How to make provider assume_role block conditional

Question

I have a provider block which I want to give an assume_role property but only if it is not running on my local machine.

I have defined a variable islocal in all the environment .tfvars files, with only the local file having the value true.

This is the provider block:

provider "aws" {
    region = var.region1
    profile = var.islocal == true ? "default" : null # ONLY USED LOCALLY
    
    assume_role {       # NOT TO BE USED LOCALLY
        role_arn = var.terraform_execution_role
    }
}

Questions:

If I set the role_arn property to null does this make the assume_role block ineffective? (ie: the same as not being there)
If the assume_role block does have an impact, even when the role_arn value is null, how can I completely remove it when var.islocal is true?

I have considered a dynamic block but I'm not sure how to structure it.

Not sure about the first question - the second one could be achieved with a `dynamic` block. — luk2302, Mar 04 '21 at 10:39

score 5 · Accepted Answer · answered Mar 04 '21 at 10:42

You can use dynamic blocks in your provider:

provider "aws" {
    region = var.region1
    profile = var.islocal == true ? "default" : null # ONLY USED LOCALLY
    
  dynamic "assume_role" {    
    for_each = var.islocal == true ? [] : [1]  
    content {      
        role_arn = var.terraform_execution_role
    }  
  }
}

How to make provider assume_role block conditional

1 Answers1

Linked