feat: Add create_custom_role_trust_policy to control when a custom_role_trust_policy should be used (#321)

Co-authored-by: Bryant Biggs <[email protected]>

Author: egarbi

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.82.0
+    rev: v1.83.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

examples/iam-assumable-role/main.tf

@@ -104,8 +104,9 @@ module "iam_assumable_role_custom_trust_policy" {
 
   role_name = "iam_assumable_role_custom_trust_policy"
 
-  custom_role_trust_policy = data.aws_iam_policy_document.custom_trust_policy.json
-  custom_role_policy_arns  = ["arn:aws:iam::aws:policy/AmazonCognitoReadOnly"]
+  create_custom_role_trust_policy = true
+  custom_role_trust_policy        = data.aws_iam_policy_document.custom_trust_policy.json
+  custom_role_policy_arns         = ["arn:aws:iam::aws:policy/AmazonCognitoReadOnly"]
 }
 
 data "aws_iam_policy_document" "custom_trust_policy" {

modules/iam-assumable-role/README.md

@@ -46,10 +46,11 @@ No modules.
 | <a name="input_attach_admin_policy"></a> [attach\_admin\_policy](#input\_attach\_admin\_policy) | Whether to attach an admin policy to a role | `bool` | `false` | no |
 | <a name="input_attach_poweruser_policy"></a> [attach\_poweruser\_policy](#input\_attach\_poweruser\_policy) | Whether to attach a poweruser policy to a role | `bool` | `false` | no |
 | <a name="input_attach_readonly_policy"></a> [attach\_readonly\_policy](#input\_attach\_readonly\_policy) | Whether to attach a readonly policy to a role | `bool` | `false` | no |
+| <a name="input_create_custom_role_trust_policy"></a> [create\_custom\_role\_trust\_policy](#input\_create\_custom\_role\_trust\_policy) | Whether to create a custom\_role\_trust\_policy. Prevent errors with count, when custom\_role\_trust\_policy is computed | `bool` | `false` | no |
 | <a name="input_create_instance_profile"></a> [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an instance profile | `bool` | `false` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no |
 | <a name="input_custom_role_policy_arns"></a> [custom\_role\_policy\_arns](#input\_custom\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
-| <a name="input_custom_role_trust_policy"></a> [custom\_role\_trust\_policy](#input\_custom\_role\_trust\_policy) | A custom role trust policy | `string` | `""` | no |
+| <a name="input_custom_role_trust_policy"></a> [custom\_role\_trust\_policy](#input\_custom\_role\_trust\_policy) | A custom role trust policy. (Only valid if create\_custom\_role\_trust\_policy = true) | `string` | `""` | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | <a name="input_mfa_age"></a> [mfa\_age](#input\_mfa\_age) | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |

modules/iam-assumable-role/main.tf

@@ -2,14 +2,15 @@ data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
 
 locals {
-  account_id          = data.aws_caller_identity.current.account_id
-  partition           = data.aws_partition.current.partition
-  role_sts_externalid = flatten([var.role_sts_externalid])
-  role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
+  account_id                         = data.aws_caller_identity.current.account_id
+  partition                          = data.aws_partition.current.partition
+  role_sts_externalid                = flatten([var.role_sts_externalid])
+  role_name_condition                = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
+  custom_role_trust_policy_condition = var.create_custom_role_trust_policy ? var.custom_role_trust_policy : ""
 }
 
 data "aws_iam_policy_document" "assume_role" {
-  count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 0 : 1
+  count = !var.create_custom_role_trust_policy && var.role_requires_mfa ? 0 : 1
 
   dynamic "statement" {
     # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
@@ -68,7 +69,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 data "aws_iam_policy_document" "assume_role_with_mfa" {
-  count = var.custom_role_trust_policy == "" && var.role_requires_mfa ? 1 : 0
+  count = !var.create_custom_role_trust_policy && var.role_requires_mfa ? 1 : 0
 
   dynamic "statement" {
     # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
@@ -151,7 +152,7 @@ resource "aws_iam_role" "this" {
   permissions_boundary  = var.role_permissions_boundary_arn
 
   assume_role_policy = coalesce(
-    var.custom_role_trust_policy,
+    local.custom_role_trust_policy_condition,
     try(data.aws_iam_policy_document.assume_role_with_mfa[0].json,
       data.aws_iam_policy_document.assume_role[0].json
     )

modules/iam-assumable-role/variables.tf

@@ -83,11 +83,17 @@ variable "custom_role_policy_arns" {
 }
 
 variable "custom_role_trust_policy" {
-  description = "A custom role trust policy"
+  description = "A custom role trust policy. (Only valid if create_custom_role_trust_policy = true)"
   type        = string
   default     = ""
 }
 
+variable "create_custom_role_trust_policy" {
+  description = "Whether to create a custom_role_trust_policy. Prevent errors with count, when custom_role_trust_policy is computed"
+  type        = bool
+  default     = false
+}
+
 variable "number_of_custom_role_policy_arns" {
   description = "Number of IAM policies to attach to IAM role"
   type        = number