feat: Add support for condition role_session_name when assuming a role (#379)

christiangonre · Christian González · web-flow · commit 5aabe67c945a · 2023-05-17T09:12:12.000-04:00
Co-authored-by: Christian González &lt;christian.gonzalez@intruder.io&gt;
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
@@ -62,6 +62,8 @@ No modules.
 | <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
 | <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | <a name="input_role_requires_mfa"></a> [role\_requires\_mfa](#input\_role\_requires\_mfa) | Whether role requires MFA | `bool` | `true` | no |
+| <a name="input_role_requires_session_name"></a> [role\_requires\_session\_name](#input\_role\_requires\_session\_name) | Determines if the role-session-name variable is needed when assuming a role(https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/) | `bool` | `false` | no |
+| <a name="input_role_session_name"></a> [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` | <pre>[<br>  "${aws:username}"<br>]</pre> | no |
 | <a name="input_role_sts_externalid"></a> [role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
 | <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Actions of STS | `list(string)` | <pre>[<br>  "sts:AssumeRole"<br>]</pre> | no |
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
@@ -117,6 +117,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
         values   = local.role_sts_externalid
       }
     }
+
+    dynamic "condition" {
+      for_each = var.role_requires_session_name ? [1] : []
+      content {
+        test     = "StringEquals"
+        variable = "sts:RoleSessionName"
+        values   = var.role_session_name
+      }
+    }
   }
 }
 
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
@@ -154,3 +154,15 @@ variable "allow_self_assume_role" {
   type        = bool
   default     = false
 }
+
+variable "role_requires_session_name" {
+  description = "Determines if the role-session-name variable is needed when assuming a role(https://aws.amazon.com/blogs/security/easily-control-naming-individual-iam-role-sessions/)"
+  type        = bool
+  default     = false
+}
+
+variable "role_session_name" {
+  description = "role_session_name for roles which require this parameter when being assumed. By default, you need to set your own username as role_session_name"
+  type        = list(string)
+  default     = ["$${aws:username}"]
+}

Original file line number	Diff line number	Diff line change
`@@ -117,6 +117,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {`
`117`	`117`	`values = local.role_sts_externalid`
`118`	`118`	`}`
`119`	`119`	`}`
	`120`	`+`
	`121`	`+ dynamic "condition" {`
	`122`	`+ for_each = var.role_requires_session_name ? [1] : []`
	`123`	`+ content {`
	`124`	`+ test = "StringEquals"`
	`125`	`+ variable = "sts:RoleSessionName"`
	`126`	`+ values = var.role_session_name`
	`127`	`+ }`
	`128`	`+ }`
`120`	`129`	`}`
`121`	`130`	`}`
`122`	`131`