feat: add sts:ExternalId

- Add support of sts:ExternalId https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
terraform-aws-modules · Aug 14, 2020 · 0d9507a · 0d9507a
1 parent 4b2a189
commit 0d9507a
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 0 deletions.
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
@@ -39,6 +39,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | role\_path | Path of IAM role | `string` | `"/"` | no |
 | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | role\_requires\_mfa | Whether role requires MFA | `bool` | `true` | no |
+| sts\_externalid | STS ExternalId condition value | `string` | `""` | no |
 | tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
 | trusted\_role\_actions | Actions of STS | `list(string)` | <pre>[<br>  "sts:AssumeRole"<br>]</pre> | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
@@ -49,6 +50,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | Name | Description |
 |------|-------------|
 | role\_requires\_mfa | Whether IAM role requires MFA |
+| role\_sts\_externalid | STS ExternalId condition value |
 | this\_iam\_instance\_profile\_arn | ARN of IAM instance profile |
 | this\_iam\_instance\_profile\_name | Name of IAM instance profile |
 | this\_iam\_instance\_profile\_path | Path of IAM instance profile |

diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
@@ -13,6 +13,15 @@ data "aws_iam_policy_document" "assume_role" {
       type        = "Service"
       identifiers = var.trusted_role_services
     }
+
+    dynamic "condition" {
+      for_each = length(var.sts_externalid) > 0 ? [1] : []
+      content {
+        test     = "StringEquals"
+        variable = "sts:ExternalId"
+        values   = [var.sts_externalid]
+      }
+    }
   }
 }
 

diff --git a/modules/iam-assumable-role/outputs.tf b/modules/iam-assumable-role/outputs.tf
@@ -32,3 +32,9 @@ output "this_iam_instance_profile_path" {
   description = "Path of IAM instance profile"
   value       = element(concat(aws_iam_instance_profile.this.*.path, [""]), 0)
 }
+
+output "role_sts_externalid" {
+  description = "STS ExternalId condition value"
+  value       = var.sts_externalid
+}
+
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
@@ -125,3 +125,9 @@ variable "role_description" {
   default     = ""
 }
 
+variable "sts_externalid" {
+  description = "STS ExternalId condition value"
+  type        = string
+  default     = ""
+}
+