Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Although aws-sdk-go-v2 was released a long time ago, historically until now tfmigrate has used v1 as well as the old Terraform. aws-sdk-go and aws-sdk-go-v2 have different priorities for loading credentials. Specifically, aws-sdk-go v1 prioritizes reading environment variables over profiles. This is a problem when switching between multiple accounts in profile while OIDC authenticating to AWS from GitHub Actions. Up to Terraform v1.5, aws-sdk-go v1 was used for s3 backend authentication via hashicorp/aws-sdk-go-base, but Terraform / OpenTofu v1.6 and later, aws-sdk-go-v2 is used. Up to tfmigrate v0.3, we have been using aws-sdk-go v1 via hashicorp/aws-sdk-go-base for history s3 storage authentication, but will be using aws-sdk-go-v2 after the next tfmigrate v0.4. This is a breaking change, but the goal is to align with the behavior of Terraform / OpenTofu v1.6 and later, so if you are affected, please adjust your AWS authentication settings. At the time of this writing, v2 of hashicorp/aws-sdk-go-base, which uses aws-sdk-go-v2, is still beta, but it is already used in the stable releases of Terraform and OpenTofu. Since there are multiple beta versions of hashicorp/aws-sdk-go-base and slightly different versions in use, the results of my investigation are shown below. - tfmigrate: v0.3.24: v1.1.0 - terraform v1.5.7: v0.7.1 - terraform v1.6.0: v2.0.0-beta.35 - terraform v1.7.0: v2.0.0-beta.43 - terraform v1.8.0: v2.0.0-beta.45 - terraform v1.9.8 (latest): v2.0.0-beta.45 - opentofu v1.6.0: v2.0.0-beta.43 - opentofu v1.8.5 (latest): v2.0.0-beta.43 - terraform-provider-aws v3.76.1: v1.0.0 - terraform-provider-aws v4.0.0: v2.0.0-beta.5 - terraform-provider-aws v5.0.0: v2.0.0-beta.27 - terraform-provider-aws v5.29.0: v2.0.0-beta.43 - terraform-provider-aws v5.31.0: v2.0.0-beta.45 - terraform-provider-aws v5.74.0 (latest): v2.0.0-beta.59 As a special note, use_legacy_workflow has been removed in terraform v1.8.0 and opentofu v1.8.0, but UseLegacyWorkflow has been removed in aws-sdk-go-base in v2.0.0-beta.49. Considering the above, I think v2.0.0-beta.43 or v2.0.0-beta.45 would be reasonable. At this point, I don't see any strong reason to go with v2.0.0-beta.45, so I'm going to go with v2.0.0-beta.43 to align with opentofu. The s3 history storage implementation was rewritten with the aws-sdk-go-v2 migration guide. https://aws.github.io/aws-sdk-go-v2/docs/migrating/ As a tfmigrate user, there are no breaking changes at the configuration file level, but it should be noted that, as mentioned above, AWS credentials have a higher priority in profile than in environment variables. Also, as a side effect, the path to the file that sets the AWS profile is ~/.aws/config by default, but it can now be specified with the environment variable AWS_CONFIG_FILE.
- Loading branch information