feat: Support External ID with MFA in iam-assumable-role (#159)

9aad929b · Anton Babenko · GitHub · 0f456693 · 9aad929b · 9aad929b
Commit 9aad929b authored Jun 29, 2021 by Anton Babenko Committed by GitHub Jun 29, 2021
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 2 deletions

main.tf examples/iam-assumable-role/main.tf +1 -1

main.tf modules/iam-assumable-role/main.tf +10 -1

No files found.
--- a/examples/iam-assumable-role/main.tf
+++ b/examples/iam-assumable-role/main.tf
@@ -75,7 +75,7 @@ module "iam_assumable_role_sts" {
  create_role = true
  role_name         = "custom_sts"
-  role_requires_mfa = false
+  role_requires_mfa = true
  role_sts_externalid = [
    "some-id-goes-here",

--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
 locals {
-  role_sts_externalid = flatten(tolist(var.role_sts_externalid))
+  role_sts_externalid = flatten([var.role_sts_externalid])
 }
 data "aws_iam_policy_document" "assume_role" {
@@ -56,6 +56,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
      variable = "aws:MultiFactorAuthAge"
      values   = [var.mfa_age]
    }
+    dynamic "condition" {
+      for_each = length(local.role_sts_externalid) != 0 ? [true] : []
+      content {
+        test     = "StringEquals"
+        variable = "sts:ExternalId"
+        values   = local.role_sts_externalid
+      }
+    }
  }
 }