From 5702679064861e364aefa909794da440f91f32fc Mon Sep 17 00:00:00 2001 From: Tomasz Charewicz Date: Thu, 29 Jun 2023 16:06:57 +0200 Subject: [PATCH] feat: Added variable trusted_role_actions to sub modules as a "Action of STS" (#393) Co-authored-by: Bryant Biggs --- modules/iam-assumable-role-with-saml/README.md | 2 +- modules/iam-assumable-role-with-saml/main.tf | 3 +-- .../iam-assumable-role-with-saml/variables.tf | 4 ++-- modules/iam-assumable-role/README.md | 2 +- modules/iam-assumable-role/main.tf | 4 ++-- modules/iam-assumable-role/variables.tf | 4 ++-- modules/iam-assumable-roles-with-saml/README.md | 1 + modules/iam-assumable-roles-with-saml/main.tf | 17 ++++++----------- .../iam-assumable-roles-with-saml/variables.tf | 6 ++++++ modules/iam-assumable-roles/README.md | 1 + modules/iam-assumable-roles/main.tf | 4 ++-- modules/iam-assumable-roles/variables.tf | 6 ++++++ wrappers/iam-assumable-role-with-saml/main.tf | 2 +- wrappers/iam-assumable-role/main.tf | 2 +- wrappers/iam-assumable-roles-with-saml/main.tf | 1 + wrappers/iam-assumable-roles/main.tf | 1 + 16 files changed, 35 insertions(+), 25 deletions(-) diff --git a/modules/iam-assumable-role-with-saml/README.md b/modules/iam-assumable-role-with-saml/README.md index f338a3bb..8b101cf4 100644 --- a/modules/iam-assumable-role-with-saml/README.md +++ b/modules/iam-assumable-role-with-saml/README.md @@ -52,7 +52,7 @@ No modules. | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no | | [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no | -| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Extra Actions of STS | `list(string)` |
[
""
]
| no | +| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` |
[
"sts:AssumeRoleWithSAML",
"sts:TagSession"
]
| no | ## Outputs diff --git a/modules/iam-assumable-role-with-saml/main.tf b/modules/iam-assumable-role-with-saml/main.tf index b3606165..e1d1902b 100644 --- a/modules/iam-assumable-role-with-saml/main.tf +++ b/modules/iam-assumable-role-with-saml/main.tf @@ -37,8 +37,7 @@ data "aws_iam_policy_document" "assume_role_with_saml" { actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions))) principals { - type = "Federated" - + type = "Federated" identifiers = local.identifiers } diff --git a/modules/iam-assumable-role-with-saml/variables.tf b/modules/iam-assumable-role-with-saml/variables.tf index 7c22048d..42c33647 100644 --- a/modules/iam-assumable-role-with-saml/variables.tf +++ b/modules/iam-assumable-role-with-saml/variables.tf @@ -89,7 +89,7 @@ variable "allow_self_assume_role" { } variable "trusted_role_actions" { - description = "Extra Actions of STS" + description = "Additional role actions" type = list(string) - default = [""] + default = ["sts:AssumeRoleWithSAML", "sts:TagSession"] } diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md index 3cc4cab2..b20e0877 100644 --- a/modules/iam-assumable-role/README.md +++ b/modules/iam-assumable-role/README.md @@ -66,7 +66,7 @@ No modules. | [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` |
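Review bot: In the `variable "trusted_role_actions"` hunk of modules/iam-assumable-role-with-saml/variables.tf, moving the default from `[""]` to `["sts:AssumeRoleWithSAML", "sts:TagSession"]` silently widens every trust policy this module already manages: on the next apply, federated principals gain `sts:TagSession`, so tags asserted by the IdP become `aws:PrincipalTag` values that any ABAC policy in the account may key on. That may be the right default, but it is a behaviour change and should be called out in the README/changelog, not only in the variable description. The description `"Additional role actions"` is also misleading, because main.tf always merges `sts:AssumeRoleWithSAML` in via `concat()` (visible as a context line in the main.tf hunk above), so this list is the effective action set and the base action cannot be removed; I'd write `description = "STS actions granted to the federated principals in the trust policy; sts:AssumeRoleWithSAML is always included. The default also allows sts:TagSession, which lets IdP-asserted session tags become aws:PrincipalTag."`. A `validation` block with `condition = alltrue([for a in compact(var.trusted_role_actions) : can(regex("^sts:", a))])` would reject non-STS entries at plan time instead of at apply (requires Terraform 0.13+ for `alltrue`, which I cannot confirm from this hunk).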
[
"${aws:username}"
]
| no | | [role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no | -| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Actions of STS | `list(string)` |
[
"sts:AssumeRole"
]
| no | +| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` |
[
"sts:AssumeRole",
"sts:TagSession"
]
| no | | [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no | | [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no | diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf index 8974d1fc..f4405b19 100644 --- a/modules/iam-assumable-role/main.tf +++ b/modules/iam-assumable-role/main.tf @@ -35,7 +35,7 @@ data "aws_iam_policy_document" "assume_role" { statement { effect = "Allow" - actions = var.trusted_role_actions + actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions))) principals { type = "AWS" @@ -85,7 +85,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" { statement { effect = "Allow" - actions = var.trusted_role_actions + actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions))) principals { type = "AWS" diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf index 38c6318a..29cf337f 100644 --- a/modules/iam-assumable-role/variables.tf +++ b/modules/iam-assumable-role/variables.tf @@ -1,7 +1,7 @@ variable "trusted_role_actions" { - description = "Actions of STS" + description = "Additional trusted role actions" type = list(string) - default = ["sts:AssumeRole"] + default = ["sts:AssumeRole", "sts:TagSession"] } variable "trusted_role_arns" { diff --git a/modules/iam-assumable-roles-with-saml/README.md b/modules/iam-assumable-roles-with-saml/README.md index df3da709..4092c896 100644 --- a/modules/iam-assumable-roles-with-saml/README.md +++ b/modules/iam-assumable-roles-with-saml/README.md 
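Review bot: In the `@@ -35` hunk of modules/iam-assumable-role/main.tf (`data.aws_iam_policy_document.assume_role`), the new `actions` expression means `sts:AssumeRole` can no longer be removed through `var.trusted_role_actions`, and with the new default every principal listed in `trusted_role_arns` also receives `sts:TagSession` without any MFA gate. Where one of those ARNs is an account root, any principal in that account can then pass arbitrary session tags when assuming the role; that is harmless until the role's own policies or a downstream trust policy use `aws:PrincipalTag`/`aws:RequestTag` for ABAC, at which point it is an authorization input controlled by the caller. Consider keeping the module default at `["sts:AssumeRole"]` and making TagSession opt-in, or at least documenting the implication on the line: `# sts:AssumeRole is always granted; var.trusted_role_actions can only add to it (sts:TagSession by default)`. The statement's `principals` and any `condition` blocks continue past the hunk.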
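Review bot: The `@@ -85` hunk in `assume_role_with_mfa` of modules/iam-assumable-role/main.tf repeats the exact `compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))` expression used in the non-MFA statement above; if either copy is edited later (say, dropping `compact`) the two trust documents drift apart silently. Hoisting it once, `locals { trusted_role_actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions))) }`, and writing `actions = local.trusted_role_actions` in both statements keeps them in lockstep. Since `sts:TagSession` sits in the same statement as `sts:AssumeRole`, the MFA `condition` (outside this hunk) applies to both, which is the desired behaviour and worth a one-line comment so nobody splits it into a separate statement later.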
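Review bot: In the `@@ -1,7 +1,7` hunk of modules/iam-assumable-role/variables.tf the description `"Additional trusted role actions"` no longer matches the code: main.tf now always prepends `sts:AssumeRole`, so the variable is the full action list for the trust policy and the base action is not removable, while the default itself restates `sts:AssumeRole`. The description should state the merge and the security meaning of the new default, and a `validation` block restricting entries to `sts:` actions would catch typos at plan time rather than as an IAM policy-document error at apply; `compact()` is applied first so the old `[""]` value keeps working. The block below assumes the module's `required_version` permits `alltrue` (Terraform 0.13+), which I cannot see from here.
```hcl
variable "trusted_role_actions" {
  description = "STS actions granted to trusted principals in the trust policy; sts:AssumeRole is always included. The default also allows sts:TagSession, which lets callers set session tags (aws:PrincipalTag)."
  # … unchanged: type, default …

  validation {
    condition     = alltrue([for a in compact(var.trusted_role_actions) : can(regex("^sts:", a))])
    error_message = "trusted_role_actions must only contain STS actions (sts:*)."
  }
}
```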
@@ -66,6 +66,7 @@ No modules. | [readonly\_role\_permissions\_boundary\_arn](#input\_readonly\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for readonly role | `string` | `""` | no | | [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` |
[
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
| no | | [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no | +| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` |
[
"sts:AssumeRoleWithSAML",
"sts:TagSession"
]
| no | ## Outputs diff --git a/modules/iam-assumable-roles-with-saml/main.tf b/modules/iam-assumable-roles-with-saml/main.tf index 1675c2de..2b113237 100644 --- a/modules/iam-assumable-roles-with-saml/main.tf +++ b/modules/iam-assumable-roles-with-saml/main.tf @@ -75,13 +75,11 @@ data "aws_iam_policy_document" "assume_role_with_saml" { } statement { - effect = "Allow" - - actions = ["sts:AssumeRoleWithSAML"] + effect = "Allow" + actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions))) principals { - type = "Federated" - + type = "Federated" identifiers = local.identifiers } @@ -103,8 +101,7 @@ resource "aws_iam_role" "admin" { force_detach_policies = var.force_detach_policies permissions_boundary = var.admin_role_permissions_boundary_arn - - assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json + assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json tags = var.admin_role_tags } @@ -126,8 +123,7 @@ resource "aws_iam_role" "poweruser" { force_detach_policies = var.force_detach_policies permissions_boundary = var.poweruser_role_permissions_boundary_arn - - assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json + assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json tags = var.poweruser_role_tags } @@ -149,8 +145,7 @@ resource "aws_iam_role" "readonly" { force_detach_policies = var.force_detach_policies permissions_boundary = var.readonly_role_permissions_boundary_arn - - assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json + assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json tags = var.readonly_role_tags } diff --git a/modules/iam-assumable-roles-with-saml/variables.tf b/modules/iam-assumable-roles-with-saml/variables.tf index cfe635e0..520af86c 100644 --- a/modules/iam-assumable-roles-with-saml/variables.tf +++ b/modules/iam-assumable-roles-with-saml/variables.tf 
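Review bot: In the `@@ -75` hunk of modules/iam-assumable-roles-with-saml/main.tf, `data.aws_iam_policy_document.assume_role_with_saml` is the single trust document attached to all three roles (the `assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json` lines for admin, poweruser and readonly appear in the later hunks of this file), so the new default grants `sts:TagSession` to the admin role as well, with no per-role override. If that is intended, say so where the variable is documented; otherwise a per-role action list, or at least an admin-specific one, would let operators keep the admin trust policy at `sts:AssumeRoleWithSAML` only while allowing session tags on the less privileged roles. A comment on the changed line would make the merge explicit: `# always includes sts:AssumeRoleWithSAML; var.trusted_role_actions only adds, and this document is shared by admin/poweruser/readonly`. The statement's `principals` and `condition` blocks continue outside the hunk.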
@@ -22,6 +22,12 @@ variable "allow_self_assume_role" { default = false } +variable "trusted_role_actions" { + description = "Additional role actions" + type = list(string) + default = ["sts:AssumeRoleWithSAML", "sts:TagSession"] +} + # Admin variable "create_admin_role" { description = "Whether to create admin role" diff --git a/modules/iam-assumable-roles/README.md b/modules/iam-assumable-roles/README.md index d5721cac..e74991af 100644 --- a/modules/iam-assumable-roles/README.md +++ b/modules/iam-assumable-roles/README.md @@ -66,6 +66,7 @@ No modules. | [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` |
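Review bot: The new `variable "trusted_role_actions"` in modules/iam-assumable-roles-with-saml/variables.tf describes itself as `"Additional role actions"`, but main.tf always concatenates `sts:AssumeRoleWithSAML` in front of it, so the value is the effective action list and the base action cannot be removed; the wording also differs from the `"Additional trusted role actions"` used for the same variable in the iam-assumable-roles modules of this PR. I'd align the text and state what the default does: `description = "STS actions granted to the federated principals in the trust policy shared by the admin, poweruser and readonly roles; sts:AssumeRoleWithSAML is always included, and the default adds sts:TagSession so IdP-asserted session tags become aws:PrincipalTag."`. A validation block that checks every non-empty entry matches `^sts:` would turn a mistyped action into a plan-time error instead of an apply-time failure.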
[
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
| no | | [readonly\_role\_requires\_mfa](#input\_readonly\_role\_requires\_mfa) | Whether readonly role requires MFA | `bool` | `true` | no | | [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no | +| [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` |
[
"sts:AssumeRole",
"sts:TagSession"
]
| no | | [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no | | [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no | diff --git a/modules/iam-assumable-roles/main.tf b/modules/iam-assumable-roles/main.tf index a4af12e7..73dd7986 100644 --- a/modules/iam-assumable-roles/main.tf +++ b/modules/iam-assumable-roles/main.tf @@ -75,7 +75,7 @@ data "aws_iam_policy_document" "assume_role" { statement { effect = "Allow" - actions = ["sts:AssumeRole"] + actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions))) principals { type = "AWS" @@ -158,7 +158,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" { statement { effect = "Allow" - actions = ["sts:AssumeRole"] + actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions))) principals { type = "AWS" diff --git a/modules/iam-assumable-roles/variables.tf b/modules/iam-assumable-roles/variables.tf index b0bc2352..83f8907e 100644 --- a/modules/iam-assumable-roles/variables.tf +++ b/modules/iam-assumable-roles/variables.tf @@ -1,3 +1,9 @@ +variable "trusted_role_actions" { + description = "Additional trusted role actions" + type = list(string) + default = ["sts:AssumeRole", "sts:TagSession"] +} + variable "trusted_role_arns" { description = "ARNs of AWS entities who can assume these roles" type = list(string) diff --git a/wrappers/iam-assumable-role-with-saml/main.tf b/wrappers/iam-assumable-role-with-saml/main.tf index 38b231f6..a856fe77 100644 --- a/wrappers/iam-assumable-role-with-saml/main.tf +++ b/wrappers/iam-assumable-role-with-saml/main.tf 
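Review bot: In the `@@ -75` hunk of modules/iam-assumable-roles/main.tf the trust statement moves from a hard-coded `["sts:AssumeRole"]` to a merged list whose default also carries `sts:TagSession`, so on upgrade every role built from `data.aws_iam_policy_document.assume_role` (the non-MFA document, presumably used for whichever of admin/poweruser/readonly has `*_role_requires_mfa = false`) grants TagSession to all `trusted_role_arns` principals with no MFA requirement. Account-root ARNs are common in `trusted_role_arns`, and TagSession then lets any principal in those accounts choose the session tags; that only matters if something downstream keys on `aws:PrincipalTag`, but it is a widening the module makes for existing users without a flag. A README note or an opt-in default would make it deliberate; at minimum document the merge on the line: `# sts:AssumeRole is always granted; var.trusted_role_actions only adds (sts:TagSession by default)`. The statement's `principals` block continues outside the hunk.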
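Review bot: The `@@ -158` hunk in `assume_role_with_mfa` of modules/iam-assumable-roles/main.tf duplicates the `compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))` expression from the `assume_role` document earlier in the same file, so the MFA and non-MFA trust policies can drift if one copy is edited. A single `locals { trusted_role_actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions))) }` referenced as `actions = local.trusted_role_actions` in both statements removes that risk. Keeping `sts:TagSession` in this same statement is correct, since the MFA `condition` (outside the hunk) then covers it too; a short comment saying so would stop a later refactor from splitting it out.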
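Review bot: The new `variable "trusted_role_actions"` in the `@@ -1,3 +1,9` hunk of modules/iam-assumable-roles/variables.tf is described as `"Additional trusted role actions"` while its own default restates `sts:AssumeRole`, which main.tf prepends unconditionally anyway; a reader cannot tell from this text that the base action is fixed or that the default now also enables session tags. I'd replace it with `description = "STS actions granted to trusted principals in the trust policy shared by the admin, poweruser and readonly roles; sts:AssumeRole is always included. The default also allows sts:TagSession (session tags / aws:PrincipalTag)."`. As with the single-role module, a validation block requiring every non-empty entry to start with `sts:` would make a mistyped action fail at plan time rather than at apply; I have left it described rather than quoted because the module's minimum Terraform version is not visible here.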
@@ -18,5 +18,5 @@ module "wrapper" { number_of_role_policy_arns = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null) force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false) allow_self_assume_role = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false) - trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, [""]) + trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"]) } diff --git a/wrappers/iam-assumable-role/main.tf b/wrappers/iam-assumable-role/main.tf index 14f835cb..3418c762 100644 --- a/wrappers/iam-assumable-role/main.tf +++ b/wrappers/iam-assumable-role/main.tf @@ -3,7 +3,7 @@ module "wrapper" { for_each = var.items - trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole"]) + trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole", "sts:TagSession"]) trusted_role_arns = try(each.value.trusted_role_arns, var.defaults.trusted_role_arns, []) trusted_role_services = try(each.value.trusted_role_services, var.defaults.trusted_role_services, []) mfa_age = try(each.value.mfa_age, var.defaults.mfa_age, 86400) diff --git a/wrappers/iam-assumable-roles-with-saml/main.tf b/wrappers/iam-assumable-roles-with-saml/main.tf index b206973e..c03e2516 100644 --- a/wrappers/iam-assumable-roles-with-saml/main.tf +++ b/wrappers/iam-assumable-roles-with-saml/main.tf 
@@ -7,6 +7,7 @@ module "wrapper" { provider_ids = try(each.value.provider_ids, var.defaults.provider_ids, []) aws_saml_endpoint = try(each.value.aws_saml_endpoint, var.defaults.aws_saml_endpoint, "https://signin.aws.amazon.com/saml") allow_self_assume_role = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false) + trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"]) create_admin_role = try(each.value.create_admin_role, var.defaults.create_admin_role, false) admin_role_name = try(each.value.admin_role_name, var.defaults.admin_role_name, "admin") admin_role_path = try(each.value.admin_role_path, var.defaults.admin_role_path, "/") diff --git a/wrappers/iam-assumable-roles/main.tf b/wrappers/iam-assumable-roles/main.tf index 5bd7274b..9012155f 100644 --- a/wrappers/iam-assumable-roles/main.tf +++ b/wrappers/iam-assumable-roles/main.tf @@ -3,6 +3,7 @@ module "wrapper" { for_each = var.items + trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole", "sts:TagSession"]) trusted_role_arns = try(each.value.trusted_role_arns, var.defaults.trusted_role_arns, []) trusted_role_services = try(each.value.trusted_role_services, var.defaults.trusted_role_services, []) mfa_age = try(each.value.mfa_age, var.defaults.mfa_age, 86400)