deliveryhero · max-rocket-internet · Feb 10, 2021 · Feb 8, 2021 · Feb 9, 2021 · Feb 10, 2021
diff --git a/README.md b/README.md
@@ -6,6 +6,7 @@ Creates an Identity Provider, assume role policy and default roles in IAM to be
 
 ```hcl
 module "google_sso" {
+  saml_provider_name = "google"
   source             = "git@github.com:deliveryhero/tf-aws-saml-sso.git?ref=0.1"
   idp_data_file_path = "path/to/GoogleIDPMetadata-my-domain.com.xml"
 }
@@ -28,30 +29,45 @@ terraform-docs md ./ | cat -s | tail -r | tail -n +2 | tail -r > README.md
 ```
 
 ## License
+
 MIT Licensed. See [LICENSE](https://github.com/deliveryhero/tf-ssh-bastion/tree/master/LICENSE) for full details.
 
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| extra_policies_administrator | Any extra policy ARNs to attach to the administrator role | list | `<list>` | no |
-| extra_policies_developer | Any extra policy ARNs to attach to the developer role | list | `<list>` | no |
-| extra_policies_ec2fullaccess | Any extra policy ARNs to attach to the EC2 full access role | list | `<list>` | no |
-| extra_policies_poweruser | Any extra policy ARNs to attach to the power user role | list | `<list>` | no |
-| extra_policies_readonly | Any extra policy ARNs to attach to the read only role | list | `<list>` | no |
-| extra_policies_sysadmin | Any extra policy ARNs to attach to the sysadmin role | list | `<list>` | no |
-| idp_data_file_path | Path to your IDP meta data file | string | - | yes |
-| role_max_session_duration | Max session duration in seconds | string | `43200` | no |
-| saml_provider_name | Name of the provider. Visible in IAM console. | string | `google` | no |
+|------|-------------|------|---------|:--------:|
+| extra\_policies\_administrator | Any extra policy ARNs to attach to the administrator role | `list` | `[]` | no |
+| extra\_policies\_developer | Any extra policy ARNs to attach to the developer role | `list` | `[]` | no |
+| extra\_policies\_ec2fullaccess | Any extra policy ARNs to attach to the EC2 full access role | `list` | `[]` | no |
+| extra\_policies\_poweruser | Any extra policy ARNs to attach to the power user role | `list` | `[]` | no |
+| extra\_policies\_readonly | Any extra policy ARNs to attach to the read only role | `list` | `[]` | no |
+| extra\_policies\_sysadmin | Any extra policy ARNs to attach to the sysadmin role | `list` | `[]` | no |
+| iam\_assume\_role\_extra\_identifiers | ARNs for additional federated identity providers that can assume the roles | `list` | `[]` | no |
+| iam\_role\_path | Path of the IAM roles. | `string` | `"/sso/"` | no |
+| iam\_role\_prefix | A string prefixed to all role names | `string` | `"sso-"` | no |
+| idp\_data\_file\_path | Path to your IDP meta data file | `string` | n/a | yes |
+| role\_max\_session\_duration | Max session duration in seconds | `string` | `"43200"` | no |
+| saml\_provider\_name | Name of the provider. Visible in IAM console. | `string` | n/a | yes |
+| tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| administrator_role_arn | Adminstrator role ARN |
-| developer_role_arn | Developer role ARN |
-| ec2fullaccess_role_arn | EC2 full access role ARN |
-| poweruser_role_arn | Poweruser role ARN |
-| readonly_role_arn | Read only role ARN |
-| saml_provider_arn | ARN of the SAML provider |
-| sysadmin_role_arn | Sysadmin role ARN |
+| administrator\_role\_arn | Adminstrator role ARN |
+| developer\_role\_arn | Developer role ARN |
+| ec2fullaccess\_role\_arn | EC2 full access role ARN |
+| poweruser\_role\_arn | Poweruser role ARN |
+| readonly\_role\_arn | Read only role ARN |
+| saml\_provider\_arn | ARN of the SAML provider |
+| sysadmin\_role\_arn | Sysadmin role ARN |
diff --git a/iam.tf b/iam.tf
@@ -4,7 +4,7 @@ data "aws_iam_policy_document" "sso_assume_role_policy" {
 
     principals {
       type        = "Federated"
-      identifiers = [aws_iam_saml_provider.main.arn]
+      identifiers = compact(concat([aws_iam_saml_provider.main.arn], var.iam_assume_role_extra_identifiers))
     }
 
     condition {
@@ -17,8 +17,8 @@ data "aws_iam_policy_document" "sso_assume_role_policy" {
 
 # AdministratorAccess
 resource "aws_iam_role" "administrator" {
-  name                 = "sso-administrator"
-  path                 = "/sso/"
+  name                 = "${var.iam_role_prefix}administrator"
+  path                 = var.iam_role_path
   assume_role_policy   = data.aws_iam_policy_document.sso_assume_role_policy.json
   max_session_duration = var.role_max_session_duration
   tags                 = var.tags
@@ -37,8 +37,8 @@ resource "aws_iam_role_policy_attachment" "administrator_extra" {
 
 # ReadOnlyAccess
 resource "aws_iam_role" "readonly" {
-  name                 = "sso-readonly"
-  path                 = "/sso/"
+  name                 = "${var.iam_role_prefix}readonly"
+  path                 = var.iam_role_path
   assume_role_policy   = data.aws_iam_policy_document.sso_assume_role_policy.json
   max_session_duration = var.role_max_session_duration
   tags                 = var.tags
@@ -57,8 +57,8 @@ resource "aws_iam_role_policy_attachment" "readonly_extra" {
 
