diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6a8a23ae..74f3751c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.75.0
+ rev: v1.76.0
hooks:
- id: terraform_fmt
- id: terraform_validate
diff --git a/modules/iam-account/README.md b/modules/iam-account/README.md
index 4dc51a5c..7fb8dbc1 100644
--- a/modules/iam-account/README.md
+++ b/modules/iam-account/README.md
@@ -19,7 +19,7 @@ module.iam_account.aws_iam_account_alias.this: Import complete!
module.iam_account.aws_iam_account_alias.this: Refreshing state... (ID: this)
Import successful!
-```
+```
## Requirements
diff --git a/modules/iam-assumable-role-with-oidc/README.md b/modules/iam-assumable-role-with-oidc/README.md
index 3bf01a75..1662a3ed 100644
--- a/modules/iam-assumable-role-with-oidc/README.md
+++ b/modules/iam-assumable-role-with-oidc/README.md
@@ -4,7 +4,7 @@ Creates single IAM role which can be assumed by trusted resources using OpenID C
[Creating IAM OIDC Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
-This module supports IAM Roles for kubernetes service accounts as described in the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+This module supports IAM Roles for kubernetes service accounts as described in the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
## Requirements
diff --git a/modules/iam-assumable-role-with-oidc/main.tf b/modules/iam-assumable-role-with-oidc/main.tf
index f3879ff9..6ccc5a54 100644
--- a/modules/iam-assumable-role-with-oidc/main.tf
+++ b/modules/iam-assumable-role-with-oidc/main.tf
@@ -6,6 +6,7 @@ locals {
replace(url, "https://", "")
]
number_of_role_policy_arns = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns))
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
}
data "aws_caller_identity" "current" {}
@@ -25,7 +26,13 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
principals {
type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
}
}
}
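Review bot: The new `values` line reads `local.partition` and `local.account_id`, but neither is defined in the part of the `locals` block the first hunk shows, and the line it replaces used `data.aws_partition.current.partition` and `data.aws_caller_identity.current.account_id` directly; unless those aliases exist above line 6 of the file, `terraform validate` will report undeclared locals. The least invasive fix keeps the data-source references: `values = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${local.role_name_condition}"]`. Note also that with `role_name_prefix` set the pattern ends in `*`, so this statement trusts every role under `role_path` whose name starts with the prefix, not only the role this module creates. The `assume_role_with_oidc` document continues outside the hunk.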
diff --git a/modules/iam-assumable-role-with-saml/README.md b/modules/iam-assumable-role-with-saml/README.md
index 4d9eab4a..1e0c4f52 100644
--- a/modules/iam-assumable-role-with-saml/README.md
+++ b/modules/iam-assumable-role-with-saml/README.md
@@ -2,8 +2,8 @@
Creates single IAM role which can be assumed by trusted resources using SAML Federated Users.
-[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
-[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
+[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
## Requirements
@@ -29,9 +29,7 @@ No modules.
|------|------|
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role_with_saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
diff --git a/modules/iam-assumable-role-with-saml/main.tf b/modules/iam-assumable-role-with-saml/main.tf
index 6cc1eda2..3a82320c 100644
--- a/modules/iam-assumable-role-with-saml/main.tf
+++ b/modules/iam-assumable-role-with-saml/main.tf
@@ -1,9 +1,7 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
locals {
identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id])))
number_of_role_policy_arns = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns))
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
}
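Review bot: Deleting `data "aws_caller_identity"` and `data "aws_partition"` leaves `local.partition` and `local.account_id`, which the next hunk's `aws:PrincipalArn` condition reads, without any definition: this hunk covers the top of the file and the `locals` block declares only `identifiers`, `number_of_role_policy_arns` and `role_name_condition`, and the README hunk drops both data sources from the generated resources table, which suggests no other file in the module declares them. As written the module should fail validation with an undeclared-local error. Restore the two data sources and alias them in `locals`:
```hcl
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  partition  = data.aws_partition.current.partition
  # … unchanged: identifiers, number_of_role_policy_arns, role_name_condition …
}
```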
data "aws_iam_policy_document" "assume_role_with_saml" {
@@ -18,7 +16,13 @@ data "aws_iam_policy_document" "assume_role_with_saml" {
principals {
type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
}
}
}
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
index d2652e37..1c60834e 100644
--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md
@@ -32,10 +32,8 @@ No modules.
| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.assume_role_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
@@ -58,6 +56,7 @@ No modules.
| [readonly\_role\_policy\_arn](#input\_readonly\_role\_policy\_arn) | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| [role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no |
| [role\_name](#input\_role\_name) | IAM role name | `string` | `""` | no |
+| [role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no |
| [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| [role\_requires\_mfa](#input\_role\_requires\_mfa) | Whether role requires MFA | `bool` | `true` | no |
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
index 6e3971b5..04480a5b 100644
--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -1,8 +1,6 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
locals {
role_sts_externalid = flatten([var.role_sts_externalid])
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
}
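Review bot: `role_name_condition` tests `var.role_name != null`, but `role_name` in this module keeps `default = ""` in the variables hunk below, so the prefix branch is never taken when a caller sets only `role_name_prefix`; the ARN pattern then ends in `role/` and the self-assume statement silently matches nothing. Treat the empty string as unset too: `role_name_condition = var.role_name != null && var.role_name != "" ? var.role_name : "${var.role_name_prefix}*"`, or change the `role_name` default to `null` and keep the `aws_iam_role` `name` argument consistent with that. Either way, document in the variable description that the prefix form trusts every role under `role_path` whose name begins with the prefix, since that is what the trailing `*` grants.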
data "aws_iam_policy_document" "assume_role" {
@@ -19,7 +17,13 @@ data "aws_iam_policy_document" "assume_role" {
principals {
type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
}
}
}
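Review bot: `local.partition` and `local.account_id` in the new `values` line have no definition in this file once the first hunk deletes `data "aws_caller_identity"` and `data "aws_partition"`; the visible `locals` block holds only `role_sts_externalid` and `role_name_condition`, and the README hunk removes both data sources from the generated resources table, which suggests nothing else in the module declares them. Unless they come from a file not in the diff, `terraform validate` will fail on the undeclared locals. Keep the two data sources and alias them in `locals` ahead of this document (the `assume_role` document continues outside the hunk):
```hcl
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  partition  = data.aws_partition.current.partition
  # … unchanged: role_sts_externalid, role_name_condition …
}
```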
@@ -63,7 +67,13 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
principals {
type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
}
}
}
@@ -109,6 +119,7 @@ resource "aws_iam_role" "this" {
count = var.create_role ? 1 : 0
name = var.role_name
+ name_prefix = var.role_name_prefix
path = var.role_path
max_session_duration = var.max_session_duration
description = var.role_description
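Review bot: `name_prefix` is passed alongside `name = var.role_name`, and `role_name` keeps its `""` default in this module's variables hunk, so a caller who sets only `role_name_prefix` sends an explicit empty string for `name` together with a prefix. The AWS provider declares `name` and `name_prefix` as conflicting attributes; whether it treats an explicit `""` as set is not visible here, so either confirm that with a plan or make the intent explicit: `name = var.role_name != "" ? var.role_name : null`. The `aws_iam_role` resource block continues outside the hunk.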
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
index ab2d3451..3d096abf 100644
--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
@@ -46,6 +46,12 @@ variable "role_name" {
default = ""
}
+variable "role_name_prefix" {
+ description = "IAM role name prefix"
+ type = string
+ default = null
+}
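Review bot: The `role_name_prefix` description does not mention its effect on the trust policy: when it is set, `role_name_condition` ends the `aws:PrincipalArn` pattern with `*`, so the self-assume statement matches every role under `role_path` whose name begins with the prefix, not only the role this module creates. A short or shared prefix therefore widens who can assume the role without any other change, and a caller choosing one should know that. Suggest `description = "IAM role name prefix. When set, the self-assume trust condition matches any role under role_path whose name starts with this prefix"`.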
+
variable "role_path" {
description = "Path of IAM role"
type = string
diff --git a/modules/iam-assumable-roles-with-saml/README.md b/modules/iam-assumable-roles-with-saml/README.md
index 6ab729ce..2f1f20c1 100644
--- a/modules/iam-assumable-roles-with-saml/README.md
+++ b/modules/iam-assumable-roles-with-saml/README.md
@@ -3,8 +3,8 @@
Creates predefined IAM roles (admin, poweruser and readonly) which can be assumed by trusted resources using SAML Federated Users.
-[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
-[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
+[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
## Requirements
@@ -34,9 +34,7 @@ No modules.
| [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role_with_saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
diff --git a/modules/iam-assumable-roles-with-saml/main.tf b/modules/iam-assumable-roles-with-saml/main.tf
index 9c9e7168..5dbc47eb 100644
--- a/modules/iam-assumable-roles-with-saml/main.tf
+++ b/modules/iam-assumable-roles-with-saml/main.tf
@@ -1,6 +1,3 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
locals {
identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id])))
}
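Review bot: Removing `data "aws_caller_identity"` and `data "aws_partition"` leaves the `local.partition` and `local.account_id` references in the next hunk's conditions undefined: this hunk shows the top of the file with a `locals` block that declares only `identifiers`, and the README hunk removes both data sources from the generated resources table, so they do not appear to be declared elsewhere in the module. Unless a file outside the diff defines them, validation will fail with an undeclared-local error. Restore the data sources and alias them here:
```hcl
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  account_id  = data.aws_caller_identity.current.account_id
  partition   = data.aws_partition.current.partition
  # … unchanged: identifiers …
}
```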
@@ -8,16 +5,66 @@ locals {
data "aws_iam_policy_document" "assume_role_with_saml" {
dynamic "statement" {
# https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
- for_each = var.allow_self_assume_role ? [1] : []
+ for_each = var.allow_self_assume_role && var.create_admin_role ? [1] : []
content {
- sid = "ExplicitSelfRoleAssumption"
+ sid = "ExplicitSelfAdminRoleAssumption"
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.admin_role_path}${var.admin_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_poweruser_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfPowerUserRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.poweruser_role_path}${var.poweruser_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_readonly_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfReadOnlyRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.readonly_role_path}${var.readonly_role_name}"]
}
}
}
diff --git a/modules/iam-assumable-roles/README.md b/modules/iam-assumable-roles/README.md
index d5721cac..f1ac5c78 100644
--- a/modules/iam-assumable-roles/README.md
+++ b/modules/iam-assumable-roles/README.md
@@ -32,10 +32,8 @@ No modules.
| [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.assume_role_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
diff --git a/modules/iam-assumable-roles/main.tf b/modules/iam-assumable-roles/main.tf
index fc8f9e1e..f8881d0c 100644
--- a/modules/iam-assumable-roles/main.tf
+++ b/modules/iam-assumable-roles/main.tf
@@ -1,19 +1,66 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
data "aws_iam_policy_document" "assume_role" {
dynamic "statement" {
# https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
- for_each = var.allow_self_assume_role ? [1] : []
+ for_each = var.allow_self_assume_role && var.create_admin_role ? [1] : []
content {
- sid = "ExplicitSelfRoleAssumption"
+ sid = "ExplicitSelfAdminRoleAssumption"
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.admin_role_path}${var.admin_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_poweruser_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfPowerUserRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.poweruser_role_path}${var.poweruser_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_readonly_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfReadOnlyRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.readonly_role_path}${var.readonly_role_name}"]
}
}
}
@@ -37,16 +84,66 @@ data "aws_iam_policy_document" "assume_role" {
data "aws_iam_policy_document" "assume_role_with_mfa" {
dynamic "statement" {
# https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
- for_each = var.allow_self_assume_role ? [1] : []
+ for_each = var.allow_self_assume_role && var.create_admin_role ? [1] : []
content {
- sid = "ExplicitSelfRoleAssumption"
+ sid = "ExplicitSelfAdminRoleAssumption"
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.admin_role_path}${var.admin_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_poweruser_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfPowerUserRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.poweruser_role_path}${var.poweruser_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_readonly_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfReadOnlyRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.readonly_role_path}${var.readonly_role_name}"]
}
}
}
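Review bot: The three `values` lines in this document read `local.partition` and `local.account_id`, but the first hunk of this file deletes `data "aws_caller_identity"` and `data "aws_partition"` from the top of the file without adding a `locals` block, and the README hunk removes both data sources from the generated resources table, so nothing visible in the module defines them. Unless a file outside the diff declares them, `terraform validate` will fail with undeclared-local errors. Restore the data sources at the top of the file and alias them (the `assume_role_with_mfa` document continues outside the hunk):
```hcl
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  partition  = data.aws_partition.current.partition
}
```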
diff --git a/modules/iam-eks-role/main.tf b/modules/iam-eks-role/main.tf
index a71ac725..77162935 100644
--- a/modules/iam-eks-role/main.tf
+++ b/modules/iam-eks-role/main.tf
@@ -1,6 +1,10 @@
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
+locals {
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
+}
+
data "aws_eks_cluster" "main" {
for_each = var.cluster_service_accounts
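Review bot: The new `locals` block defines only `role_name_condition`, yet the condition added in the next hunk reads `local.partition` and `local.account_id`; the data sources they would come from are still declared on the two lines above, but nothing visible aliases them, so unless another file in the module does, `terraform validate` reports undeclared locals. Add the aliases here: `account_id = data.aws_caller_identity.current.account_id` and `partition = data.aws_partition.current.partition`. Also, if `role_name` in this module defaults to an empty string rather than `null` (its default is not in the diff), the `!= null` test never selects the prefix branch and the self-assume statement matches nothing when only `role_name_prefix` is set.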
@@ -19,7 +23,13 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
principals {
type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
}
}
}
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index d3370644..ceafe97c 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -215,7 +215,7 @@ No modules.
| [role\_description](#input\_role\_description) | IAM Role description | `string` | `null` | no |
| [role\_name](#input\_role\_name) | Name of IAM role | `string` | `null` | no |
| [role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no |
-| [role\_path](#input\_role\_path) | Path of IAM role | `string` | `null` | no |
+| [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
| [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
| [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/main.tf b/modules/iam-role-for-service-accounts-eks/main.tf
index f413825b..ab9b2751 100644
--- a/modules/iam-role-for-service-accounts-eks/main.tf
+++ b/modules/iam-role-for-service-accounts-eks/main.tf
@@ -2,9 +2,10 @@ data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}
locals {
- account_id = data.aws_caller_identity.current.account_id
- partition = data.aws_partition.current.partition
- dns_suffix = data.aws_partition.current.dns_suffix
+ account_id = data.aws_caller_identity.current.account_id
+ partition = data.aws_partition.current.partition
+ dns_suffix = data.aws_partition.current.dns_suffix
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
}
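Review bot: `role_name_condition` interpolates `var.role_name_prefix` whenever `role_name` is null, and both inputs default to `null` in this module (the README hunk lists `role_name` and `role_name_prefix` with default `null`), so a caller who leaves both unset and lets the provider generate the name gets a plan-time error from interpolating a null into a string template — as far as I recall Terraform evaluates locals whether or not they are referenced, so this hits even with `allow_self_assume_role = false`; verify with a plan. Fall back to an inert value rather than a bare `*`, which would trust every role under `role_path`: `role_name_condition = var.role_name != null ? var.role_name : (var.role_name_prefix != null ? "${var.role_name_prefix}*" : "")`. With `""` the pattern ends in `role/` and matches no role, which is the safe failure mode for a trust policy.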
data "aws_iam_policy_document" "this" {
@@ -21,7 +22,13 @@ data "aws_iam_policy_document" "this" {
principals {
type = "AWS"
- identifiers = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
}
}
}
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index d539d15d..c9192edb 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -13,7 +13,7 @@ variable "role_name" {
variable "role_path" {
description = "Path of IAM role"
type = string
- default = null
+ default = "/"
}
variable "role_permissions_boundary_arn" {