Merge remote-tracking branch 'upstream/master' into master

* upstream/master: (26 commits)
  Updated CHANGELOG
  fix: Fixed ses_smtp_password_v4 output name
  Updated CHANGELOG
  fix: simplify count statements (terraform-aws-modules#93)
  Updated CHANGELOG
  fix: Allow running on custom AWS partition (incl. govcloud) (terraform-aws-modules#94)
  Updated CHANGELOG
  feat: modules/iam-assumable-role-with-oidc: Support multiple provider URLs (terraform-aws-modules#91)
  Updated CHANGELOG
  feat: Strip https:// from OIDC provider URL if present (terraform-aws-modules#50)
  Updated CHANGELOG
  fix: Allow modules/iam-assumable-role-with-oidc to work in govcloud (terraform-aws-modules#83)
  Updated CHANGELOG
  feat: Added support for sts:ExternalId in modules/iam-assumable-role (terraform-aws-modules#90)
  Updated CHANGELOG
  fix: Delete DEPRECATED ses_smtp_password in iam-user. (terraform-aws-modules#88)
  Updated CHANGELOG
  feat: Support for Terraform v0.13 and AWS provider v3 (terraform-aws-modules#87)
  docs: Updated example in README (terraform-aws-modules#52)
  Updated CHANGELOG
  ...

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.27.0
+    rev: v1.39.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v2.5.0
+    rev: v3.2.0
     hooks:
       - id: check-merge-conflict

CHANGELOG.md

@@ -7,6 +7,80 @@ All notable changes to this project will be documented in this file.
 
 
 
+<a name="v2.21.0"></a>
+## [v2.21.0] - 2020-09-22
+
+- fix: Fixed ses_smtp_password_v4 output name
+
+
+<a name="v2.20.0"></a>
+## [v2.20.0] - 2020-09-08
+
+- fix: simplify count statements ([#93](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/93))
+
+
+<a name="v2.19.0"></a>
+## [v2.19.0] - 2020-09-08
+
+- fix: Allow running on custom AWS partition (incl. govcloud) ([#94](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/94))
+
+
+<a name="v2.18.0"></a>
+## [v2.18.0] - 2020-08-18
+
+- feat: modules/iam-assumable-role-with-oidc: Support multiple provider URLs ([#91](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/91))
+
+
+<a name="v2.17.0"></a>
+## [v2.17.0] - 2020-08-17
+
+- feat: Strip https:// from OIDC provider URL if present ([#50](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/50))
+
+
+<a name="v2.16.0"></a>
+## [v2.16.0] - 2020-08-17
+
+- fix: Allow modules/iam-assumable-role-with-oidc to work in govcloud ([#83](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/83))
+
+
+<a name="v2.15.0"></a>
+## [v2.15.0] - 2020-08-17
+
+- feat: Added support for sts:ExternalId in modules/iam-assumable-role ([#90](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/90))
+
+
+<a name="v2.14.0"></a>
+## [v2.14.0] - 2020-08-13
+
+- fix: Delete DEPRECATED ses_smtp_password in iam-user. ([#88](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/88))
+
+
+<a name="v2.13.0"></a>
+## [v2.13.0] - 2020-08-13
+
+- feat: Support for Terraform v0.13 and AWS provider v3 ([#87](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/87))
+- docs: Updated example in README ([#52](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/52))
+
+
+<a name="v2.12.0"></a>
+## [v2.12.0] - 2020-06-10
+
+- Updated formatting
+- fix: Fix conditions with multiple subjects in assume role with oidc policy ([#74](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/74))
+
+
+<a name="v2.11.0"></a>
+## [v2.11.0] - 2020-06-10
+
+- feat: Allow to set force_detach_policies on roles ([#68](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/68))
+
+
+<a name="v2.10.0"></a>
+## [v2.10.0] - 2020-05-26
+
+- fix: Allow customisation of trusted_role_actions in iam-assumable-role module ([#76](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/76))
+
+
 <a name="v2.9.0"></a>
 ## [v2.9.0] - 2020-04-23
 
@@ -162,7 +236,19 @@ All notable changes to this project will be documented in this file.
 - Initial commit
 
 
-[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.9.0...HEAD
+[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.21.0...HEAD
+[v2.21.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.20.0...v2.21.0
+[v2.20.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.19.0...v2.20.0
+[v2.19.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.18.0...v2.19.0
+[v2.18.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.17.0...v2.18.0
+[v2.17.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.16.0...v2.17.0
+[v2.16.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.15.0...v2.16.0
+[v2.15.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.14.0...v2.15.0
+[v2.14.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.13.0...v2.14.0
+[v2.13.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.12.0...v2.13.0
+[v2.12.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.11.0...v2.12.0
+[v2.11.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.10.0...v2.11.0
+[v2.10.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.9.0...v2.10.0
 [v2.9.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.8.0...v2.9.0
 [v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.7.0...v2.8.0
 [v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v2.6.0...v2.7.0

examples/iam-assumable-role-with-oidc/main.tf

@@ -16,9 +16,12 @@ module "iam_assumable_role_admin" {
     Role = "role-with-oidc"
   }
 
