feat: Merge iam-role-oidc and iam-role-saml into iam-role

Author: bryantbiggs

README.md

@@ -2,8 +2,6 @@
 
 Terraform module which creates AWS IAM resources.
 
-### ⚠️ JUST FOR TESTING - DO NOT RELY ON THIS ⚠️
-
 [![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)
 
 ## Usage
@@ -47,13 +45,12 @@ module "iam_group" {
   ]
 
   enable_self_management_permissions = true
-  permission_statements = [
-    {
-      sid       = "AssumeRole"
+  permission_statements = {
+    AssumeRole = {
       actions   = ["sts:AssumeRole"]
       resources = ["arn:aws:iam::111111111111:role/admin"]
     }
-  ]
+  }
 
   policies = {
     AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess",
@@ -106,40 +103,52 @@ module "iam_read_only_policy" {
 }
 ```
 
-### IAM Role for Service Accounts (IRSA)
+### IAM Role
 
-Creates an IAM role that is suitable for EKS IAM role for service accounts (IRSA) with a set of pre-defined policies for common EKS addons.
+Creates an IAM role with a trust policy and (optional) IAM instance profile. Useful for service roles such as EC2, ECS, etc., or roles assumed across AWS accounts.
 
 ```hcl
-module "vpc_cni_irsa" {
-  source      = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
-
-  name   = "vpc-cni"
+module "iam_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
 
-  attach_vpc_cni_policy = true
-  vpc_cni_enable_ipv4   = true
+  name = "example"
 
-  oidc_providers = {
-    this = {
-      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
-      namespace_service_accounts = ["kube-system:aws-node"]
+  assume_role_policy_statements = {
+    TrustRoleAndServiceToAssume = {
+      principals = [{
+        type = "AWS"
+        identifiers = [
+          "arn:aws:iam::835367859851:user/anton",
+        ]
+      }]
+      conditions = [{
+        test     = "StringEquals"
+        variable = "sts:ExternalId"
+        values   = ["some-secret-id"]
+      }]
     }
   }
 
+  policies = {
+    AmazonCognitoReadOnly      = "arn:aws:iam::aws:policy/AmazonCognitoReadOnly"
+    AlexaForBusinessFullAccess = "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"
+    custom                     = aws_iam_policy.this.arn
+  }
+
   tags = {
     Terraform   = "true"
     Environment = "dev"
   }
 }
 ```
 
-### OIDC IAM Role
+### IAM Role - GitHub OIDC
 
 Creates an IAM role that trusts an OpenID connect provider. Useful for trusting external identity providers such as GitHub, Bitbucket, etc.
 
 ```hcl
-module "iam_oidc_role" {
-  source    = "terraform-aws-modules/iam/aws//modules/iam-oidc-role"
+module "iam_role_github_oidc" {
+  source    = "terraform-aws-modules/iam/aws//modules/iam-role"
 
   enable_github_oidc = true
 
@@ -157,16 +166,17 @@ module "iam_oidc_role" {
 }
 ```
 
-### SAML IAM Role
+### IAM Role - SAML 2.0
 
 Creates an IAM role that trusts a SAML provider. Useful for trusting external identity providers such as Okta, OneLogin, etc.
 
 ```hcl
 module "iam_role_saml" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-saml"
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
 
   name = "example"
 
+  enable_saml       = true
   saml_provider_ids = ["arn:aws:iam::235367859851:saml-provider/idp_saml"]
 
   policies = {
@@ -180,37 +190,24 @@ module "iam_role_saml" {
 }
 ```
 
-### IAM Role
+### IAM Role for EKS Service Accounts (IRSA)
 
-Creates an IAM role with a trust policy and (optional) IAM instance profile. Useful for service roles such as EC2, ECS, etc., or roles assumed across AWS accounts.
+Creates an IAM role that is suitable for EKS IAM role for service accounts (IRSA) with a set of pre-defined policies for common EKS addons.
 
 ```hcl
-module "iam_role" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
+module "vpc_cni_irsa" {
+  source      = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts"
 
-  name = "example"
+  name   = "vpc-cni"
 
-  assume_role_policy_statements = [
-    {
-      sid = "TrustRoleAndServiceToAssume"
-      principals = [{
-        type = "AWS"
-        identifiers = [
-          "arn:aws:iam::835367859851:user/anton",
-        ]
-      }]
-      conditions = [{
-        test     = "StringEquals"
-        variable = "sts:ExternalId"
-        values   = ["some-secret-id"]
-      }]
-    }
-  ]
+  attach_vpc_cni_policy = true
+  vpc_cni_enable_ipv4   = true
 
