vancluever / terraform-provider-acme-old

ACME (Let's Encrypt) Support for Terraform

Support assume_role credentials for route53 dns_challenge

tdewitt opened this issue · comments

The upstream AWS provider supports AWS role assumption. It would be nice for this to work with the route53 dns_challenge for the acme_certificate resource.

Reference: https://www.terraform.io/docs/providers/aws/#assume-role

Hey @tdewitt, you've kind of encountered a bit of a quirk with how this provider works versus the AWS provider, and one of the reasons why hashicorp/terraform#7058 was never merged. Particularly, we are not necessarily doing anything other than passing off environment variables to one of lego's DNS providers.

However, I have been thinking about ways we could possibly tap into other providers' settings to make this kind of thing happen, which may or may not make this kind of thing possible. For now though, it's not.

Going to leave this one open until I have had enough time to do sufficient fact finding on it.

Understandable. I can probably Bad Hack my way around it but it would definitely be useful to have as part of the plugin. Nice work, regardless.

@tdewitt - I was able to get it to work like this:

  dns_challenge {
    provider = "route53"

    config {
      AWS_PROFILE        = "${var.aws_profile}"
      AWS_DEFAULT_REGION = "${var.aws_region}"
    }
  }

Then use the ~/.aws/config to set up assume role: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html
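The workaround above relies on two files agreeing: the `dns_challenge` config passes a profile name through to lego as `AWS_PROFILE`, and `~/.aws/config` must define that profile with a `role_arn` and a `source_profile` (or `credential_source`) for the SDK to assume the role. The script below is an added example, not code from this provider or from lego; it embeds a constructed `~/.aws/config`, follows the `source_profile` chain the way the AWS CLI documentation describes it, and returns the environment the config block hands to lego. The profile names, the account ID and the role ARN are placeholders. Setting `AWS_SDK_LOAD_CONFIG=1` is an assumption on my part: the AWS SDK for Go v1 reads `~/.aws/config` only when that variable is set, and this page does not say whether the lego build in use already enables shared-config loading on its own.

```python
"""Check that the profile handed to the route53 dns_challenge as AWS_PROFILE
really resolves to an assume-role chain in ~/.aws/config.

Added example, not part of terraform-provider-acme or lego. All names and
ARNs below are placeholders; the config text is constructed for illustration.
"""
import configparser

# Constructed ~/.aws/config: "dns-source" holds (or references) the static
# credentials, "dns-challenge" assumes a role using them. Note the AWS
# quirk that every section here except [default] is spelled "[profile NAME]",
# whereas ~/.aws/credentials uses bare "[NAME]" sections.
SAMPLE_AWS_CONFIG = """\
[default]
region = us-east-1

[profile dns-source]
region = us-east-1

[profile dns-challenge]
role_arn = arn:aws:iam::123456789012:role/acme-route53
source_profile = dns-source
region = us-east-1
"""


def _section_name(profile: str) -> str:
    """Map a profile name to its ~/.aws/config section header."""
    return "default" if profile == "default" else f"profile {profile}"


def resolve_profile_chain(config_text: str, profile: str, max_depth: int = 5) -> list:
    """Follow source_profile links from `profile` back to the profile that
    supplies real credentials. Returns the chain as a list of dicts, the
    requested profile first. Raises ValueError for an unknown profile, a
    role profile with no credential source, a cycle, or an over-long chain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    chain, seen, current = [], set(), profile
    while True:
        if current in seen:
            raise ValueError(f"source_profile cycle at {current!r}")
        seen.add(current)
        section = _section_name(current)
        if not cp.has_section(section):
            raise ValueError(f"profile {current!r} not found in config")
        entry = {"name": current, **dict(cp.items(section))}
        chain.append(entry)
        if "role_arn" not in entry or "credential_source" in entry:
            # Either a plain credentials profile, or a role whose source
            # credentials come from the environment / instance metadata.
            return chain
        if "source_profile" not in entry:
            raise ValueError(
                f"profile {current!r} sets role_arn but neither "
                "source_profile nor credential_source")
        if len(chain) >= max_depth:
            raise ValueError(f"source_profile chain longer than {max_depth}")
        current = entry["source_profile"]


def uses_assumed_role(config_text: str, profile: str) -> bool:
    """True when AWS_PROFILE=<profile> will make the SDK call sts:AssumeRole."""
    return "role_arn" in resolve_profile_chain(config_text, profile)[0]


def profile_error(config_text: str, profile: str):
    """Return the resolution error message for a profile, or None if it resolves."""
    try:
        resolve_profile_chain(config_text, profile)
    except ValueError as exc:
        return str(exc)
    return None


def lego_environment(profile: str, region: str) -> dict:
    """Environment equivalent to the dns_challenge config block above.
    AWS_SDK_LOAD_CONFIG=1 is an assumption (see lead-in): the AWS SDK for Go v1
    ignores ~/.aws/config, and so every role_arn profile, unless it is set."""
    return {
        "AWS_PROFILE": profile,
        "AWS_DEFAULT_REGION": region,
        "AWS_SDK_LOAD_CONFIG": "1",
    }


if __name__ == "__main__":
    for p in resolve_profile_chain(SAMPLE_AWS_CONFIG, "dns-challenge"):
        print(p["name"], "->", p.get("role_arn", "(static credentials)"))
    print(lego_environment("dns-challenge", "us-east-1"))
```

Run it before `terraform apply`: if `uses_assumed_role` comes back `False` for the profile you put in `var.aws_profile`, lego will sign the Route 53 calls with the source profile's long-lived keys rather than the role, which is usually the opposite of what the assume-role setup was meant to achieve.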

I've been giving this more thought over the last couple of weeks and I haven't come up with any really easy way to hook into external Terraform providers without drastically breaking this provider's portability, hence I don't think this is going to be possible.

It should be said that when we sync this provider with lego at any particular point in time, the state of the DNS providers gets inherited too, including any improvements to the interface on those DNS providers. So ultimately, the best way to get this kind of support into the ACME provider would be requesting the functionality or making a pull request on xenolf/lego.

Sorry for the delay on a decision on this one!