feat: Last minute variable name changes for improved ergonomics

Author: bryantbiggs

README.md

@@ -45,7 +45,7 @@ module "iam_group" {
   ]
 
   enable_self_management_permissions = true
-  permission_statements = {
+  permissions = {
     AssumeRole = {
       actions   = ["sts:AssumeRole"]
       resources = ["arn:aws:iam::111111111111:role/admin"]
@@ -67,7 +67,8 @@ module "iam_group" {
 
 Creates an OpenID connect provider. Useful for trusting external identity providers such as GitHub, Bitbucket, etc.
 
-⚠️ An IAM provider is 1 per account per given URL. This module would be provisioned once per AWS account, and then one or more roles can be created with this provider as the trusted identity.
+> [!TIP]
+> An IAM provider is 1 per account per given URL. This module would be provisioned once per AWS account, and then one or more roles can be created with this provider as the trusted identity.
 
 ```hcl
 module "iam_oidc_provider" {
@@ -113,15 +114,15 @@ module "iam_role" {
 
   name = "example"
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       principals = [{
         type = "AWS"
         identifiers = [
           "arn:aws:iam::835367859851:user/anton",
         ]
       }]
-      conditions = [{
+      condition = [{
         test     = "StringEquals"
         variable = "sts:ExternalId"
         values   = ["some-secret-id"]
@@ -153,7 +154,7 @@ module "iam_role_github_oidc" {
   enable_github_oidc = true
 
   # This should be updated to suit your organization, repository, references/branches, etc.
-  oidc_subjects = ["terraform-aws-modules/terraform-aws-iam:*"]
+  oidc_wildcard_subjects = ["terraform-aws-modules/terraform-aws-iam:*"]
 
   policies = {
     S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
@@ -200,7 +201,7 @@ Creates an IAM role that is suitable for EKS IAM role for service accounts (IRSA
 
 ```hcl
 module "vpc_cni_irsa" {
-  source      = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
 
   name   = "vpc-cni"
 

docs/UPGRADE-6.0.md

@@ -6,6 +6,8 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 
 ## List of backwards incompatible changes
 
+- Terraform `v1.5.7` is now minimum supported version
+- AWS provider `v6.0.0` is now minimum supported version
 - The ability to allow roles to assume their own roles has been removed. This was previously added as part of helping users mitigate https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/. Going forward, users will need to mitigate this on the application side (i.e. - do not have a role assume itself), or update the trust policy in their implementation to continue using this behavior. It is strongly recommended to mitigate this by not having the role assume itself.
 
 - `iam-account`:
@@ -21,11 +23,13 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 - `iam-group-with-assumable-roles-policy` has been merged into `iam-group`
 - `iam-eks-role` has been removed; `iam-role-for-service-accounts` or [`eks-pod-identity`](https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity) should be used instead
 - `iam-policy` has been removed; the `aws_iam_policy` resource should be used directly instead
-- `iam-role-for-service-accounts`:
+- `iam-role-for-service-accounts-eks` has been renamed to `iam-role-for-service-accounts`
     - Individual policy creation and attachment has been consolidated under one policy creation and attachment
     - Default values that enable permissive permissions have been removed; users will need to be explicit about the scope of access (i.e. ARNs) they provide when enabling permissions
     - AppMesh policy support has been removed due to service reaching end of support
 
