feat: iam-assumable-roles-with-saml - Allow for multiple provider ids (#110)

92dbb090 · ravanapel · GitHub · 09e0a48e · 92dbb090 · 92dbb090
Commit 92dbb090 authored Nov 13, 2020 by ravanapel Committed by GitHub Nov 13, 2020
4 changed files
--- a/examples/iam-assumable-roles-with-saml/main.tf
+++ b/examples/iam-assumable-roles-with-saml/main.tf
@@ -7,6 +7,11 @@ resource "aws_iam_saml_provider" "idp_saml" {
  saml_metadata_document = file("saml-metadata.xml")
 }

+resource "aws_iam_saml_provider" "second_idp_saml" {
+  name                   = "second_idp_saml"
+  saml_metadata_document = file("saml-metadata.xml")
+}
+
 ###############################
 # IAM assumable roles with SAML
 ###############################
@@ -24,6 +29,23 @@ module "iam_assumable_roles_with_saml" {
  provider_id = aws_iam_saml_provider.idp_saml.id
 }

+###############################
+# IAM assumable roles with SAML
+###############################
+
+module "iam_assumable_roles_with_saml_second_provider" {
+  source = "../../modules/iam-assumable-roles-with-saml"
+
+  create_admin_role = true
+
+  create_poweruser_role = true
+  poweruser_role_name   = "developer"
+
+  create_readonly_role = true
+
+  provider_ids = [aws_iam_saml_provider.idp_saml.id, aws_iam_saml_provider.second_idp_saml.id]
+}
+
 #################################################################
 # Create custom role with SAML idp trust and additional policies
 #################################################################

--- a/modules/iam-assumable-roles-with-saml/README.md
+++ b/modules/iam-assumable-roles-with-saml/README.md
@@ -40,7 +40,8 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume
 | poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | `string` | `""` | no |
 | poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/PowerUserAccess"<br>]</pre> | no |
 | poweruser\_role\_tags | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no |
-| provider\_id | ID of the SAML Provider | `string` | n/a | yes |
+| provider\_id | ID of the SAML Provider. Use provider\_ids to specify several IDs. | `string` | `""` | no |
+| provider\_ids | List of SAML Provider IDs | `list(string)` | `[]` | no |
 | readonly\_role\_name | IAM role with readonly access | `string` | `"readonly"` | no |
 | readonly\_role\_path | Path of readonly IAM role | `string` | `"/"` | no |
 | readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | `string` | `""` | no |

--- a/modules/iam-assumable-roles-with-saml/main.tf
+++ b/modules/iam-assumable-roles-with-saml/main.tf
+locals {
+  identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id])))
+}
+
 data "aws_iam_policy_document" "assume_role_with_saml" {
  statement {
    effect = "Allow"
@@ -6,7 +10,8 @@ data "aws_iam_policy_document" "assume_role_with_saml" {

    principals {
      type = "Federated"
-      identifiers = [var.provider_id]
+
+      identifiers = local.identifiers
    }

    condition {

--- a/modules/iam-assumable-roles-with-saml/variables.tf
+++ b/modules/iam-assumable-roles-with-saml/variables.tf
 variable "provider_id" {
-  description = "ID of the SAML Provider"
+  description = "ID of the SAML Provider. Use provider_ids to specify several IDs."
  type        = string
+  default     = ""
+}
+
+variable "provider_ids" {
+  description = "List of SAML Provider IDs"
+  type        = list(string)
+  default     = []
 }

 variable "aws_saml_endpoint" {