feat: Remove permission variable defaults, add updates from upstream issues/PRs

bryantbiggs · bryantbiggs · commit 0e979ff42a19 · 2025-08-12T11:19:20.000-05:00
diff --git a/modules/iam-group/main.tf b/modules/iam-group/main.tf
@@ -55,8 +55,10 @@ data "aws_iam_policy_document" "this" {
     content {
       sid = "ViewAccountInfo"
       actions = [
+        "iam:GetAccountSummary",
         "iam:GetAccountPasswordPolicy",
-        "iam:ListVirtualMFADevices"
+        "iam:ListAccountAliases",
+        "iam:ListVirtualMFADevices",
       ]
       resources = ["*"]
     }
@@ -69,7 +71,9 @@ data "aws_iam_policy_document" "this" {
       sid = "ManageOwnPasswords"
       actions = [
         "iam:ChangePassword",
-        "iam:GetUser"
+        "iam:GetLoginProfile",
+        "iam:GetUser",
+        "iam:UpdateLoginProfile",
       ]
       resources = local.user_resources
     }
@@ -84,7 +88,11 @@ data "aws_iam_policy_document" "this" {
         "iam:CreateAccessKey",
         "iam:DeleteAccessKey",
         "iam:ListAccessKeys",
-        "iam:UpdateAccessKey"
+        "iam:UpdateAccessKey",
+        "iam:GetAccessKeyLastUsed",
+        "iam:TagUser",
+        "iam:ListUserTags",
+        "iam:UntagUser",
       ]
       resources = local.user_resources
     }
@@ -168,14 +176,15 @@ data "aws_iam_policy_document" "this" {
     content {
       sid = "DenyAllExceptListedIfNoMFA"
       not_actions = [
-        "iam:ChangePassword",
         "iam:CreateVirtualMFADevice",
         "iam:EnableMFADevice",
         "iam:GetUser",
+        "iam:GetMFADevice",
         "iam:ListMFADevices",
         "iam:ListVirtualMFADevices",
         "iam:ResyncMFADevice",
-        "sts:GetSessionToken"
+        "sts:GetSessionToken",
+        "iam:ChangePassword",
       ]
       resources = ["*"]
 
diff --git a/modules/iam-read-only-policy/main.tf b/modules/iam-read-only-policy/main.tf
@@ -28,6 +28,7 @@ data "aws_iam_policy_document" "this" {
       actions = [
         "${statement.value}:List*",
         "${statement.value}:Get*",
+        "${statement.value}:BatchGet*",
         "${statement.value}:Describe*",
         "${statement.value}:View*",
       ]
@@ -44,6 +45,7 @@ data "aws_iam_policy_document" "this" {
       actions = [
         "${statement.value}:List*",
         "${statement.value}:Get*",
+        "${statement.value}:BatchGet*",
         "${statement.value}:Describe*",
         "${statement.value}:View*",
       ]
diff --git a/modules/iam-role/README.md b/modules/iam-role/README.md
@@ -141,8 +141,10 @@ No modules.
 |------|------|
 | [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
@@ -151,13 +153,16 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_assume_role_policy_statements"></a> [assume\_role\_policy\_statements](#input\_assume\_role\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string, "Allow")<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_condition"></a> [condition](#input\_condition) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy(s) enabled | <pre>list(object({<br/>    test     = string<br/>    variable = string<br/>    values   = list(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_instance_profile"></a> [create\_instance\_profile](#input\_create\_instance\_profile) | Determines whether to create an instance profile | `bool` | `false` | no |
 | <a name="input_description"></a> [description](#input\_description) | Description of the role | `string` | `null` | no |
 | <a name="input_enable_bitbucket_oidc"></a> [enable\_bitbucket\_oidc](#input\_enable\_bitbucket\_oidc) | Enable Bitbucket OIDC provider trust for the role | `bool` | `false` | no |
 | <a name="input_enable_github_oidc"></a> [enable\_github\_oidc](#input\_enable\_github\_oidc) | Enable GitHub OIDC provider trust for the role | `bool` | `false` | no |
 | <a name="input_enable_oidc"></a> [enable\_oidc](#input\_enable\_oidc) | Enable OIDC provider trust for the role | `bool` | `false` | no |
 | <a name="input_enable_saml"></a> [enable\_saml](#input\_enable\_saml) | Enable SAML provider trust for the role | `bool` | `false` | no |
+| <a name="input_github_provider"></a> [github\_provider](#input\_github\_provider) | The GitHub OIDC provider URL *without the `https://` prefix | `string` | `"token.actions.githubusercontent.com"` | no |
+| <a name="input_inline_policy_statements"></a> [inline\_policy\_statements](#input\_inline\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for inline policy permissions | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string, "Allow")<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | `null` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | `number` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to use on IAM role created | `string` | `null` | no |
 | <a name="input_oidc_account_id"></a> [oidc\_account\_id](#input\_oidc\_account\_id) | An overriding AWS account ID where the OIDC provider lives; leave empty to use the current account ID for the AWS provider | `string` | `null` | no |
diff --git a/modules/iam-role/main.tf b/modules/iam-role/main.tf
@@ -10,7 +10,6 @@ locals {
   partition  = try(data.aws_partition.current[0].partition, "")
 
