feat: Add support for OIDC policy conditions (#480)

Author: fatmcgav

examples/iam-assumable-role-with-oidc/README.md

@@ -32,6 +32,7 @@ No providers.
 |------|--------|---------|
 | <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | ../../modules/iam-assumable-role-with-oidc | n/a |
 | <a name="module_iam_assumable_role_inline_policy"></a> [iam\_assumable\_role\_inline\_policy](#module\_iam\_assumable\_role\_inline\_policy) | ../../modules/iam-assumable-role-with-oidc | n/a |
+| <a name="module_iam_assumable_role_provider_trust_policy_conditions"></a> [iam\_assumable\_role\_provider\_trust\_policy\_conditions](#module\_iam\_assumable\_role\_provider\_trust\_policy\_conditions) | ../../modules/iam-assumable-role-with-oidc | n/a |
 | <a name="module_iam_assumable_role_self_assume"></a> [iam\_assumable\_role\_self\_assume](#module\_iam\_assumable\_role\_self\_assume) | ../../modules/iam-assumable-role-with-oidc | n/a |
 
 ## Resources

examples/iam-assumable-role-with-oidc/main.tf

@@ -89,3 +89,34 @@ module "iam_assumable_role_inline_policy" {
     }
   ]
 }
+
+#####################################
+# IAM assumable role with policy conditions
+#####################################
+module "iam_assumable_role_provider_trust_policy_conditions" {
+  source = "../../modules/iam-assumable-role-with-oidc"
+
+  create_role = true
+
+  role_name = "role-with-oidc-policy-conditions"
+
+  tags = {
+    Role = "role-with-oidc-policy-conditions"
+  }
+
+  provider_url = "oidc.circleci.com/org/<CIRCLECI_ORG_UUID>"
+
+  oidc_fully_qualified_audiences = ["<CIRCLECI_ORG_UUID>"]
+
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+  ]
+
+  provider_trust_policy_conditions = [
+    {
+      test     = "StringLike"
+      variable = "aws:RequestTag/Environment"
+      values   = ["example"]
+    }
+  ]
+}

modules/iam-assumable-role-with-oidc/README.md

@@ -50,6 +50,7 @@ No modules.
 | <a name="input_oidc_fully_qualified_audiences"></a> [oidc\_fully\_qualified\_audiences](#input\_oidc\_fully\_qualified\_audiences) | The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. | `set(string)` | `[]` | no |
 | <a name="input_oidc_fully_qualified_subjects"></a> [oidc\_fully\_qualified\_subjects](#input\_oidc\_fully\_qualified\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
 | <a name="input_oidc_subjects_with_wildcards"></a> [oidc\_subjects\_with\_wildcards](#input\_oidc\_subjects\_with\_wildcards) | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
+| <a name="input_provider_trust_policy_conditions"></a> [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy | `any` | `[]` | no |
 | <a name="input_provider_url"></a> [provider\_url](#input\_provider\_url) | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |
 | <a name="input_provider_urls"></a> [provider\_urls](#input\_provider\_urls) | List of URLs of the OIDC Providers | `list(string)` | `[]` | no |
 | <a name="input_role_description"></a> [role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no |

modules/iam-assumable-role-with-oidc/main.tf

@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
 
     content {
       effect  = "Allow"
-      actions = ["sts:AssumeRoleWithWebIdentity"]
+      actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
 
       principals {
         type = "Federated"
@@ -80,6 +80,16 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
           values   = var.oidc_fully_qualified_audiences
         }
       }
+
+      dynamic "condition" {
+        for_each = var.provider_trust_policy_conditions
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
     }
   }
 }

modules/iam-assumable-role-with-oidc/variables.tf

@@ -111,3 +111,9 @@ variable "allow_self_assume_role" {
   type        = bool
   default     = false
 }
+
+variable "provider_trust_policy_conditions" {
+  description = "[Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy"
+  type        = any
+  default     = []
+}

wrappers/iam-assumable-role-with-oidc/main.tf

@@ -3,23 +3,24 @@ module "wrapper" {
 
   for_each = var.items
 
-  allow_self_assume_role         = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
-  aws_account_id                 = try(each.value.aws_account_id, var.defaults.aws_account_id, "")
-  create_role                    = try(each.value.create_role, var.defaults.create_role, false)
-  force_detach_policies          = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
-  inline_policy_statements       = try(each.value.inline_policy_statements, var.defaults.inline_policy_statements, [])
-  max_session_duration           = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
-  number_of_role_policy_arns     = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
-  oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
-  oidc_fully_qualified_subjects  = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
-  oidc_subjects_with_wildcards   = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])
-  provider_url                   = try(each.value.provider_url, var.defaults.provider_url, "")
-  provider_urls                  = try(each.value.provider_urls, var.defaults.provider_urls, [])
-  role_description               = try(each.value.role_description, var.defaults.role_description, "")
-  role_name                      = try(each.value.role_name, var.defaults.role_name, null)
-  role_name_prefix               = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
-  role_path                      = try(each.value.role_path, var.defaults.role_path, "/")
-  role_permissions_boundary_arn  = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
-  role_policy_arns               = try(each.value.role_policy_arns, var.defaults.role_policy_arns, [])
-  tags                           = try(each.value.tags, var.defaults.tags, {})
+  allow_self_assume_role           = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  aws_account_id                   = try(each.value.aws_account_id, var.defaults.aws_account_id, "")
+  create_role                      = try(each.value.create_role, var.defaults.create_role, false)
+  force_detach_policies            = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
+  inline_policy_statements         = try(each.value.inline_policy_statements, var.defaults.inline_policy_statements, [])
+  max_session_duration             = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
+  number_of_role_policy_arns       = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
+  oidc_fully_qualified_audiences   = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
+  oidc_fully_qualified_subjects    = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
+  oidc_subjects_with_wildcards     = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])
+  provider_trust_policy_conditions = try(each.value.provider_trust_policy_conditions, var.defaults.provider_trust_policy_conditions, [])
+  provider_url                     = try(each.value.provider_url, var.defaults.provider_url, "")
+  provider_urls                    = try(each.value.provider_urls, var.defaults.provider_urls, [])
+  role_description                 = try(each.value.role_description, var.defaults.role_description, "")
+  role_name                        = try(each.value.role_name, var.defaults.role_name, null)
+  role_name_prefix                 = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null)
+  role_path                        = try(each.value.role_path, var.defaults.role_path, "/")
+  role_permissions_boundary_arn    = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "")
+  role_policy_arns                 = try(each.value.role_policy_arns, var.defaults.role_policy_arns, [])
+  tags                             = try(each.value.tags, var.defaults.tags, {})
 }