Add Trusted Services to iam-assumable-role (#31)

40375a58 · Matt · Anton Babenko · 19066278 · 40375a58 · 40375a58
Commit 40375a58 authored Aug 21, 2019 by Matt Committed by Anton Babenko Aug 21, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

README.md modules/iam-assumable-role/README.md +1 -0

main.tf modules/iam-assumable-role/main.tf +5 -0

variables.tf modules/iam-assumable-role/variables.tf +6 -0

No files found.
--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md
@@ -25,6 +25,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | role\_requires\_mfa | Whether role requires MFA | string | `"true"` | no |
 | tags | A map of tags to add to all resources. | map | `{}` | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no |
+| trusted\_role\_services | AWS Services that can assume these roles | list | `[]` | no |
 ## Outputs

--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
@@ -8,6 +8,11 @@ data "aws_iam_policy_document" "assume_role" {
      type        = "AWS"
      identifiers = var.trusted_role_arns
    }
+    principals {
+      type        = "Service"
+      identifiers = var.trusted_role_services
+    }
  }
 }

--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
@@ -4,6 +4,12 @@ variable "trusted_role_arns" {
  default     = []
 }
+variable "trusted_role_services" {
+  description = "AWS Services that can assume these roles"
+  type        = list(string)
+  default     = []
+}
 variable "mfa_age" {
  description = "Max age of valid MFA (in seconds) for roles which require MFA"
  type        = number