feat: modules/iam-assumable-role-with-oidc: Support multiple provider URLs (#91)

283a5142 · Anton Babenko · GitHub · b5bf1cbd · 283a5142 · 283a5142
Commit 283a5142 authored Aug 18, 2020 by Anton Babenko Committed by GitHub Aug 18, 2020
4 changed files
--- a/examples/iam-assumable-role-with-oidc/main.tf
+++ b/examples/iam-assumable-role-with-oidc/main.tf
@@ -16,7 +16,8 @@ module "iam_assumable_role_admin" {
    Role = "role-with-oidc"
  }
-  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
+  provider_url  = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
+  provider_urls = ["oidc.eks.eu-west-1.amazonaws.com/id/AA9E170D464AF7B92084EF72A69B9DC8"]
  role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",

--- a/modules/iam-assumable-role-with-oidc/README.md
+++ b/modules/iam-assumable-role-with-oidc/README.md
@@ -24,13 +24,14 @@ This module supports IAM Roles for kubernetes service accounts as described in t
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| aws\_account\_id | The AWS account ID where the OIDC provider lives, leave empty to use the account fo the AWS provider | `string` | `""` | no |
+| aws\_account\_id | The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider | `string` | `""` | no |
 | create\_role | Whether to create a role | `bool` | `false` | no |
 | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
 | oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
-| provider\_url | URL of the OIDC Provider | `string` | n/a | yes |
+| provider\_url | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |
+| provider\_urls | List of URLs of the OIDC Providers | `list(string)` | `[]` | no |
 | role\_name | IAM role name | `string` | `""` | no |
 | role\_path | Path of IAM role | `string` | `"/"` | no |
 | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |

--- a/modules/iam-assumable-role-with-oidc/main.tf
+++ b/modules/iam-assumable-role-with-oidc/main.tf
 locals {
  aws_account_id = var.aws_account_id != "" ? var.aws_account_id : data.aws_caller_identity.current.account_id
-  provider_url   = replace(var.provider_url, "https://", "")
+  # clean URLs of https:// prefix
+  urls = [
+    for url in distinct(concat(var.provider_urls, [var.provider_url])) :
+    replace(url, "https://", "")
+  ]
+  identifiers = [
+    for url in local.urls :
+    "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:oidc-provider/${url}"
+  ]
 }
 data "aws_caller_identity" "current" {}
@@ -18,26 +26,24 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
    principals {
      type = "Federated"
-      identifiers = [
+      identifiers = local.identifiers
-        "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:oidc-provider/${local.provider_url}"
-      ]
    }
    dynamic "condition" {
-      for_each = length(var.oidc_fully_qualified_subjects) > 0 ? [1] : []
+      for_each = length(var.oidc_fully_qualified_subjects) > 0 ? local.urls : []
      content {
        test     = "StringEquals"
-        variable = "${local.provider_url}:sub"
+        variable = "${condition.value}:sub"
        values   = var.oidc_fully_qualified_subjects
      }
    }
    dynamic "condition" {
-      for_each = length(var.oidc_subjects_with_wildcards) > 0 ? [1] : []
+      for_each = length(var.oidc_subjects_with_wildcards) > 0 ? local.urls : []
      content {
        test     = "StringLike"
-        variable = "${local.provider_url}:sub"
+        variable = "${condition.value}:sub"
        values   = var.oidc_subjects_with_wildcards
      }
    }

--- a/modules/iam-assumable-role-with-oidc/variables.tf
+++ b/modules/iam-assumable-role-with-oidc/variables.tf
@@ -5,12 +5,19 @@ variable "create_role" {
 }
 variable "provider_url" {
-  description = "URL of the OIDC Provider"
+  description = "URL of the OIDC Provider. Use provider_urls to specify several URLs."
  type        = string
+  default     = ""
+}
+variable "provider_urls" {
+  description = "List of URLs of the OIDC Providers"
+  type        = list(string)
+  default     = []
 }
 variable "aws_account_id" {
-  description = "The AWS account ID where the OIDC provider lives, leave empty to use the account fo the AWS provider"
+  description = "The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider"
  type        = string
  default     = ""
 }