From 470b6ffa8e2888dd2699c1fce6010704dda5e2b3 Mon Sep 17 00:00:00 2001
From: Fernando Miguel <168366+FernandoMiguel@users.noreply.github.com>
Date: Thu, 13 Oct 2022 21:16:52 +0100
Subject: [PATCH] fix: Explicitly assume with condition matching role arn (#283)
Co-authored-by: Anton Babenko
---
 .pre-commit-config.yaml | 2 +-
 modules/iam-account/README.md | 2 +-
 .../iam-assumable-role-with-oidc/README.md | 2 +-
 modules/iam-assumable-role-with-oidc/main.tf | 9 +-
 .../iam-assumable-role-with-saml/README.md | 6 +-
 modules/iam-assumable-role-with-saml/main.tf | 12 +-
 modules/iam-assumable-role/README.md | 3 +-
 modules/iam-assumable-role/main.tf | 21 +++-
 modules/iam-assumable-role/variables.tf | 6 +
 .../iam-assumable-roles-with-saml/README.md | 6 +-
 modules/iam-assumable-roles-with-saml/main.tf | 59 ++++++++-
 modules/iam-assumable-roles/README.md | 2 -
 modules/iam-assumable-roles/main.tf | 115 ++++++++++++++++--
 modules/iam-eks-role/main.tf | 12 +-
 .../README.md | 2 +-
 .../iam-role-for-service-accounts-eks/main.tf | 15 ++-
 .../variables.tf | 2 +-
 17 files changed, 229 insertions(+), 47 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6a8a23ae..74f3751c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.75.0
+ rev: v1.76.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
diff --git a/modules/iam-account/README.md b/modules/iam-account/README.md
index 4dc51a5c..7fb8dbc1 100644
--- a/modules/iam-account/README.md
+++ b/modules/iam-account/README.md
@@ -19,7 +19,7 @@ module.iam_account.aws_iam_account_alias.this: Import complete!
 module.iam_account.aws_iam_account_alias.this: Refreshing state... (ID: this)
 Import successful!
-```
+```
 ## Requirements
diff --git a/modules/iam-assumable-role-with-oidc/README.md b/modules/iam-assumable-role-with-oidc/README.md
index 3bf01a75..1662a3ed 100644
--- a/modules/iam-assumable-role-with-oidc/README.md
+++ b/modules/iam-assumable-role-with-oidc/README.md
@@ -4,7 +4,7 @@ Creates single IAM role which can be assumed by trusted resources using OpenID C
 [Creating IAM OIDC Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
-This module supports IAM Roles for kubernetes service accounts as described in the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+This module supports IAM Roles for kubernetes service accounts as described in the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
 ## Requirements
diff --git a/modules/iam-assumable-role-with-oidc/main.tf b/modules/iam-assumable-role-with-oidc/main.tf
index f3879ff9..6ccc5a54 100644
--- a/modules/iam-assumable-role-with-oidc/main.tf
+++ b/modules/iam-assumable-role-with-oidc/main.tf
@@ -6,6 +6,7 @@ locals {
 replace(url, "https://", "")
 ]
 number_of_role_policy_arns = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns))
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
 }
 data "aws_caller_identity" "current" {}
@@ -25,7 +26,13 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
 principals {
 type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
 }
 }
 }
diff --git a/modules/iam-assumable-role-with-saml/README.md b/modules/iam-assumable-role-with-saml/README.md
index 4d9eab4a..1e0c4f52 100644
--- a/modules/iam-assumable-role-with-saml/README.md
+++ b/modules/iam-assumable-role-with-saml/README.md
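Review bot: The `role_name_condition` local added in the first main.tf hunk, `"${var.role_name_prefix}*"`, makes the `ArnLike` condition in the second hunk match every role under `var.role_path` whose name begins with the prefix, not only the role this module creates, so the self-assume statement also trusts any sibling role that happens to share the prefix. That is probably unavoidable when the final name is provider-generated from a prefix, but it is a widening of the trust policy that a reader of the condition will not expect, so state it next to the local, e.g. `# With a name prefix the final role name is unknown at plan time, so the self-assume condition matches any role under role_path whose name starts with the prefix.` The same pattern is added in the iam-assumable-role-with-saml, iam-assumable-role, iam-eks-role and iam-role-for-service-accounts-eks hunks.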
@@ -2,8 +2,8 @@
 Creates single IAM role which can be assumed by trusted resources using SAML Federated Users.
-[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
-[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
+[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
 ## Requirements
@@ -29,9 +29,7 @@ No modules.
 |------|------|
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role_with_saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 ## Inputs
diff --git a/modules/iam-assumable-role-with-saml/main.tf b/modules/iam-assumable-role-with-saml/main.tf
index 6cc1eda2..3a82320c 100644
--- a/modules/iam-assumable-role-with-saml/main.tf
+++ b/modules/iam-assumable-role-with-saml/main.tf
@@ -1,9 +1,7 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
 locals {
 identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id])))
 number_of_role_policy_arns = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns))
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
 }
 data "aws_iam_policy_document" "assume_role_with_saml" {
@@ -18,7 +16,13 @@ data "aws_iam_policy_document" "assume_role_with_saml" {
 principals {
 type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
 }
 }
 }
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
index d2652e37..1c60834e 100644
--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md
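Review bot: The new `condition` block reads `local.partition` and `local.account_id`, but the first hunk of this file removes the `aws_caller_identity` and `aws_partition` data sources and adds only `role_name_condition` to `locals`; nothing else in this patch defines those two locals for this module, and the README hunk for the same module drops both data sources from its resource table, which suggests they are gone rather than moved. Unless they are declared in a file this commit does not touch, `terraform validate` (which the pre-commit config runs) will reject the module for referencing an undeclared local. The same situation appears in the iam-assumable-role, iam-assumable-roles-with-saml and iam-assumable-roles hunks. If the data sources were meant to stay, the minimal repair is to keep them and add `account_id = data.aws_caller_identity.current.account_id` and `partition = data.aws_partition.current.partition` to the `locals` block.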
@@ -32,10 +32,8 @@ No modules.
 | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.assume_role_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 ## Inputs
@@ -58,6 +56,7 @@ No modules.
 | [readonly\_role\_policy\_arn](#input\_readonly\_role\_policy\_arn) | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
 | [role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no |
 | [role\_name](#input\_role\_name) | IAM role name | `string` | `""` | no |
+| [role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no |
 | [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
 | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | [role\_requires\_mfa](#input\_role\_requires\_mfa) | Whether role requires MFA | `bool` | `true` | no |
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
index 6e3971b5..04480a5b 100644
--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -1,8 +1,6 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
 locals {
 role_sts_externalid = flatten([var.role_sts_externalid])
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
 }
 data "aws_iam_policy_document" "assume_role" {
@@ -19,7 +17,13 @@ data "aws_iam_policy_document" "assume_role" {
 principals {
 type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
 }
 }
 }
@@ -63,7 +67,13 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
 principals {
 type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
 }
 }
 }
@@ -109,6 +119,7 @@ resource "aws_iam_role" "this" {
 count = var.create_role ? 1 : 0
 name = var.role_name
+ name_prefix = var.role_name_prefix
 path = var.role_path
 max_session_duration = var.max_session_duration
 description = var.role_description
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
index ab2d3451..3d096abf 100644
--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
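Review bot: `role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"` in the first hunk never takes the prefix branch in this module, because the variables.tf hunk that follows shows `role_name` defaulting to `""`, not `null`, and this commit does not change that default. A caller who sets only `role_name_prefix` therefore gets a condition value ending in `:role/` with an empty name, which `ArnLike` matches against nothing, so both self-assume statements are silently dead; in the same case `name = var.role_name` is passed as `""` next to the new `name_prefix`, which the provider may treat as two conflicting arguments (not verifiable from the hunk). Treat the empty string as unset in both places: `role_name_condition = var.role_name != null && var.role_name != "" ? var.role_name : "${var.role_name_prefix}*"` and, on the role resource, `name = var.role_name != "" ? var.role_name : null`. The oidc and saml single-role modules use the same expression; their `role_name` defaults are outside this patch and should be checked the same way.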
@@ -46,6 +46,12 @@ variable "role_name" {
 default = ""
 }
+variable "role_name_prefix" {
+ description = "IAM role name prefix"
+ type = string
+ default = null
+}
+
 variable "role_path" {
 description = "Path of IAM role"
 type = string
diff --git a/modules/iam-assumable-roles-with-saml/README.md b/modules/iam-assumable-roles-with-saml/README.md
index 6ab729ce..2f1f20c1 100644
--- a/modules/iam-assumable-roles-with-saml/README.md
+++ b/modules/iam-assumable-roles-with-saml/README.md
@@ -3,8 +3,8 @@
 Creates predefined IAM roles (admin, poweruser and readonly) which can be assumed by trusted resources using SAML Federated Users.
-[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
-[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
+[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
 ## Requirements
@@ -34,9 +34,7 @@ No modules.
 | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role_with_saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 ## Inputs
diff --git a/modules/iam-assumable-roles-with-saml/main.tf b/modules/iam-assumable-roles-with-saml/main.tf
index 9c9e7168..5dbc47eb 100644
--- a/modules/iam-assumable-roles-with-saml/main.tf
+++ b/modules/iam-assumable-roles-with-saml/main.tf
@@ -1,6 +1,3 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
 locals {
 identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id])))
 }
@@ -8,16 +5,66 @@ locals {
 data "aws_iam_policy_document" "assume_role_with_saml" {
 dynamic "statement" {
 # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
- for_each = var.allow_self_assume_role ? [1] : []
+ for_each = var.allow_self_assume_role && var.create_admin_role ? [1] : []
 content {
- sid = "ExplicitSelfRoleAssumption"
+ sid = "ExplicitSelfAdminRoleAssumption"
 effect = "Allow"
 actions = ["sts:AssumeRole"]
 principals {
 type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.admin_role_path}${var.admin_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_poweruser_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfPowerUserRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.poweruser_role_path}${var.poweruser_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_readonly_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfReadOnlyRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.readonly_role_path}${var.readonly_role_name}"]
 }
 }
 }
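Review bot: The three new self-assume statements are all emitted into the single `assume_role_with_saml` document, so whichever role that document is attached to now trusts the admin, poweruser and readonly role ARNs alike; if, as the shared naming suggests, the same document is the `assume_role_policy` of all three roles (the `aws_iam_role` resources are outside this hunk), the `ExplicitSelfReadOnlyRoleAssumption` statement lets a session holding the readonly role call `sts:AssumeRole` on the admin role, which is a privilege escalation the referenced blog-post pattern does not intend. Each role's trust policy should carry only its own ARN: give the document a `for_each` over the roles being created and have each `aws_iam_role` reference its own instance (`data.aws_iam_policy_document.assume_role_with_saml["admin"].json` and so on), as sketched below. The same problem applies to both `assume_role` and `assume_role_with_mfa` in the iam-assumable-roles hunks.
```hcl
locals {
  # One entry per predefined role; used to key the per-role trust policy documents.
  self_assume_roles = {
    admin     = { create = var.create_admin_role, path = var.admin_role_path, name = var.admin_role_name }
    poweruser = { create = var.create_poweruser_role, path = var.poweruser_role_path, name = var.poweruser_role_name }
    readonly  = { create = var.create_readonly_role, path = var.readonly_role_path, name = var.readonly_role_name }
  }
}

data "aws_iam_policy_document" "assume_role_with_saml" {
  # One document per role so a role only ever trusts its own ARN.
  for_each = { for k, v in local.self_assume_roles : k => v if v.create }

  dynamic "statement" {
    # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
    for_each = var.allow_self_assume_role ? [1] : []

    content {
      sid     = "ExplicitSelfRoleAssumption"
      effect  = "Allow"
      actions = ["sts:AssumeRole"]

      principals {
        type        = "AWS"
        identifiers = ["*"]
      }

      condition {
        test     = "ArnLike"
        variable = "aws:PrincipalArn"
        values   = ["arn:${local.partition}:iam::${local.account_id}:role${each.value.path}${each.value.name}"]
      }
    }
  }

  # … unchanged: SAML federation statement …
}
```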
diff --git a/modules/iam-assumable-roles/README.md b/modules/iam-assumable-roles/README.md
index d5721cac..f1ac5c78 100644
--- a/modules/iam-assumable-roles/README.md
+++ b/modules/iam-assumable-roles/README.md
@@ -32,10 +32,8 @@ No modules.
 | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.assume_role_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 ## Inputs
diff --git a/modules/iam-assumable-roles/main.tf b/modules/iam-assumable-roles/main.tf
index fc8f9e1e..f8881d0c 100644
--- a/modules/iam-assumable-roles/main.tf
+++ b/modules/iam-assumable-roles/main.tf
@@ -1,19 +1,66 @@
-data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
-
 data "aws_iam_policy_document" "assume_role" {
 dynamic "statement" {
 # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
- for_each = var.allow_self_assume_role ? [1] : []
+ for_each = var.allow_self_assume_role && var.create_admin_role ? [1] : []
 content {
- sid = "ExplicitSelfRoleAssumption"
+ sid = "ExplicitSelfAdminRoleAssumption"
 effect = "Allow"
 actions = ["sts:AssumeRole"]
 principals {
 type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.admin_role_path}${var.admin_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_poweruser_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfPowerUserRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.poweruser_role_path}${var.poweruser_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_readonly_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfReadOnlyRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.readonly_role_path}${var.readonly_role_name}"]
 }
 }
 }
@@ -37,16 +84,66 @@ data "aws_iam_policy_document" "assume_role" {
 data "aws_iam_policy_document" "assume_role_with_mfa" {
 dynamic "statement" {
 # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
- for_each = var.allow_self_assume_role ? [1] : []
+ for_each = var.allow_self_assume_role && var.create_admin_role ? [1] : []
 content {
- sid = "ExplicitSelfRoleAssumption"
+ sid = "ExplicitSelfAdminRoleAssumption"
 effect = "Allow"
 actions = ["sts:AssumeRole"]
 principals {
 type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.admin_role_path}${var.admin_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_poweruser_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfPowerUserRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.poweruser_role_path}${var.poweruser_role_name}"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
+ for_each = var.allow_self_assume_role && var.create_readonly_role ? [1] : []
+
+ content {
+ sid = "ExplicitSelfReadOnlyRoleAssumption"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.readonly_role_path}${var.readonly_role_name}"]
 }
 }
 }
diff --git a/modules/iam-eks-role/main.tf b/modules/iam-eks-role/main.tf
index a71ac725..77162935 100644
--- a/modules/iam-eks-role/main.tf
+++ b/modules/iam-eks-role/main.tf
@@ -1,6 +1,10 @@
 data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
+locals {
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
+}
+
 data "aws_eks_cluster" "main" {
 for_each = var.cluster_service_accounts
@@ -19,7 +23,13 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
 principals {
 type = "AWS"
- identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
 }
 }
 }
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
index d3370644..ceafe97c 100644
--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
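Review bot: In the iam-eks-role hunks the new `locals` block declares only `role_name_condition`, yet the added `values` line reads `local.partition` and `local.account_id`, while the file keeps the `aws_partition` and `aws_caller_identity` data sources that the removed line used directly; nothing in this patch gives this module those two locals. Unless they are defined in a file the commit does not touch, the reference is unresolved and `terraform validate` will fail. Either keep referencing the data sources, `values = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${local.role_name_condition}"]`, or add `partition = data.aws_partition.current.partition` and `account_id = data.aws_caller_identity.current.account_id` to the new `locals` block, as the iam-role-for-service-accounts-eks module already does.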
@@ -215,7 +215,7 @@ No modules.
 | [role\_description](#input\_role\_description) | IAM Role description | `string` | `null` | no |
 | [role\_name](#input\_role\_name) | Name of IAM role | `string` | `null` | no |
 | [role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no |
-| [role\_path](#input\_role\_path) | Path of IAM role | `string` | `null` | no |
+| [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
 | [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
 | [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
 | [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/main.tf b/modules/iam-role-for-service-accounts-eks/main.tf
index f413825b..ab9b2751 100644
--- a/modules/iam-role-for-service-accounts-eks/main.tf
+++ b/modules/iam-role-for-service-accounts-eks/main.tf
@@ -2,9 +2,10 @@ data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 locals {
- account_id = data.aws_caller_identity.current.account_id
- partition = data.aws_partition.current.partition
- dns_suffix = data.aws_partition.current.dns_suffix
+ account_id = data.aws_caller_identity.current.account_id
+ partition = data.aws_partition.current.partition
+ dns_suffix = data.aws_partition.current.dns_suffix
+ role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
 }
 data "aws_iam_policy_document" "this" {
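Review bot: `role_name_condition` is evaluated unconditionally in `locals`, whereas the `identifiers` line it replaces (next hunk) only ran inside the `dynamic "statement"` gated by `allow_self_assume_role`; the README hunk above shows both `role_name` and `role_name_prefix` defaulting to `null`, so a caller who leaves both unset and keeps self-assume off now interpolates a null into the `"${var.role_name_prefix}*"` template at plan time, which Terraform rejects, where the previous code planned cleanly. Guard the local, `role_name_condition = var.role_name != null ? var.role_name : (var.role_name_prefix != null ? "${var.role_name_prefix}*" : null)`, and gate the statement on it, `for_each = var.allow_self_assume_role && local.role_name_condition != null ? [1] : []`, so the statement is simply omitted rather than the plan failing. The same eager local is introduced in the oidc, saml, iam-assumable-role and iam-eks-role hunks.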
@@ -21,7 +22,13 @@ data "aws_iam_policy_document" "this" {
 principals {
 type = "AWS"
- identifiers = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${var.role_name}"]
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
 }
 }
 }
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
index d539d15d..c9192edb 100644
--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -13,7 +13,7 @@ variable "role_name" {
 variable "role_path" {
 description = "Path of IAM role"
 type = string
- default = null
+ default = "/"
 }
 variable "role_permissions_boundary_arn" {