

feat: Add create_custom_role_trust_policy to control when a `custom…
…_role_trust_policy` should be used (#321)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
egarbi and bryantbiggs authored Aug 31, 2023
1 parent cbc6dfa commit 481095e
Showing 5 changed files with 21 additions and 12 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.82.0
rev: v1.83.0
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
5 changes: 3 additions & 2 deletions examples/iam-assumable-role/main.tf
Expand Up @@ -104,8 +104,9 @@ module "iam_assumable_role_custom_trust_policy" {

role_name = "iam_assumable_role_custom_trust_policy"

custom_role_trust_policy = data.aws_iam_policy_document.custom_trust_policy.json
custom_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonCognitoReadOnly"]
create_custom_role_trust_policy = true
custom_role_trust_policy = data.aws_iam_policy_document.custom_trust_policy.json
custom_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonCognitoReadOnly"]
}

data "aws_iam_policy_document" "custom_trust_policy" {
3 changes: 2 additions & 1 deletion modules/iam-assumable-role/README.md
Expand Up @@ -46,10 +46,11 @@ No modules.
| <a name="input_attach_admin_policy"></a> [attach\_admin\_policy](#input\_attach\_admin\_policy) | Whether to attach an admin policy to a role | `bool` | `false` | no |
| <a name="input_attach_poweruser_policy"></a> [attach\_poweruser\_policy](#input\_attach\_poweruser\_policy) | Whether to attach a poweruser policy to a role | `bool` | `false` | no |
| <a name="input_attach_readonly_policy"></a> [attach\_readonly\_policy](#input\_attach\_readonly\_policy) | Whether to attach a readonly policy to a role | `bool` | `false` | no |
| <a name="input_create_custom_role_trust_policy"></a> [create\_custom\_role\_trust\_policy](#input\_create\_custom\_role\_trust\_policy) | Whether to create a custom\_role\_trust\_policy. Prevent errors with count, when custom\_role\_trust\_policy is computed | `bool` | `false` | no |
| <a name="input_create_instance_profile"></a> [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an instance profile | `bool` | `false` | no |
| <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no |
| <a name="input_custom_role_policy_arns"></a> [custom\_role\_policy\_arns](#input\_custom\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| <a name="input_custom_role_trust_policy"></a> [custom\_role\_trust\_policy](#input\_custom\_role\_trust\_policy) | A custom role trust policy | `string` | `""` | no |
| <a name="input_custom_role_trust_policy"></a> [custom\_role\_trust\_policy](#input\_custom\_role\_trust\_policy) | A custom role trust policy. (Only valid if create\_custom\_role\_trust\_policy = true) | `string` | `""` | no |
| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| <a name="input_mfa_age"></a> [mfa\_age](#input\_mfa\_age) | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
15 changes: 8 additions & 7 deletions modules/iam-assumable-role/main.tf
Expand Up @@ -2,14 +2,15 @@ data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
account_id = data.aws_caller_identity.current.account_id
partition = data.aws_partition.current.partition
role_sts_externalid = flatten([var.role_sts_externalid])
role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
account_id = data.aws_caller_identity.current.account_id
partition = data.aws_partition.current.partition
role_sts_externalid = flatten([var.role_sts_externalid])
role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
custom_role_trust_policy_condition = var.create_custom_role_trust_policy ? var.custom_role_trust_policy : ""
}

data "aws_iam_policy_document" "assume_role" {
count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 0 : 1
count = !var.create_custom_role_trust_policy && var.role_requires_mfa ? 0 : 1

dynamic "statement" {
# https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
Expand Down Expand Up @@ -68,7 +69,7 @@ data "aws_iam_policy_document" "assume_role" {
}

data "aws_iam_policy_document" "assume_role_with_mfa" {
count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 1 : 0
count = !var.create_custom_role_trust_policy && var.role_requires_mfa ? 1 : 0

dynamic "statement" {
# https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
Expand Down Expand Up @@ -151,7 +152,7 @@ resource "aws_iam_role" "this" {
permissions_boundary = var.role_permissions_boundary_arn

assume_role_policy = coalesce(
var.custom_role_trust_policy,
local.custom_role_trust_policy_condition,
try(data.aws_iam_policy_document.assume_role_with_mfa[0].json,
data.aws_iam_policy_document.assume_role[0].json
)
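Review bot: With `create_custom_role_trust_policy = true` and `role_requires_mfa = true`, an empty `custom_role_trust_policy` now silently drops the MFA requirement: `local.custom_role_trust_policy_condition` evaluates to `""`, the `count` on `assume_role_with_mfa` becomes 0 and on `assume_role` becomes 1, and the `coalesce` on the role falls through to the non-MFA document, whereas the same inputs previously selected `assume_role_with_mfa`. That is a trust-policy weakening that raises no error, and the `count` lines in the two later hunks of this file are where it takes effect. Because `count` can no longer depend on the possibly-computed policy string, the consistency check belongs on the role resource as a `lifecycle { precondition }` (Terraform 1.2+), which is deferred to apply when the value is unknown at plan time instead of breaking the plan the way the old `count` did. The `resource "aws_iam_role" "this"` block opens outside the hunk, so the `lifecycle` block below is placed after `assume_role_policy` inside that resource.
```hcl
  assume_role_policy = coalesce(
    local.custom_role_trust_policy_condition,
    try(data.aws_iam_policy_document.assume_role_with_mfa[0].json,
      data.aws_iam_policy_document.assume_role[0].json
    )
  )

  lifecycle {
    precondition {
      condition     = !var.create_custom_role_trust_policy || var.custom_role_trust_policy != ""
      error_message = "custom_role_trust_policy must be non-empty when create_custom_role_trust_policy is true; otherwise the role would fall back to the generated trust policy without the MFA condition."
    }
  }
  # … unchanged: remaining role arguments …
```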
8 changes: 7 additions & 1 deletion modules/iam-assumable-role/variables.tf
Expand Up @@ -83,11 +83,17 @@ variable "custom_role_policy_arns" {
}

variable "custom_role_trust_policy" {
description = "A custom role trust policy"
description = "A custom role trust policy. (Only valid if create_custom_role_trust_policy = true)"
type = string
default = ""
}

variable "create_custom_role_trust_policy" {
description = "Whether to create a custom_role_trust_policy. Prevent errors with count, when custom_role_trust_policy is computed"
type = bool
default = false
}

variable "number_of_custom_role_policy_arns" {
description = "Number of IAM policies to attach to IAM role"
type = number
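Review bot: The description of `create_custom_role_trust_policy` explains the Terraform mechanics but not the effect on the role, which is what a caller deciding on the flag needs: in this commit a true value with an empty `custom_role_trust_policy` makes `main.tf` fall back to the module's generated trust policy, and specifically to the variant without the MFA condition even when `role_requires_mfa` is set. Suggest `description = "Whether to use custom_role_trust_policy as the role's trust policy. Set to true when the policy value is computed, because count cannot depend on it. When true, custom_role_trust_policy must be non-empty; otherwise the generated trust policy (without the MFA condition) is used"`. The same wording belongs in the README row for this input, which appears to mirror the variable descriptions.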
