fix: Fix conditions with multiple subjects in assume role with oidc policy (#74)

examples/iam-assumable-role-with-oidc/main.tf

@@ -21,4 +21,6 @@ module "iam_assumable_role_admin" {
   role_policy_arns = [
     "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
   ]
+
+  oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1","system:serviceaccount:default:sa2"]
 }

modules/iam-assumable-role-with-oidc/main.tf

@@ -21,20 +21,21 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
     }
 
     dynamic "condition" {
-      for_each = var.oidc_fully_qualified_subjects
+      for_each = length(var.oidc_fully_qualified_subjects) > 0 ? [1] : []
       content {
         test     = "StringEquals"
         variable = "${var.provider_url}:sub"
-        values   = [condition.value]
+        values   = var.oidc_fully_qualified_subjects
       }
     }
 
+
     dynamic "condition" {
-      for_each = var.oidc_subjects_with_wildcards
+      for_each = length(var.oidc_subjects_with_wildcards) > 0 ? [1] : []
       content {
         test     = "StringLike"
         variable = "${var.provider_url}:sub"
-        values   = [condition.value]
+        values   = var.oidc_subjects_with_wildcards
       }
     }
   }

modules/iam-assumable-role-with-oidc/variables.tf

@@ -53,13 +53,13 @@ variable "role_policy_arns" {
 
 variable "oidc_fully_qualified_subjects" {
   description = "The fully qualified OIDC subjects to be added to the role policy"
-  type        = list(string)
+  type        = set(string)
   default     = []
 }
 
 variable "oidc_subjects_with_wildcards" {
   description = "The OIDC subject using wildcards to be added to the role policy"
-  type        = list(string)
+  type        = set(string)
   default     = []
 }