Merge branch 'terraform-aws-modules:master' into fix/fsx-update-volum…

…e-permissions

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.92.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
@@ -22,10 +22,9 @@ repos:
           - '--args=--only=terraform_required_providers'
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
-          - '--args=--only=terraform_unused_required_providers'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

CHANGELOG.md

@@ -2,6 +2,34 @@
 
 All notable changes to this project will be documented in this file.
 
+## [5.44.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.43.0...v5.44.0) (2024-08-08)
+
+
+### Features
+
+* Add support for OIDC policy conditions ([#480](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/480)) ([02a5b7f](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/02a5b7f35ecdd60498d978166ab2033bbdae5013))
+
+## [5.43.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.42.0...v5.43.0) (2024-08-05)
+
+
+### Features
+
+* Allow changing iss for the github oidc role ([#507](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/507)) ([56e4364](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/56e436441a2064ddfba6db379993127937aa7f28))
+
+## [5.42.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.41.0...v5.42.0) (2024-07-29)
+
+
+### Features
+
+* Add cloudwatch logs policy to vpc-cni for networkpolicy logging ([#504](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/504)) ([88ee443](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/88ee443b60ecaf542ec221eb4aa8a4c4b3bfa70b))
+
+## [5.41.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.40.0...v5.41.0) (2024-07-11)
+
+
+### Features
+
+* Adding sse-kms support for Mountpoint S3 CSI driver EKS IRSA ([#493](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/493)) ([5039e10](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/5039e10b5dc3f4129018f3ca19aab68c7e75fbf4))
+
 ## [5.40.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.39.1...v5.40.0) (2024-07-05)
 
 

examples/iam-assumable-role-with-oidc/README.md

@@ -32,6 +32,7 @@ No providers.
 |------|--------|---------|
 | <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | ../../modules/iam-assumable-role-with-oidc | n/a |
 | <a name="module_iam_assumable_role_inline_policy"></a> [iam\_assumable\_role\_inline\_policy](#module\_iam\_assumable\_role\_inline\_policy) | ../../modules/iam-assumable-role-with-oidc | n/a |
+| <a name="module_iam_assumable_role_provider_trust_policy_conditions"></a> [iam\_assumable\_role\_provider\_trust\_policy\_conditions](#module\_iam\_assumable\_role\_provider\_trust\_policy\_conditions) | ../../modules/iam-assumable-role-with-oidc | n/a |
 | <a name="module_iam_assumable_role_self_assume"></a> [iam\_assumable\_role\_self\_assume](#module\_iam\_assumable\_role\_self\_assume) | ../../modules/iam-assumable-role-with-oidc | n/a |
 
 ## Resources

examples/iam-assumable-role-with-oidc/main.tf

@@ -89,3 +89,34 @@ module "iam_assumable_role_inline_policy" {
     }
   ]
 }
+
+#####################################
+# IAM assumable role with policy conditions
+#####################################
+module "iam_assumable_role_provider_trust_policy_conditions" {
+  source = "../../modules/iam-assumable-role-with-oidc"
+
+  create_role = true
+
+  role_name = "role-with-oidc-policy-conditions"
+
+  tags = {
+    Role = "role-with-oidc-policy-conditions"
+  }
+
+  provider_url = "oidc.circleci.com/org/<CIRCLECI_ORG_UUID>"
+
+  oidc_fully_qualified_audiences = ["<CIRCLECI_ORG_UUID>"]
+
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+  ]
+
+  provider_trust_policy_conditions = [
+    {
+      test     = "StringLike"
+      variable = "aws:RequestTag/Environment"
+      values   = ["example"]
+    }
+  ]
+}

examples/iam-role-for-service-accounts-eks/main.tf

@@ -340,9 +340,10 @@ module "velero_irsa_role" {
 module "vpc_cni_ipv4_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name             = "vpc-cni-ipv4"
-  attach_vpc_cni_policy = true
-  vpc_cni_enable_ipv4   = true
+  role_name                      = "vpc-cni-ipv4"
+  attach_vpc_cni_policy          = true
+  vpc_cni_enable_ipv4            = true
+  vpc_cni_enable_cloudwatch_logs = true
 
