feat: Add support for cross account access in iam-assumable-role-with-oidc (#158)

Author: cebidhem

modules/iam-assumable-role-with-oidc/README.md

@@ -43,6 +43,7 @@ No modules.
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | <a name="input_number_of_role_policy_arns"></a> [number\_of\_role\_policy\_arns](#input\_number\_of\_role\_policy\_arns) | Number of IAM policies to attach to IAM role | `number` | `null` | no |
+| <a name="input_oidc_fully_qualified_audiences"></a> [oidc\_fully\_qualified\_audiences](#input\_oidc\_fully\_qualified\_audiences) | The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. | `set(string)` | `[]` | no |
 | <a name="input_oidc_fully_qualified_subjects"></a> [oidc\_fully\_qualified\_subjects](#input\_oidc\_fully\_qualified\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
 | <a name="input_oidc_subjects_with_wildcards"></a> [oidc\_subjects\_with\_wildcards](#input\_oidc\_subjects\_with\_wildcards) | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
 | <a name="input_provider_url"></a> [provider\_url](#input\_provider\_url) | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |

modules/iam-assumable-role-with-oidc/main.tf

@@ -48,6 +48,16 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
           values   = var.oidc_subjects_with_wildcards
         }
       }
+
+      dynamic "condition" {
+        for_each = length(var.oidc_fully_qualified_audiences) > 0 ? local.urls : []
+
+        content {
+          test     = "StringLike"
+          variable = "${statement.value}:aud"
+          values   = var.oidc_fully_qualified_audiences
+        }
+      }
     }
   }
 }

modules/iam-assumable-role-with-oidc/variables.tf

@@ -89,6 +89,12 @@ variable "oidc_subjects_with_wildcards" {
   default     = []
 }
 
+variable "oidc_fully_qualified_audiences" {
+  description = "The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise."
+  type        = set(string)
+  default     = []
+}
+
 variable "force_detach_policies" {
   description = "Whether policies should be detached from this role when destroying"
   type        = bool