assumable roles for Users with SAML Identity Provider (#19)

* add assume role with saml provider

* add assume role with saml provider, examples and readme

* add module for roles with SAML Identity Provider

README.md

@@ -73,6 +73,23 @@ module "iam_assumable_roles" {
 }
 ```
 
+`iam-assumable-roles-with-saml`:
+```hcl
+module "iam_assumable_roles_with_saml" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles-with-saml"
+
+  create_admin_role = true
+
+  create_poweruser_role = true
+  poweruser_role_name   = "developer"
+
+  create_readonly_role = true
+
+  provider_name = "${aws_iam_saml_provider.idp_saml.name}"
+  provider_id   = "${aws_iam_saml_provider.idp_saml.id}"
+}
+```
+
 `iam-user`:
 ```hcl
 module "iam_user" {
@@ -202,6 +219,7 @@ Use [iam-policy module](https://github.com/terraform-aws-modules/terraform-aws-i
 * [iam-account](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-account) - Set AWS account alias and password policy
 * [iam-assumable-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
 * [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create several IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
+* [iam-assumable-roles-with-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles-with-saml) - Create several IAM roles which can be assumed from Users with a SAML Identity Provider
 * [iam-group-with-assumable-roles-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) - IAM group with users who are allowed to assume IAM roles in the same or in separate AWS account
 * [iam-group-with-policies](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-policies) - IAM group with users who are allowed specified IAM policies (eg, "manage their own IAM user")
 * [iam-group-complete](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-complete) - IAM group with users who are allowed to assume IAM roles in another AWS account and have access to specified IAM policies

examples/iam-assumable-roles-with-saml/README.md

+# IAM assumable roles with SAML Identity Provider example
+
+Configuration in this directory creates several IAM roles which can be assumed from Users with a SAML Identity Provider
+
+# Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| admin\_iam\_role\_arn | ARN of admin IAM role |
+| admin\_iam\_role\_name | Name of admin IAM role |
+| admin\_iam\_role\_path | Path of admin IAM role |
+| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
+| poweruser\_iam\_role\_name | Name of poweruser IAM role |
+| poweruser\_iam\_role\_path | Path of poweruser IAM role |
+| readonly\_iam\_role\_arn | ARN of readonly IAM role |
+| readonly\_iam\_role\_name | Name of readonly IAM role |
+| readonly\_iam\_role\_path | Path of readonly IAM role |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/iam-assumable-roles-with-saml/main.tf

+provider "aws" {
+  region = "eu-west-1"
+}
+
+resource "aws_iam_saml_provider" "idp_saml" {
+  name                   = "idp_saml"
+  saml_metadata_document = "${file("${path.module}/saml-metadata.xml")}"
+}
+
+###############################
+# IAM assumable roles with SAML
+###############################
+
+module "iam_assumable_roles_with_saml" {
+  source = "../../../terraform-aws-iam/modules/iam-assumable-roles-with-saml"
+
+  create_admin_role = true
+
+  create_poweruser_role = true
+  poweruser_role_name   = "developer"
+
+  create_readonly_role = true
+
+  provider_name = "${aws_iam_saml_provider.idp_saml.name}"
+  provider_id   = "${aws_iam_saml_provider.idp_saml.id}"
+}

examples/iam-assumable-roles-with-saml/outputs.tf

+# Admin
+output "admin_iam_role_arn" {
+  description = "ARN of admin IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.admin_iam_role_arn}"
+}
+
+output "admin_iam_role_name" {
+  description = "Name of admin IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.admin_iam_role_name}"
+}
+
+output "admin_iam_role_path" {
+  description = "Path of admin IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.admin_iam_role_path}"
+}
+
+# Poweruser
+output "poweruser_iam_role_arn" {
+  description = "ARN of poweruser IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.poweruser_iam_role_arn}"
+}
+
+output "poweruser_iam_role_name" {
+  description = "Name of poweruser IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.poweruser_iam_role_name}"
+}
+
+output "poweruser_iam_role_path" {
+  description = "Path of poweruser IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.poweruser_iam_role_path}"
+}
+
+# Readonly
+output "readonly_iam_role_arn" {
+  description = "ARN of readonly IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.readonly_iam_role_arn}"
+}
+
+output "readonly_iam_role_name" {
+  description = "Name of readonly IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.readonly_iam_role_name}"
+}
+
+output "readonly_iam_role_path" {
+  description = "Path of readonly IAM role"
+  value       = "${module.iam_assumable_roles_with_saml.readonly_iam_role_path}"
+}