   oidc_providers = {
     ex = {

modules/iam-assumable-role-with-oidc/README.md

@@ -50,6 +50,7 @@ No modules.
 | <a name="input_oidc_fully_qualified_audiences"></a> [oidc\_fully\_qualified\_audiences](#input\_oidc\_fully\_qualified\_audiences) | The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. | `set(string)` | `[]` | no |
 | <a name="input_oidc_fully_qualified_subjects"></a> [oidc\_fully\_qualified\_subjects](#input\_oidc\_fully\_qualified\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
 | <a name="input_oidc_subjects_with_wildcards"></a> [oidc\_subjects\_with\_wildcards](#input\_oidc\_subjects\_with\_wildcards) | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
+| <a name="input_provider_trust_policy_conditions"></a> [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy | `any` | `[]` | no |
 | <a name="input_provider_url"></a> [provider\_url](#input\_provider\_url) | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |
 | <a name="input_provider_urls"></a> [provider\_urls](#input\_provider\_urls) | List of URLs of the OIDC Providers | `list(string)` | `[]` | no |
 | <a name="input_role_description"></a> [role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no |

modules/iam-assumable-role-with-oidc/main.tf

@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
 
     content {
       effect  = "Allow"
-      actions = ["sts:AssumeRoleWithWebIdentity"]
+      actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
 
       principals {
         type = "Federated"
@@ -80,6 +80,16 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
           values   = var.oidc_fully_qualified_audiences
         }
       }
+
+      dynamic "condition" {
+        for_each = var.provider_trust_policy_conditions
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
     }
   }
 }

modules/iam-assumable-role-with-oidc/variables.tf

@@ -111,3 +111,9 @@ variable "allow_self_assume_role" {
   type        = bool
   default     = false
 }
+
+variable "provider_trust_policy_conditions" {
+  description = "[Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy"
+  type        = any
+  default     = []
+}

modules/iam-github-oidc-role/main.tf

@@ -31,8 +31,8 @@ data "aws_iam_policy_document" "this" {
 
     condition {
       test     = "ForAllValues:StringEquals"
-      variable = "token.actions.githubusercontent.com:iss"
-      values   = ["https://token.actions.githubusercontent.com"]
+      variable = "${local.provider_url}:iss"
+      values   = ["https://${local.provider_url}"]
     }
 
     condition {

modules/iam-role-for-service-accounts-eks/README.md

@@ -233,6 +233,7 @@ No modules.
 | <a name="input_load_balancer_controller_targetgroup_arns"></a> [load\_balancer\_controller\_targetgroup\_arns](#input\_load\_balancer\_controller\_targetgroup\_arns) | List of Target groups ARNs using Load Balancer Controller | `list(string)` | <pre>[<br>  "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"<br>]</pre> | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
 | <a name="input_mountpoint_s3_csi_bucket_arns"></a> [mountpoint\_s3\_csi\_bucket\_arns](#input\_mountpoint\_s3\_csi\_bucket\_arns) | S3 bucket ARNs to allow Mountpoint S3 CSI to list buckets | `list(string)` | `[]` | no |
+| <a name="input_mountpoint_s3_csi_kms_arns"></a> [mountpoint\_s3\_csi\_kms\_arns](#input\_mountpoint\_s3\_csi\_kms\_arns) | KMS Key ARNs to allow Mountpoint S3 CSI driver to download and upload Objects of a S3 bucket using `aws:kms` SSE | `list(string)` | `[]` | no |
 | <a name="input_mountpoint_s3_csi_path_arns"></a> [mountpoint\_s3\_csi\_path\_arns](#input\_mountpoint\_s3\_csi\_path\_arns) | S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no |
 | <a name="input_node_termination_handler_sqs_queue_arns"></a> [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_oidc_providers"></a> [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider_arn` and `namespace_service_accounts` | `any` | `{}` | no |
@@ -245,6 +246,7 @@ No modules.
 | <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
 | <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
+| <a name="input_vpc_cni_enable_cloudwatch_logs"></a> [vpc\_cni\_enable\_cloudwatch\_logs](#input\_vpc\_cni\_enable\_cloudwatch\_logs) | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no |
 | <a name="input_vpc_cni_enable_ipv4"></a> [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
 | <a name="input_vpc_cni_enable_ipv6"></a> [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no |
 

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -447,6 +447,18 @@ data "aws_iam_policy_document" "mountpoint_s3_csi" {
     ]
     resources = var.mountpoint_s3_csi_path_arns
   }
+
+  dynamic "statement" {
+    for_each = length(var.mountpoint_s3_csi_kms_arns) > 0 ? [1] : []
+    content {
+      actions = [
+        "kms:GenerateDataKey",
+        "kms:Decrypt"
+      ]
+
+      resources = var.mountpoint_s3_csi_kms_arns
+    }
+  }
 }
 
 resource "aws_iam_policy" "mountpoint_s3_csi" {
@@ -1469,6 +1481,21 @@ data "aws_iam_policy_document" "vpc_cni" {
     }
   }
 
