feat: Support External ID with MFA in iam-assumable-role (#159)

antonbabenko · web-flow · commit 9aad929b8baf · 2021-06-29T15:32:47.000+03:00
diff --git a/examples/iam-assumable-role/main.tf b/examples/iam-assumable-role/main.tf
@@ -75,7 +75,7 @@ module "iam_assumable_role_sts" {
   create_role = true
 
   role_name         = "custom_sts"
-  role_requires_mfa = false
+  role_requires_mfa = true
 
   role_sts_externalid = [
     "some-id-goes-here",
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
@@ -1,5 +1,5 @@
 locals {
-  role_sts_externalid = flatten(tolist(var.role_sts_externalid))
+  role_sts_externalid = flatten([var.role_sts_externalid])
 }
 
 data "aws_iam_policy_document" "assume_role" {
@@ -56,6 +56,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
       variable = "aws:MultiFactorAuthAge"
       values   = [var.mfa_age]
     }
+
+    dynamic "condition" {
+      for_each = length(local.role_sts_externalid) != 0 ? [true] : []
+      content {
+        test     = "StringEquals"
+        variable = "sts:ExternalId"
+        values   = local.role_sts_externalid
+      }
+    }
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`locals {`
`2`		`- role_sts_externalid = flatten(tolist(var.role_sts_externalid))`
	`2`	`+ role_sts_externalid = flatten([var.role_sts_externalid])`
`3`	`3`	`}`
`4`	`4`
`5`	`5`	`data "aws_iam_policy_document" "assume_role" {`
`@@ -56,6 +56,15 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {`
`56`	`56`	`variable = "aws:MultiFactorAuthAge"`
`57`	`57`	`values = [var.mfa_age]`
`58`	`58`	`}`
	`59`	`+`
	`60`	`+ dynamic "condition" {`
	`61`	`+ for_each = length(local.role_sts_externalid) != 0 ? [true] : []`
	`62`	`+ content {`
	`63`	`+ test = "StringEquals"`
	`64`	`+ variable = "sts:ExternalId"`
	`65`	`+ values = local.role_sts_externalid`
	`66`	`+ }`
	`67`	`+ }`
`59`	`68`	`}`
`60`	`69`	`}`
`61`	`70`