Although aws-sdk-go-v2 was released a long time ago, historically until
now tfmigrate has used v1 as well as the old Terraform.
aws-sdk-go and aws-sdk-go-v2 have different priorities for loading
credentials. Specifically, aws-sdk-go v1 prioritizes reading environment
variables over profiles. This is a problem when switching between
multiple accounts in profile while OIDC authenticating to AWS from
GitHub Actions.
Up to Terraform v1.5, aws-sdk-go v1 was used for s3 backend
authentication via hashicorp/aws-sdk-go-base, but in Terraform / OpenTofu
v1.6 and later, aws-sdk-go-v2 is used.
Up to tfmigrate v0.3, we have been using aws-sdk-go v1 via
hashicorp/aws-sdk-go-base for history s3 storage authentication, but
will be using aws-sdk-go-v2 after the next tfmigrate v0.4. This is a
breaking change, but the goal is to align with the behavior of
Terraform / OpenTofu v1.6 and later, so if you are affected, please
adjust your AWS authentication settings.
At the time of this writing, v2 of hashicorp/aws-sdk-go-base, which uses
aws-sdk-go-v2, is still beta, but it is already used in the stable
releases of Terraform and OpenTofu. Since there are multiple beta
versions of hashicorp/aws-sdk-go-base and slightly different versions in
use, the results of my investigation are shown below.
- tfmigrate v0.3.24: v1.1.0
- terraform v1.5.7: v0.7.1
- terraform v1.6.0: v2.0.0-beta.35
- terraform v1.7.0: v2.0.0-beta.43
- terraform v1.8.0: v2.0.0-beta.45
- terraform v1.9.8 (latest): v2.0.0-beta.45
- opentofu v1.6.0: v2.0.0-beta.43
- opentofu v1.8.5 (latest): v2.0.0-beta.43
- terraform-provider-aws v3.76.1: v1.0.0
- terraform-provider-aws v4.0.0: v2.0.0-beta.5
- terraform-provider-aws v5.0.0: v2.0.0-beta.27
- terraform-provider-aws v5.29.0: v2.0.0-beta.43
- terraform-provider-aws v5.31.0: v2.0.0-beta.45
- terraform-provider-aws v5.74.0 (latest): v2.0.0-beta.59
As a special note, use_legacy_workflow has been removed in terraform
v1.8.0 and opentofu v1.8.0, but UseLegacyWorkflow has been removed in
aws-sdk-go-base in v2.0.0-beta.49.
Considering the above, I think v2.0.0-beta.43 or v2.0.0-beta.45 would be
reasonable. At this point, I don't see any strong reason to go with
v2.0.0-beta.45, so I'm going to go with v2.0.0-beta.43 to align with
opentofu.
The s3 history storage implementation was rewritten with the
aws-sdk-go-v2 migration guide.
https://aws.github.io/aws-sdk-go-v2/docs/migrating/
As a tfmigrate user, there are no breaking changes at the configuration
file level, but it should be noted that, as mentioned above, AWS
credentials have a higher priority in profile than in environment
variables. Also, as a side effect, the path to the file that sets the
AWS profile is ~/.aws/config by default, but it can now be specified
with the environment variable AWS_CONFIG_FILE.
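
A preflight check for the precedence change described in the commit message above, added here as an example; it is not part of tfmigrate. It assumes static credentials arrive through AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY and that the profile name passed in is the one your configuration references; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not tfmigrate code. The precedence statements in the messages
# below are taken from the commit message; function names are hypothetical.

# profile_in_config FILE NAME: succeed if FILE defines [default] or [profile NAME].
profile_in_config() {
    [ -r "$1" ] || return 1
    awk -v want="$2" '
        /^[ \t]*\[.*\][ \t]*$/ {
            s = $0
            gsub(/^[ \t]*\[[ \t]*|[ \t]*\][ \t]*$/, "", s)
            if (s == "default") { name = "default" }
            else if (s ~ /^profile[ \t]+/) { name = s; sub(/^profile[ \t]+/, "", name) }
            else { next }   # e.g. [sso-session ...] is not a profile
            if (name == want) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# credential_sources PROFILE: print none | env-only | profile-only | conflict.
credential_sources() {
    cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}
    have_env=0
    have_profile=0
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        have_env=1
    fi
    if [ -n "${1:-}" ] && profile_in_config "$cfg" "$1"; then
        have_profile=1
    fi
    case "$have_env$have_profile" in
        11) echo conflict ;;
        10) echo env-only ;;
        01) echo profile-only ;;
        *)  echo none ;;
    esac
}

# preflight PROFILE: return 1 when both sources are present, since the commit
# message says the old and new SDK generations pick different ones.
preflight() {
    state=$(credential_sources "${1:-}")
    if [ "$state" = conflict ]; then
        echo "conflict: env credentials and profile '$1' are both present;" >&2
        echo "  tfmigrate <= v0.3 uses the environment, v0.4 uses the profile" >&2
        return 1
    fi
    echo "ok: $state"
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it as a CI step before tfmigrate with the profile name as the only argument; a non-zero exit means the job carries both credential sources and should drop one.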