+  # https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup
+  dynamic "statement" {
+    for_each = var.vpc_cni_enable_cloudwatch_logs ? [1] : []
+    content {
+      sid = "CloudWatchLogs"
+      actions = [
+        "logs:DescribeLogGroups",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+      ]
+      resources = ["*"]
+    }
+  }
+
   statement {
     sid       = "CreateTags"
     actions   = ["ec2:CreateTags"]

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -158,6 +158,12 @@ variable "mountpoint_s3_csi_bucket_arns" {
   default     = []
 }
 
+variable "mountpoint_s3_csi_kms_arns" {
+  description = "KMS Key ARNs to allow Mountpoint S3 CSI driver to download and upload Objects of a S3 bucket using `aws:kms` SSE"
+  type        = list(string)
+  default     = []
+}
+
 variable "mountpoint_s3_csi_path_arns" {
   description = "S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true`"
   type        = list(string)
@@ -345,6 +351,12 @@ variable "attach_vpc_cni_policy" {
   default     = false
 }
 
+variable "vpc_cni_enable_cloudwatch_logs" {
+  description = "Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events"
+  type        = bool
+  default     = false
+}
+
 variable "vpc_cni_enable_ipv4" {
   description = "Determines whether to enable IPv4 permissions for VPC CNI policy"
   type        = bool

wrappers/iam-account/versions.tf

@@ -1,3 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
 }

wrappers/iam-assumable-role-with-oidc/main.tf

@@ -3,23 +3,24 @@ module "wrapper" {
 
   for_each = var.items
 
-  allow_self_assume_role         = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
-  aws_account_id                 = try(each.value.aws_account_id, var.defaults.aws_account_id, "")
-  create_role                    = try(each.value.create_role, var.defaults.create_role, false)
-  force_detach_policies          = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
-  inline_policy_statements       = try(each.value.inline_policy_statements, var.defaults.inline_policy_statements, [])
-  max_session_duration           = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
-  number_of_role_policy_arns     = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
-  oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
-  oidc_fully_qualified_subjects  = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
-  oidc_subjects_with_wildcards   = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])
-  provider_url                   = try(each.value.provider_url, var.defaults.provider_url, "")
-  provider_urls                  = try(each.value.provider_urls, var.defaults.provider_urls, [])
-  role_description               = try(each.value.role_description, var.defaults.role_description, "")
-  role_name                      = try(each.value.role_name, var.defaults.role_name, null)
-  role_name_prefix               = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
-  role_path                      = try(each.value.role_path, var.defaults.role_path, "/")
-  role_permissions_boundary_arn  = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
-  role_policy_arns               = try(each.value.role_policy_arns, var.defaults.role_policy_arns, [])
-  tags                           = try(each.value.tags, var.defaults.tags, {})
+  allow_self_assume_role           = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  aws_account_id                   = try(each.value.aws_account_id, var.defaults.aws_account_id, "")
+  create_role                      = try(each.value.create_role, var.defaults.create_role, false)
+  force_detach_policies            = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
+  inline_policy_statements         = try(each.value.inline_policy_statements, var.defaults.inline_policy_statements, [])
+  max_session_duration             = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
+  number_of_role_policy_arns       = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
+  oidc_fully_qualified_audiences   = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
+  oidc_fully_qualified_subjects    = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
+  oidc_subjects_with_wildcards     = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])
+  provider_trust_policy_conditions = try(each.value.provider_trust_policy_conditions, var.defaults.provider_trust_policy_conditions, [])
+  provider_url                     = try(each.value.provider_url, var.defaults.provider_url, "")
+  provider_urls                    = try(each.value.provider_urls, var.defaults.provider_urls, [])
+  role_description                 = try(each.value.role_description, var.defaults.role_description, "")
+  role_name                        = try(each.value.role_name, var.defaults.role_name, null)
+  role_name_prefix                 = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
+  role_path                        = try(each.value.role_path, var.defaults.role_path, "/")
+  role_permissions_boundary_arn    = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
+  role_policy_arns                 = try(each.value.role_policy_arns, var.defaults.role_policy_arns, [])
+  tags                             = try(each.value.tags, var.defaults.tags, {})
 }

wrappers/iam-assumable-role-with-oidc/versions.tf

@@ -1,3 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
 }

wrappers/iam-assumable-role-with-saml/versions.tf

@@ -1,3 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
 }

wrappers/iam-assumable-role/versions.tf

@@ -1,3 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
 }

wrappers/iam-assumable-roles-with-saml/versions.tf

@@ -1,3 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
 }

wrappers/iam-assumable-roles/versions.tf

@@ -1,3 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
 }

wrappers/iam-eks-role/versions.tf

@@ -1,3 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
 }

wrappers/iam-github-oidc-provider/versions.tf

@@ -1,3 +1,14 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 3.0"
+    }
+  }
 }