modules/iam-assumable-roles-with-saml/README.md

+# iam-assumable-roles
+
+Creates single IAM role which can be assumed by trusted resources using SAML Federated Users.
+
+
+[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) 
+[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) 
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
+| admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
+| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
+| admin\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
+| admin\_role\_requires\_mfa | Whether admin role requires MFA | string | `"true"` | no |
+| create\_admin\_role | Whether to create admin role | string | `"false"` | no |
+| create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
+| create\_readonly\_role | Whether to create readonly role | string | `"false"` | no |
+| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `"3600"` | no |
+| poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
+| poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
+| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
+| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | string | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
+| poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | string | `"true"` | no |
+| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
+| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
+| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
+| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | string | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
+| readonly\_role\_requires\_mfa | Whether readonly role requires MFA | string | `"true"` | no |
+| provider\_name | Name of the SAML Provider | string | `""` | yes |
+| provider\_id | ID of the SAML Provider | string | `""` | yes |
+| aws_saml_endpoint | AWS SAML Endpoint | list | `["https://signin.aws.amazon.com/saml"]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| admin\_iam\_role\_arn | ARN of admin IAM role |
+| admin\_iam\_role\_name | Name of admin IAM role |
+| admin\_iam\_role\_path | Path of admin IAM role |
+| admin\_iam\_role\_requires\_mfa | Whether admin IAM role requires MFA |
+| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
+| poweruser\_iam\_role\_name | Name of poweruser IAM role |
+| poweruser\_iam\_role\_path | Path of poweruser IAM role |
+| poweruser\_iam\_role\_requires\_mfa | Whether poweruser IAM role requires MFA |
+| readonly\_iam\_role\_arn | ARN of readonly IAM role |
+| readonly\_iam\_role\_name | Name of readonly IAM role |
+| readonly\_iam\_role\_path | Path of readonly IAM role |
+| readonly\_iam\_role\_requires\_mfa | Whether readonly IAM role requires MFA |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-assumable-roles-with-saml/main.tf

+data "aws_iam_policy_document" "assume_role_with_saml" {
+  statement {
+    effect = "Allow"
+
+    actions = ["sts:AssumeRoleWithSAML"]
+
+    principals {
+      type        = "Federated"
+      identifiers = ["${var.provider_id}"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "SAML:aud"
+      values   = ["${var.aws_saml_endpoint}"]
+    }
+  }
+}
+
+# Admin
+resource "aws_iam_role" "admin" {
+  count = "${var.create_admin_role ? 1 : 0}"
+
+  name                 = "${var.admin_role_name}"
+  path                 = "${var.admin_role_path}"
+  max_session_duration = "${var.max_session_duration}"
+
+  permissions_boundary = "${var.admin_role_permissions_boundary_arn}"
+
+  assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "admin" {
+  count = "${var.create_admin_role ? 1 : 0}"
+
+  role       = "${aws_iam_role.admin.name}"
+  policy_arn = "${var.admin_role_policy_arn}"
+}
+
+# Poweruser
+resource "aws_iam_role_policy_attachment" "poweruser" {
+  count = "${var.create_poweruser_role ? 1 : 0}"
+
+  role       = "${aws_iam_role.poweruser.name}"
+  policy_arn = "${var.poweruser_role_policy_arn}"
+}
+
+resource "aws_iam_role" "poweruser" {
+  count = "${var.create_poweruser_role ? 1 : 0}"
+
+  name                 = "${var.poweruser_role_name}"
+  path                 = "${var.poweruser_role_path}"
+  max_session_duration = "${var.max_session_duration}"
+
+  permissions_boundary = "${var.poweruser_role_permissions_boundary_arn}"
+
+  assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
+}
+
+# Readonly
+resource "aws_iam_role_policy_attachment" "readonly" {
+  count = "${var.create_readonly_role ? 1 : 0}"
+
+  role       = "${aws_iam_role.readonly.name}"
+  policy_arn = "${var.readonly_role_policy_arn}"
+}
+
+resource "aws_iam_role" "readonly" {
+  count = "${var.create_readonly_role ? 1 : 0}"
+
+  name                 = "${var.readonly_role_name}"
+  path                 = "${var.readonly_role_path}"
+  max_session_duration = "${var.max_session_duration}"
+
+  permissions_boundary = "${var.readonly_role_permissions_boundary_arn}"
+
+  assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
+}

