feat: Add support for condition role_session_name when assuming a role (#379)

Co-authored-by: Christian González <christian.gonzalez@intruder.io>
christiangonre and Christian González authored May 17, 2023
1 parent 1258cba commit 5aabe67
Showing 3 changed files with 23 additions and 0 deletions.
2 changes: 2 additions & 0 deletions modules/iam-assumable-role/README.md
@@ -62,6 +62,8 @@ No modules.
| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| <a name="input_role_requires_mfa"></a> [role\_requires\_mfa](#input\_role\_requires\_mfa) | Whether role requires MFA | `bool` | `true` | no |
| <a name="input_role_requires_session_name"></a> [role\_requires\_session\_name](#input\_role\_requires\_session\_name) | Determines if the role-session-name variable is needed when assuming a role(https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/) | `bool` | `false` | no |
| <a name="input_role_session_name"></a> [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` | <pre>[<br> "${aws:username}"<br>]</pre> | no |
| <a name="input_role_sts_externalid"></a> [role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Actions of STS | `list(string)` | <pre>[<br> "sts:AssumeRole"<br>]</pre> | no |
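Review bot: The `role_requires_session_name` row runs the link straight into the sentence (`a role(https`), and since these rows are generated by terraform-docs from the variable descriptions, the fix belongs in variables.tf followed by a regeneration rather than a hand edit of the table. The `role_session_name` row shows the default as `${aws:username}` while variables.tf carries `$${aws:username}`; that is expected (Terraform's `$$` escape for a literal `${`), but the description should say that the default is an IAM policy variable resolved at assume time to the caller's IAM user name, not a placeholder the user is meant to replace.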
9 changes: 9 additions & 0 deletions modules/iam-assumable-role/main.tf
@@ -117,6 +117,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
values = local.role_sts_externalid
}
}

dynamic "condition" {
for_each = var.role_requires_session_name ? [1] : []
content {
test = "StringEquals"
variable = "sts:RoleSessionName"
values = var.role_session_name
}
}
}
}
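Review bot: The new `sts:RoleSessionName` condition is added only inside `assume_role_with_mfa` (the hunk's context), and this hunk is the entire change to main.tf, so a role created with `role_requires_mfa = false` silently ignores `role_requires_session_name = true`. Either add the same `dynamic "condition"` block to the non-MFA assume-role policy document or state in the variable description that the setting only takes effect together with MFA. Also note that `StringEquals` over a list is an OR across the values, so `values = var.role_session_name` with an empty list produces a condition that can never be meaningful; a `validation` block requiring `length(var.role_session_name) > 0` would catch that at plan time.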

12 changes: 12 additions & 0 deletions modules/iam-assumable-role/variables.tf
@@ -154,3 +154,15 @@ variable "allow_self_assume_role" {
type = bool
default = false
}

variable "role_requires_session_name" {
description = "Determines if the role-session-name variable is needed when assuming a role(https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/)"
type = bool
default = false
}

variable "role_session_name" {
description = "role_session_name for roles which require this parameter when being assumed. By default, you need to set your own username as role_session_name"
type = list(string)
default = ["$${aws:username}"]
}
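Review bot: The description of `role_session_name` ("you need to set your own username") understates what the default enforces: with `["$${aws:username}"]` the trust policy only allows an AssumeRole call whose session name equals the IAM user name of the calling principal, and `aws:username` is populated only for IAM users, so a caller that is itself a role (role chaining) or a federated identity has no `aws:username` and will always fail the condition. Suggest saying that explicitly, and fixing the missing space in `a role(https` in the `role_requires_session_name` description, since the README table is generated from these strings.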
