Skip to main content
← Back to index page


Possibly breaking change:

In this update, account-map/modules/iam-roles acquired a provider, making it no longer able to be used with count. If you have code like

module "optional_role" {
count = local.optional_role_enabled ? 1 : 0

source = "../account-map/modules/iam-roles"
stage = var.optional_role_stage
context = module.this.context

You will need to rewrite it, removing the count parameter. It will be fine to always instantiate the module. If there are problems with ensuring appropriate settings with the module is disabled, you can always replace them with the component's inputs:

module "optional_role" {
source = "../account-map/modules/iam-roles"
stage = local.optional_role_enabled ? var.optional_role_stage : var.stage
context = module.this.context

The update to components 1.227.0 is huge, and you have options.

  • Enable, or not, dynamic Terraform IAM roles, which allow you to give some people (and Spacelift) the ability to run Terraform plan in some accounts without allowing apply. Note that these users will still have read/write access to Terraform state, but will not have IAM permissions to make changes in accounts. terraform_dynamic_role_enabled
  • Update to new aws-teams team names. The new names are (except for support) distinct from team-roles, making it easier to keep track. Also, the new managers team can run Terraform for identity and root in most (but not all) cases.
  • Update to new aws-team-roles, including new permissions. The custom policies that have been removed are replaced in the aws-team-roles configuration with AWS managed policy ARNs. This is required to add the planner role and support the terraform plan restriction.
  • Update the for all components. Or some of them now, some later. Most components do not require updates, but all of them have updates. The new, when used with dynamic Terraform roles, allows users directly logged into target accounts (rather than having roles in the identity account) to use Terraform in that account, and also allows SuperAdmin to run Terraform in more cases (almost everywhere).

If you do not want any new features, you only need to update account-map to v1.235 or later, to be compatible with future components. Note that when updating account-map this way, you should update the code everywhere (all open PRs and branches) before applying the Terraform changes, because the applied changes break the old code.

If you want all the new features, we recommend updating all of the following to the current release in 1 PR:

  • account-map
  • aws-teams
  • aws-team-roles
  • tfstate-backend
Enable `terraform plan` access via dynamic Terraform roles

Reviewers, please note:

The PR changes a lot of files. In particular, the and therefore the for nearly every component. Therefore it will likely be easier to review this PR one commit at a time.

import_role_arn and import_profile_name have been removed as they are no longer needed. Current versions of Terraform (probably beginning with v1.1.0, but maybe as late as 1.3.0, I have not found authoritative information) can read data sources during plan and so no longer need a role to be explicitly specified while importing. Feel free to perform your own tests to make yourself more comfortable that this is correct.


  • Updates to allow Terraform to dynamically assume a role based on the user, to allow some users to run terraform plan but not terraform apply
    • Deploy standard to all components that need an aws provider
    • Move extra provider configurations to separate file, so that can remain consistent/identical among components and thus be easily updated
    • Create to provide consistent, maintainable implementation
  • Make aws-sso vendor safe
  • Deprecate sso module in favor of aws-saml


  • Allow users to try new code or updated configurations by running terraform plan without giving them permission to make changes with Terraform
  • Make it easier for people directly logged into target accounts to still run Terraform
  • Follow-up to , which updated aws-teams and aws-team-roles, to make aws-sso consistent
  • Reduce confusion by moving deprecated code to deprecated/


Pull Requests