Support for SSO authentication

[sjourdan]

Description
A user requested support for AWS SSO authentication in driftctl.

While we could replicate a working use case manually in a lab (AWS CLI v2 works well with this since November '19), it currently can't work with driftctl directly, because it depends on both the SSO feature integration in the Go SDK and then in the Terraform AWS provider.

In December 2020, priority was high for the Go SDK team (as read in a Terraform AWS provider issue).

Sources:

• Terraform Issue: Support AWS CLI v2 AWS Single Sign-On hashicorp/terraform-provider-aws#10851

[wbeuil]

We now have a clearer vision of what's the problem is about the SSO support.

I explained it in this here.

TLDR, to enabling SSO support we need to bump aws-sdk and terraform-provider-aws to respectively v1.37.0+ and v3.26.0+.

[cageyv]

Requirements for AWS SSO support:

• terraform 0.14.6+
• aws cli 2.1.24+
• terraform-aws-provider 3.26.0+
• aws-sdk-go to 1.37.0+ AWS Single Sign-On (SSO) Provider Support aws/aws-sdk-go#3755

Temporary solution:

• aws2-wrap
• aws-vault

Example with aws2-wrap:

[profile name-sso-source]
sso_start_url = __SSO_START_URL__
sso_region = __SSO_REGION__
sso_account_id = __SSO_ACCOUNT_ID__
sso_role_name = __SSO_ROLE_NAME__
region = us-east-1
output = json

[profile name-sso]
credential_process = aws2-wrap --process --profile name-sso-source
region = us-east-1
output = json

It works for me

[rjcoelho]

Terraform plan and apply is working, but driftctl scan --from tfstate://./terraform.tfstate I get

error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

Please see https://registry.terraform.io/providers/hashicorp/aws
for more information about providing credentials.

Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
        ```

[eliecharra]

@rjcoelho Internally driftctl use terraform 0.14.0 and aws provider 3.19.5, maybe it is working in your terraform side as you use newer version of terraform and aws provider which support SSO ?

To be transparent, we are working on this actively. But updating terraform version and aws provider version implies a lot of work due to the actual architecture of the project.
We are refactoring the core of driftctl to make it work with any version of any terraform provider dynamically, but it will takes us a couple of weeks 🙏🏻

[rjcoelho]

@eliecharra that's probably it. Anyway great project and looking forward to using it.

[rjcoelho]

Btw workaround for me was

aws-vault exec MYAWS_SSO_PROFILE -- driftctl scan --from tfstate://./terraform.tfstate

[sjourdan]

AWS tf provider needed: 3.26+

LGTM! (demo by @wbeuil )