From 481095ee1282860c913158a0775731cb586e600d Mon Sep 17 00:00:00 2001
From: Enrique Garbi
Date: Thu, 31 Aug 2023 15:10:44 +0200
Subject: [PATCH] feat: Add `create_custom_role_trust_policy` to control when a `custom_role_trust_policy` should be used (#321)
Co-authored-by: Bryant Biggs
---
 .pre-commit-config.yaml | 2 +-
 examples/iam-assumable-role/main.tf | 5 +++--
 modules/iam-assumable-role/README.md | 3 ++-
 modules/iam-assumable-role/main.tf | 15 ++++++++-------
 modules/iam-assumable-role/variables.tf | 8 +++++++-
 5 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bce3622f..762423e1 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.82.0
+ rev: v1.83.0
 hooks:
 - id: terraform_fmt
 - id: terraform_wrapper_module_for_each
diff --git a/examples/iam-assumable-role/main.tf b/examples/iam-assumable-role/main.tf
index 41f90f0b..25b227c9 100644
--- a/examples/iam-assumable-role/main.tf
+++ b/examples/iam-assumable-role/main.tf
@@ -104,8 +104,9 @@ module "iam_assumable_role_custom_trust_policy" {
 role_name = "iam_assumable_role_custom_trust_policy"
- custom_role_trust_policy = data.aws_iam_policy_document.custom_trust_policy.json
- custom_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonCognitoReadOnly"]
+ create_custom_role_trust_policy = true
+ custom_role_trust_policy = data.aws_iam_policy_document.custom_trust_policy.json
+ custom_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonCognitoReadOnly"]
 }
 data "aws_iam_policy_document" "custom_trust_policy" {
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
index b20e0877..6270002c 100644
--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md
@@ -46,10 +46,11 @@ No modules.
 | [attach\_admin\_policy](#input\_attach\_admin\_policy) | Whether to attach an admin policy to a role | `bool` | `false` | no |
 | [attach\_poweruser\_policy](#input\_attach\_poweruser\_policy) | Whether to attach a poweruser policy to a role | `bool` | `false` | no |
 | [attach\_readonly\_policy](#input\_attach\_readonly\_policy) | Whether to attach a readonly policy to a role | `bool` | `false` | no |
+| [create\_custom\_role\_trust\_policy](#input\_create\_custom\_role\_trust\_policy) | Whether to create a custom\_role\_trust\_policy. Prevent errors with count, when custom\_role\_trust\_policy is computed | `bool` | `false` | no |
 | [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an instance profile | `bool` | `false` | no |
 | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no |
 | [custom\_role\_policy\_arns](#input\_custom\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
-| [custom\_role\_trust\_policy](#input\_custom\_role\_trust\_policy) | A custom role trust policy | `string` | `""` | no |
+| [custom\_role\_trust\_policy](#input\_custom\_role\_trust\_policy) | A custom role trust policy. (Only valid if create\_custom\_role\_trust\_policy = true) | `string` | `""` | no |
 | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | [mfa\_age](#input\_mfa\_age) | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
index 4176b8f9..f444f066 100644
--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -2,14 +2,15 @@ data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
 locals {
- account_id = data.aws_caller_identity.current.account_id
- partition = data.aws_partition.current.partition
- role_sts_externalid = flatten([var.role_sts_externalid])
- role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
+ account_id = data.aws_caller_identity.current.account_id
+ partition = data.aws_partition.current.partition
+ role_sts_externalid = flatten([var.role_sts_externalid])
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
+ custom_role_trust_policy_condition = var.create_custom_role_trust_policy ? var.custom_role_trust_policy : ""
 }
 data "aws_iam_policy_document" "assume_role" {
- count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 0 : 1
+ count = !var.create_custom_role_trust_policy && var.role_requires_mfa ? 0 : 1
 dynamic "statement" {
 # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
@@ -68,7 +69,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 data "aws_iam_policy_document" "assume_role_with_mfa" {
- count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 1 : 0
+ count = !var.create_custom_role_trust_policy && var.role_requires_mfa ? 1 : 0
 dynamic "statement" {
 # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
@@ -151,7 +152,7 @@ resource "aws_iam_role" "this" {
 permissions_boundary = var.role_permissions_boundary_arn
 assume_role_policy = coalesce(
- var.custom_role_trust_policy,
+ local.custom_role_trust_policy_condition,
 try(data.aws_iam_policy_document.assume_role_with_mfa[0].json,
 data.aws_iam_policy_document.assume_role[0].json
 )
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
index 29cf337f..908d55b0 100644
--- a/modules/iam-assumable-role/variables.tf
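Review bot: With `create_custom_role_trust_policy = true` and `custom_role_trust_policy` left at its default `""`, the role silently receives the generated trust policy without the MFA condition: both `count` expressions now key off the flag, so `assume_role_with_mfa` is not created even when `role_requires_mfa` is true, and the `coalesce()` in the `aws_iam_role` hunk falls through to `assume_role[0].json`. Before this change the same inputs (empty custom policy, MFA required) produced the MFA document, so for a caller who sets the flag but forgets the value this is a quiet weakening of the trust policy rather than an error. I would make that combination fail with a `lifecycle { precondition { ... } }` on `aws_iam_role.this` requiring `var.custom_role_trust_policy != ""` whenever the flag is set — a condition that is unknown at plan (the computed case the flag exists for) should be deferred to apply rather than rejected — provided the module's `required_version` permits preconditions (Terraform 1.2+). The same applies to the `assume_role_with_mfa` count in the second hunk; the `locals` block and the resource body both continue outside these hunks. Separately, `custom_role_trust_policy_condition` holds a policy document (or `""`), not a condition, so a name like `custom_role_trust_policy_json` would read more accurately.
```hcl
resource "aws_iam_role" "this" {
  # … unchanged: count, name, path, permissions_boundary, assume_role_policy …

  lifecycle {
    precondition {
      condition     = !var.create_custom_role_trust_policy || var.custom_role_trust_policy != ""
      error_message = "custom_role_trust_policy must be set when create_custom_role_trust_policy is true; otherwise the role would fall back to the generated trust policy."
    }
  }
```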
+++ b/modules/iam-assumable-role/variables.tf
@@ -83,11 +83,17 @@ variable "custom_role_policy_arns" {
 }
 variable "custom_role_trust_policy" {
- description = "A custom role trust policy"
+ description = "A custom role trust policy. (Only valid if create_custom_role_trust_policy = true)"
 type = string
 default = ""
 }
+variable "create_custom_role_trust_policy" {
+ description = "Whether to create a custom_role_trust_policy. Prevent errors with count, when custom_role_trust_policy is computed"
+ type = bool
+ default = false
+}
+
 variable "number_of_custom_role_policy_arns" {
 description = "Number of IAM policies to attach to IAM role"
 type = number
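Review bot: The `description` of the new `create_custom_role_trust_policy` variable says the module creates a policy, but the flag only selects whether `var.custom_role_trust_policy` is used as the role's `assume_role_policy` (nothing is created), and the second sentence is hard to parse. I would reword it along the lines of `description = "Whether to use custom_role_trust_policy as the role's trust policy. Set to true when that value is computed, since count cannot depend on it; when true, the module's built-in MFA trust policy document is not generated"`, which also tells callers the consequence for `role_requires_mfa`. The README row for this input carries the same text and would need the same change.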