Allow IAM users to assume team roles via an optional flag #495

Merged
Expand Up @@ -73,6 +73,7 @@ No requirements.
| <a name="input_denied_permission_sets"></a> [denied\_permission\_sets](#input\_denied\_permission\_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets denied access to the role when coming from specified account | `map(list(string))` | `{}` | no |
| <a name="input_denied_principal_arns"></a> [denied\_principal\_arns](#input\_denied\_principal\_arns) | List of AWS principal ARNs explicitly denied access to the role. | `list(string)` | `[]` | no |
| <a name="input_denied_roles"></a> [denied\_roles](#input\_denied\_roles) | Map of account:[role, role...] specifying roles explicitly denied permission to assume the role.<br>Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no |
| <a name="input_deny_all_iam_users"></a> [deny\_all\_iam\_users](#input\_deny\_all\_iam\_users) | False if you would like IAM Users to be able to assume the role. | `bool` | `true` | no |
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
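Review bot: the description for `deny_all_iam_users` only says what `false` does; since this input is the module's security switch, the row should state the default behaviour as well, e.g. "When true (default), add a blanket Deny for all IAM User principals; set to false to let IAM Users that match the allow conditions assume the role." The row has the terraform-docs anchor format, so the wording belongs in `variables.tf` with the README regenerated from it rather than edited here.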
9 changes: 5 additions & 4 deletions modules/account-map/modules/team-assume-role-policy/main.tf
Expand Up @@ -71,7 +71,7 @@ data "aws_iam_policy_document" "assume_role" {
condition {
test = "StringEquals"
variable = "aws:PrincipalType"
values = ["AssumedRole"]
values = concat(["AssumedRole"], var.deny_all_iam_users ? [] : ["User"])
}
condition {
test = "ArnLike"
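Review bot: with `deny_all_iam_users = false` the allow statement now accepts `aws:PrincipalType` `User`, so the only thing scoping which IAM users may assume the role is the `ArnLike` condition that begins at the end of this hunk (its variable and values are outside the hunk). Confirm that list cannot carry an account-wide pattern of the form `arn:<partition>:iam::<account>:user/*`; if it can, the flag admits every user in that account rather than named users. The `concat(["AssumedRole"], var.deny_all_iam_users ? [] : ["User"])` form itself is fine and mirrors the deny side.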
Expand All @@ -88,10 +88,11 @@ data "aws_iam_policy_document" "assume_role" {
}
}

# As a safety measure, we do not allow AWS Users (not Roles) to assume the SAML Teams or Team roles.
# As a safety measure, we do not allow AWS Users (not Roles) to assume the SAML Teams or Team roles
# unless `deny_all_iam_users` is explicitly set to `false`.
# In particular, this prevents SuperAdmin from running Terraform on components that should be handled by Spacelift.
statement {
sid = "RoleDenyAllUsersDenyAssumeRole"
sid = "RoleDenyAssumeRole"

effect = "Deny"
actions = [
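Review bot: renaming the `sid` from `RoleDenyAllUsersDenyAssumeRole` to `RoleDenyAssumeRole` changes the rendered trust policy of every existing team role, so the next apply will show a policy update on all of them even where `deny_all_iam_users` keeps its default; harmless, but worth stating in the PR description. The reworded comment is accurate, while the following line about SuperAdmin now only holds when the flag is `true`, so a short "with the default setting" qualifier would keep it from misleading.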
Expand All @@ -102,7 +103,7 @@ data "aws_iam_policy_document" "assume_role" {
condition {
test = "ArnLike"
variable = "aws:PrincipalArn"
values = concat(["arn:${local.aws_partition}:iam::*:user/*"], local.denied_principals)
values = concat(local.denied_principals, var.deny_all_iam_users ? ["arn:${local.aws_partition}:iam::*:user/*"] : [])
}

principals {
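Review bot: when `deny_all_iam_users = false` and `local.denied_principals` is empty, `values` for this `ArnLike` condition becomes an empty list, a case the old code could not reach because the `user/*` pattern was always present. Check that `aws_iam_policy_document` and IAM accept a condition with no values; if not, guard the statement with a `dynamic` block keyed on `length(...) > 0` so the Deny is simply omitted when there is nothing to deny.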
Expand Up @@ -46,3 +46,9 @@ variable "denied_permission_sets" {
description = "Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets denied access to the role when coming from specified account"
default = {}
}

variable "deny_all_iam_users" {
type = bool
description = "False if you would like IAM Users to be able to assume the role."
default = true
}
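Review bot: `deny_all_iam_users` is used directly in ternaries (`var.deny_all_iam_users ? ... : ...`) in `main.tf`, so a caller passing `null` fails at plan time on a null condition instead of falling back to the safe default. Adding `nullable = false` makes `null` resolve to the default `true` and keeps the fail-closed behaviour.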