modules/iam-assumable-roles-with-saml/outputs.tf

+#Admin
+output "admin_iam_role_arn" {
+  description = "ARN of admin IAM role"
+  value       = "${element(concat(aws_iam_role.admin.*.arn, list("")), 0)}"
+}
+
+output "admin_iam_role_name" {
+  description = "Name of admin IAM role"
+  value       = "${element(concat(aws_iam_role.admin.*.name, list("")), 0)}"
+}
+
+output "admin_iam_role_path" {
+  description = "Path of admin IAM role"
+  value       = "${element(concat(aws_iam_role.admin.*.path, list("")), 0)}"
+}
+
+output "poweruser_iam_role_arn" {
+  description = "ARN of poweruser IAM role"
+  value       = "${element(concat(aws_iam_role.poweruser.*.arn, list("")), 0)}"
+}
+
+output "poweruser_iam_role_name" {
+  description = "Name of poweruser IAM role"
+  value       = "${element(concat(aws_iam_role.poweruser.*.name, list("")), 0)}"
+}
+
+output "poweruser_iam_role_path" {
+  description = "Path of poweruser IAM role"
+  value       = "${element(concat(aws_iam_role.poweruser.*.path, list("")), 0)}"
+}
+
+# Readonly
+output "readonly_iam_role_arn" {
+  description = "ARN of readonly IAM role"
+  value       = "${element(concat(aws_iam_role.readonly.*.arn, list("")), 0)}"
+}
+
+output "readonly_iam_role_name" {
+  description = "Name of readonly IAM role"
+  value       = "${element(concat(aws_iam_role.readonly.*.name, list("")), 0)}"
+}
+
+output "readonly_iam_role_path" {
+  description = "Path of readonly IAM role"
+  value       = "${element(concat(aws_iam_role.readonly.*.path, list("")), 0)}"
+}

modules/iam-assumable-roles-with-saml/variables.tf

+variable "provider_name" {
+  description = "Name of the SAML Provider"
+  type        = "string"
+}
+
+variable "provider_id" {
+  description = "ID of the SAML Provider"
+  type        = "string"
+}
+
+variable "aws_saml_endpoint" {
+  description = "AWS SAML Endpoint"
+  default     = ["https://signin.aws.amazon.com/saml"]
+  type        = "list"
+}
+
+# Admin
+variable "create_admin_role" {
+  description = "Whether to create admin role"
+  default     = false
+}
+
+variable "admin_role_name" {
+  description = "IAM role with admin access"
+  default     = "admin"
+}
+
+variable "admin_role_path" {
+  description = "Path of admin IAM role"
+  default     = "/"
+}
+
+variable "admin_role_policy_arn" {
+  description = "Policy ARN to use for admin role"
+  default     = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+variable "admin_role_permissions_boundary_arn" {
+  description = "Permissions boundary ARN to use for admin role"
+  default     = ""
+}
+
+# Poweruser
+variable "create_poweruser_role" {
+  description = "Whether to create poweruser role"
+  default     = false
+}
+
+variable "poweruser_role_name" {
+  description = "IAM role with poweruser access"
+  default     = "poweruser"
+}
+
+variable "poweruser_role_path" {
+  description = "Path of poweruser IAM role"
+  default     = "/"
+}
+
+variable "poweruser_role_policy_arn" {
+  description = "Policy ARN to use for poweruser role"
+  default     = "arn:aws:iam::aws:policy/PowerUserAccess"
+}
+
+variable "poweruser_role_permissions_boundary_arn" {
+  description = "Permissions boundary ARN to use for poweruser role"
+  default     = ""
+}
+
+# Readonly
+variable "create_readonly_role" {
+  description = "Whether to create readonly role"
+  default     = false
+}
+
+variable "readonly_role_name" {
+  description = "IAM role with readonly access"
+  default     = "readonly"
+}
+
+variable "readonly_role_path" {
+  description = "Path of readonly IAM role"
+  default     = "/"
+}
+
+variable "readonly_role_policy_arn" {
+  description = "Policy ARN to use for readonly role"
+  default     = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+variable "readonly_role_permissions_boundary_arn" {
+  description = "Permissions boundary ARN to use for readonly role"
+  default     = ""
+}
+
+variable "max_session_duration" {
+  description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
+  default     = 3600
+}