-  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
+  provider_url  = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
+  provider_urls = ["oidc.eks.eu-west-1.amazonaws.com/id/AA9E170D464AF7B92084EF72A69B9DC8"]
 
   role_policy_arns = [
     "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
   ]
+
+  oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"]
 }

examples/iam-assumable-role/main.tf

@@ -48,6 +48,8 @@ module "iam_assumable_role_custom" {
   role_name         = "custom"
   role_requires_mfa = false
 
+  role_sts_externalid = "some-id-goes-here"
+
   custom_role_policy_arns = [
     "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
     "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",

examples/iam-user/README.md

@@ -41,7 +41,7 @@ No input.
 | this\_iam\_access\_key\_id | The access key ID |
 | this\_iam\_access\_key\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
 | this\_iam\_access\_key\_secret | The access key secret |
-| this\_iam\_access\_key\_ses\_smtp\_password | The secret access key converted into an SES SMTP password |
+| this\_iam\_access\_key\_ses\_smtp\_password\_v4 | The secret access key converted into an SES SMTP password |
 | this\_iam\_access\_key\_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
 | this\_iam\_user\_arn | The ARN assigned by AWS for this user |
 | this\_iam\_user\_login\_profile\_encrypted\_password | The encrypted password, base64 encoded |

examples/iam-user/outputs.tf

@@ -43,9 +43,9 @@ output "this_iam_access_key_secret" {
   value       = module.iam_user.this_iam_access_key_secret
 }
 
-output "this_iam_access_key_ses_smtp_password" {
+output "this_iam_access_key_ses_smtp_password_v4" {
   description = "The secret access key converted into an SES SMTP password"
-  value       = module.iam_user.this_iam_access_key_ses_smtp_password
+  value       = module.iam_user.this_iam_access_key_ses_smtp_password_v4
 }
 
 output "this_iam_access_key_status" {

modules/iam-account/README.md

@@ -26,14 +26,14 @@ Import successful!
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 0.12.6 |
-| aws | ~> 2.23 |
+| terraform | >= 0.12.6, < 0.14 |
+| aws | >= 2.23, < 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | ~> 2.23 |
+| aws | >= 2.23, < 4.0 |
 
 ## Inputs
 

modules/iam-account/versions.tf

@@ -1,7 +1,7 @@
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.6, < 0.14"
 
   required_providers {
-    aws = "~> 2.23"
+    aws = ">= 2.23, < 4.0"
   }
 }

modules/iam-assumable-role-with-oidc/README.md

@@ -11,25 +11,27 @@ This module supports IAM Roles for kubernetes service accounts as described in t
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 0.12.6 |
-| aws | ~> 2.23 |
+| terraform | >= 0.12.6, < 0.14 |
+| aws | >= 2.23, < 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | ~> 2.23 |
+| aws | >= 2.23, < 4.0 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| aws\_account\_id | The AWS account ID where the OIDC provider lives, leave empty to use the account fo the AWS provider | `string` | `""` | no |
+| aws\_account\_id | The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider | `string` | `""` | no |
 | create\_role | Whether to create a role | `bool` | `false` | no |
+| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
-| oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `list(string)` | `[]` | no |
-| oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `list(string)` | `[]` | no |
-| provider\_url | URL of the OIDC Provider | `string` | n/a | yes |
+| oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
+| oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
+| provider\_url | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |
+| provider\_urls | List of URLs of the OIDC Providers | `list(string)` | `[]` | no |
 | role\_name | IAM role name | `string` | `""` | no |
 | role\_path | Path of IAM role | `string` | `"/"` | no |
 | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |

modules/iam-assumable-role-with-oidc/main.tf

@@ -1,5 +1,14 @@
 locals {
   aws_account_id = var.aws_account_id != "" ? var.aws_account_id : data.aws_caller_identity.current.account_id
+  # clean URLs of https:// prefix
+  urls = [
+    for url in distinct(concat(var.provider_urls, [var.provider_url])) :
+    replace(url, "https://", "")
+  ]
+  identifiers = [
+    for url in local.urls :
+    "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:oidc-provider/${url}"
+  ]
 }
 
 terraform {
@@ -9,6 +18,8 @@ terraform {
 
 data "aws_caller_identity" "current" {}
 
+data "aws_partition" "current" {}
+
 data "aws_iam_policy_document" "assume_role_with_oidc" {
   count = var.create_role ? 1 : 0
 
@@ -20,26 +31,25 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
     principals {
       type = "Federated"
 
