Reputation: 29
Cheers, I'm trying to figure out how I can define providers with role definitions explicitly when using external providers, as I believe this gives me errors when I try to make one role assume another, and specifically for modules I get errors. When I use an SSO role which has the correct permissions in the same account where I try to execute terraform, it works. Basically, the goal is to make super platform roles that can apply to a broad range of environments.
Initial errors for modules, when using a role that does not have direct permissions and is dependent on assumption. (The assumable role has Administrator in the env to apply.)
staticAssets_foundations_dev │ Error: reading S3 Bucket (di-static-assets-dev-***): operation error S3: HeadBucket, https response error StatusCode: 403, RequestID: 0XWPD9AT06B2P7RS, HostID: eC6Qs4f8EjPo6QWCzloe9qdqyh+8nBu3dY9BHhgIL4MyZQ8ClD6Ta6qKRzyS0rSG2DH7SR0X8js=, api error Forbidden: Forbidden
│
│ with aws_s3_bucket.cloudfrontS3_cloudfrontS3Bucket_DB901A19 (cloudfrontS3/cloudfrontS3Bucket),
│ on cdk.tf.json line 325, in resource.aws_s3_bucket.cloudfrontS3_cloudfrontS3Bucket_DB901A19 (cloudfrontS3/cloudfrontS3Bucket):
│ 325: }
│
╵
staticAssets_foundations_dev ╷
│ Error: reading Amazon CloudFront Origin Access Identity (EC5UYRVYS0TS8): AccessDenied: Access Denied.
│ status code: 403, request id: 5dcbf0bd-1e6e-4174-9d27-3b2ab52006ee
│
│ with module.cloudfrontS3_407A5D96.aws_cloudfront_origin_access_identity.this["s3_bucket_one"],
│ on .terraform/modules/cloudfrontS3_407A5D96/main.tf line 6, in resource "aws_cloudfront_origin_access_identity" "this":
│ 6: resource "aws_cloudfront_origin_access_identity" "this" {
│
No errors when using a role that both has the permission directly and is allowed to assume the same role (an env-specific SSO role). I wonder if I might need to pass the providers specifically to the module (cloudfront). But if so, I don't understand how.
import { Construct } from "constructs";
import { TerraformOutput } from "cdktf";
import { TerraformProvider } from "cdktf/lib/terraform-provider";
import { AwsProvider } from "@cdktf/provider-aws/lib/provider";
import { S3Bucket } from "@cdktf/provider-aws/lib/s3-bucket";
import { S3BucketPolicy } from "@cdktf/provider-aws/lib/s3-bucket-policy";
import { AcmCertificate } from "@cdktf/provider-aws/lib/acm-certificate";
// Cloudfront (the generated module class) and CloudfrontS3Props are defined
// elsewhere in the library; their import paths are not shown in the post.
// ----
export class CloudfrontS3Construct extends Construct {
  public distribution: Cloudfront;
  public certificate: AcmCertificate;

  constructor(scope: Construct, name: string, props: CloudfrontS3Props) {
    super(scope, name);

    // Second provider for us-east-1 (ACM certificates used by CloudFront
    // must live there); meant to assume a cross-account role.
    const usEastProvider = new AwsProvider(this, "usEastProvider", {
      region: "us-east-1",
      roleToAssume: "some-fancy-role",
    });

    const cloudfrontS3Bucket = new S3Bucket(this, "cloudfrontS3Bucket", {
      bucket: props.s3OverrideName ?? `di-${props.tags.Application}-${props.env}-${props.accountNumber}`,
      tags: props.tags,
    });

    let domainName = props.hostedZoneName;
    if (props.recordName !== props.hostedZoneName) {
      domainName = `${props.recordName}.${props.hostedZoneName}`;
    }

    this.certificate = new AcmCertificate(this, "certificate", {
      domainName: domainName,
      validationMethod: "DNS",
      tags: props.tags,
      //provider: usEastProvider,
      subjectAlternativeNames: [domainName],
    });

    const CLOUDFRONT_ORGIN_ACCESS_COMMENT = "Terraform managed origin s3 bucket";

    this.distribution = new Cloudfront(this, name, {
      providers: [
        usEastProvider as TerraformProvider, // Where the error shows up.
      ],
      // ... remaining module inputs not shown in the post
    });
  }
}
Gives an error when trying to define the provider:
Type 'TerraformProvider' is not assignable to type 'TerraformProvider | TerraformModuleProvider'. Type 'import("/Users//di-cdktf-ts-lib/src/node_modules/cdktf/lib/terraform-provider").TerraformProvider' is not assignable to type 'import("/Users//git/com.github/**/di-cdktf-ts-lib/node_modules/cdktf/lib/terraform-provider").TerraformProvider'. Property 'synthesizeAttributes' is protected but type 'TerraformProvider' is not a class derived from 'TerraformProvider'.ts(2322)
Deploying the cloudfront module with terraform using a role in another account, using assume role logic in the module. What happens is that I get denial errors, when the assumable role should have all accesses. I have tried adding the provider explicitly for modules, but I don't understand how to do that in CDKTF.
Upvotes: 0
Views: 125
Reputation: 29
Found the issue. What we did by mistake was get rid of the default terraform aws provider by introducing the "alias" field in the default provider, because we had the need to specify aliases programmatically. This made only the SSO context the valid "provider". An important documentation piece in terraform:
Default Provider Configurations
A provider block without an alias argument is the default configuration for that provider. Resources that don't set the provider meta-argument will use the default provider configuration that matches the first word of the resource type name. (For example, an aws_instance resource uses the default aws provider configuration unless otherwise stated.)
If every explicit configuration of a provider has an alias, Terraform uses the implied empty configuration as that provider's default configuration. (If the provider has any required configuration arguments, Terraform will raise an error when resources default to the empty configuration.)
Upvotes: 0
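As an added illustration, not the poster's code, and written as HCL (what cdk.tf.json synthesizes to) rather than CDKTF: this is the provider layout the answer describes, with one un-aliased default aws provider that assumes the platform role, an aliased us-east-1 copy for ACM/CloudFront, and the module handed the aliased provider explicitly. The role ARN, region, domain name, module path and its origin_bucket input are assumptions.

```hcl
# Mistake from the post: if EVERY aws provider block carries an alias
# (e.g. alias = "platform" on the only block), the default configuration
# is the implied empty one, so any resource or module that does not name a
# provider runs with the ambient SSO credentials, not the assumed role.

locals {
  # Assumed placeholder for the cross-account role the SSO session may assume.
  platform_role_arn = "arn:aws:iam::111111111111:role/PLACEHOLDER-platform-role"
}

# Default configuration: no alias. Every aws_* resource and every module
# not given an explicit provider uses this one, so they assume the role.
provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn     = local.platform_role_arn
    session_name = "terraform-platform"
  }
}

# Aliased configuration for ACM/CloudFront, which must be in us-east-1:
# same assumed role, different region.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
  assume_role {
    role_arn     = local.platform_role_arn
    session_name = "terraform-platform"
  }
}

resource "aws_s3_bucket" "static_assets" {
  bucket = "di-static-assets-dev-PLACEHOLDER" # default provider, no meta-arg
}

resource "aws_acm_certificate" "cdn" {
  provider          = aws.us_east_1           # aliased providers must be named
  domain_name       = "assets.example.com"    # constructed sample value
  validation_method = "DNS"
}

# Modules inherit only the default (un-aliased) configuration; an aliased
# one has to be handed over with the providers meta-argument.
module "cloudfront" {
  source        = "./modules/cloudfront"          # assumed local module path
  providers     = { aws = aws.us_east_1 }
  origin_bucket = aws_s3_bucket.static_assets.id  # assumed module input
}
```

In CDKTF the same shape is one AwsProvider constructed without alias plus a second one with alias set, and the module given `{ provider: usEastProvider, moduleAlias: "aws" }` in its providers list.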