 # AmazonEC2FullAccess
 resource "aws_iam_role" "ec2fullaccess" {
-  name                 = "sso-ec2fullaccess"
-  path                 = "/sso/"
+  name                 = "${var.iam_role_prefix}ec2fullaccess"
+  path                 = var.iam_role_path
   assume_role_policy   = data.aws_iam_policy_document.sso_assume_role_policy.json
   max_session_duration = var.role_max_session_duration
   tags                 = var.tags
@@ -77,8 +77,8 @@ resource "aws_iam_role_policy_attachment" "ec2fullaccess_extra" {
 
 # SystemAdministrator
 resource "aws_iam_role" "sysadmin" {
-  name                 = "sso-sysadmin"
-  path                 = "/sso/"
+  name                 = "${var.iam_role_prefix}sysadmin"
+  path                 = var.iam_role_path
   assume_role_policy   = data.aws_iam_policy_document.sso_assume_role_policy.json
   max_session_duration = var.role_max_session_duration
   tags                 = var.tags
@@ -97,8 +97,8 @@ resource "aws_iam_role_policy_attachment" "developer_sysadmin" {
 
 # Developer
 resource "aws_iam_role" "developer" {
-  name                 = "sso-developer"
-  path                 = "/sso/"
+  name                 = "${var.iam_role_prefix}developer"
+  path                 = var.iam_role_path
   assume_role_policy   = data.aws_iam_policy_document.sso_assume_role_policy.json
   max_session_duration = var.role_max_session_duration
   tags                 = var.tags
@@ -132,8 +132,8 @@ resource "aws_iam_role_policy_attachment" "developer_extra" {
 
 # PowerUser
 resource "aws_iam_role" "poweruser" {
-  name                 = "sso-poweruser"
-  path                 = "/sso/"
+  name                 = "${var.iam_role_prefix}poweruser"
+  path                 = var.iam_role_path
   assume_role_policy   = data.aws_iam_policy_document.sso_assume_role_policy.json
   max_session_duration = var.role_max_session_duration
   tags                 = var.tags

diff --git a/outputs.tf b/outputs.tf
@@ -1,34 +1,34 @@
 output "saml_provider_arn" {
-  value = aws_iam_saml_provider.main.arn
+  value       = aws_iam_saml_provider.main.arn
   description = "ARN of the SAML provider"
 }
 
 output "administrator_role_arn" {
-  value = aws_iam_role.administrator.arn
+  value       = aws_iam_role.administrator.arn
   description = "Adminstrator role ARN"
 }
 
 output "readonly_role_arn" {
-  value = aws_iam_role.readonly.arn
+  value       = aws_iam_role.readonly.arn
   description = "Read only role ARN"
 }
 
 output "ec2fullaccess_role_arn" {
-  value = aws_iam_role.ec2fullaccess.arn
+  value       = aws_iam_role.ec2fullaccess.arn
   description = "EC2 full access role ARN"
 }
 
 output "sysadmin_role_arn" {
-  value = aws_iam_role.sysadmin.arn
+  value       = aws_iam_role.sysadmin.arn
   description = "Sysadmin role ARN"
 }
 
 output "developer_role_arn" {
-  value = aws_iam_role.developer.arn
+  value       = aws_iam_role.developer.arn
   description = "Developer role ARN"
 }
 
 output "poweruser_role_arn" {
-  value = aws_iam_role.poweruser.arn
+  value       = aws_iam_role.poweruser.arn
   description = "Poweruser role ARN"
 }
diff --git a/variables.tf b/variables.tf
@@ -3,9 +3,26 @@ variable "idp_data_file_path" {
   description = "Path to your IDP meta data file"
 }
 
+variable "iam_role_prefix" {
+  type        = string
+  default     = "sso-"
+  description = "A string prefixed to all role names"
+}
+
+variable "iam_role_path" {
+  type        = string
+  default     = "/sso/"
+  description = "Path of the IAM roles."
+}
+
+variable "iam_assume_role_extra_identifiers" {
+  type        = list(any)
+  default     = []
+  description = "ARNs for additional federated identity providers that can assume the roles"
+}
+
 variable "saml_provider_name" {
   type        = string
-  default     = "google"
   description = "Name of the provider. Visible in IAM console."
 }
 
@@ -16,37 +33,37 @@ variable "role_max_session_duration" {
 }
 
 variable "extra_policies_administrator" {
-  type        = list
+  type        = list(any)
   description = "Any extra policy ARNs to attach to the administrator role"
   default     = []
 }
 
 variable "extra_policies_readonly" {
-  type        = list
+  type        = list(any)
   description = "Any extra policy ARNs to attach to the read only role"
   default     = []
 }
 
 variable "extra_policies_ec2fullaccess" {
-  type        = list
+  type        = list(any)
   description = "Any extra policy ARNs to attach to the EC2 full access role"
   default     = []
 }
 
 variable "extra_policies_sysadmin" {
-  type        = list
+  type        = list(any)
   description = "Any extra policy ARNs to attach to the sysadmin role"
   default     = []
 }
 
 variable "extra_policies_developer" {
-  type        = list
+  type        = list(any)
   description = "Any extra policy ARNs to attach to the developer role"
   default     = []
 }
 
 variable "extra_policies_poweruser" {
-  type        = list
+  type        = list(any)
   description = "Any extra policy ARNs to attach to the power user role"
   default     = []
 }

diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+  required_version = ">= 0.13"
+}