-  policies = {
-    AmazonCognitoReadOnly      = "arn:aws:iam::aws:policy/AmazonCognitoReadOnly"
-    AlexaForBusinessFullAccess = "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"
-    custom                     = aws_iam_policy.this.arn
+  oidc_providers = {
+    this = {
+      provider_arn               = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
+      namespace_service_accounts = ["kube-system:aws-node"]
+    }
   }
 
   tags = {
@@ -249,7 +246,6 @@ module "iam_user" {
 - [iam-read-only-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-read-only-policy) - Create IAM read-only policy
 - [iam-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role) - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
 - [iam-role-for-service-accounts](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-for-service-accounts) - Create IAM role for service accounts (IRSA) for use within EKS clusters
-- [iam-role-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-saml) - Create individual IAM role which can be assumed by users with a SAML Identity Provider
 - [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys (with PGP enabled or disabled)
 
 ## Authors

UPGRADE-6.0.md renamed to docs/UPGRADE-6.0.md

@@ -7,14 +7,14 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 ## List of backwards incompatible changes
 
 - `iam-assumable-role` has been renamed to `iam-role`
-- `iam-assumable-role-with-oidc` has been renamed to `iam-role-oidc`
-- `iam-assumable-role-with-saml` has been renamed to `iam-role-saml`
+- `iam-assumable-role-with-oidc` has been merged into `iam-role`
+- `iam-assumable-role-with-saml` has been merged into `iam-role`
 - `iam-assumable-roles` has been removed; `iam-role` should be used instead. See the [`iam-role` example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role) that shows an example replacement implementation.
-- `iam-assumable-roles-with-saml` has been removed; `iam-role-saml` should be used instead. See the [`iam-role-saml` example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-saml) that shows an example replacement implementation.
+- `iam-assumable-roles-with-saml` has been removed; `iam-role` should be used instead. See the [`iam-role` example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-role-saml) that shows an example replacement implementation.
 - `iam-github-oidc-provider` has been renamed to `iam-oidc-provider`
-- `iam-github-oidc-role` has been removed; `iam-role-oidc` should be used instead. See the [`iam-oidc-provider` example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-oidc-provider)
+- `iam-github-oidc-role` has been merged into `iam-role`. See the [`iam-oidc-provider` example](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-oidc-provider)
 - `iam-group-with-assumable-roles-policy` has been removed; the renamed `iam-group` (was `iam-group-with-policies`) should be used instead
-- `iam-eks-role` has been removed; `iam-role-for-service-accounts-eks` should be used instead
+- `iam-eks-role` has been removed; `iam-role-for-service-accounts` should be used instead
 - `iam-policy` has been removed; the `aws_iam_policy` resource should be used directly instead
 
