Improve iam-role module (#69)

examples/github-trusted-iam-roles/main.tf

@@ -65,7 +65,7 @@ module "role" {
   description = try(each.value.description, "Managed by Terraform.")
   path        = try(each.value.path, "/")
 
-  trusted_oidc_providers = [
+  trusted_oidc_provider_policies = [
     {
       url = "token.actions.githubusercontent.com"
       conditions = [

modules/iam-role/main.tf

@@ -40,10 +40,10 @@ resource "aws_iam_role" "this" {
 
 data "aws_iam_policy_document" "trusted_entities" {
   source_policy_documents = concat(
-    values(data.aws_iam_policy_document.trusted_iam_entities)[*].json,
-    values(data.aws_iam_policy_document.trusted_services)[*].json,
-    values(data.aws_iam_policy_document.trusted_oidc_providers)[*].json,
-    values(data.aws_iam_policy_document.trusted_saml_providers)[*].json,
+    values(data.aws_iam_policy_document.trusted_iam_entity_policies)[*].json,
+    values(data.aws_iam_policy_document.trusted_service_policies)[*].json,
+    values(data.aws_iam_policy_document.trusted_oidc_provider_policies)[*].json,
+    values(data.aws_iam_policy_document.trusted_saml_provider_policies)[*].json,
   )
 }
 

modules/iam-role/outputs.tf

@@ -18,36 +18,6 @@ output "description" {
   value       = aws_iam_role.this.description
 }
 
-output "mfa_required" {
-  description = "Whether MFA should be required to assume the role."
-  value       = var.mfa_required
-}
-
-output "mfa_ttl" {
-  description = "Max age of valid MFA (in seconds) for roles which require MFA."
-  value       = var.mfa_ttl
-}
-
-output "effective_date" {
-  description = "Allow to assume IAM role only after this date and time."
-  value       = var.effective_date
-}
-
-output "expiration_date" {
-  description = "Allow to assume IAM role only before this date and time."
-  value       = var.expiration_date
-}
-
-output "source_ip_whitelist" {
-  description = "A list of source IP addresses or CIDRs allowed to assume IAM role from."
-  value       = var.source_ip_whitelist
-}
-
-output "source_ip_blacklist" {
-  description = "A list of source IP addresses or CIDRs denied to assume IAM role from."
-  value       = var.source_ip_blacklist
-}
-
 output "assumable_roles" {
   description = "List of ARNs of IAM roles which members of IAM role can assume."
   value       = var.assumable_roles

modules/iam-role/trusted-iam-entities.tf → modules/iam-role/trusted-iam-entity-policies.tf

@@ -1,16 +1,17 @@
-data "aws_iam_policy_document" "trusted_iam_entities" {
-  for_each = toset(
-    length(var.trusted_iam_entities) > 0 ? ["this"] : []
-  )
+data "aws_iam_policy_document" "trusted_iam_entity_policies" {
+  for_each = {
+    for idx, policy in var.trusted_iam_entity_policies :
+    idx => policy
+  }
 
   statement {
-    sid     = "TrustedIamEntities"
+    sid     = "TrustedIamEntities${each.key}"
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
 
     principals {
       type        = "AWS"
-      identifiers = var.trusted_iam_entities
+      identifiers = each.value.iam_entities
     }
 
     dynamic "condition" {
@@ -24,62 +25,72 @@ data "aws_iam_policy_document" "trusted_iam_entities" {
     }
 
     dynamic "condition" {
-      for_each = var.mfa_required ? ["go"] : []
+      for_each = each.value.conditions
+
+      content {
+        variable = condition.value.key
+        test     = condition.value.condition
+        values   = condition.value.values
+      }
+    }
+
+    dynamic "condition" {
+      for_each = each.value.mfa.required ? ["go"] : []
 
       content {
         test     = "Bool"
         variable = "aws:MultiFactorAuthPresent"
-        values   = [tostring(var.mfa_required)]
+        values   = [tostring(each.value.mfa.required)]
       }
     }
 
     dynamic "condition" {
-      for_each = var.mfa_required ? ["go"] : []
+      for_each = each.value.mfa.required ? ["go"] : []
 
       content {
         test     = "NumericLessThan"
         variable = "aws:MultiFactorAuthAge"
-        values   = [var.mfa_ttl]
+        values   = [each.value.mfa.ttl]
       }
     }
 
     dynamic "condition" {
-      for_each = var.effective_date != null ? ["go"] : []
+      for_each = each.value.effective_date != null ? ["go"] : []
 
       content {
         test     = "DateGreaterThan"
         variable = "aws:CurrentTime"
-        values   = [var.effective_date]
+        values   = [each.value.effective_date]
       }
     }
 
     dynamic "condition" {
-      for_each = var.expiration_date != null ? ["go"] : []
+      for_each = each.value.expiration_date != null ? ["go"] : []
 
       content {
         test     = "DateLessThan"
         variable = "aws:CurrentTime"
-        values   = [var.expiration_date]
+        values   = [each.value.expiration_date]
       }
     }
 
     dynamic "condition" {
-      for_each = length(var.source_ip_whitelist) > 0 ? ["go"] : []
+      for_each = length(each.value.source_ip_whitelist) > 0 ? ["go"] : []
 
       content {
         test     = "IpAddress"
         variable = "aws:SourceIp"
-        values   = var.source_ip_whitelist
+        values   = each.value.source_ip_whitelist
       }
     }
 
     dynamic "condition" {
-      for_each = length(var.source_ip_blacklist) > 0 ? ["go"] : []
+      for_each = length(each.value.source_ip_blacklist) > 0 ? ["go"] : []
 
       content {
         test     = "NotIpAddress"
         variable = "aws:SourceIp"
-        values   = var.source_ip_blacklist
+        values   = each.value.source_ip_blacklist
       }
     }
   }
@@ -88,13 +99,13 @@ data "aws_iam_policy_document" "trusted_iam_entities" {
     for_each = var.trusted_session_tagging.enabled ? ["go"] : []
 
     content {
-      sid     = "TrustedTagSession"
+      sid     = "TrustedTagSessionForIamEntities${each.key}"
       effect  = "Allow"
       actions = ["sts:TagSession"]
 
       principals {
         type        = "AWS"
-        identifiers = var.trusted_iam_entities
+        identifiers = each.value.iam_entities
       }
 
       dynamic "condition" {
@@ -123,13 +134,13 @@ data "aws_iam_policy_document" "trusted_iam_entities" {
     for_each = var.trusted_source_identity.enabled ? ["go"] : []
 
     content {
-      sid     = "TrustedSourceIdentity"
+      sid     = "TrustedSourceIdentityForIamEntities${each.key}"
       effect  = "Allow"
       actions = ["sts:SetSourceIdentity"]
 
       principals {
         type        = "AWS"
-        identifiers = var.trusted_iam_entities
+        identifiers = each.value.iam_entities
       }
 
       dynamic "condition" {

modules/iam-role/trusted-oidc-providers.tf → modules/iam-role/trusted-oidc-provider-policies.tf

@@ -8,10 +8,10 @@ locals {
   oidc_provider_arn_prefix = "arn:${local.partition}:iam::${local.account_id}:oidc-provider/"
 }
 
-data "aws_iam_policy_document" "trusted_oidc_providers" {
+data "aws_iam_policy_document" "trusted_oidc_provider_policies" {
   for_each = {
-    for idx, provider in var.trusted_oidc_providers :
-    idx => provider
+    for idx, policy in var.trusted_oidc_provider_policies :
+    idx => policy
   }
 
   statement {
@@ -29,62 +29,62 @@ data "aws_iam_policy_document" "trusted_oidc_providers" {
     }
 
     dynamic "condition" {
-      for_each = each.value.conditions
+      for_each = var.conditions
 
       content {
-        variable = "${each.value.url}:${condition.value.key}"
+        variable = condition.value.key
         test     = condition.value.condition
         values   = condition.value.values
       }
     }
 
     dynamic "condition" {
-      for_each = var.conditions
+      for_each = each.value.conditions
 
       content {
-        variable = condition.value.key
+        variable = "${each.value.url}:${condition.value.key}"
         test     = condition.value.condition
         values   = condition.value.values
       }
     }
 
     dynamic "condition" {
-      for_each = var.effective_date != null ? ["go"] : []
+      for_each = each.value.effective_date != null ? ["go"] : []
 
       content {
         test     = "DateGreaterThan"
         variable = "aws:CurrentTime"
-        values   = [var.effective_date]
+        values   = [each.value.effective_date]
       }
     }
 
     dynamic "condition" {
-      for_each = var.expiration_date != null ? ["go"] : []
+      for_each = each.value.expiration_date != null ? ["go"] : []
 
       content {
         test     = "DateLessThan"
         variable = "aws:CurrentTime"
-        values   = [var.expiration_date]
+        values   = [each.value.expiration_date]
       }
     }
 
     dynamic "condition" {
-      for_each = length(var.source_ip_whitelist) > 0 ? ["go"] : []
+      for_each = length(each.value.source_ip_whitelist) > 0 ? ["go"] : []
 
       content {
         test     = "IpAddress"
         variable = "aws:SourceIp"
-        values   = var.source_ip_whitelist
+        values   = each.value.source_ip_whitelist
       }
     }
 
     dynamic "condition" {
-      for_each = length(var.source_ip_blacklist) > 0 ? ["go"] : []
+      for_each = length(each.value.source_ip_blacklist) > 0 ? ["go"] : []
 
       content {
         test     = "NotIpAddress"
         variable = "aws:SourceIp"
-        values   = var.source_ip_blacklist
+        values   = each.value.source_ip_blacklist
       }
     }
   }
@@ -93,7 +93,7 @@ data "aws_iam_policy_document" "trusted_oidc_providers" {
     for_each = var.trusted_session_tagging.enabled ? ["go"] : []
 
     content {
-      sid     = "TrustedTagSession${each.key}"
+      sid     = "TrustedTagSessionForOidcProvider${each.key}"
       effect  = "Allow"
       actions = ["sts:TagSession"]
 
@@ -132,7 +132,7 @@ data "aws_iam_policy_document" "trusted_oidc_providers" {
     for_each = var.trusted_source_identity.enabled ? ["go"] : []
 
     content {
-      sid     = "TrustedSourceIdentity${each.key}"
+      sid     = "TrustedSourceIdentityForOidcProvider${each.key}"
       effect  = "Allow"
       actions = ["sts:SetSourceIdentity"]