feat: Add support for specifying assume role conditions (#12)

Author: bryantbiggs

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.2
+    rev: v1.92.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
@@ -22,10 +22,9 @@ repos:
           - '--args=--only=terraform_required_providers'
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
-          - '--args=--only=terraform_unused_required_providers'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

README.md

@@ -18,6 +18,14 @@ module "custom_pod_identity" {
 
   name = "custom"
 
+  trust_policy_conditions = [
+    {
+      test     = "StringEquals"
+      variable = "aws:PrincipalOrgID"
+      values   = ["o-1234567890"]
+    }
+  ]
+
   trust_policy_statements = [
     {
       sid       = "Test"
@@ -553,6 +561,7 @@ No modules.
 | <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `[]` | no |
 | <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| <a name="input_trust_policy_conditions"></a> [trust\_policy\_conditions](#input\_trust\_policy\_conditions) | A list of conditions to add to the role trust policy | `any` | `[]` | no |
 | <a name="input_trust_policy_statements"></a> [trust\_policy\_statements](#input\_trust\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for the role trust policy | `any` | `[]` | no |
 | <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the role name and policy name(s) are used as a prefix | `string` | `true` | no |
 | <a name="input_velero_policy_name"></a> [velero\_policy\_name](#input\_velero\_policy\_name) | Custom name of the Velero IAM policy | `string` | `null` | no |

examples/complete/main.tf

@@ -36,6 +36,14 @@ module "custom_pod_identity" {
     additional           = aws_iam_policy.additional.arn
   }
 
+  trust_policy_conditions = [
+    {
+      test     = "StringEquals"
+      variable = "aws:PrincipalOrgID"
+      values   = ["o-1234567890"]
+    }
+  ]
+
   associations = {
     ex-one = {
       cluster_name    = module.eks_one.cluster_name

main.tf

@@ -22,6 +22,16 @@ data "aws_iam_policy_document" "assume" {
       type        = "Service"
       identifiers = ["pods.eks.amazonaws.com"]
     }
+
+    dynamic "condition" {
+      for_each = var.trust_policy_conditions
+
+      content {
+        test     = condition.value.test
+        values   = condition.value.values
+        variable = condition.value.variable
+      }
+    }
   }
 
   dynamic "statement" {

variables.tf

@@ -14,6 +14,12 @@ variable "tags" {
 # IAM Role Trust Policy
 ################################################################################
 
+variable "trust_policy_conditions" {
+  description = "A list of conditions to add to the role trust policy"
+  type        = any
+  default     = []
+}
+
 variable "trust_policy_statements" {
   description = "A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for the role trust policy"
   type        = any

wrappers/main.tf

@@ -72,6 +72,7 @@ module "wrapper" {
   policy_statements                                        = try(each.value.policy_statements, var.defaults.policy_statements, [])
   source_policy_documents                                  = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
   tags                                                     = try(each.value.tags, var.defaults.tags, {})
+  trust_policy_conditions                                  = try(each.value.trust_policy_conditions, var.defaults.trust_policy_conditions, [])
   trust_policy_statements                                  = try(each.value.trust_policy_statements, var.defaults.trust_policy_statements, [])
   use_name_prefix                                          = try(each.value.use_name_prefix, var.defaults.use_name_prefix, true)
   velero_policy_name                                       = try(each.value.velero_policy_name, var.defaults.velero_policy_name, null)

wrappers/versions.tf

@@ -1,3 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.3.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.30"
+    }
+  }
 }