From b26b1a9f32a25ccce226f4347e1a815d8e659fec Mon Sep 17 00:00:00 2001
From: yuriy-kirb
Date: Tue, 4 Jun 2024 17:38:27 -0500
Subject: [PATCH 1/2] Adding ability to add additional principal to trusted policy

---
 data.tf | 7 +++++++
 variables.tf | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/data.tf b/data.tf
index ff1fafa..2a86b91 100644
--- a/data.tf
+++ b/data.tf
@@ -38,6 +38,13 @@ data "aws_iam_policy_document" "mwaa_assume" {
 type = "Service"
 identifiers = ["s3.amazonaws.com"]
 }
+ dynamic "principals" {
+ for_each = var.additional_principal_arns
+ content {
+ type = "AWS"
+ identifiers = [principals.value]
+ }
+ }
 }
 }
 #tfsec:ignore:AWS099
diff --git a/variables.tf b/variables.tf
index b58fbb5..612b9ee 100644
--- a/variables.tf
+++ b/variables.tf
@@ -157,6 +157,12 @@ variable "iam_role_name" {
 default = null
 }
 
+variable "additional_principal_arns" {
+ description = "List of additional AWS principal ARNs"
+ type = list(string)
+ default = []
+}
+
 variable "iam_role_permissions_boundary" {
 description = "IAM role Permission boundary"
 type = string

From 5c336aa773bd3703225ceb8aaa331cac1626d15c Mon Sep 17 00:00:00 2001
From: yuriy-kirb
Date: Tue, 4 Jun 2024 17:52:39 -0500
Subject: [PATCH 2/2] updating readme after running pre-commit

---
 README.md | 1 +
 examples/basic/main.tf | 2 +-
 test/mwaa_test.go | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index a25b2ce..bf2455c 100644
--- a/README.md
+++ b/README.md
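Review bot: Each ARN in `var.additional_principal_arns` becomes an unconditional `AWS` principal on the `mwaa_assume` statement, so an account-root ARN (`arn:aws:iam::<account>:root`) lets every IAM identity in that account assume the MWAA execution role, a cross-account ARN is trusted with no ExternalId or other condition, and a literal `"*"` would render as `"Principal": {"AWS": "*"}` and make the role assumable from any account. The statement's `actions`, `effect` and any existing `condition` blocks start outside the hunk, so I cannot see whether something already narrows this; if nothing does, the module should document the expectation that callers pass only specific role/user ARNs, or add a `condition` on `sts:ExternalId` for cross-account principals. A comment above the `dynamic "principals"` block would make the trust expansion obvious to the next reader: `# Every listed ARN can assume the execution role with the same permissions MWAA has; pass specific role/user ARNs, never account roots or "*".` As a point of style, a single `principals` block with `identifiers = var.additional_principal_arns` (guarded by `for_each = length(var.additional_principal_arns) > 0 ? [1] : []`) renders the same merged `AWS` principal list and avoids emitting one block per ARN.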
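Review bot: `additional_principal_arns` accepts any string, so a typo, a `"*"` or an account-root ARN flows straight into the role's trust policy in data.tf and is only caught, if at all, at apply time; a `validation` block restricting entries to IAM role or user ARNs rejects the broad forms at plan time. The description should also say what the list grants, e.g. `description = "IAM role/user ARNs allowed to assume the MWAA execution role (sts:AssumeRole, no conditions)."`. Note `alltrue` needs Terraform 0.14+; the module's `required_version` is not visible in this patch, so swap in a `length([... if !can(...)]) == 0` form if it is older.
```hcl
variable "additional_principal_arns" {
  # … unchanged: description, type, default …
  validation {
    condition     = alltrue([for a in var.additional_principal_arns : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:(role|user)/", a))])
    error_message = "additional_principal_arns must contain IAM role or user ARNs (not account roots or wildcards)."
  }
}
```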
@@ -129,6 +129,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [additional\_principal\_arns](#input\_additional\_principal\_arns) | List of additional AWS principal ARNs | `list(string)` | `[]` | no |
 | [airflow\_configuration\_options](#input\_airflow\_configuration\_options) | (Optional) The airflow\_configuration\_options parameter specifies airflow override options. | `any` | `null` | no |
 | [airflow\_version](#input\_airflow\_version) | (Optional) Airflow version of your environment, will be set by default to the latest version that MWAA supports. | `string` | `null` | no |
 | [create\_iam\_role](#input\_create\_iam\_role) | Create IAM role for MWAA | `bool` | `true` | no |
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 6f4c53d..49180b9 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -34,7 +34,7 @@ resource "aws_s3_bucket_ownership_controls" "this" {
 resource "aws_s3_bucket_acl" "this" {
 depends_on = [aws_s3_bucket_ownership_controls.this]
- bucket = aws_s3_bucket.this.id
+ bucket = aws_s3_bucket.this.id
 rule {
 object_ownership = "BucketOwnerPreferred"
 }
diff --git a/test/mwaa_test.go b/test/mwaa_test.go
index be9850b..ea44232 100644
--- a/test/mwaa_test.go
+++ b/test/mwaa_test.go
@@ -18,4 +18,4 @@ func TestExamplesBasic(t *testing.T) {
 defer terraform.Destroy(t, terraformOptions)
 terraform.InitAndApply(t, terraformOptions)
-}
\ No newline at end of file
+}