Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS. You must configure the provider with the proper credentials before you can use it.
Use the navigation to the left to read about the available resources. There are currently 1367 resources and 557 data sources available in the provider.
To learn the basics of Terraform using this provider, follow the hands-on get started tutorials. Interact with AWS services, including Lambda, RDS, and IAM by following the AWS services tutorials.
Terraform 0.13 and later:

```terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

# Create a VPC
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}
```
Terraform 0.12 and earlier:

```terraform
# Configure the AWS Provider
provider "aws" {
  version = "~> 5.0"
  region  = "us-east-1"
}

# Create a VPC
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}
```
Configuration for the AWS Provider can be derived from several sources, which are applied in the following order:
This order matches the precedence used by the AWS CLI and the AWS SDKs.
The AWS Provider supports assuming an IAM role, either in the provider configuration block parameter `assume_role` or in a named profile.
The AWS Provider supports assuming an IAM role using web identity federation and OpenID Connect (OIDC). This can be configured either using environment variables or in a named profile.
When using a named profile, the AWS Provider also supports sourcing credentials from an external process.
Credentials can be provided by adding an `access_key`, `secret_key`, and optionally `token`, to the `aws` provider block.

Usage:

```terraform
provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}
```
Other settings related to authorization can be configured, such as:

- `profile`
- `shared_config_files`
- `shared_credentials_files`
Credentials can be provided by using the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and optionally `AWS_SESSION_TOKEN` environment variables. The Region can be set using the `AWS_REGION` or `AWS_DEFAULT_REGION` environment variables.

For example:

```terraform
provider "aws" {}
```

```sh
% export AWS_ACCESS_KEY_ID="anaccesskey"
% export AWS_SECRET_ACCESS_KEY="asecretkey"
% export AWS_REGION="us-west-2"
% terraform plan
```
Other environment variables related to authorization are:

- `AWS_PROFILE`
- `AWS_CONFIG_FILE`
- `AWS_SHARED_CREDENTIALS_FILE`
The AWS Provider can source credentials and other settings from the shared configuration and credentials files. By default, these files are located at `$HOME/.aws/config` and `$HOME/.aws/credentials` on Linux and macOS, and `"%USERPROFILE%\.aws\config"` and `"%USERPROFILE%\.aws\credentials"` on Windows.

If no named profile is specified, the `default` profile is used. Use the `profile` parameter or `AWS_PROFILE` environment variable to specify a named profile.

The locations of the shared configuration and credentials files can be configured using either the parameters `shared_config_files` and `shared_credentials_files` or the environment variables `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE`.

For example:

```terraform
provider "aws" {
  shared_config_files      = ["/Users/tf_user/.aws/conf"]
  shared_credentials_files = ["/Users/tf_user/.aws/creds"]
  profile                  = "customprofile"
}
```
If you're running Terraform on CodeBuild or ECS and have configured an IAM Task Role, Terraform can use the container's Task Role. This support is based on the underlying `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` and `AWS_CONTAINER_CREDENTIALS_FULL_URI` environment variables being automatically set by those services or manually for advanced usage.

If you're running Terraform on EKS and have configured IAM Roles for Service Accounts (IRSA), Terraform can use the pod's role. This support is based on the underlying `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables being automatically set by Kubernetes or manually for advanced usage.

When the AWS Provider is running on an EC2 instance with an IAM Instance Profile set, the provider can source credentials from the EC2 Instance Metadata Service. Both IMDS v1 and IMDS v2 are supported.

A custom endpoint for the metadata service can be provided using the `ec2_metadata_service_endpoint` parameter or the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
If provided with a role ARN, the AWS Provider will attempt to assume this role using the supplied credentials.

Usage:

```terraform
provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}
```
Hands-on: Try the Use AssumeRole to Provision AWS Resources Across Accounts tutorial.
If provided with a role ARN and a token from a web identity provider, the AWS Provider will attempt to assume this role using the supplied credentials.

Usage:

```terraform
provider "aws" {
  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::123456789012:role/ROLE_NAME"
    session_name            = "SESSION_NAME"
    web_identity_token_file = "/Users/tf_user/secrets/web-identity-token"
  }
}
```
To use an external process to source credentials, the process must be configured in a named profile, including the `default` profile. The profile is configured in a shared configuration file.

For example:

```terraform
provider "aws" {
  profile = "customprofile"
}
```

```ini
[profile customprofile]
credential_process = custom-process --username jdoe
```
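The `credential_process` entry above points at a program of your own; the provider only consumes what it prints. The following is an added example of such a helper, written for this page and not part of the Terraform AWS provider or the AWS CLI. It emits the JSON document the AWS SDKs read from a credential process (`Version` 1, `AccessKeyId`, `SecretAccessKey`, optional `SessionToken` and `Expiration`), and includes a validator that checks a payload the way a consumer would. The credential store it reads from, the `--username` handling mirroring the profile line, and the rule that temporary credentials must carry an `Expiration` are this example's own assumptions.

```python
"""Minimal credential_process helper plus a validator for its output.

Added example; not the provider's or the AWS CLI's code. FAKE_STORE stands in
for wherever a real helper would obtain short-lived credentials (a vault, an
SSO broker, a hardware token). All key material below is a placeholder.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed stand-in credential store, keyed by the --username argument.
FAKE_STORE = {
    "jdoe": {
        "AccessKeyId": "ASIA_PLACEHOLDER",
        "SecretAccessKey": "SECRET_PLACEHOLDER",
        "SessionToken": "TOKEN_PLACEHOLDER",
        "ttl_seconds": 900,  # 15 minutes, the shortest STS session length
    }
}

# Keys every credential_process payload must carry.
REQUIRED_KEYS = ("Version", "AccessKeyId", "SecretAccessKey")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 in UTC, as the SDK parses it


def build_output(username, now=None, store=FAKE_STORE):
    """Return the dict the helper prints for `username`, expiring ttl_seconds from now."""
    entry = store.get(username)
    if entry is None:
        raise KeyError(f"no credentials for user {username!r}")
    now = now or datetime.now(timezone.utc)
    expiration = now + timedelta(seconds=entry["ttl_seconds"])
    return {
        "Version": 1,
        "AccessKeyId": entry["AccessKeyId"],
        "SecretAccessKey": entry["SecretAccessKey"],
        "SessionToken": entry["SessionToken"],
        # Explicit expiry lets the SDK re-run the process instead of using stale keys.
        "Expiration": expiration.strftime(TIME_FMT),
    }


def validate_output(text, now=None):
    """Check a payload as a consumer would. Returns (ok, reason)."""
    try:
        data = json.loads(text)
    except ValueError:
        return False, "not valid JSON"
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        return False, f"missing keys: {missing}"
    if data["Version"] != 1:
        return False, "unsupported Version"
    # This example's own policy: a session token means temporary credentials,
    # and those should always state when they stop being valid.
    if "SessionToken" in data and "Expiration" not in data:
        return False, "temporary credentials must carry Expiration"
    if "Expiration" in data:
        exp = datetime.strptime(data["Expiration"], TIME_FMT).replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if exp <= now:
            return False, "credentials already expired"
    return True, "ok"


def demo():
    """Exercise the helper with a fixed clock so the results are deterministic."""
    fixed_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    payload = json.dumps(build_output("jdoe", now=fixed_now))
    fresh = validate_output(payload, now=fixed_now)
    stale = validate_output(payload, now=fixed_now + timedelta(hours=1))
    return json.loads(payload), fresh, stale


def main(argv):
    # Matches the profile line `credential_process = custom-process --username jdoe`.
    if len(argv) != 3 or argv[1] != "--username":
        print("usage: custom-process --username NAME", file=sys.stderr)
        return 2
    print(json.dumps(build_output(argv[2])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python custom-process.py --username jdoe` to see the document a profile would consume; only stdout is read, so diagnostics go to stderr.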
| Setting | Provider | Environment Variable | Shared Config |
|---|---|---|---|
| Access Key ID | `access_key` | `AWS_ACCESS_KEY_ID` | `aws_access_key_id` |
| Secret Access Key | `secret_key` | `AWS_SECRET_ACCESS_KEY` | `aws_secret_access_key` |
| Session Token | `token` | `AWS_SESSION_TOKEN` | `aws_session_token` |
| Region | `region` | `AWS_REGION` or `AWS_DEFAULT_REGION` | `region` |
| Custom CA Bundle | `custom_ca_bundle` | `AWS_CA_BUNDLE` | `ca_bundle` |
| EC2 IMDS Endpoint | `ec2_metadata_service_endpoint` | `AWS_EC2_METADATA_SERVICE_ENDPOINT` | N/A |
| EC2 IMDS Endpoint Mode | `ec2_metadata_service_endpoint_mode` | `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` | N/A |
| Disable EC2 IMDS | `skip_metadata_api_check` | `AWS_EC2_METADATA_DISABLED` | N/A |
| HTTP Proxy | `http_proxy` | `HTTP_PROXY` or `http_proxy` | N/A |
| HTTPS Proxy | `https_proxy` | `HTTPS_PROXY` or `https_proxy` | N/A |
| Non-Proxied Hosts | `no_proxy` | `NO_PROXY` or `no_proxy` | N/A |
| Max Retries | `max_retries` | `AWS_MAX_ATTEMPTS` | `max_attempts` |
| Profile | `profile` | `AWS_PROFILE` or `AWS_DEFAULT_PROFILE` | N/A |
| Retry Mode | `retry_mode` | `AWS_RETRY_MODE` | `retry_mode` |
| Shared Config Files | `shared_config_files` | `AWS_CONFIG_FILE` | N/A |
| Shared Credentials Files | `shared_credentials_files` | `AWS_SHARED_CREDENTIALS_FILE` | N/A |
| S3 Use Regional Endpoint for us-east-1 | `s3_us_east_1_regional_endpoint` | `AWS_S3_US_EAST_1_REGIONAL_ENDPOINT` | `s3_us_east_1_regional_endpoint` |
| Use DualStack Endpoints | `use_dualstack_endpoint` | `AWS_USE_DUALSTACK_ENDPOINT` | `use_dualstack_endpoint` |
| Use FIPS Endpoints | `use_fips_endpoint` | `AWS_USE_FIPS_ENDPOINT` | `use_fips_endpoint` |
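The table lists three places a setting can come from but does not, by itself, show which one wins when several are set. The following added example (written for this page, not the provider's own code) resolves a handful of the table's rows across a provider block, an environment map and a parsed shared config file. It assumes the precedence implied by the table's column order: a value in the provider block beats the environment variables, which beat the shared config file, and within the environment column the first-listed variable wins. The sample config file, the profile handling (`[default]` versus `[profile NAME]` sections) and the `credential_sources` audit helper are this example's additions.

```python
"""Resolve AWS provider settings from the three sources in the table above.

Added example; not the Terraform AWS provider's code. Precedence assumed:
provider block > environment variables > shared config file.
"""
import configparser

# setting -> (provider argument, environment variables in priority order,
# shared-config key or None where the table says N/A). Rows copied from the table.
SETTINGS = {
    "access_key": ("access_key", ("AWS_ACCESS_KEY_ID",), "aws_access_key_id"),
    "secret_key": ("secret_key", ("AWS_SECRET_ACCESS_KEY",), "aws_secret_access_key"),
    "token": ("token", ("AWS_SESSION_TOKEN",), "aws_session_token"),
    "region": ("region", ("AWS_REGION", "AWS_DEFAULT_REGION"), "region"),
    "max_retries": ("max_retries", ("AWS_MAX_ATTEMPTS",), "max_attempts"),
    "retry_mode": ("retry_mode", ("AWS_RETRY_MODE",), "retry_mode"),
    "shared_config_files": ("shared_config_files", ("AWS_CONFIG_FILE",), None),
    "use_fips_endpoint": ("use_fips_endpoint", ("AWS_USE_FIPS_ENDPOINT",), "use_fips_endpoint"),
    "use_dualstack_endpoint": ("use_dualstack_endpoint", ("AWS_USE_DUALSTACK_ENDPOINT",), "use_dualstack_endpoint"),
}

# Constructed shared config in the ~/.aws/config layout. Key values are placeholders.
SAMPLE_CONFIG = """
[default]
region = us-east-2
aws_access_key_id = AKIA_PLACEHOLDER
aws_secret_access_key = SECRET_PLACEHOLDER

[profile customprofile]
region = us-west-2
use_fips_endpoint = true
"""


def load_shared_config(text):
    """Parse shared-config text. Interpolation is off so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def resolve(setting, provider_block, env, shared_config, profile="default"):
    """Return (value, source) for one setting, or (None, None) if it is set nowhere."""
    arg, env_names, cfg_key = SETTINGS[setting]
    if provider_block.get(arg) is not None:
        return provider_block[arg], "provider"
    for name in env_names:
        if env.get(name):
            return env[name], f"env:{name}"
    if cfg_key is not None:
        # Only the default profile lives in a bare [default] section.
        section = "default" if profile == "default" else f"profile {profile}"
        if shared_config.has_option(section, cfg_key):
            return shared_config.get(section, cfg_key), f"shared_config:[{section}]"
    return None, None


def resolve_all(provider_block, env, shared_config):
    """Resolve every setting in SETTINGS. The profile name itself has no
    shared-config column, so it comes from the block or AWS_PROFILE/AWS_DEFAULT_PROFILE."""
    profile = (provider_block.get("profile") or env.get("AWS_PROFILE")
               or env.get("AWS_DEFAULT_PROFILE") or "default")
    return {s: resolve(s, provider_block, env, shared_config, profile) for s in SETTINGS}


def credential_sources(provider_block, env, shared_config):
    """Audit helper: report where the access key, secret key and session token
    were resolved from. A 'provider' source for the keys means static credentials
    are sitting in the configuration, which normally lives in version control."""
    resolved = resolve_all(provider_block, env, shared_config)
    return {k: resolved[k][1] for k in ("access_key", "secret_key", "token")}


if __name__ == "__main__":
    cfg = load_shared_config(SAMPLE_CONFIG)
    for name, (value, source) in resolve_all({}, {"AWS_PROFILE": "customprofile"}, cfg).items():
        print(f"{name:24} {value!s:20} from {source}")
```

Pass `os.environ` as `env` and the contents of your own `~/.aws/config` to `load_shared_config` to see what a real run would pick up.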
Configuration for assuming an IAM role can be done using provider configuration or a named profile in shared configuration files. In the provider, all parameters for assuming an IAM role are set in the `assume_role` block.

Note that environment variables are not supported for assuming IAM roles.

See the assume role documentation for more information.
| Setting | Provider | Shared Config |
|---|---|---|
| Role ARN | `role_arn` | `role_arn` |
| Duration | `duration` | `duration_seconds` |
| External ID | `external_id` | `external_id` |
| Policy | `policy` | N/A |
| Policy ARNs | `policy_arns` | N/A |
| Session Name | `session_name` | `role_session_name` |
| Source Identity | `source_identity` | N/A |
| Tags | `tags` | N/A |
| Transitive Tag Keys | `transitive_tag_keys` | N/A |
Configuration for assuming an IAM role using web identity federation can be done using provider configuration, environment variables, or a named profile in shared configuration files. In the provider, all parameters for assuming an IAM role are set in the `assume_role_with_web_identity` block.

See the assume role documentation section on web identities for more information.
| Setting | Provider | Environment Variable | Shared Config |
|---|---|---|---|
| Role ARN | `role_arn` | `AWS_ROLE_ARN` | `role_arn` |
| Web Identity Token | `web_identity_token` | N/A | N/A |
| Web Identity Token File | `web_identity_token_file` | `AWS_WEB_IDENTITY_TOKEN_FILE` | `web_identity_token_file` |
| Duration | `duration` | N/A | `duration_seconds` |
| Policy | `policy` | N/A | `policy` |
| Policy ARNs | `policy_arns` | N/A | `policy_arns` |
| Session Name | `session_name` | `AWS_ROLE_SESSION_NAME` | `role_session_name` |
By default, the underlying AWS client used by the Terraform AWS Provider creates requests with User-Agent headers including information about Terraform and AWS SDK for Go versions. To provide additional information in the User-Agent headers, the `TF_APPEND_USER_AGENT` environment variable can be set and its value will be directly added to HTTP requests. E.g.,

```sh
% export TF_APPEND_USER_AGENT="JenkinsAgent/i-12345678 BuildID/1234 (Optional Extra Information)"
```
In addition to generic `provider` arguments (e.g., `alias` and `version`), the following arguments are supported in the AWS `provider` block:

- `access_key` - (Optional) AWS access key. Can also be set with the `AWS_ACCESS_KEY_ID` environment variable, or via a shared credentials file if `profile` is specified. See also `secret_key`.
- `allowed_account_ids` - (Optional) List of allowed AWS account IDs to prevent you from mistakenly using an incorrect one (and potentially end up destroying a live environment). Conflicts with `forbidden_account_ids`.
- `assume_role` - (Optional) Configuration block for assuming an IAM role. See the `assume_role` Configuration Block section below. Only one `assume_role` block may be in the configuration.
- `assume_role_with_web_identity` - (Optional) Configuration block for assuming an IAM role using a web identity. See the `assume_role_with_web_identity` Configuration Block section below. Only one `assume_role_with_web_identity` block may be in the configuration.
- `custom_ca_bundle` - (Optional) File containing custom root and intermediate certificates. Can also be set using the `AWS_CA_BUNDLE` environment variable. Setting `ca_bundle` in the shared config file is not supported.
- `default_tags` - (Optional) Configuration block with resource tag settings to apply across all resources handled by this provider (see the Terraform multiple provider instances documentation for more information about additional provider configurations). This is designed to replace redundant per-resource `tags` configurations. Provider tags can be overridden with new values, but not excluded from specific resources. To override provider tag values, use the `tags` argument within a resource to configure new tag values for matching keys. See the `default_tags` Configuration Block section below for example usage and available arguments. This functionality is supported in all resources that implement `tags`, with the exception of the `aws_autoscaling_group` resource.
- `ec2_metadata_service_endpoint` - (Optional) Address of the EC2 metadata service (IMDS) endpoint to use. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT` environment variable.
- `ec2_metadata_service_endpoint_mode` - (Optional) Mode to use in communicating with the metadata service. Valid values are `IPv4` and `IPv6`. Can also be set with the `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` environment variable.
- `endpoints` - (Optional) Configuration block for customizing service endpoints. See the Custom Service Endpoints Guide for more information about connecting to alternate AWS endpoints or AWS compatible solutions. See also `use_fips_endpoint`.
- `forbidden_account_ids` - (Optional) List of forbidden AWS account IDs to prevent you from mistakenly using the wrong one (and potentially end up destroying a live environment). Conflicts with `allowed_account_ids`.
- `http_proxy` - (Optional) URL of a proxy to use for HTTP requests when accessing the AWS API. Can also be set using the `HTTP_PROXY` or `http_proxy` environment variables.
- `https_proxy` - (Optional) URL of a proxy to use for HTTPS requests when accessing the AWS API. Can also be set using the `HTTPS_PROXY` or `https_proxy` environment variables. To use an HTTP proxy without an HTTPS proxy, set `https_proxy` to an empty string (`""`).
- `ignore_tags` - (Optional) Configuration block with resource tag settings to ignore across all resources handled by this provider (except any individual service tag resources such as `aws_ec2_tag`) for situations where external systems are managing certain resource tags. Arguments to the configuration block are described below in the `ignore_tags` Configuration Block section. See the Terraform multiple provider instances documentation for more information about additional provider configurations.
- `insecure` - (Optional) Whether to explicitly allow the provider to perform "insecure" SSL requests. If omitted, the default value is `false`.
- `max_retries` - (Optional) Maximum number of times an API call is retried when AWS throttles requests or you experience transient failures. The delay between the subsequent API calls increases exponentially. If omitted, the default value is `25`. Can also be set using the environment variable `AWS_MAX_ATTEMPTS` and the shared configuration parameter `max_attempts`.
- `no_proxy` - (Optional) Comma-separated list of hosts that should not use HTTP or HTTPS proxies. Each value can be one of:
  - `*`, to indicate that no proxying should be performed

  Domain name and IP address values can also include a port number. Can also be set using the `NO_PROXY` or `no_proxy` environment variables.
- `profile` - (Optional) AWS profile name as set in the shared configuration and credentials files. Can also be set using either the environment variables `AWS_PROFILE` or `AWS_DEFAULT_PROFILE`.
- `region` - (Optional) AWS Region where the provider will operate. The Region must be set. Can also be set with either the `AWS_REGION` or `AWS_DEFAULT_REGION` environment variables, or via a shared config file parameter `region` if `profile` is used. If credentials are retrieved from the EC2 Instance Metadata Service, the Region can also be retrieved from the metadata.
- `retry_mode` - (Optional) Specifies how retries are attempted. Valid values are `standard` and `adaptive`. Can also be configured using the `AWS_RETRY_MODE` environment variable or the shared config file parameter `retry_mode`.
- `s3_use_path_style` - (Optional) Whether to enable the request to use path-style addressing, i.e., `https://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client will use virtual hosted bucket addressing, `https://BUCKET.s3.amazonaws.com/KEY`, when possible. Specific to the Amazon S3 service.
- `s3_us_east_1_regional_endpoint` - (Optional) Specifies whether S3 API calls in the `us-east-1` Region use the legacy global endpoint or a regional endpoint. Valid values are `legacy` or `regional`. If omitted, the default behavior in the `us-east-1` Region is to use the global endpoint for general purpose buckets and the regional endpoint for directory buckets. Can also be configured using the `AWS_S3_US_EAST_1_REGIONAL_ENDPOINT` environment variable or the `s3_us_east_1_regional_endpoint` shared config file parameter. Specific to the Amazon S3 service.
- `secret_key` - (Optional) AWS secret key. Can also be set with the `AWS_SECRET_ACCESS_KEY` environment variable, or via a shared configuration and credentials files if `profile` is used. See also `access_key`.
- `shared_config_files` - (Optional) List of paths to AWS shared config files. If not set, the default is `[~/.aws/config]`. A single value can also be set with the `AWS_CONFIG_FILE` environment variable.
- `shared_credentials_files` - (Optional) List of paths to the shared credentials file. If not set and a profile is used, the default value is `[~/.aws/credentials]`. A single value can also be set with the `AWS_SHARED_CREDENTIALS_FILE` environment variable.
- `skip_credentials_validation` - (Optional) Whether to skip credentials validation via the STS API. This can be useful for testing and for AWS API implementations that do not have STS available.
- `skip_metadata_api_check` - (Optional) Whether to skip the AWS Metadata API check. Useful for AWS API implementations that do not have a metadata API endpoint. Setting to `true` prevents Terraform from authenticating via the Metadata API. You may need to use other authentication methods like static credentials, configuration variables, or environment variables.
- `skip_region_validation` - (Optional) Whether to skip validating the Region. Useful for AWS-like implementations that use their own Region names or to bypass the validation for Regions that aren't publicly available yet.
- `skip_requesting_account_id` - (Optional) Whether to skip requesting the account ID. Useful for AWS API implementations that do not have the IAM, STS API, or metadata API. When set to `true` and not determined previously, returns an empty account ID when manually constructing ARN attributes with the following:
  - `aws_api_gateway_deployment` resource
  - `aws_api_gateway_rest_api` resource
  - `aws_api_gateway_stage` resource
  - `aws_apigatewayv2_api` data source
  - `aws_apigatewayv2_api` resource
  - `aws_apigatewayv2_stage` resource
  - `aws_appconfig_application` resource
  - `aws_appconfig_configuration_profile` resource
  - `aws_appconfig_deployment` resource
  - `aws_appconfig_deployment_strategy` resource
  - `aws_appconfig_environment` resource
  - `aws_appconfig_hosted_configuration_version` resource
  - `aws_athena_workgroup` resource
  - `aws_budgets_budget` resource
  - `aws_codedeploy_app` resource
  - `aws_codedeploy_deployment_group` resource
  - `aws_cognito_identity_pool` resource
  - `aws_cognito_user_pools` data source
  - `aws_default_vpc_dhcp_options`
  - `aws_dms_event_subscription` resource
  - `aws_dms_replication_subnet_group` resource
  - `aws_dx_connection` resource
  - `aws_dx_hosted_private_virtual_interface_accepter` resource
  - `aws_dx_hosted_private_virtual_interface` resource
  - `aws_dx_hosted_public_virtual_interface_accepter` resource
  - `aws_dx_hosted_public_virtual_interface` resource
  - `aws_dx_hosted_transit_virtual_interface_accepter` resource
  - `aws_dx_hosted_transit_virtual_interface` resource
  - `aws_dx_lag` resource
  - `aws_dx_private_virtual_interface` resource
  - `aws_dx_public_virtual_interface` resource
  - `aws_dx_transit_virtual_interface` resource
  - `aws_ebs_volume` data source
  - `aws_ec2_client_vpn_endpoint` resource
  - `aws_ec2_traffic_mirror_filter` resource
  - `aws_ec2_traffic_mirror_filter_rule` resource
  - `aws_ec2_traffic_mirror_session` resource
  - `aws_ec2_traffic_mirror_target` resource
  - `aws_ec2_transit_gateway_route_table` data source
  - `aws_ec2_transit_gateway_route_table` resource
  - `aws_ecs_capacity_provider` resource (import)
  - `aws_ecs_cluster` resource (import)
  - `aws_ecs_service` resource (import)
  - `aws_customer_gateway` data source
  - `aws_customer_gateway` resource
  - `aws_efs_access_point` data source
  - `aws_efs_access_point` resource
  - `aws_efs_file_system` data source
  - `aws_efs_file_system` resource
  - `aws_efs_mount_target` data source
  - `aws_efs_mount_target` resource
  - `aws_elasticache_cluster` data source
  - `aws_elasticache_cluster` resource
  - `aws_elb` data source
  - `aws_elb` resource
  - `aws_finspace_kx_dataview` resource
  - `aws_flow_log` resource
  - `aws_glue_catalog_database` resource
  - `aws_glue_catalog_table` resource
  - `aws_glue_connection` resource
  - `aws_glue_crawler` resource
  - `aws_glue_job` resource
  - `aws_glue_ml_transform` resource
  - `aws_glue_trigger` resource
  - `aws_glue_user_defined_function` resource
  - `aws_glue_workflow` resource
  - `aws_guardduty_detector` resource
  - `aws_guardduty_ipset` resource
  - `aws_guardduty_threatintelset` resource
  - `aws_instance` data source
  - `aws_instance` resource
  - `aws_key_pair` resource
  - `aws_launch_template` data source
  - `aws_launch_template` resource
  - `aws_placement_group` resource
  - `aws_redshift_cluster` resource
  - `aws_redshift_event_subscription` resource
  - `aws_redshift_parameter_group` resource
  - `aws_redshift_snapshot_copy_grant` resource
  - `aws_redshift_snapshot_schedule` resource
  - `aws_redshift_subnet_group` resource
  - `aws_s3_account_public_access_block` resource
  - `aws_ses_active_receipt_rule_set` resource
  - `aws_ses_configuration_set` resource
  - `aws_ses_domain_identity_verification` resource
  - `aws_ses_domain_identity` resource
  - `aws_ses_email_identity` resource
  - `aws_ses_event_destination` resource
  - `aws_ses_receipt_filter` resource
  - `aws_ses_receipt_rule` resource
  - `aws_ses_template` resource
  - `aws_ssm_document` data source
  - `aws_ssm_document` resource
  - `aws_ssm_parameter` data source
  - `aws_ssm_parameter` resource
  - `aws_synthetics_canary` resource
  - `aws_vpc_endpoint_service` data source
  - `aws_vpc_endpoint_service` resource
  - `aws_vpn_connection` resource
  - `aws_vpn_gateway` data source
  - `aws_vpn_gateway` resource
  - `aws_waf_geo_match_set` resource
  - `aws_waf_ipset` resource
  - `aws_waf_rate_based_rule` resource
  - `aws_waf_regex_match_set` resource
  - `aws_waf_regex_pattern_set` resource
  - `aws_wafregional_ipset` resource
  - `aws_wafregional_rate_based_rule` resource
  - `aws_wafregional_rule` resource
  - `aws_wafregional_rule_group` resource
  - `aws_wafregional_web_acl` resource
  - `aws_waf_rule` resource
  - `aws_waf_rule_group` resource
  - `aws_waf_size_constraint_set` resource
  - `aws_waf_web_acl` resource
  - `aws_waf_xss_match_set` resource
- `sts_region` - (Optional) AWS Region for STS. If unset, AWS will use the same Region for STS as other non-STS operations.
- `token` - (Optional) Session token for validating temporary credentials. Typically provided after successful identity federation or Multi-Factor Authentication (MFA) login. With MFA login, this is the session token provided afterward, not the 6 digit MFA code used to get temporary credentials. Can also be set with the `AWS_SESSION_TOKEN` environment variable.
- `token_bucket_rate_limiter_capacity` - (Optional) The capacity of the AWS SDK's token bucket retry rate limiter. If no value is specified then client-side rate limiting is disabled. If a value is specified there is a greater likelihood of `retry quota exceeded` errors being raised.
- `use_dualstack_endpoint` - (Optional) Force the provider to resolve endpoints with DualStack capability. Can also be set with the `AWS_USE_DUALSTACK_ENDPOINT` environment variable or in a shared config file (`use_dualstack_endpoint`).
- `use_fips_endpoint` - (Optional) Force the provider to resolve endpoints with FIPS capability. Can also be set with the `AWS_USE_FIPS_ENDPOINT` environment variable or in a shared config file (`use_fips_endpoint`).

The `assume_role` configuration block supports the following arguments:

- `duration` - (Optional) Duration of the assume role session. You can provide a value from 15 minutes up to the maximum session duration setting for the role. Represented by a string such as `1h`, `2h45m`, or `30m15s`.
- `external_id` - (Optional) External identifier to use when assuming the role.
- `policy` - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
- `policy_arns` - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
- `role_arn` - (Required) ARN of the IAM Role to assume.
- `session_name` - (Optional) Session name to use when assuming the role.
- `source_identity` - (Optional) Source identity specified by the principal assuming the role.
- `tags` - (Optional) Map of assume role session tags.
- `transitive_tag_keys` - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.

The `assume_role_with_web_identity` configuration block supports the following arguments:

- `duration` - (Optional) Duration of the assume role session. You can provide a value from 15 minutes up to the maximum session duration setting for the role. Represented by a string such as `1h`, `2h45m`, or `30m15s`.
- `policy` - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
- `policy_arns` - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
- `role_arn` - (Required) ARN of the IAM Role to assume. Can also be set with the `AWS_ROLE_ARN` environment variable.
- `session_name` - (Optional) Session name to use when assuming the role. Can also be set with the `AWS_ROLE_SESSION_NAME` environment variable.
- `web_identity_token` - (Optional) Value of a web identity token from an OpenID Connect (OIDC) or OAuth provider. One of `web_identity_token` or `web_identity_token_file` is required.
- `web_identity_token_file` - (Optional) File containing a web identity token from an OpenID Connect (OIDC) or OAuth provider. One of `web_identity_token_file` or `web_identity_token` is required. Can also be set with the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable.

Hands-on: Try the Configure Default Tags for AWS Resources tutorial.
Example: Resource with provider default tags

```terraform
provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}
```

Outputs:

```shell
$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Test"
  "Name" = "Provider Tag"
})
```

Example: Resource with tags and provider default tags

```terraform
provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
  tags = {
    Owner = "example"
  }
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}
```

Outputs:

```shell
$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Test"
  "Name" = "Provider Tag"
  "Owner" = "example"
})
vpc_resource_level_tags = tomap({
  "Owner" = "example"
})
```

Example: Resource overriding provider default tags

```terraform
provider "aws" {
  default_tags {
    tags = {
      Environment = "Test"
      Name        = "Provider Tag"
    }
  }
}

resource "aws_vpc" "example" {
  # ..other configuration...
  tags = {
    Environment = "Production"
  }
}

output "vpc_resource_level_tags" {
  value = aws_vpc.example.tags
}

output "vpc_all_tags" {
  value = aws_vpc.example.tags_all
}
```

Outputs:

```shell
$ terraform apply
...
Outputs:

vpc_all_tags = tomap({
  "Environment" = "Production"
  "Name" = "Provider Tag"
})
vpc_resource_level_tags = tomap({
  "Environment" = "Production"
})
```
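The three examples above show the merge rule for `default_tags` one case at a time. The following added example (written for this page, not the provider's code) models that rule as a function and checks it against the three outputs, then goes one step further than the examples: it applies the `ignore_tags` semantics described in the argument reference (exact `keys` and `key_prefixes` dropped from returned tag attributes, and a perpetual diff for ignored keys still written in a resource's `tags` argument) and shows how ignoring a prefix suppresses drift caused by an external system tagging the same object. The function names and the constructed remote-tag sets are this example's own.

```python
"""Model of default_tags / tags / tags_all merging and ignore_tags filtering.

Added example; not the Terraform AWS provider's implementation. The merge rule
follows the three examples above; the ignore rules follow the argument
reference's description of `keys` and `key_prefixes`.
"""


def tags_all(default_tags, resource_tags):
    """tags_all = provider defaults overridden key by key by the resource's own tags."""
    merged = dict(default_tags)
    merged.update(resource_tags or {})
    return merged


def _is_ignored(key, ignore_keys, ignore_prefixes):
    return key in ignore_keys or any(key.startswith(p) for p in ignore_prefixes)


def apply_ignore_tags(tags, ignore_keys=(), ignore_prefixes=()):
    """Drop ignored keys from a tags attribute, as the provider does when returning it."""
    return {k: v for k, v in tags.items() if not _is_ignored(k, ignore_keys, ignore_prefixes)}


def plan_tags(default_tags, resource_tags, ignore_keys=(), ignore_prefixes=()):
    """Return (tags, tags_all, perpetual_diff_keys).

    perpetual_diff_keys are keys the resource still sets in its `tags` argument
    even though the provider ignores them; the reference says such a key shows a
    difference on every plan until it is removed or covered by ignore_changes.
    """
    resource_tags = resource_tags or {}
    perpetual = sorted(k for k in resource_tags if _is_ignored(k, ignore_keys, ignore_prefixes))
    return (
        apply_ignore_tags(resource_tags, ignore_keys, ignore_prefixes),
        apply_ignore_tags(tags_all(default_tags, resource_tags), ignore_keys, ignore_prefixes),
        perpetual,
    )


def detect_drift(default_tags, resource_tags, remote_tags, ignore_keys=(), ignore_prefixes=()):
    """Keys whose value differs between what Terraform wants (tags_all) and what is
    currently on the remote object, after both sides have ignored keys removed.
    An empty list means the next plan would show no tag change."""
    desired = apply_ignore_tags(tags_all(default_tags, resource_tags), ignore_keys, ignore_prefixes)
    actual = apply_ignore_tags(remote_tags, ignore_keys, ignore_prefixes)
    return sorted(k for k in set(desired) | set(actual) if desired.get(k) != actual.get(k))


# Provider defaults used by all three examples above.
PROVIDER_DEFAULTS = {"Environment": "Test", "Name": "Provider Tag"}

# Constructed: what the API reports after an external controller added its own tag.
REMOTE_WITH_EXTERNAL_TAG = {
    "Environment": "Test",
    "Name": "Provider Tag",
    "Owner": "example",
    "kubernetes.io/cluster/demo": "owned",
}


def demo():
    """Reproduce the page's three cases plus the external-tag drift case."""
    return {
        "defaults_only": plan_tags(PROVIDER_DEFAULTS, None),
        "with_resource_tags": plan_tags(PROVIDER_DEFAULTS, {"Owner": "example"}),
        "override": plan_tags(PROVIDER_DEFAULTS, {"Environment": "Production"}),
        "drift_no_ignore": detect_drift(PROVIDER_DEFAULTS, {"Owner": "example"}, REMOTE_WITH_EXTERNAL_TAG),
        "drift_with_prefix": detect_drift(PROVIDER_DEFAULTS, {"Owner": "example"}, REMOTE_WITH_EXTERNAL_TAG,
                                          ignore_prefixes=("kubernetes.io/",)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```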
The `default_tags` configuration block supports the following argument:

- `tags` - (Optional) Key-value map of tags to apply to all resources.

Example:

```terraform
provider "aws" {
  ignore_tags {
    keys = ["TagKey1"]
  }
}
```

The `ignore_tags` configuration block supports the following arguments:

- `keys` - (Optional) List of exact resource tag keys to ignore across all resources handled by this provider. This configuration prevents Terraform from returning the tag in any `tags` attributes and displaying any configuration difference for the tag value. If any resource configuration still has this tag key configured in the `tags` argument, it will display a perpetual difference until the tag is removed from the argument or `ignore_changes` is also used.
- `key_prefixes` - (Optional) List of resource tag key prefixes to ignore across all resources handled by this provider. This configuration prevents Terraform from returning any tag key matching the prefixes in any `tags` attributes and displaying any configuration difference for those tag values. If any resource configuration still has a tag matching one of the prefixes configured in the `tags` argument, it will display a perpetual difference until the tag is removed from the argument or `ignore_changes` is also used.

If you use either `allowed_account_ids` or `forbidden_account_ids`, Terraform uses several approaches to get the actual account ID in order to compare it with allowed or forbidden IDs.

Approaches differ per authentication providers:

`0.6.16`.

- `iam:GetUser` - Typically useful for IAM Users. It also means that each user needs to be privileged to call `iam:GetUser` for themselves.
- `sts:GetCallerIdentity` - _Should_ work for both IAM Users and federated IAM Roles, introduced in Terraform `0.6.16`.
- `iam:ListRoles` - This is specifically useful for IdP-federated profiles which cannot use `iam:GetUser`. It also means that each federated user needs to be _assuming_ an IAM role which allows `iam:ListRoles`. Used in Terraform `0.6.16+`.

There used to be no better way to get the account ID out of the API when using the federated account until `sts:GetCallerIdentity` was introduced.