-      identifiers = [
-        "arn:aws:iam::${local.aws_account_id}:oidc-provider/${var.provider_url}"
-      ]
+      identifiers = local.identifiers
     }
 
     dynamic "condition" {
-      for_each = var.oidc_fully_qualified_subjects
+      for_each = length(var.oidc_fully_qualified_subjects) > 0 ? local.urls : []
       content {
         test     = "StringEquals"
-        variable = "${var.provider_url}:sub"
-        values   = [condition.value]
+        variable = "${condition.value}:sub"
+        values   = var.oidc_fully_qualified_subjects
       }
     }
 
+
     dynamic "condition" {
-      for_each = var.oidc_subjects_with_wildcards
+      for_each = length(var.oidc_subjects_with_wildcards) > 0 ? local.urls : []
       content {
         test     = "StringLike"
-        variable = "${var.provider_url}:sub"
-        values   = [condition.value]
+        variable = "${condition.value}:sub"
+        values   = var.oidc_subjects_with_wildcards
       }
     }
   }
@@ -52,15 +62,16 @@ resource "aws_iam_role" "this" {
   path                 = var.role_path
   max_session_duration = var.max_session_duration
 
-  permissions_boundary = var.role_permissions_boundary_arn
+  force_detach_policies = var.force_detach_policies
+  permissions_boundary  = var.role_permissions_boundary_arn
 
   assume_role_policy = join("", data.aws_iam_policy_document.assume_role_with_oidc.*.json)
 
   tags = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.create_role && length(var.role_policy_arns) > 0 ? length(var.role_policy_arns) : 0
+  count = var.create_role ? length(var.role_policy_arns) : 0
 
   role       = join("", aws_iam_role.this.*.name)
   policy_arn = var.role_policy_arns[count.index]

modules/iam-assumable-role-with-oidc/variables.tf

@@ -5,12 +5,19 @@ variable "create_role" {
 }
 
 variable "provider_url" {
-  description = "URL of the OIDC Provider"
+  description = "URL of the OIDC Provider. Use provider_urls to specify several URLs."
   type        = string
+  default     = ""
+}
+
+variable "provider_urls" {
+  description = "List of URLs of the OIDC Providers"
+  type        = list(string)
+  default     = []
 }
 
 variable "aws_account_id" {
-  description = "The AWS account ID where the OIDC provider lives, leave empty to use the account fo the AWS provider"
+  description = "The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider"
   type        = string
   default     = ""
 }
@@ -53,13 +60,19 @@ variable "role_policy_arns" {
 
 variable "oidc_fully_qualified_subjects" {
   description = "The fully qualified OIDC subjects to be added to the role policy"
-  type        = list(string)
+  type        = set(string)
   default     = []
 }
 
 variable "oidc_subjects_with_wildcards" {
   description = "The OIDC subject using wildcards to be added to the role policy"
-  type        = list(string)
+  type        = set(string)
   default     = []
 }
 
+variable "force_detach_policies" {
+  description = "Whether policies should be detached from this role when destroying"
+  type        = bool
+  default     = false
+}
+

modules/iam-assumable-role-with-oidc/versions.tf

@@ -1,7 +1,7 @@
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.6, < 0.14"
 
   required_providers {
-    aws = "~> 2.23"
+    aws = ">= 2.23, < 4.0"
   }
 }

modules/iam-assumable-role/README.md

@@ -9,14 +9,14 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 0.12.6 |
-| aws | ~> 2.23 |
+| terraform | >= 0.12.6, < 0.14 |
+| aws | >= 2.23, < 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | ~> 2.23 |
+| aws | >= 2.23, < 4.0 |
 
 ## Inputs
 
@@ -29,6 +29,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | create\_instance\_profile | Whether to create an instance profile | `bool` | `false` | no |
 | create\_role | Whether to create a role | `bool` | `false` | no |
 | custom\_role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
+| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
 | poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
@@ -38,7 +39,9 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | role\_path | Path of IAM role | `string` | `"/"` | no |
 | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | role\_requires\_mfa | Whether role requires MFA | `bool` | `true` | no |
+| role\_sts\_externalid | STS ExternalId condition value to use with a role (when MFA is not required) | `string` | `null` | no |
 | tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
+| trusted\_role\_actions | Actions of STS | `list(string)` | <pre>[<br>  "sts:AssumeRole"<br>]</pre> | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
 | trusted\_role\_services | AWS Services that can assume these roles | `list(string)` | `[]` | no |
 
@@ -47,6 +50,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | Name | Description |
 |------|-------------|
 | role\_requires\_mfa | Whether IAM role requires MFA |
+| role\_sts\_externalid | STS ExternalId condition value to use with a role |
 | this\_iam\_instance\_profile\_arn | ARN of IAM instance profile |
 | this\_iam\_instance\_profile\_name | Name of IAM instance profile |
 | this\_iam\_instance\_profile\_path | Path of IAM instance profile |