feat: Allows multiple STS External IDs to be provided to an assumable role (#138)

fd70c071 · Mike Carey · GitHub · 564ea413 · fd70c071 · fd70c071
Commit fd70c071 authored Mar 11, 2021 by Mike Carey Committed by GitHub Mar 11, 2021
6 changed files
--- a/examples/iam-assumable-role/README.md
+++ b/examples/iam-assumable-role/README.md
@@ -34,6 +34,7 @@ No provider.
 |------|--------|---------|
 | iam_assumable_role_admin | ../../modules/iam-assumable-role |  |
 | iam_assumable_role_custom | ../../modules/iam-assumable-role |  |
+| iam_assumable_role_sts | ../../modules/iam-assumable-role |  |
 | iam_policy | ../../modules/iam-policy |  |
 ## Resources

--- a/examples/iam-assumable-role/main.tf
+++ b/examples/iam-assumable-role/main.tf
@@ -58,6 +58,38 @@ module "iam_assumable_role_custom" {
  #  number_of_custom_role_policy_arns = 3
 }
+####################################################
+# IAM assumable role with multiple sts external ids
+####################################################
+module "iam_assumable_role_sts" {
+  source = "../../modules/iam-assumable-role"
+  trusted_role_arns = [
+    "arn:aws:iam::307990089504:root",
+  ]
+  trusted_role_services = [
+    "codedeploy.amazonaws.com"
+  ]
+  create_role = true
+  role_name         = "custom_sts"
+  role_requires_mfa = false
+  role_sts_externalid = [
+    "some-id-goes-here",
+    "another-id-goes-here",
+  ]
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
+    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
+    module.iam_policy.arn
+  ]
+  #  number_of_custom_role_policy_arns = 3
+}
 #########################################
 # IAM policy
 #########################################

--- a/modules/iam-assumable-role/README.md
+++ b/modules/iam-assumable-role/README.md
@@ -53,7 +53,7 @@ No Modules.
 | role\_path | Path of IAM role | `string` | `"/"` | no |
 | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | role\_requires\_mfa | Whether role requires MFA | `bool` | `true` | no |
-| role\_sts\_externalid | STS ExternalId condition value to use with a role (when MFA is not required) | `string` | `null` | no |
+| role\_sts\_externalid | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
 | tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
 | trusted\_role\_actions | Actions of STS | `list(string)` | <pre>[<br>  "sts:AssumeRole"<br>]</pre> | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |

--- a/modules/iam-assumable-role/main.tf
+++ b/modules/iam-assumable-role/main.tf
+locals {
+  role_sts_externalid = flatten(list(var.role_sts_externalid))
+}
 data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"
@@ -15,11 +19,11 @@ data "aws_iam_policy_document" "assume_role" {
    }
    dynamic "condition" {
-      for_each = var.role_sts_externalid != null ? [true] : []
+      for_each = length(local.role_sts_externalid) != 0 ? [true] : []
      content {
        test     = "StringEquals"
        variable = "sts:ExternalId"
-        values   = [var.role_sts_externalid]
+        values   = local.role_sts_externalid
      }
    }
  }

--- a/modules/iam-assumable-role/outputs.tf
+++ b/modules/iam-assumable-role/outputs.tf
@@ -37,4 +37,3 @@ output "role_sts_externalid" {
  description = "STS ExternalId condition value to use with a role"
  value       = var.role_sts_externalid
 }
--- a/modules/iam-assumable-role/variables.tf
+++ b/modules/iam-assumable-role/variables.tf
@@ -132,8 +132,7 @@ variable "role_description" {
 }
 variable "role_sts_externalid" {
-  description = "STS ExternalId condition value to use with a role (when MFA is not required)"
+  description = "STS ExternalId condition values to use with a role (when MFA is not required)"
-  type        = string
+  type        = any
-  default     = null
+  default     = []
 }