
feat: Allows multiple STS External IDs to be provided to an assumable role #138

Conversation

mike-carey
Contributor

@mike-carey mike-carey commented Mar 3, 2021

Description

Allows more than one STS External ID to be provided to an assumable role.

Motivation and Context

We need to pass multiple External IDs allowing one role for multiple external ids.

Breaking Changes

No

How Has This Been Tested?

  • I have tested and validated these changes using one or more of the provided examples/* projects

I have added the role_sts_external_ids field to the iam-assumable-role example.

Using a string

```
  # module.iam_assumable_role_custom.aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Condition = {
                          + StringEquals = {
                              + sts:ExternalId = [
                                  + "some-id-goes-here",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS     = "arn:aws:iam::307990089504:root"
                          + Service = "codedeploy.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "custom"
      + path                  = "/"
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }
```

Using a list(string)

```
  # module.iam_assumable_role_sts.aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Condition = {
                          + StringEquals = {
                              + sts:ExternalId = [
                                  + "some-id-goes-here",
                                  + "another-id-goes-here",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS     = "arn:aws:iam::307990089504:root"
                          + Service = "codedeploy.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "custom_sts"
      + path                  = "/"
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }
```
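As an added illustration (Python written for this page, not the module's own HCL), the following models the trust policy the two plan outputs above describe and how its StringEquals condition on sts:ExternalId behaves when role_sts_external_ids is a single string versus a list. The account ARN and service principal are the ones from the plan; the function names and the simplified evaluation logic are assumptions.

```python
ROOT_ARN = "arn:aws:iam::307990089504:root"   # trusted principal from the plan output
SERVICE = "codedeploy.amazonaws.com"          # trusted service from the plan output


def normalize_external_ids(value):
    """Accept a single string or a list of strings (the two plan cases above) and
    return distinct, non-empty IDs; blanks are rejected instead of being rendered."""
    ids = [value] if isinstance(value, str) else list(value)
    out = []
    for i in ids:
        if not isinstance(i, str) or not i.strip():
            raise ValueError("sts:ExternalId values must be non-empty strings")
        if i not in out:
            out.append(i)
    return out


def build_trust_policy(trusted_arns, trusted_services, external_ids):
    """Render the document shown in the plan: one Allow statement with a
    StringEquals condition on sts:ExternalId only when IDs were supplied."""
    stmt = {
        "Sid": "",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": list(trusted_arns), "Service": list(trusted_services)},
    }
    ids = normalize_external_ids(external_ids)
    if ids:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": ids}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_allowed(policy, caller, external_id=None):
    """Simplified evaluation of one AssumeRole call (hypothetical model, not IAM's
    full logic). StringEquals against a list passes when ANY listed value matches,
    so each ID in the list is sufficient on its own; omitting ExternalId fails
    whenever the condition is present."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"] + stmt["Principal"]["Service"]
        if caller not in principals:
            continue
        allowed = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if allowed is None or (external_id is not None and external_id in allowed):
            return True
    return False
```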

@mike-carey mike-carey changed the title Allows multiple STS External IDs to be provided to an assumable role feat: Allows multiple STS External IDs to be provided to an assumable role Mar 3, 2021
@mike-carey mike-carey requested a review from antonbabenko March 11, 2021 16:36
@antonbabenko antonbabenko merged commit fd70c07 into terraform-aws-modules:master Mar 11, 2021
@antonbabenko
Member

Thanks, @mike-carey !

v3.13.0 has just been released.

@mike-carey mike-carey deleted the feature/multiple-sts-external-ids branch March 12, 2021 18:04
@github-actions

github-actions bot commented Nov 9, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2022