 ## Additional changes
@@ -26,14 +26,6 @@ If you find a bug, please open an issue with supporting configuration to reprodu
     - `custom_role_policy_arns` has been renamed to `policies` and now accepts a map of `name`: `policy-arn` pairs; this allows for both existing policies and policies that will get created at the same time as the role. This also replaces the admin, readonly, and poweruser policy ARN variables and their associated `attach_*_policy` variables.
     - Default create conditional is now `true` instead of `false`
     - `force_detach_policies` has been removed; this is now always `true`
-- `iam-role-oidc`
-    - `custom_role_policy_arns` has been renamed to `policies` and now accepts a map of `name`: `policy-arn` pairs; this allows for both existing policies and policies that will get created at the same time as the role.
-    - Default create conditional is now `true` instead of `false`
-    - `force_detach_policies` has been removed; this is now always `true`
-- `iam-role-saml`
-    - `custom_role_policy_arns` has been renamed to `policies` and now accepts a map of `name`: `policy-arn` pairs; this allows for both existing policies and policies that will get created at the same time as the role.
-    - Default create conditional is now `true` instead of `false`
-    - `force_detach_policies` has been removed; this is now always `true`
 - `iam-group`
     - Policy management has been updated to support extending the policy created by the sub-module, as well as adding additional policies that will be attached to the group
     - The role assumption permissions has been removed from the policy; users can extend the policy to add this if needed via `permission_statements`
@@ -56,12 +48,6 @@ If you find a bug, please open an issue with supporting configuration to reprodu
         - `readonly_role_policy_arn` & `attach_readonly_policy`
         - `force_detach_policies`
         - `role_sts_externalid`
-    - `iam-role-oidc`
-        - `force_detach_policies`
-        - `number_of_custom_role_policy_arns`
-    - `iam-role-saml`
-        - `force_detach_policies`
-        - `number_of_custom_role_policy_arns`
     - `iam-group`
         - `custom_group_policies`
         - `assumable_roles`
@@ -76,24 +62,6 @@ If you find a bug, please open an issue with supporting configuration to reprodu
         - `role_path` -> `path`
         - `role_permissions_boundary_arn` -> `permissions_boundary_arn`
         - `custom_role_policy_arns` -> `policies`
-    - `iam-role-oidc`
-        - `create_role` -> `create`
-        - `role_name` -> `name`
-        - `role_name_prefix` -> `name_prefix`
-        - `role_description` -> `description`
-        - `role_path` -> `path`
-        - `role_permissions_boundary_arn` -> `permissions_boundary_arn`
-        - `custom_role_policy_arns` -> `policies`
-    - `iam-role-saml`
-        - `create_role` -> `create`
-        - `role_name` -> `name`
-        - `role_name_prefix` -> `name_prefix`
-        - `role_description` -> `description`
-        - `role_path` -> `path`
-        - `role_permissions_boundary_arn` -> `permissions_boundary_arn`
-        - `custom_role_policy_arns` -> `policies`
-        - `aws_saml_endpoint` -> `saml_endpoints`
-        - `trusted_role_actions` -> `saml_trust_actions`
     - `iam-group`
         - `create_group` -> `create`
         - `group_users` -> `group`
@@ -106,10 +74,6 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 
     - `iam-role`
         - `assume_role_policy_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
-    - `iam-role-oidc`
-        - `assume_role_policy_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
-    - `iam-role-saml`
-        - `assume_role_policy_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
     - `iam-group`
         - `permission_statements` which allows for any number of custom statements to be added to the role's trust policy. This covers the majority of the variables that were removed
         - `path`/`policy_path`
@@ -123,12 +87,6 @@ If you find a bug, please open an issue with supporting configuration to reprodu
         - `role_requires_mfa`
         - `iam_instance_profile_path`
         - `role_sts_externalid`
-    - `iam-role-oidc`
-        - `iam_role_path`
-        - `provider_url` (use `oidc_provider_urls` instead)
-    - `iam-role-saml`
-        - `iam_role_path`
-        - `provider_id` (use `saml_provider_ids` instead)
     - `iam-group`
         - `assumable_roles`
         - `aws_account_id`
@@ -143,18 +101,6 @@ If you find a bug, please open an issue with supporting configuration to reprodu
         - `iam_instance_profile_id` -> `instance_profile_id`
         - `iam_instance_profile_name` -> `instance_profile_name`
         - `iam_instance_profile_unique_id` -> `instance_profile_unique_id`
-    - `iam-role-oidc`
-        - `iam_role_arn` -> `arn`
-        - `iam_role_name` -> `name`
-        - `iam_role_unique_id` -> `unique_id`
-        - `aws_account_id` -> `oidc_account_id`
-        - `provider_urls` -> `oidc_provider_urls`
-    - `iam-role-oidc`
-        - `iam_role_arn` -> `arn`
-        - `iam_role_name` -> `name`
-        - `iam_role_unique_id` -> `unique_id`
-        - `aws_account_id` -> `oidc_account_id`
-        - `provider_ids` -> `saml_provider_ids`
     - `iam-group`
         - `group_id` -> `id`
         - `group_name` -> `name`

examples/iam-oidc-provider/README.md

@@ -34,9 +34,8 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_github_oidc_iam_provider"></a> [github\_oidc\_iam\_provider](#module\_github\_oidc\_iam\_provider) | ../../modules/iam-oidc-provider | n/a |
-| <a name="module_github_oidc_iam_role"></a> [github\_oidc\_iam\_role](#module\_github\_oidc\_iam\_role) | ../../modules/iam-role-oidc | n/a |
+| <a name="module_github_oidc_iam_role"></a> [github\_oidc\_iam\_role](#module\_github\_oidc\_iam\_role) | ../../modules/iam-role | n/a |
 | <a name="module_oidc_iam_provider_disabled"></a> [oidc\_iam\_provider\_disabled](#module\_oidc\_iam\_provider\_disabled) | ../../modules/iam-oidc-provider | n/a |
-| <a name="module_oidc_iam_role_disabled"></a> [oidc\_iam\_role\_disabled](#module\_oidc\_iam\_role\_disabled) | ../../modules/iam-role-oidc | n/a |
 
 ## Resources
 

examples/iam-oidc-provider/main.tf

@@ -30,11 +30,11 @@ module "oidc_iam_provider_disabled" {
 }
 
 ################################################################################
-# OIDC IAM Role
+# GitHub OIDC IAM Role
 ################################################################################
 
 module "github_oidc_iam_role" {
-  source = "../../modules/iam-role-oidc"
+  source = "../../modules/iam-role"
 
   name = local.name
 
@@ -53,9 +53,3 @@ module "github_oidc_iam_role" {
 
   tags = local.tags
 }
-
-module "oidc_iam_role_disabled" {
-  source = "../../modules/iam-role-oidc"
-
-  create = false
-}