Make assume_policy_principles optional
benjaminlukeclark committed Sep 14, 2024
1 parent 006e2fa commit 7e01954
Showing 3 changed files with 12 additions and 10 deletions.
9 changes: 5 additions & 4 deletions README.md
Expand Up @@ -74,7 +74,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| <a name="input_application_name"></a> [application\_name](#input\_application\_name) | Name of the application utilising resource. | `string` | n/a | yes |
| <a name="input_environment"></a> [environment](#input\_environment) | Which environment this is being instantiated in. | `string` | n/a | yes |
| <a name="input_raw_iam_roles"></a> [raw\_iam\_roles](#input\_raw\_iam\_roles) | Data structure<br>---------------<br>A list of dictionaries, where each dictionary has the following attributes:<br><br>REQUIRED<br>---------<br>- suffix : Suffix to use for the role name<br>- iam\_policy\_statements : A list of dictionaries where each dictionary is an IAM statement defining permissions<br>-- Each dictionary in this list must define the following attributes:<br>--- sid: Friendly name for the policy, no spaces or special characters allowed<br>--- actions: A list of IAM actions the role is allowed to perform<br>--- resources: Which resource(s) the role may perform the above actions against<br>--- conditions : An OPTIONAL list of dictionaries, which each defines:<br>---- test : Test condition for limiting the action<br>---- variable : Value to test<br>---- values : A list of strings, denoting what to test for<br><br>- assume\_policy\_principles : A list of dictionaries where each dictionary defines a principle allowed to assume the role.<br>-- Each dictionary in this list must define the following attributes:<br>--- type : A string defining what type the principle(s) is/are<br>--- identifiers : A list of strings, where each string is an allowed principle<br>--- conditions : An OPTIONAL list of dictionaries, which each defines:<br>---- test : Test condition for limiting the action<br>---- variable : Value to test<br>---- values : A list of strings, denoting what to test for<br><br>OPTIONAL<br>---------<br>- path : Path to create the role and policies under, defaults to "/"<br><br>Constraints<br>---------------<br>- <var.environment>-<var.application\_name>-<suffix> has<br>to be lower than 38 characters due to IAM role naming requirements. Cannot encode in variable validation as<br>string interpolations are not allowed in variables. 
| <pre>list(<br> object({<br> suffix = string,<br> path = optional(string, "/"),<br> iam_policy_statements = list(<br> object({<br> sid = string,<br> actions = list(string),<br> resources = list(string),<br> conditions = optional(list(<br> object({<br> test : string,<br> variable : string,<br> values = list(string)<br> })<br> ), [])<br> })<br> ),<br> assume_policy_principles = list(<br> object({<br> type = string,<br> identifiers = list(string),<br> conditions = optional(list(<br> object({<br> test : string,<br> variable : string,<br> values = list(string)<br> })<br> ), [])<br> })<br> )<br> })<br> )</pre> | n/a | yes |
| <a name="input_raw_iam_roles"></a> [raw\_iam\_roles](#input\_raw\_iam\_roles) | Data structure<br>---------------<br>A list of dictionaries, where each dictionary has the following attributes:<br><br>REQUIRED<br>---------<br>- suffix : Suffix to use for the role name<br>- iam\_policy\_statements : A list of dictionaries where each dictionary is an IAM statement defining permissions<br>-- Each dictionary in this list must define the following attributes:<br>--- sid: Friendly name for the policy, no spaces or special characters allowed<br>--- actions: A list of IAM actions the role is allowed to perform<br>--- resources: Which resource(s) the role may perform the above actions against<br>--- conditions : An OPTIONAL list of dictionaries, which each defines:<br>---- test : Test condition for limiting the action<br>---- variable : Value to test<br>---- values : A list of strings, denoting what to test for<br><br>OPTIONAL<br>---------<br>- path : Path to create the role and policies under, defaults to "/"<br><br>- assume\_policy\_principles : A list of dictionaries where each dictionary defines a principle allowed to assume the role.<br>-- Each dictionary in this list must define the following attributes:<br>--- type : A string defining what type the principle(s) is/are<br>--- identifiers : A list of strings, where each string is an allowed principle<br>--- conditions : An OPTIONAL list of dictionaries, which each defines:<br>---- test : Test condition for limiting the action<br>---- variable : Value to test<br>---- values : A list of strings, denoting what to test for<br><br><br>Constraints<br>---------------<br>- <var.environment>-<var.application\_name>-<suffix> has<br>to be lower than 38 characters due to IAM role naming requirements. Cannot encode in variable validation as<br>string interpolations are not allowed in variables. 
| <pre>list(<br> object({<br> suffix = string,<br> path = optional(string, "/"),<br> iam_policy_statements = list(<br> object({<br> sid = string,<br> actions = list(string),<br> resources = list(string),<br> conditions = optional(list(<br> object({<br> test : string,<br> variable : string,<br> values = list(string)<br> })<br> ), [])<br> })<br> ),<br> assume_policy_principles = optional(list(<br> object({<br> type = string,<br> identifiers = list(string),<br> conditions = optional(list(<br> object({<br> test : string,<br> variable : string,<br> values = list(string)<br> })<br> ), [])<br> })<br> ), [])<br> })<br> )</pre> | n/a | yes |

## Outputs

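Review bot: the README row now marks assume_policy_principles as optional but never says what the module does when it is omitted; with the type default of `[]` the trust policy document for that role is rendered with no statements, so the row should state whether that is meant to fail at apply time or to produce a role that no principal can assume. Two smaller points in the same row: "principle" should read "principal" throughout (IAM's term for the entity allowed to assume the role), and the move left a triple `<br><br><br>` before "Constraints" where the surrounding sections use a double.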
Expand All @@ -100,6 +100,10 @@ REQUIRED
---- variable : Value to test
---- values : A list of strings, denoting what to test for
OPTIONAL
---------
- path : Path to create the role and policies under, defaults to "/"
- assume_policy_principles : A list of dictionaries where each dictionary defines a principle allowed to assume the role.
-- Each dictionary in this list must define the following attributes:
--- type : A string defining what type the principle(s) is/are
Expand All @@ -109,9 +113,6 @@ REQUIRED
---- variable : Value to test
---- values : A list of strings, denoting what to test for
OPTIONAL
---------
- path : Path to create the role and policies under, defaults to "/"
Constraints
---------------
2 changes: 1 addition & 1 deletion iam_policy_document.tf
Expand Up @@ -26,7 +26,7 @@ data "aws_iam_policy_document" "assume_policies" {
for_each = { for role in var.raw_iam_roles : role.suffix => role }

dynamic "statement" {
for_each = each.value["assume_policy_principles"]
for_each = length(each.value["assume_policy_principles"]) > 0 ? each.value["assume_policy_principles"] : []

content {
actions = ["sts:AssumeRole"]
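Review bot: the ternary on the new for_each line is redundant: iterating an empty list already produces zero dynamic "statement" blocks, and because the type now declares optional(list(...), []) the attribute is never null, so the previous `for_each = each.value["assume_policy_principles"]` is sufficient. If the guard is intended to tolerate a null value it does not, since length(null) is itself an error in Terraform; `coalesce(each.value["assume_policy_principles"], [])` would be the way to express that. Either way, this hunk does not show what the role resource does with a document that has no statements, which is exactly the case the change introduces, so that behaviour should be confirmed and documented.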
11 changes: 6 additions & 5 deletions variables.tf
Expand Up @@ -33,6 +33,10 @@ REQUIRED
---- variable : Value to test
---- values : A list of strings, denoting what to test for
OPTIONAL
---------
- path : Path to create the role and policies under, defaults to "/"
- assume_policy_principles : A list of dictionaries where each dictionary defines a principle allowed to assume the role.
-- Each dictionary in this list must define the following attributes:
--- type : A string defining what type the principle(s) is/are
Expand All @@ -42,9 +46,6 @@ REQUIRED
---- variable : Value to test
---- values : A list of strings, denoting what to test for
OPTIONAL
---------
- path : Path to create the role and policies under, defaults to "/"
Constraints
---------------
Expand All @@ -70,7 +71,7 @@ EOF
), [])
})
),
assume_policy_principles = list(
assume_policy_principles = optional(list(
object({
type = string,
identifiers = list(string),
Expand All @@ -82,7 +83,7 @@ EOF
})
), [])
})
)
), [])
})
)
}
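Review bot: with the closing `), [])` the default is an empty principal list, so a caller who forgets assume_policy_principles now gets a role with an empty trust policy instead of a plan-time type error. That fails in the safe direction (nobody can assume the role), but silently. If an empty list is a deliberate use case, the variable description should say so; if it is not, a `validation` block on raw_iam_roles, e.g. `condition = alltrue([for r in var.raw_iam_roles : length(r.assume_policy_principles) > 0])`, restores the plan-time check, at which point the old required type was the simpler guard.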

0 comments on commit 7e01954