Terraform-provider-aws: AWS provider should use default region set in ~/.aws/config/

Created on 13 Jun 2017  ·  6 Comments  ·  Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @BGnoinski as hashicorp/terraform#13579. It was migrated here as part of the provider split. The original body of the issue is below._


Terraform Version

terraform -v
Terraform v0.9.2

Affected Resource(s)

Please list the resources as a list, for example:

  • provider "aws"

Terraform Configuration Files

provider "aws" {}

resource "aws_vpc" "vpc" {
  cidr_block = "10.20.0.0/16"
}

Expected Behavior

If you have
[default]
region=ca-central-1
set in ~/.aws/config, the provider "aws" should use it if none is set in the Terraform config.

Actual Behavior

provider "aws" uses aws_access_key_id= and aws_secret_access_key= from ~/.aws/credentials but ignores ~/.aws/config.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan
terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

Important Factoids

provider "aws" will respect environment variable AWS_DEFAULT_REGION= if set

AWS_DEFAULT_REGION=ca-central-1 terraform plan

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

+ aws_vpc.vpc
    assign_generated_ipv6_cidr_block: "false"
    cidr_block:                       "10.20.0.0/16"
    default_network_acl_id:           "<computed>"
    default_route_table_id:           "<computed>"
    default_security_group_id:        "<computed>"
    dhcp_options_id:                  "<computed>"
    enable_classiclink:               "<computed>"
    enable_dns_hostnames:             "<computed>"
    enable_dns_support:               "true"
    instance_tenancy:                 "<computed>"
    ipv6_association_id:              "<computed>"
    ipv6_cidr_block:                  "<computed>"
    main_route_table_id:              "<computed>"


Plan: 1 to add, 0 to change, 0 to destroy.

Labels: enhancement, provider
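
A workaround built on the behaviour reported above, as an added example that is not part of the original issue or of the provider's code: because the provider honours AWS_DEFAULT_REGION but not ~/.aws/config, this POSIX shell helper reads the profile's region from the config file and exports it, and fails when no region is configured. The function names and the sample config are constructed for illustration; it assumes the AWS CLI convention of "[default]" and "[profile NAME]" section headers.

```shell
#!/bin/sh
# Added example, not from the issue thread: copy the region from an AWS config
# file into AWS_DEFAULT_REGION, which the issue shows the provider reads.

# aws_config_region FILE [PROFILE] -> prints the profile's region or returns 1.
# ~/.aws/config names profiles "[default]" and "[profile NAME]".
aws_config_region() {
    cfg=$1
    section=${2:-default}
    [ "$section" = "default" ] || section="profile $section"
    [ -r "$cfg" ] || return 1
    awk -v want="$section" '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            in_section = (name == want)
            next
        }
        in_section && /^[ \t]*region[ \t]*=/ {  # "region=x" or "region = x"
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t\r]+$/, "", value)
            if (value != "") { print value; found = 1; exit }
        }
        END { exit !found }
    ' "$cfg"
}

# export_region_for_terraform [FILE] [PROFILE]
# Keeps an AWS_DEFAULT_REGION that is already set; otherwise fills it from the
# config file and fails rather than leave Terraform to prompt (default us-east-1).
export_region_for_terraform() {
    [ -z "${AWS_DEFAULT_REGION:-}" ] || return 0
    region=$(aws_config_region "${1:-$HOME/.aws/config}" \
                               "${2:-${AWS_PROFILE:-default}}") || {
        echo "no region for this profile in the config file" >&2
        return 1
    }
    AWS_DEFAULT_REGION=$region
    export AWS_DEFAULT_REGION
}

# Constructed sample config, used to exercise the functions offline.
sample_config() {
    printf '%s\n' '[default]' 'region=ca-central-1' '' \
                  '[profile staging]' 'output = json' 'region = eu-west-1'
}
```

Source the file and call export_region_for_terraform in the same shell before running terraform plan; a non-zero return means the region has to be set explicitly.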

All 6 comments

I'm wondering why this is marked as an enhancement? Perhaps this isn't the exact issue that I'm looking for a solution to.

https://www.terraform.io/docs/providers/aws/index.html#region

I'm looking for a solution where the region is set when the region is defined in the shared credentials file under the defined profile.

Either this should be relabeled as a bug, or the documentation needs to be updated to indicate the implemented functionality. Documentation states shared credentials can be used to determine the default region:

region - (Required) This is the AWS region. It must be provided, but it can also be sourced from the AWS_DEFAULT_REGION environment variables, or via a shared credentials file if profile is specified.

Unfortunately, the region config is actually ignored.

The documentation here probably could use some revamping to very clearly define the various pieces and ordering that go into authentication and region selection since both are pretty complex topics.

I believe there is a distinction between what AWS refers to as "shared credentials" (~/.aws/credentials) and "configuration" (~/.aws/config). Configuring the AWS SDK for Go documentation does specifically state this under "Specifying the AWS Region":

  • Set the AWS_SDK_LOAD_CONFIG environment variable to true to get the region value from the config file in the .aws/ folder in your home directory

Does setting the AWS_SDK_LOAD_CONFIG=true environment variable work in your scenario? It seems like we should explicitly call this out in our documentation or potentially automatically turn it on.

@bflad, here's a recent test from cmd:

C:\Some\folder>echo %AWS_SDK_LOAD_CONFIG%
true

C:\Some\folder>terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value:

It appears as though the environment variable is ignored by the provider.

I'm guessing this provider definition code rules out the possibility of defaulting to the region configured in the SDK. It's a required field.

https://github.com/terraform-providers/terraform-provider-aws/blob/585897663c3f508c2d7a256aaa6798f1fa634698/aws/provider.go#L60-L69