   oidc_providers     = [for url in var.oidc_provider_urls : replace(url, "https://", "")]
-  github_provider    = coalesce(one(local.oidc_providers), "token.actions.githubusercontent.com")
   bitbucket_provider = one(local.oidc_providers)
 }
 
@@ -26,8 +25,11 @@ data "aws_iam_policy_document" "this" {
     for_each = var.enable_oidc ? local.oidc_providers : []
 
     content {
-      effect  = "Allow"
-      actions = ["sts:AssumeRoleWithWebIdentity"]
+      effect = "Allow"
+      actions = [
+        "sts:TagSession",
+        "sts:AssumeRoleWithWebIdentity",
+      ]
 
       principals {
         type = "Federated"
@@ -59,11 +61,22 @@ data "aws_iam_policy_document" "this" {
         for_each = length(var.oidc_audiences) > 0 ? local.oidc_providers : []
 
         content {
-          test     = "StringLike"
+          test     = "StringEquals"
           variable = "${statement.value}:aud"
           values   = var.oidc_audiences
         }
       }
+
+      # Generic conditions
+      dynamic "condition" {
+        for_each = var.condition
+
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+      }
     }
   }
 
@@ -75,31 +88,57 @@ data "aws_iam_policy_document" "this" {
       sid = "GithubOidcAuth"
       actions = [
         "sts:TagSession",
-        "sts:AssumeRoleWithWebIdentity"
+        "sts:AssumeRoleWithWebIdentity",
       ]
 
       principals {
         type        = "Federated"
-        identifiers = ["arn:${local.partition}:iam::${local.account_id}:oidc-provider/${local.github_provider}"]
+        identifiers = ["arn:${local.partition}:iam::${local.account_id}:oidc-provider/${var.github_provider}"]
       }
 
       condition {
         test     = "ForAllValues:StringEquals"
-        variable = "token.actions.githubusercontent.com:iss"
-        values   = ["http://token.actions.githubusercontent.com"]
+        variable = "${var.github_provider}:iss"
+        values   = ["https://${var.github_provider}"]
       }
 
       condition {
         test     = "ForAllValues:StringEquals"
-        variable = "${local.github_provider}:aud"
+        variable = "${var.github_provider}:aud"
         values   = coalescelist(var.oidc_audiences, ["sts.amazonaws.com"])
       }
 