+### Module Consolidation Map
+
 ```mermaid
 stateDiagram
     direction LR
@@ -63,15 +67,20 @@ stateDiagram
 
 ### Modified
 
+- Variable definitions now contain detailed `object` types in place of the previously used any type
+
 - `iam-group`
     - Policy management has been updated to support extending the policy created by the sub-module, as well as adding additional policies that will be attached to the group
-    - The role assumption permissions has been removed from the policy; users can extend the policy to add this if needed via `permission_statements`
+    - The role assumption permissions has been removed from the policy; users can extend the policy to add this if needed via `permissions`
     - Default create conditional is now `true` instead of `false`
 - `iam-role`
-    - The use of individual variables to control/manipulate the assume role trust policy have been replaced by a generic `assume_role_policy_statements` variable. This allows for any number of custom statements to be added to the role's trust policy.
+    - The use of individual variables to control/manipulate the assume role trust policy have been replaced by a generic `trust_policy_permissions` variable. This allows for any number of custom statements to be added to the role's trust policy.
     - `custom_role_policy_arns` has been renamed to `policies` and now accepts a map of `name`: `policy-arn` pairs; this allows for both existing policies and policies that will get created at the same time as the role. This also replaces the admin, readonly, and poweruser policy ARN variables and their associated `attach_*_policy` variables.
     - Default create conditional is now `true` instead of `false`
     - `force_detach_policies` has been removed; this is now always `true`
+    - Support for inline policies has been added
+- `iam-role-for-service-accounts`
+    - Support for inline policies has been added
 
 ### Variable and output changes
 
@@ -85,7 +94,7 @@ stateDiagram
     - `iam-oidc-provider`
         - `additional_thumbprints` - no longer required by GitHub
     - `iam-read-only-policy`
-        - None
+        - `additional_policy_json` - use `source_inline_policy_documents` or `override_inline_policy_documents` instead
     - `iam-role`
         - `trusted_role_actions`
         - `trusted_role_arns`
@@ -150,6 +159,7 @@ stateDiagram
         - `role_description` -> `description`
         - `role_policy_arns` -> `policies`
         - `ebs_csi_kms_cmk_ids` -> `ebs_csi_kms_cmk_arns`
+        - `assume_role_condition_test` -> `trust_condition_test`
     - `iam-user`
         - `create_user` -> `create`
         - `create_iam_user_login_profile` -> `create_login_profile`
@@ -163,23 +173,34 @@ stateDiagram
     - `iam-account`
         - `create`
     - `iam-group`
-        - `permission_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
+        - `permissions` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
         - `path`/`policy_path`
         - `create_policy`
         - `enable_mfa_enforcment`
     - `iam-oidc-provider`
         - None
     - `iam-read-only-policy`
         - `create`
+        - `source_policy_documents`
+        - `override_policy_documents`
     - `iam-role`
-        - `assume_role_policy_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
+        - `trust_policy_permissions` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
+        - `trust_policy_conditions`
+        - `create_inline_policy`
+        - `source_inline_policy_documents`
+        - `override_inline_policy_documents`
+        - `inline_policy_permissions`
     - `iam-role-for-service-accounts`
         - `create_policy`
         - `source_policy_documents`
         - `override_policy_documents`
-        - `policy_statements`
+        - `permissions`
         - `policy_name`
         - `policy_description`
+        - `create_inline_policy`
+        - `source_inline_policy_documents`
+        - `override_inline_policy_documents`
+        - `inline_policy_permissions`
     - `iam-user`
         - None
 
@@ -289,7 +310,7 @@ module "iam_role" {
 -    "codedeploy.amazonaws.com"
 -  ]
 -  role_sts_externalid = ["some-id-goes-here"]
-+  assume_role_policy_statements = {
++  trust_policy_permissions = {
 +    TrustRoleAndServiceToAssume = {
 +      actions = [
 +        "sts:AssumeRole",
@@ -367,7 +388,7 @@ module "iam_role" {
 +  }
 
 -  provider_trust_policy_conditions = [
-+  condition = [
++  trust_policy_conditions = [
     {
       test     = "StringLike"
       variable = "aws:RequestTag/Environment"
@@ -467,7 +488,7 @@ module "iam_role_admin" {
 
   name = "admin"
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       actions = [
         "sts:AssumeRole",
@@ -500,7 +521,7 @@ module "iam_role_poweruser" {
 
   name = "Billing-And-Support-Access"
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       actions = [
         "sts:AssumeRole",
@@ -668,7 +689,7 @@ module "iam_role" {
   ]
 
 -  additional_trust_policy_conditions = [
-+  condition = [
++  trust_policy_conditions = [
     {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:actor"
@@ -697,7 +718,7 @@ module "iam_group" {
   enable_self_management_permissions = false
 
 -  assumable_roles = ["arn:aws:iam::111111111111:role/admin"]
-+  permission_statements = {
++  permissions = {
 +    AssumeRole = {
 +      effect    = "Allow"
 +      actions   = ["sts:AssumeRole"]

examples/iam-group/main.tf

@@ -26,7 +26,7 @@ module "iam_group" {
     module.iam_user2.name,
   ]
 
-  permission_statements = {
+  permissions = {
     AssumeRole = {
       actions   = ["sts:AssumeRole"]
       resources = ["arn:aws:iam::111111111111:role/admin"]

examples/iam-role/main.tf

@@ -44,7 +44,7 @@ module "iam_roles" {
 
   name = each.key
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       principals = [{
         type        = "AWS"
@@ -88,7 +88,7 @@ module "iam_role_instance_profile" {
 
   create_instance_profile = true
 
-  assume_role_policy_statements = {
+  trust_policy_permissions = {
     TrustRoleAndServiceToAssume = {
       principals = [
         {

modules/iam-account/README.md

@@ -6,7 +6,7 @@ Creates an account policy and account alias. Module instantiation is once per ac
 
