From 5aabe67c945a9a1cb05bb5d3820e6e54e4ef8f81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Gonz=C3=A1lez?= Date: Wed, 17 May 2023 15:12:12 +0200 Subject: [PATCH] feat: Add support for condition role_session_name when assuming a role (#379) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Christian González
---
 modules/iam-assumable-role/README.md | 2 ++ modules/iam-assumable-role/main.tf | 9 +++++++++ modules/iam-assumable-role/variables.tf | 12 ++++++++++++ 3 files changed, 23 insertions(+)
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
index 3e7ec50a..3cc4cab2 100644
--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md
@@ -62,6 +62,8 @@ No modules.
 | [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
 | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | [role\_requires\_mfa](#input\_role\_requires\_mfa) | Whether role requires MFA | `bool` | `true` | no |
+| [role\_requires\_session\_name](#input\_role\_requires\_session\_name) | Determines if the role-session-name variable is needed when assuming a role(https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/) | `bool` | `false` | no |
+| [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` |
[
"${aws:username}"
]
| no | | [role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no | | [trusted\_role\_actions](#input\_trusted\_role\_actions) | Actions of STS | `list(string)` |
[
"sts:AssumeRole"
]
| no |
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
index ea6ec8c0..8974d1fc 100644
--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -117,6 +117,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
 values = local.role_sts_externalid
 }
 }
+
+ dynamic "condition" {
+ for_each = var.role_requires_session_name ? [1] : []
+ content {
+ test = "StringEquals"
+ variable = "sts:RoleSessionName"
+ values = var.role_session_name
+ }
+ }
 }
 }
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
index 2f411404..38c6318a 100644
--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
@@ -154,3 +154,15 @@ variable "allow_self_assume_role" {
 type = bool
 default = false
 }
+
+variable "role_requires_session_name" {
+ description = "Determines if the role-session-name variable is needed when assuming a role(https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/)"
+ type = bool
+ default = false
+}
+
+variable "role_session_name" {
+ description = "role_session_name for roles which require this parameter when being assumed. By default, you need to set your own username as role_session_name"
+ type = list(string)
+ default = ["$${aws:username}"]
+}
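Review bot: The new `sts:RoleSessionName` condition is added only to the `assume_role_with_mfa` document, so if the module also renders a non-MFA trust policy (which the `role_requires_mfa` input and the "(when MFA is not required)" wording on `role_sts_externalid` suggest), a caller setting `role_requires_session_name = true` together with `role_requires_mfa = false` gets a trust policy with no session-name requirement and no warning. The same `dynamic "condition"` block should be added to that document as well, or the variable description must state that the check is only applied when MFA is required. The `values = var.role_session_name` line also deserves a note about the default: `# ${aws:username} resolves only for IAM user principals; federated or role-chained callers will not match and need an explicit list`. The enclosing `data` block starts before the hunk.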
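Review bot: Nothing rejects an empty `role_session_name`, and `role_requires_session_name = true` with `[]` would produce an `sts:RoleSessionName` condition with no values in main.tf, which either fails to render or enforces nothing instead of failing loudly at plan time. A `validation` block on the variable would catch this: `condition = length(var.role_session_name) > 0` with `error_message = "role_session_name must contain at least one allowed session name."`. The description should also spell out what the default implies, since `${aws:username}` is only populated for IAM user principals and a federated or role-chained caller cannot satisfy the condition with it; something like `"Allowed sts:RoleSessionName values, enforced when role_requires_session_name is true. Defaults to the caller's own IAM username (aws:username), which does not resolve for federated or assumed-role principals."`.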