diff --git a/examples/iam-assumable-role/main.tf b/examples/iam-assumable-role/main.tf
index 5255283e..f94a9afb 100644
--- a/examples/iam-assumable-role/main.tf
+++ b/examples/iam-assumable-role/main.tf
@@ -8,6 +8,9 @@ provider "aws" { module "iam_assumable_role_admin" { source = "../../modules/iam-assumable-role" + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + allow_self_assume_role = true + trusted_role_arns = [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/anton",
@@ -127,16 +130,6 @@ data "aws_iam_policy_document" "custom_trust_policy" { identifiers = ["*"] } } - - statement { - effect = "Deny" - actions = ["sts:AssumeRole"] - - principals { - type = "AWS" - identifiers = ["arn:aws:iam::111111111111:root"] - } - } } #########################################
diff --git a/modules/iam-assumable-role-with-oidc/README.md b/modules/iam-assumable-role-with-oidc/README.md
index 2d53a1a3..3bf01a75 100644
--- a/modules/iam-assumable-role-with-oidc/README.md
+++ b/modules/iam-assumable-role-with-oidc/README.md
@@ -38,6 +38,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | | [aws\_account\_id](#input\_aws\_account\_id) | The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider | `string` | `""` | no | | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no | 
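Review bot: The example sets `allow_self_assume_role = true` on the `iam_assumable_role_admin` instance with only a bare URL as the comment, so a reader copying it does not learn what the flag changes: it adds an Allow `sts:AssumeRole` statement for the role's own ARN to the trust policy, which lets any existing session of this admin role mint a fresh session of itself. As I understand AWS role chaining the re-assumed session is capped at one hour, but it still prolongs the life of a leaked admin session, so the example should say why it needs the flag rather than demonstrate it on the most privileged role. I would extend the comment to `# Explicit self-trust; AWS no longer grants it implicitly (see the linked post). Only set this where a workflow really re-assumes its own role.` The module block continues outside the hunk.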
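Review bot: The second hunk of examples/iam-assumable-role/main.tf drops the explicit `Deny` statement for `arn:aws:iam::111111111111:root` from `custom_trust_policy` without any explanation in the hunk, and nothing in the self-assume feature requires that removal. If the intent is to keep the custom trust policy example minimal, a short comment on the remaining `statement` block (e.g. `# Minimal custom trust policy; add explicit Deny statements for principals you want excluded`) would stop readers from taking the removal as advice against explicit Deny statements in trust policies. If it was removed because it interacts with the new self-assume statement, that reasoning is worth recording in the commit message. The `custom_trust_policy` data source starts outside the hunk.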
diff --git a/modules/iam-assumable-role-with-oidc/main.tf b/modules/iam-assumable-role-with-oidc/main.tf
index 586bd50d..f3879ff9 100644
--- a/modules/iam-assumable-role-with-oidc/main.tf
+++ b/modules/iam-assumable-role-with-oidc/main.tf
@@ -9,18 +9,32 @@ locals { } data "aws_caller_identity" "current" {} - data "aws_partition" "current" {} data "aws_iam_policy_document" "assume_role_with_oidc" { count = var.create_role ? 1 : 0 dynamic "statement" { - for_each = local.urls + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] content { - effect = "Allow" + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + + dynamic "statement" { + for_each = local.urls + + content { + effect = "Allow" actions = ["sts:AssumeRoleWithWebIdentity"] principals {
diff --git a/modules/iam-assumable-role-with-oidc/variables.tf b/modules/iam-assumable-role-with-oidc/variables.tf
index 5576f5f0..d9b7cd7b 100644
--- a/modules/iam-assumable-role-with-oidc/variables.tf
+++ b/modules/iam-assumable-role-with-oidc/variables.tf
@@ -99,3 +99,9 @@ variable "force_detach_policies" { type = bool default = false } + +variable "allow_self_assume_role" { + description = "Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/)" + type = bool + default = false +}
diff --git a/modules/iam-assumable-role-with-saml/README.md b/modules/iam-assumable-role-with-saml/README.md
index 15f3c8f8..4d9eab4a 100644
--- a/modules/iam-assumable-role-with-saml/README.md
+++ b/modules/iam-assumable-role-with-saml/README.md 
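Review bot: The `ExplicitSelfRoleAssumption` statement puts the role's own ARN as an AWS principal into the trust policy of the role that is being created; as far as I know IAM rejects a trust policy whose AWS principal ARN does not exist yet, so a first `apply` with `allow_self_assume_role = true` may fail with an invalid-principal error until the role exists, and if that is confirmed the variable description should spell out the create-then-enable sequence. The interpolation `role${var.role_path}${var.role_name}` also assumes `role_path` is `/`-bounded and `role_name` is set: a null name aborts the plan at this line, an empty one yields an ARN that matches nothing, and where a module derives the role name from a prefix instead of `role_name` the ARN never matches the created role, so the statement grants nothing. A comment above `identifiers` such as `# Must equal the created role's ARN exactly: role_path is "/"-bounded and role_name must be the final name, not a prefix` records the assumption. The same statement is repeated in modules/iam-assumable-role-with-saml/main.tf (L4), modules/iam-assumable-role/main.tf (L6), modules/iam-assumable-roles-with-saml/main.tf (L12), modules/iam-assumable-roles/main.tf (L17, L18), modules/iam-eks-role/main.tf (L19) and modules/iam-role-for-service-accounts-eks/main.tf (L24). The `assume_role_with_oidc` document continues outside the hunk.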
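Review bot: The description `"Determines whether to allow the role to be [assume itself](...)"` is ungrammatical and does not say what the flag does to the trust policy; I would change the line to `description = "Determines whether to allow the role to [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) via an explicit sts:AssumeRole trust statement for the role's own ARN"`. The same text is repeated in the variables.tf hunks at L4, L7, L13, L18, L20 and L25 and in every README row; the READMEs appear to be generated from the descriptions, so fixing the variable blocks and regenerating keeps them consistent.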
@@ -29,12 +29,15 @@ No modules. |------|------| | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role_with_saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | | [aws\_saml\_endpoint](#input\_aws\_saml\_endpoint) | AWS SAML Endpoint | `string` | `"https://signin.aws.amazon.com/saml"` | no | | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
diff --git a/modules/iam-assumable-role-with-saml/main.tf b/modules/iam-assumable-role-with-saml/main.tf
index eb9d803b..6cc1eda2 100644
--- a/modules/iam-assumable-role-with-saml/main.tf
+++ b/modules/iam-assumable-role-with-saml/main.tf 
@@ -1,12 +1,30 @@ +data "aws_caller_identity" "current" {} +data "aws_partition" "current" {} + locals { identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id]))) number_of_role_policy_arns = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns)) } data "aws_iam_policy_document" "assume_role_with_saml" { - statement { - effect = "Allow" + dynamic "statement" { + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] + content { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + + statement { + effect = "Allow" actions = ["sts:AssumeRoleWithSAML"] principals {
diff --git a/modules/iam-assumable-role-with-saml/variables.tf b/modules/iam-assumable-role-with-saml/variables.tf
index e363ed48..210ad057 100644
--- a/modules/iam-assumable-role-with-saml/variables.tf
+++ b/modules/iam-assumable-role-with-saml/variables.tf
@@ -81,3 +81,9 @@ variable "force_detach_policies" { type = bool default = false } + +variable "allow_self_assume_role" { + description = "Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/)" + type = bool + default = false +}
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
index a7ce8fac..d2652e37 100644
--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md 
@@ -32,14 +32,17 @@ No modules. | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.assume_role_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [admin\_role\_policy\_arn](#input\_admin\_role\_policy\_arn) | Policy ARN to use for admin role | `string` | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no | +| [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | | [attach\_admin\_policy](#input\_attach\_admin\_policy) | Whether to attach an admin policy to a role | `bool` | `false` | no | | [attach\_poweruser\_policy](#input\_attach\_poweruser\_policy) | Whether to attach a poweruser policy to a role | `bool` | `false` | no | | [attach\_readonly\_policy](#input\_attach\_readonly\_policy) | Whether to attach a 
readonly policy to a role | `bool` | `false` | no |
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
index 7f5beb54..6e3971b5 100644
--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -1,3 +1,6 @@ +data "aws_caller_identity" "current" {} +data "aws_partition" "current" {} + locals { role_sts_externalid = flatten([var.role_sts_externalid]) }
@@ -5,9 +8,24 @@ locals { data "aws_iam_policy_document" "assume_role" { count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 0 : 1 - statement { - effect = "Allow" + dynamic "statement" { + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] + + content { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + statement { + effect = "Allow" actions = var.trusted_role_actions principals {
@@ -34,9 +52,24 @@ data "aws_iam_policy_document" "assume_role" { data "aws_iam_policy_document" "assume_role_with_mfa" { count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 1 : 0 - statement { - effect = "Allow" + dynamic "statement" { + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] + + content { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + + statement { + effect = "Allow" actions = var.trusted_role_actions principals { 
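Review bot: In `assume_role_with_mfa` the self-assume statement has no MFA condition, so with `role_requires_mfa = true` and `allow_self_assume_role = true` an existing session of the role can re-assume it without presenting MFA; that is presumably deliberate, because a role session cannot present an MFA device and the session that first assumed the role already satisfied the condition, but it should be stated, e.g. `# Intentionally no MFA condition: role sessions cannot present MFA; the originating session already passed it` above the `content` block. The `count` expressions also show `assume_role` is still generated when `custom_role_trust_policy` is non-empty; if the role then uses the custom policy (the attachment is outside the hunk), `allow_self_assume_role` is silently ignored in that mode and the variable description should say so. The MFA point applies equally to the `assume_role_with_mfa` hunk of modules/iam-assumable-roles/main.tf at L18. Both documents continue outside the hunk.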
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
index a74d339d..ab2d3451 100644
--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
@@ -142,3 +142,9 @@ variable "role_sts_externalid" { type = any default = [] } + +variable "allow_self_assume_role" { + description = "Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/)" + type = bool + default = false +}
diff --git a/modules/iam-assumable-roles-with-saml/README.md b/modules/iam-assumable-roles-with-saml/README.md
index 8e81a897..6ab729ce 100644
--- a/modules/iam-assumable-roles-with-saml/README.md
+++ b/modules/iam-assumable-roles-with-saml/README.md
@@ -34,7 +34,9 @@ No modules. | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role_with_saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs 
@@ -45,6 +47,7 @@ No modules. | [admin\_role\_permissions\_boundary\_arn](#input\_admin\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for admin role | `string` | `""` | no | | [admin\_role\_policy\_arns](#input\_admin\_role\_policy\_arns) | List of policy ARNs to use for admin role | `list(string)` |
[
"arn:aws:iam::aws:policy/AdministratorAccess"
]
| no | | [admin\_role\_tags](#input\_admin\_role\_tags) | A map of tags to add to admin role resource. | `map(string)` | `{}` | no | +| [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | | [aws\_saml\_endpoint](#input\_aws\_saml\_endpoint) | AWS SAML Endpoint | `string` | `"https://signin.aws.amazon.com/saml"` | no | | [create\_admin\_role](#input\_create\_admin\_role) | Whether to create admin role | `bool` | `false` | no | | [create\_poweruser\_role](#input\_create\_poweruser\_role) | Whether to create poweruser role | `bool` | `false` | no |
diff --git a/modules/iam-assumable-roles-with-saml/main.tf b/modules/iam-assumable-roles-with-saml/main.tf
index fdfb687c..9c9e7168 100644
--- a/modules/iam-assumable-roles-with-saml/main.tf
+++ b/modules/iam-assumable-roles-with-saml/main.tf
@@ -1,8 +1,27 @@ +data "aws_caller_identity" "current" {} +data "aws_partition" "current" {} + locals { identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id]))) } data "aws_iam_policy_document" "assume_role_with_saml" { + dynamic "statement" { + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] + + content { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + statement { effect = "Allow"
diff --git a/modules/iam-assumable-roles-with-saml/variables.tf b/modules/iam-assumable-roles-with-saml/variables.tf
index 4f2af0f7..cfe635e0 100644
--- a/modules/iam-assumable-roles-with-saml/variables.tf
+++ b/modules/iam-assumable-roles-with-saml/variables.tf 
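Review bot: This module creates several roles (the README hunk just above lists `create_admin_role`, `create_poweruser_role` and per-role inputs such as `admin_role_policy_arns`), yet the shared `assume_role_with_saml` document now embeds a single ARN built from `var.role_path` and `var.role_name`, and neither input appears in the README hunk. Either those variables do not exist in this module and the plan fails as soon as the flag is set, or one ARN is shared by every role's trust policy, in which case the one role it names gains `sts:AssumeRole` on every role that uses this document — including roles more privileged than itself — while the other roles gain no self-trust at all. The statement needs one principal per created role (an ARN list derived from each role's own name and path inputs, filtered by the matching create flag) or a separate trust document per role. The same applies to `assume_role` and `assume_role_with_mfa` in modules/iam-assumable-roles/main.tf at L17 and L18. The document continues outside the hunk.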
@@ -16,6 +16,12 @@ variable "aws_saml_endpoint" { type = string } +variable "allow_self_assume_role" { + description = "Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/)" + type = bool + default = false +} + # Admin variable "create_admin_role" { description = "Whether to create admin role"
diff --git a/modules/iam-assumable-roles/README.md b/modules/iam-assumable-roles/README.md
index 3779d71b..d5721cac 100644
--- a/modules/iam-assumable-roles/README.md
+++ b/modules/iam-assumable-roles/README.md
@@ -32,8 +32,10 @@ No modules. | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.assume_role_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs
@@ -45,6 +47,7 @@ No modules. | [admin\_role\_policy\_arns](#input\_admin\_role\_policy\_arns) | List of policy ARNs to use for admin role | `list(string)` |
[
"arn:aws:iam::aws:policy/AdministratorAccess"
]
| no | | [admin\_role\_requires\_mfa](#input\_admin\_role\_requires\_mfa) | Whether admin role requires MFA | `bool` | `true` | no | | [admin\_role\_tags](#input\_admin\_role\_tags) | A map of tags to add to admin role resource. | `map(string)` | `{}` | no | +| [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | | [create\_admin\_role](#input\_create\_admin\_role) | Whether to create admin role | `bool` | `false` | no | | [create\_poweruser\_role](#input\_create\_poweruser\_role) | Whether to create poweruser role | `bool` | `false` | no | | [create\_readonly\_role](#input\_create\_readonly\_role) | Whether to create readonly role | `bool` | `false` | no |
diff --git a/modules/iam-assumable-roles/main.tf b/modules/iam-assumable-roles/main.tf
index c0d935d4..fc8f9e1e 100644
--- a/modules/iam-assumable-roles/main.tf
+++ b/modules/iam-assumable-roles/main.tf
@@ -1,7 +1,25 @@ +data "aws_caller_identity" "current" {} +data "aws_partition" "current" {} + data "aws_iam_policy_document" "assume_role" { - statement { - effect = "Allow" + dynamic "statement" { + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] + + content { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + statement { + effect = "Allow" actions = ["sts:AssumeRole"] principals { 
@@ -17,9 +35,24 @@ data "aws_iam_policy_document" "assume_role" { } data "aws_iam_policy_document" "assume_role_with_mfa" { - statement { - effect = "Allow" + dynamic "statement" { + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] + + content { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + statement { + effect = "Allow" actions = ["sts:AssumeRole"] principals {
diff --git a/modules/iam-assumable-roles/variables.tf b/modules/iam-assumable-roles/variables.tf
index f824502c..b0bc2352 100644
--- a/modules/iam-assumable-roles/variables.tf
+++ b/modules/iam-assumable-roles/variables.tf
@@ -16,6 +16,12 @@ variable "mfa_age" { default = 86400 } +variable "allow_self_assume_role" { + description = "Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/)" + type = bool + default = false +} + # Admin variable "create_admin_role" { description = "Whether to create admin role"
diff --git a/modules/iam-eks-role/README.md b/modules/iam-eks-role/README.md
index 2b9fdf73..925028a5 100644
--- a/modules/iam-eks-role/README.md
+++ b/modules/iam-eks-role/README.md 
@@ -106,6 +106,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | | [cluster\_service\_accounts](#input\_cluster\_service\_accounts) | EKS cluster and k8s ServiceAccount pairs. Each EKS cluster can have multiple k8s ServiceAccount. See README for details | `map(list(string))` | `{}` | no | | [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no | | [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
diff --git a/modules/iam-eks-role/main.tf b/modules/iam-eks-role/main.tf
index 31dac45e..a71ac725 100644
--- a/modules/iam-eks-role/main.tf
+++ b/modules/iam-eks-role/main.tf
@@ -1,5 +1,4 @@ data "aws_caller_identity" "current" {} - data "aws_partition" "current" {} data "aws_eks_cluster" "main" {
@@ -10,11 +9,26 @@ data "aws_eks_cluster" "main" { data "aws_iam_policy_document" "assume_role_with_oidc" { dynamic "statement" { - for_each = var.cluster_service_accounts + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] content { - effect = "Allow" + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + type = "AWS" + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + + dynamic "statement" { + for_each = var.cluster_service_accounts + + content { + effect = "Allow" actions = ["sts:AssumeRoleWithWebIdentity"] principals { 
diff --git a/modules/iam-eks-role/variables.tf b/modules/iam-eks-role/variables.tf
index 5f69d755..e0c69ca1 100644
--- a/modules/iam-eks-role/variables.tf
+++ b/modules/iam-eks-role/variables.tf
@@ -63,3 +63,9 @@ variable "max_session_duration" { type = number default = 43200 } + +variable "allow_self_assume_role" { + description = "Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/)" + type = bool + default = false +}
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index 5c85d97e..d3370644 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -175,6 +175,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no | | [amazon\_managed\_service\_prometheus\_workspace\_arns](#input\_amazon\_managed\_service\_prometheus\_workspace\_arns) | List of AMP Workspace ARNs to read and write metrics | `list(string)` |
[
"*"
]
| no | | [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no | | [attach\_amazon\_managed\_service\_prometheus\_policy](#input\_attach\_amazon\_managed\_service\_prometheus\_policy) | Determines whether to attach the Amazon Managed Service for Prometheus IAM policy to the role | `bool` | `false` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/main.tf b/modules/iam-role-for-service-accounts-eks/main.tf
index 075ebec6..f413825b 100644
--- a/modules/iam-role-for-service-accounts-eks/main.tf
+++ b/modules/iam-role-for-service-accounts-eks/main.tf
@@ -1,6 +1,31 @@ +data "aws_partition" "current" {} +data "aws_caller_identity" "current" {} + +locals { + account_id = data.aws_caller_identity.current.account_id + partition = data.aws_partition.current.partition + dns_suffix = data.aws_partition.current.dns_suffix +} + data "aws_iam_policy_document" "this" { count = var.create_role ? 1 : 0 + dynamic "statement" { + # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ + for_each = var.allow_self_assume_role ? [1] : [] + + content { + sid = "ExplicitSelfRoleAssumption" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${var.role_name}"] + } + } + } + dynamic "statement" { for_each = var.oidc_providers
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 45979516..42b88415 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf 
@@ -1,12 +1,3 @@ -data "aws_partition" "current" {} -data "aws_caller_identity" "current" {} - -locals { - account_id = data.aws_caller_identity.current.account_id - partition = data.aws_partition.current.partition - dns_suffix = data.aws_partition.current.dns_suffix -} - ################################################################################ # Cert Manager Policy ################################################################################
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index 3d9504fc..d539d15d 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -76,6 +76,12 @@ variable "assume_role_condition_test" { default = "StringEquals" } +variable "allow_self_assume_role" { + description = "Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/)" + type = bool + default = false +} + ################################################################################ # Policies ################################################################################