Skip to content

T
terraform-aws-iam
Commit f34e1035 authored by Zyntogz's avatar Zyntogz Committed by GitHub
Browse files
Options

feat: Added number_of_ variables for iam-assumable-role submodules (#96)

parent cf8f3cce
Hide whitespace changes
Inline Side-by-side
Showing with 19 additions and 2 deletions
examples/iam-assumable-role-with-oidc/main.tf
View file @ f34e1035
...@@ -22,6 +22,7 @@ module "iam_assumable_role_admin" { ...@@ -22,6 +22,7 @@ module "iam_assumable_role_admin" {
role_policy_arns = [ role_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
] ]
number_of_role_policy_arns = 1
oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"] oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"]
} }
examples/iam-assumable-role/main.tf
View file @ f34e1035
...@@ -54,4 +54,5 @@ module "iam_assumable_role_custom" { ...@@ -54,4 +54,5 @@ module "iam_assumable_role_custom" {
"arn:aws:iam::aws:policy/AmazonCognitoReadOnly", "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
"arn:aws:iam::aws:policy/AlexaForBusinessFullAccess", "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
] ]
number_of_custom_role_policy_arns = 2
} }
modules/iam-assumable-role-with-oidc/README.md
View file @ f34e1035
...@@ -28,6 +28,7 @@ This module supports IAM Roles for kubernetes service accounts as described in t ...@@ -28,6 +28,7 @@ This module supports IAM Roles for kubernetes service accounts as described in t
| create\_role | Whether to create a role | `bool` | `false` | no | | create\_role | Whether to create a role | `bool` | `false` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no | | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no | | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| number\_of\_role\_policy\_arns | Number of custom policies passed to variable role\_policy\_arns | `number` | `0` | no |
| oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no | | oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
| oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no | | oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
| provider\_url | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no | | provider\_url | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |
......
modules/iam-assumable-role-with-oidc/main.tf
View file @ f34e1035
...@@ -68,7 +68,7 @@ resource "aws_iam_role" "this" { ...@@ -68,7 +68,7 @@ resource "aws_iam_role" "this" {
} }
resource "aws_iam_role_policy_attachment" "custom" { resource "aws_iam_role_policy_attachment" "custom" {
count = var.create_role ? length(var.role_policy_arns) : 0 count = var.create_role ? var.number_of_role_policy_arns : 0
role = join("", aws_iam_role.this.*.name) role = join("", aws_iam_role.this.*.name)
policy_arn = var.role_policy_arns[count.index] policy_arn = var.role_policy_arns[count.index]
......
modules/iam-assumable-role-with-oidc/variables.tf
View file @ f34e1035
...@@ -70,6 +70,13 @@ variable "role_policy_arns" { ...@@ -70,6 +70,13 @@ variable "role_policy_arns" {
default = [] default = []
} }
variable "number_of_role_policy_arns" {
description = "Number of IAM policies to attach to IAM role"
type = number
default = 0
}
variable "oidc_fully_qualified_subjects" { variable "oidc_fully_qualified_subjects" {
description = "The fully qualified OIDC subjects to be added to the role policy" description = "The fully qualified OIDC subjects to be added to the role policy"
type = set(string) type = set(string)
......
modules/iam-assumable-role/README.md
View file @ f34e1035
...@@ -32,6 +32,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U ...@@ -32,6 +32,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no | | force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no | | max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no | | mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| number\_of\_custom\_role\_policy\_arns | Number of custom policies passed to variable custom\_role\_policy\_arns | `number` | `0` | no |
| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no | | poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no | | readonly\_role\_policy\_arn | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| role\_description | IAM Role description | `string` | `""` | no | | role\_description | IAM Role description | `string` | `""` | no |
......
modules/iam-assumable-role/main.tf
View file @ f34e1035
...@@ -72,7 +72,7 @@ resource "aws_iam_role" "this" { ...@@ -72,7 +72,7 @@ resource "aws_iam_role" "this" {
} }
resource "aws_iam_role_policy_attachment" "custom" { resource "aws_iam_role_policy_attachment" "custom" {
count = var.create_role ? length(var.custom_role_policy_arns) : 0 count = var.create_role ? var.number_of_custom_role_policy_arns : 0
role = aws_iam_role.this[0].name role = aws_iam_role.this[0].name
policy_arn = element(var.custom_role_policy_arns, count.index) policy_arn = element(var.custom_role_policy_arns, count.index)
......
modules/iam-assumable-role/variables.tf
View file @ f34e1035
...@@ -76,6 +76,12 @@ variable "custom_role_policy_arns" { ...@@ -76,6 +76,12 @@ variable "custom_role_policy_arns" {
default = [] default = []
} }
variable "number_of_custom_role_policy_arns" {
description = "Number of IAM policies to attach to IAM role"
type = number
default = 0
}
# Pre-defined policies # Pre-defined policies
variable "admin_role_policy_arn" { variable "admin_role_policy_arn" {
description = "Policy ARN to use for admin role" description = "Policy ARN to use for admin role"
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment