraform from authenticating via Metadata API - i.e. you may need to use other auth methods (static credentials set as ENV vars or config)
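To make the three effects listed above concrete, here is an added Go example. It is not the Terraform AWS provider's code: the `Config` fields, the `IdentityAPI` stand-in for the STS/IAM startup calls, and the credential-provider names are assumptions chosen to model the pattern. It shows a client setup that constructs the identity client unconditionally (so no resource hits a nil client), gates only credential validation, the account-ID request and the metadata credential provider on the skip flags, and how ARN construction fails once the account ID has been skipped.

```go
package main

import (
	"errors"
	"fmt"
)

// Config holds the three opt-out flags, using the names from the review
// comment. Illustrative model, not the provider's actual Config struct.
type Config struct {
	Region                  string
	SkipCredsValidation     bool
	SkipRequestingAccountID bool
	SkipMetadataAPICheck    bool
}

// IdentityAPI is an assumed stand-in for the STS/IAM calls made at startup.
type IdentityAPI interface {
	ValidateCredentials() error
	GetCallerIdentity() (accountID string, err error)
}

// Client is the configured provider client. Identity is always set, so
// resources that need it never dereference a nil client; only the startup
// calls are gated by the skip flags.
type Client struct {
	Region    string
	Identity  IdentityAPI
	AccountID string
}

var ErrNoSTSEndpoint = errors.New("sts: endpoint unreachable")

// NoSTS models a non-AWS environment with no IAM/STS endpoint at all.
type NoSTS struct{}

func (NoSTS) ValidateCredentials() error          { return ErrNoSTSEndpoint }
func (NoSTS) GetCallerIdentity() (string, error)  { return "", ErrNoSTSEndpoint }

// RealSTS models a reachable endpoint with a constructed sample account ID.
type RealSTS struct{ Account string }

func (RealSTS) ValidateCredentials() error           { return nil }
func (r RealSTS) GetCallerIdentity() (string, error) { return r.Account, nil }

// CredentialProviders returns the credential lookup order. The metadata-API
// provider is appended only when the check is not skipped, which is why
// skip_metadata_api_check = true means static/env credentials must be used.
func CredentialProviders(c Config) []string {
	providers := []string{"static", "env", "shared-config"}
	if !c.SkipMetadataAPICheck {
		providers = append(providers, "ec2-metadata")
	}
	return providers
}

// Configure builds the client. The identity client is created before any
// conditional; the flags skip only the validation and the account-ID lookup.
func Configure(c Config, identity IdentityAPI) (*Client, error) {
	client := &Client{Region: c.Region, Identity: identity}

	if !c.SkipCredsValidation {
		if err := identity.ValidateCredentials(); err != nil {
			return nil, fmt.Errorf("validating credentials: %w", err)
		}
	}
	if !c.SkipRequestingAccountID {
		id, err := identity.GetCallerIdentity()
		if err != nil {
			return nil, fmt.Errorf("requesting account ID: %w", err)
		}
		client.AccountID = id
	}
	return client, nil
}

// ARN builds an ARN for resources that embed the account ID (the RDS,
// ElastiCache, Glacier and Redshift resources listed in the review). With
// skip_requesting_account_id = true there is no account ID, so this fails.
func (c *Client) ARN(service, resource string) (string, error) {
	if c.AccountID == "" {
		return "", errors.New("account ID unknown: cannot build ARN (skip_requesting_account_id is set)")
	}
	return fmt.Sprintf("arn:aws:%s:%s:%s:%s", service, c.Region, c.AccountID, resource), nil
}

func main() {
	// Non-AWS environment with all three opt-outs, as in the PR's sample config.
	cfg := Config{Region: "us-east-1", SkipCredsValidation: true, SkipRequestingAccountID: true, SkipMetadataAPICheck: true}
	client, err := Configure(cfg, NoSTS{})
	fmt.Println("configured:", err == nil, "providers:", CredentialProviders(cfg))
	_, err = client.ARN("rds", "db:example")
	fmt.Println("ARN:", err)
}
```

Running `main` against `NoSTS{}` succeeds only because all three flags are set; drop either of the first two and `Configure` returns the wrapped `ErrNoSTSEndpoint`, which is the behaviour the skip options exist to avoid in environments without IAM/STS.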

@radeksimko radeksimko added the waiting-response An issue/pull request is waiting for a response from the community label Aug 9, 2016
@radeksimko radeksimko self-assigned this Aug 9, 2016
@renier
Contributor Author

renier commented Aug 10, 2016

@radeksimko Thanks for the review. I don't think this would ever be used against real AWS environments, but I think I addressed all your comments with the iam/sts initialization and increased skip choice resolution.

provider "aws" {
  region = "us-east-1"
  skip_iam_creds_validation = true
  skip_iam_account_id = true
  skip_metadata_api_check = true
}

@radeksimko radeksimko removed the waiting-response An issue/pull request is waiting for a response from the community label Aug 10, 2016
@radeksimko
Member

👍

Technically credentials or account ID may not always come from the IAM API (but from metadata API), but that's really a naming nitpick I'm happy to address in a separate PR.

@ghost

ghost commented Apr 23, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 23, 2020