feat: Added variable trusted_role_actions to sub modules as a "Action of STS" (#393)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
tcharewicz and bryantbiggs committed Jun 29, 2023
1 parent c1e20a2 commit 5702679
Showing 16 changed files with 35 additions and 25 deletions.
2 changes: 1 addition & 1 deletion modules/iam-assumable-role-with-saml/README.md
@@ -52,7 +52,7 @@ No modules.
| <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Extra Actions of STS | `list(string)` | <pre>[<br> ""<br>]</pre> | no |
| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` | <pre>[<br> "sts:AssumeRoleWithSAML",<br> "sts:TagSession"<br>]</pre> | no |

## Outputs

3 changes: 1 addition & 2 deletions modules/iam-assumable-role-with-saml/main.tf
@@ -37,8 +37,7 @@ data "aws_iam_policy_document" "assume_role_with_saml" {
actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions)))

principals {
type = "Federated"

type = "Federated"
identifiers = local.identifiers
}

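Review bot: Keep the `compact()` here even though the new default no longer contains an empty string: callers who still pass the old default `[""]` explicitly (it was also the fallback in wrappers/iam-assumable-role-with-saml/main.tf) would otherwise end up with `""` in the trust policy's action list, and `distinct()` alone does not remove it. A short comment on the `actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions)))` line explaining the backward-compatibility reason would stop a later cleanup from dropping it.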
4 changes: 2 additions & 2 deletions modules/iam-assumable-role-with-saml/variables.tf
@@ -89,7 +89,7 @@ variable "allow_self_assume_role" {
}

variable "trusted_role_actions" {
description = "Extra Actions of STS"
description = "Additional role actions"
type = list(string)
default = [""]
default = ["sts:AssumeRoleWithSAML", "sts:TagSession"]
}
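Review bot: The description "Additional role actions" contradicts the default `["sts:AssumeRoleWithSAML", "sts:TagSession"]`, which repeats the base action that main.tf prepends unconditionally; either reduce the default to `["sts:TagSession"]` or state in the description that `sts:AssumeRoleWithSAML` is always granted and this list only adds to it. The new default is also a behavior change for everyone already using the module: the next apply adds `sts:TagSession` to existing trust policies, so session tags carried in the SAML assertion become valid input to any `aws:PrincipalTag` condition the role's policies use. Mention that in the description and the changelog, together with the opt-out (`trusted_role_actions = []`).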
2 changes: 1 addition & 1 deletion modules/iam-assumable-role/README.md
@@ -66,7 +66,7 @@ No modules.
| <a name="input_role_session_name"></a> [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` | <pre>[<br> "${aws:username}"<br>]</pre> | no |
| <a name="input_role_sts_externalid"></a> [role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Actions of STS | `list(string)` | <pre>[<br> "sts:AssumeRole"<br>]</pre> | no |
| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` | <pre>[<br> "sts:AssumeRole",<br> "sts:TagSession"<br>]</pre> | no |
| <a name="input_trusted_role_arns"></a> [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
| <a name="input_trusted_role_services"></a> [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no |

4 changes: 2 additions & 2 deletions modules/iam-assumable-role/main.tf
@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "assume_role" {

statement {
effect = "Allow"
actions = var.trusted_role_actions
actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))

principals {
type = "AWS"
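Review bot: Replacing `actions = var.trusted_role_actions` with the `concat(["sts:AssumeRole"], ...)` form silently changes the variable from a full override into an additive list: a caller who previously set it to a list without `sts:AssumeRole` gets `sts:AssumeRole` back on the next plan. That is defensible, but the variable description ("Additional trusted role actions") should say the base action is always present, and the changelog should flag both this and the new `sts:TagSession` default, which every existing user of the module picks up automatically.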
@@ -85,7 +85,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {

statement {
effect = "Allow"
actions = var.trusted_role_actions
actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))

principals {
type = "AWS"
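Review bot: This is the second copy of `compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))` in the file; put it in a `locals` block and reference it from both the `assume_role` and `assume_role_with_mfa` statements so the MFA and non-MFA trust documents cannot drift apart on a future edit. Assuming the MFA condition lives on this same statement (it is outside the hunk), it also gates `sts:TagSession`, which is the right behavior: session tags can then only be set by a caller who satisfied MFA.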
4 changes: 2 additions & 2 deletions modules/iam-assumable-role/variables.tf
@@ -1,7 +1,7 @@
variable "trusted_role_actions" {
description = "Actions of STS"
description = "Additional trusted role actions"
type = list(string)
default = ["sts:AssumeRole"]
default = ["sts:AssumeRole", "sts:TagSession"]
}

variable "trusted_role_arns" {
1 change: 1 addition & 0 deletions modules/iam-assumable-roles-with-saml/README.md
@@ -66,6 +66,7 @@ No modules.
| <a name="input_readonly_role_permissions_boundary_arn"></a> [readonly\_role\_permissions\_boundary\_arn](#input\_readonly\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
| <a name="input_readonly_role_policy_arns"></a> [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
| <a name="input_readonly_role_tags"></a> [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` | <pre>[<br> "sts:AssumeRoleWithSAML",<br> "sts:TagSession"<br>]</pre> | no |

## Outputs

17 changes: 6 additions & 11 deletions modules/iam-assumable-roles-with-saml/main.tf
@@ -75,13 +75,11 @@ data "aws_iam_policy_document" "assume_role_with_saml" {
}

statement {
effect = "Allow"

actions = ["sts:AssumeRoleWithSAML"]
effect = "Allow"
actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions)))

principals {
type = "Federated"

type = "Federated"
identifiers = local.identifiers
}

@@ -103,8 +101,7 @@ resource "aws_iam_role" "admin" {

force_detach_policies = var.force_detach_policies
permissions_boundary = var.admin_role_permissions_boundary_arn

assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json

tags = var.admin_role_tags
}
@@ -126,8 +123,7 @@ resource "aws_iam_role" "poweruser" {

force_detach_policies = var.force_detach_policies
permissions_boundary = var.poweruser_role_permissions_boundary_arn

assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json

tags = var.poweruser_role_tags
}
@@ -149,8 +145,7 @@ resource "aws_iam_role" "readonly" {

force_detach_policies = var.force_detach_policies
permissions_boundary = var.readonly_role_permissions_boundary_arn

assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json

tags = var.readonly_role_tags
}
6 changes: 6 additions & 0 deletions modules/iam-assumable-roles-with-saml/variables.tf
@@ -22,6 +22,12 @@ variable "allow_self_assume_role" {
default = false
}

variable "trusted_role_actions" {
description = "Additional role actions"
type = list(string)
default = ["sts:AssumeRoleWithSAML", "sts:TagSession"]
}

# Admin
variable "create_admin_role" {
description = "Whether to create admin role"
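Review bot: Unlike the other inputs in this module, which are per role (`admin_role_*`, `poweruser_role_*`, `readonly_role_*`), `trusted_role_actions` feeds the one `assume_role_with_saml` document that all three roles attach via `assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json`, so any action added here lands in the admin role's trust policy as well. Say that in the description, and use the same "base action is always included" wording as the other modules, since the default here also repeats `sts:AssumeRoleWithSAML`.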
1 change: 1 addition & 0 deletions modules/iam-assumable-roles/README.md
@@ -66,6 +66,7 @@ No modules.
| <a name="input_readonly_role_policy_arns"></a> [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
| <a name="input_readonly_role_requires_mfa"></a> [readonly\_role\_requires\_mfa](#input\_readonly\_role\_requires\_mfa) | Whether readonly role requires MFA | `bool` | `true` | no |
| <a name="input_readonly_role_tags"></a> [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` | <pre>[<br> "sts:AssumeRole",<br> "sts:TagSession"<br>]</pre> | no |
| <a name="input_trusted_role_arns"></a> [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
| <a name="input_trusted_role_services"></a> [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no |

4 changes: 2 additions & 2 deletions modules/iam-assumable-roles/main.tf
@@ -75,7 +75,7 @@ data "aws_iam_policy_document" "assume_role" {

statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))

principals {
type = "AWS"
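Review bot: Granting `sts:TagSession` to the `AWS` principals in `trusted_role_arns` by default deserves a sentence in the README: whoever can assume these roles can now also choose their session tags, and when `trusted_role_arns` contains an account root rather than specific roles or users, any identity in that account that is allowed `sts:TagSession` picks the values that `aws:PrincipalTag` conditions in the admin, poweruser and readonly roles' policies will evaluate. Users who rely on principal tags for authorization but do not intend callers to set them should be told to pass `trusted_role_actions = ["sts:AssumeRole"]`.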
@@ -158,7 +158,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {

statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))

principals {
type = "AWS"
6 changes: 6 additions & 0 deletions modules/iam-assumable-roles/variables.tf
@@ -1,3 +1,9 @@
variable "trusted_role_actions" {
description = "Additional trusted role actions"
type = list(string)
default = ["sts:AssumeRole", "sts:TagSession"]
}

variable "trusted_role_arns" {
description = "ARNs of AWS entities who can assume these roles"
type = list(string)
2 changes: 1 addition & 1 deletion wrappers/iam-assumable-role-with-saml/main.tf
@@ -18,5 +18,5 @@ module "wrapper" {
number_of_role_policy_arns = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
allow_self_assume_role = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, [""])
trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"])
}
2 changes: 1 addition & 1 deletion wrappers/iam-assumable-role/main.tf
@@ -3,7 +3,7 @@ module "wrapper" {

for_each = var.items

trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole"])
trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole", "sts:TagSession"])
trusted_role_arns = try(each.value.trusted_role_arns, var.defaults.trusted_role_arns, [])
trusted_role_services = try(each.value.trusted_role_services, var.defaults.trusted_role_services, [])
mfa_age = try(each.value.mfa_age, var.defaults.mfa_age, 86400)
1 change: 1 addition & 0 deletions wrappers/iam-assumable-roles-with-saml/main.tf
@@ -7,6 +7,7 @@ module "wrapper" {
provider_ids = try(each.value.provider_ids, var.defaults.provider_ids, [])
aws_saml_endpoint = try(each.value.aws_saml_endpoint, var.defaults.aws_saml_endpoint, "https://signin.aws.amazon.com/saml")
allow_self_assume_role = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"])
create_admin_role = try(each.value.create_admin_role, var.defaults.create_admin_role, false)
admin_role_name = try(each.value.admin_role_name, var.defaults.admin_role_name, "admin")
admin_role_path = try(each.value.admin_role_path, var.defaults.admin_role_path, "/")
1 change: 1 addition & 0 deletions wrappers/iam-assumable-roles/main.tf
@@ -3,6 +3,7 @@ module "wrapper" {

for_each = var.items

trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole", "sts:TagSession"])
trusted_role_arns = try(each.value.trusted_role_arns, var.defaults.trusted_role_arns, [])
trusted_role_services = try(each.value.trusted_role_services, var.defaults.trusted_role_services, [])
mfa_age = try(each.value.mfa_age, var.defaults.mfa_age, 86400)