 ```hcl
 module "iam_account" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-account"
+  source = "terraform-aws-modules/iam/aws//modules/iam-account"
 
   account_alias = "awesome-company"
 

modules/iam-group/README.md

@@ -17,7 +17,7 @@ module "iam_group" {
   ]
 
   enable_self_management_permissions = true
-  permission_statements = {
+  permissions = {
     AssumeRole = {
       actions   = ["sts:AssumeRole"]
       resources = ["arn:aws:iam::111111111111:role/admin"]
@@ -76,7 +76,7 @@ No modules.
 | <a name="input_enable_self_management_permissions"></a> [enable\_self\_management\_permissions](#input\_enable\_self\_management\_permissions) | Determines whether permissions are added to the policy which allow the groups IAM users to manage their credentials and MFA | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | The group's name. The name must consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `=,.@-_.` | `string` | `""` | no |
 | <a name="input_path"></a> [path](#input\_path) | Path in which to create the group | `string` | `null` | no |
-| <a name="input_permission_statements"></a> [permission\_statements](#input\_permission\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string, "Allow")<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_permissions"></a> [permissions](#input\_permissions) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permissions | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string, "Allow")<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | `null` | no |
 | <a name="input_policies"></a> [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
 | <a name="input_policy_description"></a> [policy\_description](#input\_policy\_description) | Description of the IAM policy | `string` | `null` | no |
 | <a name="input_policy_name"></a> [policy\_name](#input\_policy\_name) | Name to use on IAM policy created | `string` | `null` | no |

modules/iam-group/main.tf

@@ -39,7 +39,7 @@ resource "aws_iam_group_membership" "this" {
 ################################################################################
 
 locals {
-  create_policy = var.create && var.create_policy && (var.enable_self_management_permissions || var.permission_statements != null)
+  create_policy = var.create && var.create_policy && (var.enable_self_management_permissions || var.permissions != null)
 
   policy_name = try(coalesce(var.policy_name, var.name), "")
 }
@@ -198,7 +198,7 @@ data "aws_iam_policy_document" "this" {
   }
 
   dynamic "statement" {
-    for_each = var.permission_statements != null ? var.permission_statements : {}
+    for_each = var.permissions != null ? var.permissions : {}
 
     content {
       sid           = try(coalesce(statement.value.sid, statement.key))

modules/iam-group/variables.tf

@@ -54,8 +54,8 @@ variable "enable_mfa_enforcment" {
   default     = true
 }
 
-variable "permission_statements" {
-  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+variable "permissions" {
+  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permissions"
   type = map(object({
     sid           = optional(string)
     actions       = optional(list(string))

modules/iam-read-only-policy/README.md

@@ -52,16 +52,17 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_additional_policy_json"></a> [additional\_policy\_json](#input\_additional\_policy\_json) | JSON policy document if you want to add custom actions | `string` | `""` | no |
 | <a name="input_allow_cloudwatch_logs_query"></a> [allow\_cloudwatch\_logs\_query](#input\_allow\_cloudwatch\_logs\_query) | Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions | `bool` | `true` | no |
 | <a name="input_allow_predefined_sts_actions"></a> [allow\_predefined\_sts\_actions](#input\_allow\_predefined\_sts\_actions) | Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions | `bool` | `true` | no |
 | <a name="input_allow_web_console_services"></a> [allow\_web\_console\_services](#input\_allow\_web\_console\_services) | Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services) | `bool` | `true` | no |
 | <a name="input_allowed_services"></a> [allowed\_services](#input\_allowed\_services) | List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_policy"></a> [create\_policy](#input\_create\_policy) | Controls if IAM policy should be created. Set to `false` to generate the policy JSON without creating the policy itself | `bool` | `true` | no |
-| <a name="input_description"></a> [description](#input\_description) | The description of the policy | `string` | `"IAM Policy"` | no |
+| <a name="input_description"></a> [description](#input\_description) | The description of the policy | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to use on IAM policy created | `string` | `null` | no |
-| <a name="input_path"></a> [path](#input\_path) | Path of IAM policy | `string` | `"/"` | no |
+| <a name="input_override_inline_policy_documents"></a> [override\_inline\_policy\_documents](#input\_override\_inline\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
+| <a name="input_path"></a> [path](#input\_path) | Path of IAM policy | `string` | `null` | no |
+| <a name="input_source_inline_policy_documents"></a> [source\_inline\_policy\_documents](#input\_source\_inline\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether the IAM policy name (`name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_web_console_services"></a> [web\_console\_services](#input\_web\_console\_services) | List of web console services to allow | `list(string)` | <pre>[<br/>  "resource-groups",<br/>  "tag",<br/>  "health",<br/>  "ce"<br/>]</pre> | no |

modules/iam-read-only-policy/main.tf

@@ -17,7 +17,8 @@ resource "aws_iam_policy" "policy" {
 data "aws_iam_policy_document" "this" {
   count = var.create ? 1 : 0
 
-  source_policy_documents = [var.additional_policy_json]
+  source_policy_documents   = var.source_inline_policy_documents
+  override_policy_documents = var.override_inline_policy_documents
 
   dynamic "statement" {
     for_each = toset(distinct(var.allowed_services))