From 667f6aa68682fbac5aa38a99fcda8d97fd562c05 Mon Sep 17 00:00:00 2001
From: Bill Monkman
Date: Fri, 21 May 2021 15:47:51 -0700
Subject: [PATCH] enhancement: user_access module now supports passing in aws account ids to set up trust policies so users in different accounts can assume the roles we create
---
 modules/user_access/README.md | 5 +++--
 modules/user_access/main.tf | 2 +-
 modules/user_access/variables.tf | 10 ++++++++--
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/modules/user_access/README.md b/modules/user_access/README.md
index 6417c79..c4a0d29 100644
--- a/modules/user_access/README.md
+++ b/modules/user_access/README.md
@@ -22,10 +22,11 @@ Create IAM Roles/Groups and Kubernetes Cluster Roles for user access
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| assumerole\_account\_ids | AWS account IDs that will be allowed to assume the roles we are creating. If left blank, the AWS account you are using will be used | `list(string)` | `[]` | no |
 | environment | The environment (stage/prod) | `any` | n/a | yes |
 | project | Name of the project | `any` | n/a | yes |
-| roles | Role list with policies |
list(object({
name = string
aws_policy = string
k8s_policies = list(map(list(string)))
}))
| n/a | yes | -| users | User list with roles |
list(object({
name = string
roles = list(string)
}))
| n/a | yes | +| roles | Roles to create with associated aws and k8s policies |
list(object({
name = string
aws_policy = string
k8s_policies = list(map(list(string)))
}))
| n/a | yes | +| users | Users to create with associated roles, mapping to the ones defined in the roles variable |
list(object({
name = string
roles = list(string)
}))
| n/a | yes | ## Outputs
diff --git a/modules/user_access/main.tf b/modules/user_access/main.tf
index 014c57e..acdd5e9 100644
--- a/modules/user_access/main.tf
+++ b/modules/user_access/main.tf
@@ -79,7 +79,7 @@ data "aws_iam_policy_document" "access_assumerole_root_policy" {
 principals {
 type = "AWS"
- identifiers = [local.account_id]
+ identifiers = var.assumerole_account_ids == [] ? [local.account_id] : var.assumerole_account_ids
 }
 }
 }
diff --git a/modules/user_access/variables.tf b/modules/user_access/variables.tf
index 3cdbbdb..4ae4974 100644
--- a/modules/user_access/variables.tf
+++ b/modules/user_access/variables.tf
@@ -7,18 +7,24 @@ variable "environment" {
 }
 variable "roles" {
+ description = "Roles to create with associated aws and k8s policies"
 type = list(object({
 name = string
 aws_policy = string
 k8s_policies = list(map(list(string)))
 }))
- description = "Role list with policies"
 }
 variable "users" {
+ description = "Users to create with associated roles, mapping to the ones defined in the roles variable"
 type = list(object({
 name = string
 roles = list(string)
 }))
- description = "User list with roles"
+}
+
+variable "assumerole_account_ids" {
+ description = "AWS account IDs that will be allowed to assume the roles we are creating. If left blank, the AWS account you are using will be used"
+ type = list(string)
+ default = []
 }
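Review bot: The fallback in the new `identifiers` line compares a `list(string)` variable against the tuple literal `[]`, and Terraform's `==` treats values of different types as unequal, so the condition should always be false and the default `[]` would be passed straight through, leaving the trust statement with no principals instead of falling back to `local.account_id`. The usual idiom is `identifiers = length(var.assumerole_account_ids) == 0 ? [local.account_id] : var.assumerole_account_ids`. It is also worth a comment on this line that a bare account ID as an `AWS` principal trusts that account's root, so every IAM principal in that account whose own policy permits `sts:AssumeRole` can assume these roles; callers wanting narrower cross-account trust would need principal ARNs or conditions, which this module does not expose. The enclosing `access_assumerole_root_policy` data block starts before this hunk.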
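Review bot: The new `assumerole_account_ids` variable is interpolated directly into a trust policy but accepts any string, so a typo or a stray ARN fragment only surfaces at apply time (or, worse, as a trust relationship nobody intended), and a `validation` block on the variable would reject malformed entries at plan time, assuming the module already requires a Terraform version that supports `validation` (0.13 or later). The description's "If left blank" is imprecise for a list and would read better as `If left empty, only the AWS account you are applying from is trusted`. The README row for this variable in the first hunk carries the same wording.
```hcl
variable "assumerole_account_ids" {
  # … unchanged: description, type, default …
  validation {
    condition     = length([for id in var.assumerole_account_ids : id if !can(regex("^[0-9]{12}$", id))]) == 0
    error_message = "Every assumerole_account_ids entry must be a 12-digit AWS account ID."
  }
}
```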