From 8e9f300a1a2c07ad89e12a8945ffd9c725a193bb Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Tue, 28 Jan 2025 16:14:55 -0500 Subject: [PATCH 1/9] Add support for custom trust policy conditions on `iam-github-oidc-role` --- modules/iam-github-oidc-role/main.tf | 10 ++++++++++ modules/iam-github-oidc-role/variables.tf | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/modules/iam-github-oidc-role/main.tf b/modules/iam-github-oidc-role/main.tf index 048b22a6..8167ebff 100644 --- a/modules/iam-github-oidc-role/main.tf +++ b/modules/iam-github-oidc-role/main.tf @@ -47,6 +47,16 @@ data "aws_iam_policy_document" "this" { # Strip `repo:` to normalize for cases where users may prepend it values = [for subject in var.subjects : "repo:${trimprefix(subject, "repo:")}"] } + + dynamic "condition" { + for_each = var.provider_trust_policy_conditions + + content { + test = condition.value.test + values = condition.value.values + variable = condition.value.variable + } + } } } diff --git a/modules/iam-github-oidc-role/variables.tf b/modules/iam-github-oidc-role/variables.tf index fa44afb6..d0b9a912 100644 --- a/modules/iam-github-oidc-role/variables.tf +++ b/modules/iam-github-oidc-role/variables.tf @@ -85,3 +85,13 @@ variable "provider_url" { type = string default = "token.actions.githubusercontent.com" } + +variable "provider_trust_policy_conditions" { + description = "[Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy" + type = list(object({ + test = string + variable = string + values = list(string) + })) + default = [] +} From 0e3087e8634b4d23cc2f740321fe8e3ae594fcdf Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Tue, 28 Jan 2025 16:58:45 -0500 Subject: [PATCH 2/9] pre-commit --- modules/iam-github-oidc-role/README.md | 1 + wrappers/iam-github-oidc-role/main.tf | 29 +++++++++++++------------- 2 files changed, 16 insertions(+), 14 deletions(-) 
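Review bot: The new `dynamic "condition"` block splices caller-supplied `test`/`variable` pairs into the same `statement` as the module's fixed `${var.provider_url}:aud` and `:sub` conditions, with no comment on how they combine and nothing stopping a caller from reusing those two keys. Distinct condition keys are ANDed, so a new key can only narrow the trust, but a block that repeats the built-in `StringEquals` / `:aud` key is not ANDed: as far as I know `aws_iam_policy_document` either merges the two value lists (turning the audience pin into an OR) or lets the later block win, depending on provider version, and either outcome loosens the trust this module exists to pin. I would add a comment above the block: `# Extra conditions are ANDed with the aud/sub checks above and may only narrow trust. Never repeat the aud or sub keys: same-key blocks are merged or overwritten, not ANDed.` The enclosing `statement` and `data` blocks both start before the hunk.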
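Review bot: `provider_trust_policy_conditions` accepts any `variable`, including the `<provider_url>:aud` and `<provider_url>:sub` keys that `audience`, `subjects` and `subject_condition` already pin, and a duplicate of those keys is the one input that can widen rather than narrow the role's trust, since the data source does not AND same-key condition blocks (as I understand it they are merged, or the later one wins). A `validation` block rejecting a `variable` that ends in `:aud` or `:sub` closes that off at plan time, and the description should state that these conditions are ANDed with the built-in ones and are for further restriction only. `can(regex(...))` is used instead of `endswith()` so the check does not raise the minimum Terraform version to 1.3.

```hcl
variable "provider_trust_policy_conditions" {
  description = "[Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) ANDed with the module's `aud`/`sub` conditions in the trust policy. Use only to further restrict which tokens may assume the role; the `aud` and `sub` claims are managed by `audience`, `subjects` and `subject_condition` and must not be repeated here"
  # … unchanged: type …
  default = []

  validation {
    condition = alltrue([
      for c in var.provider_trust_policy_conditions : !can(regex(":(aud|sub)$", c.variable))
    ])
    error_message = "Conditions on the `aud` and `sub` claims are managed by the module (`audience`, `subjects`, `subject_condition`); a duplicate key would be merged with, not ANDed to, the built-in condition."
  }
}
```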
diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md index eb26f681..cf3541c9 100644 --- a/modules/iam-github-oidc-role/README.md +++ b/modules/iam-github-oidc-role/README.md @@ -92,6 +92,7 @@ No modules. | [path](#input\_path) | Path of IAM role | `string` | `"/"` | no | | [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | | [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | +| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | | [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no | | [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no | | [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no | diff --git a/wrappers/iam-github-oidc-role/main.tf b/wrappers/iam-github-oidc-role/main.tf index b6414447..16ec0680 100644 --- a/wrappers/iam-github-oidc-role/main.tf +++ b/wrappers/iam-github-oidc-role/main.tf 
@@ -3,18 +3,19 @@ module "wrapper" { for_each = var.items - audience = try(each.value.audience, var.defaults.audience, "sts.amazonaws.com") - create = try(each.value.create, var.defaults.create, true) - description = try(each.value.description, var.defaults.description, null) - force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, true) - max_session_duration = try(each.value.max_session_duration, var.defaults.max_session_duration, null) - name = try(each.value.name, var.defaults.name, null) - name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null) - path = try(each.value.path, var.defaults.path, "/") - permissions_boundary_arn = try(each.value.permissions_boundary_arn, var.defaults.permissions_boundary_arn, null) - policies = try(each.value.policies, var.defaults.policies, {}) - provider_url = try(each.value.provider_url, var.defaults.provider_url, "token.actions.githubusercontent.com") - subject_condition = try(each.value.subject_condition, var.defaults.subject_condition, "StringLike") - subjects = try(each.value.subjects, var.defaults.subjects, []) - tags = try(each.value.tags, var.defaults.tags, {}) + audience = try(each.value.audience, var.defaults.audience, "sts.amazonaws.com") + create = try(each.value.create, var.defaults.create, true) + description = try(each.value.description, var.defaults.description, null) + force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, true) + max_session_duration = try(each.value.max_session_duration, var.defaults.max_session_duration, null) + name = try(each.value.name, var.defaults.name, null) + name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null) + path = try(each.value.path, var.defaults.path, "/") + permissions_boundary_arn = try(each.value.permissions_boundary_arn, var.defaults.permissions_boundary_arn, null) + policies = try(each.value.policies, var.defaults.policies, {}) + 
provider_trust_policy_conditions = try(each.value.provider_trust_policy_conditions, var.defaults.provider_trust_policy_conditions, []) + provider_url = try(each.value.provider_url, var.defaults.provider_url, "token.actions.githubusercontent.com") + subject_condition = try(each.value.subject_condition, var.defaults.subject_condition, "StringLike") + subjects = try(each.value.subjects, var.defaults.subjects, []) + tags = try(each.value.tags, var.defaults.tags, {}) } From 1e8b0acf608e75cb96517b21d1996bcaa4fbb052 Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Tue, 28 Jan 2025 17:14:49 -0500 Subject: [PATCH 3/9]
fix for pre-commit --- modules/iam-github-oidc-role/README.md | 34 +++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md index cf3541c9..d8b9202b 100644 --- a/modules/iam-github-oidc-role/README.md +++ b/modules/iam-github-oidc-role/README.md 
@@ -80,23 +80,23 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [audience](#input\_audience) | Audience to use for OIDC role. Defaults to `sts.amazonaws.com` for use with the [official AWS GitHub action](https://github.com/aws-actions/configure-aws-credentials) | `string` | `"sts.amazonaws.com"` | no | -| [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | -| [description](#input\_description) | IAM Role description | `string` | `null` | no | -| [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | -| [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no | -| [name](#input\_name) | Name of IAM role | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | IAM role name prefix | `string` | `null` | no | -| [path](#input\_path) | Path of IAM role | `string` | `"/"` | no | -| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | -| [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | -| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | -| [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no | -| [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no | -| [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no | -| [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------------------------------------------------------------------------------------------------------------------------|---------|:--------:| +| [audience](#input\_audience) | Audience to use for OIDC role. Defaults to `sts.amazonaws.com` for use with the [official AWS GitHub action](https://github.com/aws-actions/configure-aws-credentials) | `string` | `"sts.amazonaws.com"` | no | +| [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | +| [description](#input\_description) | IAM Role description | `string` | `null` | no | +| [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | +| [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no | +| [name](#input\_name) | Name of IAM role | `string` | `null` | no | +| [name\_prefix](#input\_name\_prefix) | IAM role name prefix | `string` | `null` | no | +| [path](#input\_path) | Path of IAM role | `string` | `"/"` | no | +| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | 
Permissions boundary ARN to use for IAM role | `string` | `null` | no | +| [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | +| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | +| [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no | +| [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no | +| [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no | +| [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no | ## Outputs From 21f711447fd8d23e74237f83df6c8ae23ce7c2a0 Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Tue, 28 Jan 2025 17:24:07 -0500 Subject: [PATCH 4/9]
fix for pre-commit --- modules/iam-github-oidc-role/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md index d8b9202b..84fc3af0 100644 --- a/modules/iam-github-oidc-role/README.md +++ b/modules/iam-github-oidc-role/README.md @@ -92,7 +92,7 @@ No modules. | [path](#input\_path) | Path of IAM role | `string` | `"/"` | no | | [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | | [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | -| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | +| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({   
test = string
variable = string
values = list(string)
}))
| `[]` | no | | [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no | | [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no | | [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no | From e825e5f9d1d0d7bd707e09e65be6cd0664702aaf Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Tue, 28 Jan 2025 21:54:24 -0500 Subject: [PATCH 5/9] disable IDE auto-format and re-run precommit --- modules/iam-github-oidc-role/README.md | 34 +++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md index 84fc3af0..cf3541c9 100644 --- a/modules/iam-github-oidc-role/README.md +++ b/modules/iam-github-oidc-role/README.md 
@@ -80,23 +80,23 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------------------------------------------------------------------------------------------------------------------------|---------|:--------:| -| [audience](#input\_audience) | Audience to use for OIDC role. Defaults to `sts.amazonaws.com` for use with the [official AWS GitHub action](https://github.com/aws-actions/configure-aws-credentials) | `string` | `"sts.amazonaws.com"` | no | -| [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | -| [description](#input\_description) | IAM Role description | `string` | `null` | no | -| [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | -| [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no | -| [name](#input\_name) | Name of IAM role | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | IAM role name prefix | `string` | `null` | no | -| [path](#input\_path) | Path of IAM role | `string` | `"/"` | no | -| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | -| [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | -| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({   
test = string
variable = string
values = list(string)
}))
| `[]` | no | -| [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no | -| [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no | -| [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no | -| [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [audience](#input\_audience) | Audience to use for OIDC role. Defaults to `sts.amazonaws.com` for use with the [official AWS GitHub action](https://github.com/aws-actions/configure-aws-credentials) | `string` | `"sts.amazonaws.com"` | no | +| [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | +| [description](#input\_description) | IAM Role description | `string` | `null` | no | +| [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no | +| [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no | +| [name](#input\_name) | Name of IAM role | `string` | `null` | no | +| [name\_prefix](#input\_name\_prefix) | IAM role name prefix | `string` | `null` | no | +| [path](#input\_path) | Path of IAM role | `string` | `"/"` | no | +| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | +| [policies](#input\_policies) | Policies to 
attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | +| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | +| [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no | +| [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no | +| [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no | +| [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no | ## Outputs From 08492c82ae4fc11d1ad4ddc128ca92d65c52d414 Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Tue, 28 Jan 2025 22:03:22 -0500 Subject: [PATCH 6/9] fix
without IDE auto-format --- modules/iam-github-oidc-role/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md index cf3541c9..4f43d92e 100644 --- a/modules/iam-github-oidc-role/README.md +++ b/modules/iam-github-oidc-role/README.md @@ -92,7 +92,7 @@ No modules. | [path](#input\_path) | Path of IAM role | `string` | `"/"` | no | | [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | | [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | -| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | +| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | | [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no | | [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no | | [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no | From 9389b989176247e7fc06382707651130ea0e2e36 Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Wed, 29 Jan 2025 10:52:40 -0500 Subject: [PATCH 7/9] update naming and add example --- examples/iam-github-oidc/main.tf | 12 +++++++++ modules/iam-github-oidc-role/README.md | 2 +- modules/iam-github-oidc-role/main.tf | 2 +- modules/iam-github-oidc-role/variables.tf | 2 +- wrappers/iam-github-oidc-role/main.tf | 30 +++++++++++------------ 5 files changed, 30 insertions(+), 18 deletions(-) diff --git a/examples/iam-github-oidc/main.tf b/examples/iam-github-oidc/main.tf index a03cc88c..874bf8bc 100644 --- a/examples/iam-github-oidc/main.tf +++ b/examples/iam-github-oidc/main.tf @@ -46,6 +46,18 @@ module "iam_github_oidc_role" { "terraform-aws-modules/terraform-aws-iam:ref:refs/heads/master", ] + # This ensures that the OIDC token GitHub uses to assume the AWS IAM role has the correct + # `actor` scope. Any other GitHub OIDC claims can be used as well. + additional_provider_trust_policy_conditions = [ + { + test = "ForAllValues:StringEquals" + variable = "${module.iam_github_oidc_provider.url}:actor" + # This should be the list of GitHub usernames for which you want to restrict + # access to the role. + values = ["username"] + } + ] + policies = { additional = aws_iam_policy.additional.arn S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" 
diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md index 4f43d92e..7616e0ed 100644 --- a/modules/iam-github-oidc-role/README.md +++ b/modules/iam-github-oidc-role/README.md @@ -82,6 +82,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [additional\_provider\_trust\_policy\_conditions](#input\_additional\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | | [audience](#input\_audience) | Audience to use for OIDC role. Defaults to `sts.amazonaws.com` for use with the [official AWS GitHub action](https://github.com/aws-actions/configure-aws-credentials) | `string` | `"sts.amazonaws.com"` | no | | [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | | [description](#input\_description) | IAM Role description | `string` | `null` | no | @@ -92,7 +93,6 @@ No modules. | [path](#input\_path) | Path of IAM role | `string` | `"/"` | no | | [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no | | [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no | -| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | | [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no | | [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no | | [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no | diff --git a/modules/iam-github-oidc-role/main.tf b/modules/iam-github-oidc-role/main.tf index 8167ebff..1dafe0d2 100644 --- a/modules/iam-github-oidc-role/main.tf +++ b/modules/iam-github-oidc-role/main.tf @@ -49,7 +49,7 @@ data "aws_iam_policy_document" "this" { } dynamic "condition" { - for_each = var.provider_trust_policy_conditions + for_each = var.additional_provider_trust_policy_conditions content { test = condition.value.test diff --git a/modules/iam-github-oidc-role/variables.tf b/modules/iam-github-oidc-role/variables.tf index d0b9a912..a2e0d848 100644 --- a/modules/iam-github-oidc-role/variables.tf +++ b/modules/iam-github-oidc-role/variables.tf @@ -86,7 +86,7 @@ variable "provider_url" { default = "token.actions.githubusercontent.com" } -variable "provider_trust_policy_conditions" { +variable "additional_provider_trust_policy_conditions" { description = "[Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy" type = list(object({ test = string diff --git a/wrappers/iam-github-oidc-role/main.tf b/wrappers/iam-github-oidc-role/main.tf index 16ec0680..75e9794e 100644 --- a/wrappers/iam-github-oidc-role/main.tf +++ b/wrappers/iam-github-oidc-role/main.tf 
@@ -3,19 +3,19 @@ module "wrapper" { for_each = var.items - audience = try(each.value.audience, var.defaults.audience, "sts.amazonaws.com") - create = try(each.value.create, var.defaults.create, true) - description = try(each.value.description, var.defaults.description, null) - force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, true) - max_session_duration = try(each.value.max_session_duration, var.defaults.max_session_duration, null) - name = try(each.value.name, var.defaults.name, null) - name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null) - path = try(each.value.path, var.defaults.path, "/") - permissions_boundary_arn = try(each.value.permissions_boundary_arn, var.defaults.permissions_boundary_arn, null) - policies = try(each.value.policies, var.defaults.policies, {}) - provider_trust_policy_conditions = try(each.value.provider_trust_policy_conditions, var.defaults.provider_trust_policy_conditions, []) - provider_url = try(each.value.provider_url, var.defaults.provider_url, "token.actions.githubusercontent.com") - subject_condition = try(each.value.subject_condition, var.defaults.subject_condition, "StringLike") - subjects = try(each.value.subjects, var.defaults.subjects, []) - tags = try(each.value.tags, var.defaults.tags, {}) + additional_provider_trust_policy_conditions = try(each.value.additional_provider_trust_policy_conditions, var.defaults.additional_provider_trust_policy_conditions, []) + audience = try(each.value.audience, var.defaults.audience, "sts.amazonaws.com") + create = try(each.value.create, var.defaults.create, true) + description = try(each.value.description, var.defaults.description, null) + force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, true) + max_session_duration = try(each.value.max_session_duration, var.defaults.max_session_duration, null) + name = try(each.value.name, var.defaults.name, null) + name_prefix = 
try(each.value.name_prefix, var.defaults.name_prefix, null) + path = try(each.value.path, var.defaults.path, "/") + permissions_boundary_arn = try(each.value.permissions_boundary_arn, var.defaults.permissions_boundary_arn, null) + policies = try(each.value.policies, var.defaults.policies, {}) + provider_url = try(each.value.provider_url, var.defaults.provider_url, "token.actions.githubusercontent.com") + subject_condition = try(each.value.subject_condition, var.defaults.subject_condition, "StringLike") + subjects = try(each.value.subjects, var.defaults.subjects, []) + tags = try(each.value.tags, var.defaults.tags, {}) } From 6e60386040861793307de9ff7bf778ee3bf3eb67 Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Wed, 29 Jan 2025 11:03:15 -0500 Subject: [PATCH 8/9] condition should be StringEquals --- examples/iam-github-oidc/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/iam-github-oidc/main.tf b/examples/iam-github-oidc/main.tf index 874bf8bc..c1b3ae61 100644 --- a/examples/iam-github-oidc/main.tf +++ b/examples/iam-github-oidc/main.tf @@ -50,7 +50,7 @@ module "iam_github_oidc_role" { # `actor` scope. Any other GitHub OIDC claims can be used as well. additional_provider_trust_policy_conditions = [ { - test = "ForAllValues:StringEquals" + test = "StringEquals" variable = "${module.iam_github_oidc_provider.url}:actor" # This should be the list of GitHub usernames for which you want to restrict # access to the role. From 7eeddc467fbf8bf74aa12f27f6aff7bdee71cca5 Mon Sep 17 00:00:00 2001 From: Jonathan Schami Date: Wed, 29 Jan 2025 11:37:56 -0500 Subject: [PATCH 9/9] pre-commit nonsense... --- modules/iam-github-oidc-role/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md index 7616e0ed..0c0f7cd2 100644 --- a/modules/iam-github-oidc-role/README.md +++ b/modules/iam-github-oidc-role/README.md 
@@ -82,7 +82,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [additional\_provider\_trust\_policy\_conditions](#input\_additional\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | +| [additional\_provider\_trust\_policy\_conditions](#input\_additional\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | | [audience](#input\_audience) | Audience to use for OIDC role. Defaults to `sts.amazonaws.com` for use with the [official AWS GitHub action](https://github.com/aws-actions/configure-aws-credentials) | `string` | `"sts.amazonaws.com"` | no | | [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | | [description](#input\_description) | IAM Role description | `string` | `null` | no |