-      condition {
-        test     = "StringLike"
-        variable = "${local.github_provider}:sub"
-        # Strip `repo:` to normalize for cases where users may prepend it
-        values = [for subject in var.oidc_subjects : "repo:${trimprefix(subject, "repo:")}"]
+      dynamic "condition" {
+        for_each = length(var.oidc_subjects) > 0 ? [1] : []
+
+        content {
+          test     = "StringEquals"
+          variable = "${var.github_provider}:sub"
+          # Strip `repo:` to normalize for cases where users may prepend it
+          values = [for subject in var.oidc_subjects : "repo:${trimprefix(subject, "repo:")}"]
+        }
+      }
+
+      dynamic "condition" {
+        for_each = length(var.oidc_wildcard_subjects) > 0 ? [1] : []
+
+        content {
+          test     = "StringLike"
+          variable = "${var.github_provider}:sub"
+          # Strip `repo:` to normalize for cases where users may prepend it
+          values = [for subject in var.oidc_wildcard_subjects : "repo:${trimprefix(subject, "repo:")}"]
+        }
+      }
+
+      # Generic conditions
+      dynamic "condition" {
+        for_each = var.condition
+
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
       }
     }
   }
@@ -112,7 +151,7 @@ data "aws_iam_policy_document" "this" {
       sid = "BitbucketOidcAuth"
       actions = [
         "sts:TagSession",
-        "sts:AssumeRoleWithWebIdentity"
+        "sts:AssumeRoleWithWebIdentity",
       ]
 
       principals {
@@ -126,10 +165,35 @@ data "aws_iam_policy_document" "this" {
         values   = coalescelist(var.oidc_audiences, ["sts.amazonaws.com"])
       }
 
-      condition {
-        test     = "StringLike"
-        variable = "${local.bitbucket_provider}:sub"
-        values   = var.oidc_subjects
+      dynamic "condition" {
+        for_each = length(var.oidc_subjects) > 0 ? [1] : []
+
+        content {
+          test     = "StringEquals"
+          variable = "${local.bitbucket_provider}:sub"
+          values   = var.oidc_subjects
+        }
+      }
+
+      dynamic "condition" {
+        for_each = length(var.oidc_wildcard_subjects) > 0 ? [1] : []
+
+        content {
+          test     = "StringLike"
+          variable = "${local.bitbucket_provider}:sub"
+          values   = var.oidc_wildcard_subjects
+        }
+      }
+
+      # Generic conditions
+      dynamic "condition" {
+        for_each = var.condition
+
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
       }
     }
   }
@@ -139,8 +203,13 @@ data "aws_iam_policy_document" "this" {
     for_each = var.enable_saml ? [1] : []
 
     content {
-      effect  = "Allow"
-      actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.saml_trust_actions)))
+      effect = "Allow"
+      actions = compact(distinct(concat(
+        [
+          "sts:TagSession",
+          "sts:AssumeRoleWithSAML",
+        ],
+      var.saml_trust_actions)))
 
       principals {
         type        = "Federated"
@@ -152,6 +221,17 @@ data "aws_iam_policy_document" "this" {
         variable = "SAML:aud"
         values   = var.saml_endpoints
       }
+
+      # Generic conditions
+      dynamic "condition" {
+        for_each = var.condition
+
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+      }
     }
   }
 
@@ -221,6 +301,68 @@ resource "aws_iam_role_policy_attachment" "this" {
   role       = aws_iam_role.this[0].name
 }
 
+################################################################################
+# IAM Role Inline policy
+################################################################################
+
+locals {
+  create_iam_role_inline_policy = var.create && length(var.inline_policy_statements) > 0
+}
+
+data "aws_iam_policy_document" "inline" {
+  count = local.create_iam_role_inline_policy ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.inline_policy_statements != null ? var.inline_policy_statements : {}
+
+    content {
+      sid           = try(coalesce(statement.value.sid, statement.key))
+      actions       = statement.value.actions
+      not_actions   = statement.value.not_actions
+      effect        = statement.value.effect
+      resources     = statement.value.resources
+      not_resources = statement.value.not_resources
+
+      dynamic "principals" {
+        for_each = statement.value.principals != null ? statement.value.principals : []
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = statement.value.condition != null ? statement.value.condition : []
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "inline" {
+  count = local.create_iam_role_inline_policy ? 1 : 0
+
+  role        = aws_iam_role.this[0].name
+  name        = var.use_name_prefix ? null : var.name
+  name_prefix = var.use_name_prefix ? "${var.name}-" : null
+  policy      = data.aws_iam_policy_document.inline[0].json
+}
+
 ################################################################################
 # IAM Instance Profile
 ################################################################################
diff --git a/modules/iam-role/variables.tf b/modules/iam-role/variables.tf
diff --git a/wrappers/iam-role/main.tf b/wrappers/iam-role/main.tf
