feat: iam-assumable-roles-with-saml - Allow for multiple provider ids (#110)

Author: ravanapel

examples/iam-assumable-roles-with-saml/main.tf

@@ -7,6 +7,11 @@ resource "aws_iam_saml_provider" "idp_saml" {
   saml_metadata_document = file("saml-metadata.xml")
 }
 
+resource "aws_iam_saml_provider" "second_idp_saml" {
+  name                   = "second_idp_saml"
+  saml_metadata_document = file("saml-metadata.xml")
+}
+
 ###############################
 # IAM assumable roles with SAML
 ###############################
@@ -24,6 +29,23 @@ module "iam_assumable_roles_with_saml" {
   provider_id = aws_iam_saml_provider.idp_saml.id
 }
 
+###############################
+# IAM assumable roles with SAML
+###############################
+
+module "iam_assumable_roles_with_saml_second_provider" {
+  source = "../../modules/iam-assumable-roles-with-saml"
+
+  create_admin_role = true
+
+  create_poweruser_role = true
+  poweruser_role_name   = "developer"
+
+  create_readonly_role = true
+
+  provider_ids = [aws_iam_saml_provider.idp_saml.id, aws_iam_saml_provider.second_idp_saml.id]
+}
+
 #################################################################
 # Create custom role with SAML idp trust and additional policies
 #################################################################

modules/iam-assumable-roles-with-saml/README.md

@@ -40,7 +40,8 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume
 | poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | `string` | `""` | no |
 | poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/PowerUserAccess"<br>]</pre> | no |
 | poweruser\_role\_tags | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no |
-| provider\_id | ID of the SAML Provider | `string` | n/a | yes |
+| provider\_id | ID of the SAML Provider. Use provider\_ids to specify several IDs. | `string` | `""` | no |
+| provider\_ids | List of SAML Provider IDs | `list(string)` | `[]` | no |
 | readonly\_role\_name | IAM role with readonly access | `string` | `"readonly"` | no |
 | readonly\_role\_path | Path of readonly IAM role | `string` | `"/"` | no |
 | readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | `string` | `""` | no |

modules/iam-assumable-roles-with-saml/main.tf

@@ -1,12 +1,17 @@
+locals {
+  identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id])))
+}
+
 data "aws_iam_policy_document" "assume_role_with_saml" {
   statement {
     effect = "Allow"
 
     actions = ["sts:AssumeRoleWithSAML"]
 
     principals {
-      type        = "Federated"
-      identifiers = [var.provider_id]
+      type = "Federated"
+
+      identifiers = local.identifiers
     }
 
     condition {

modules/iam-assumable-roles-with-saml/variables.tf

@@ -1,6 +1,13 @@
 variable "provider_id" {
-  description = "ID of the SAML Provider"
+  description = "ID of the SAML Provider. Use provider_ids to specify several IDs."
   type        = string
+  default     = ""
+}
+
+variable "provider_ids" {
+  description = "List of SAML Provider IDs"
+  type        = list(string)
+  default     = []
 }
 
 variable "aws_saml_endpoint" {