feat: Allow setting custom trust policy in iam-assumable-role (#176)

terraform-aws-modules · Jan 19, 2022 · 095cb29 · 095cb29
1 parent b82cc52
commit 095cb29
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 3 deletions.
diff --git a/examples/iam-assumable-role/README.md b/examples/iam-assumable-role/README.md
@@ -26,20 +26,25 @@ Run `terraform destroy` when you don't need these resources.
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.23 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | ../../modules/iam-assumable-role | n/a |
 | <a name="module_iam_assumable_role_custom"></a> [iam\_assumable\_role\_custom](#module\_iam\_assumable\_role\_custom) | ../../modules/iam-assumable-role | n/a |
+| <a name="module_iam_assumable_role_custom_trust_policy"></a> [iam\_assumable\_role\_custom\_trust\_policy](#module\_iam\_assumable\_role\_custom\_trust\_policy) | ../../modules/iam-assumable-role | n/a |
 | <a name="module_iam_assumable_role_sts"></a> [iam\_assumable\_role\_sts](#module\_iam\_assumable\_role\_sts) | ../../modules/iam-assumable-role | n/a |
 | <a name="module_iam_policy"></a> [iam\_policy](#module\_iam\_policy) | ../../modules/iam-policy | n/a |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_iam_policy_document.custom_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 

diff --git a/examples/iam-assumable-role/main.tf b/examples/iam-assumable-role/main.tf
@@ -91,6 +91,54 @@ module "iam_assumable_role_sts" {
   #  number_of_custom_role_policy_arns = 3
 }
 
+#########################################
+# IAM assumable role with custom trust policy
+#########################################
+module "iam_assumable_role_custom_trust_policy" {
+  source = "../../modules/iam-assumable-role"
+
+  create_role = true
+
+  role_name = "iam_assumable_role_custom_trust_policy"
+
+  custom_role_trust_policy = data.aws_iam_policy_document.custom_trust_policy.json
+  custom_role_policy_arns  = ["arn:aws:iam::aws:policy/AmazonCognitoReadOnly"]
+}
+
+data "aws_iam_policy_document" "custom_trust_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = ["some-ext-id"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:PrincipalOrgID"
+      values   = ["o-someorgid"]
+    }
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
+
+  statement {
+    effect  = "Deny"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::111111111111:root"]
+    }
+  }
+}
+
 #########################################
 # IAM policy
 #########################################

diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
@@ -46,6 +46,7 @@ No modules.
 | <a name="input_create_instance_profile"></a> [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an instance profile | `bool` | `false` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no |
 | <a name="input_custom_role_policy_arns"></a> [custom\_role\_policy\_arns](#input\_custom\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
+| <a name="input_custom_role_trust_policy"></a> [custom\_role\_trust\_policy](#input\_custom\_role\_trust\_policy) | A custorm role trust policy | `string` | `""` | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | <a name="input_mfa_age"></a> [mfa\_age](#input\_mfa\_age) | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |

diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
@@ -3,6 +3,8 @@ locals {
 }
 
 data "aws_iam_policy_document" "assume_role" {
+  count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 0 : 1
+
   statement {
     effect = "Allow"
 
@@ -30,6 +32,8 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 data "aws_iam_policy_document" "assume_role_with_mfa" {
+  count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 1 : 0
+
   statement {
     effect = "Allow"
 
@@ -79,7 +83,12 @@ resource "aws_iam_role" "this" {
   force_detach_policies = var.force_detach_policies
   permissions_boundary  = var.role_permissions_boundary_arn
 
-  assume_role_policy = var.role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json
+  assume_role_policy = coalesce(
+    var.custom_role_trust_policy,
+    try(data.aws_iam_policy_document.assume_role_with_mfa[0].json,
+      data.aws_iam_policy_document.assume_role[0].json
+    )
+  )
 
   tags = var.tags
 }

diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
@@ -76,6 +76,12 @@ variable "custom_role_policy_arns" {
   default     = []
 }
 
+variable "custom_role_trust_policy" {
+  description = "A custorm role trust policy"
+  type        = string
+  default     = ""
+}
+
 variable "number_of_custom_role_policy_arns" {
   description = "Number of IAM policies to attach to IAM role"
   type        = number