feat: Allows multiple STS External IDs to be provided to an assumable role (#138)

Author: mike-carey

examples/iam-assumable-role/README.md

@@ -34,6 +34,7 @@ No provider.
 |------|--------|---------|
 | iam_assumable_role_admin | ../../modules/iam-assumable-role |  |
 | iam_assumable_role_custom | ../../modules/iam-assumable-role |  |
+| iam_assumable_role_sts | ../../modules/iam-assumable-role |  |
 | iam_policy | ../../modules/iam-policy |  |
 
 ## Resources

examples/iam-assumable-role/main.tf

@@ -58,6 +58,38 @@ module "iam_assumable_role_custom" {
   #  number_of_custom_role_policy_arns = 3
 }
 
+####################################################
+# IAM assumable role with multiple sts external ids
+####################################################
+module "iam_assumable_role_sts" {
+  source = "../../modules/iam-assumable-role"
+
+  trusted_role_arns = [
+    "arn:aws:iam::307990089504:root",
+  ]
+
+  trusted_role_services = [
+    "codedeploy.amazonaws.com"
+  ]
+
+  create_role = true
+
+  role_name         = "custom_sts"
+  role_requires_mfa = false
+
+  role_sts_externalid = [
+    "some-id-goes-here",
+    "another-id-goes-here",
+  ]
+
+  custom_role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonCognitoReadOnly",
+    "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
+    module.iam_policy.arn
+  ]
+  #  number_of_custom_role_policy_arns = 3
+}
+
 #########################################
 # IAM policy
 #########################################

modules/iam-assumable-role/README.md

@@ -53,7 +53,7 @@ No Modules.
 | role\_path | Path of IAM role | `string` | `"/"` | no |
 | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | role\_requires\_mfa | Whether role requires MFA | `bool` | `true` | no |
-| role\_sts\_externalid | STS ExternalId condition value to use with a role (when MFA is not required) | `string` | `null` | no |
+| role\_sts\_externalid | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
 | tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
 | trusted\_role\_actions | Actions of STS | `list(string)` | <pre>[<br>  "sts:AssumeRole"<br>]</pre> | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |

modules/iam-assumable-role/main.tf

@@ -1,3 +1,7 @@
+locals {
+  role_sts_externalid = flatten(list(var.role_sts_externalid))
+}
+
 data "aws_iam_policy_document" "assume_role" {
   statement {
     effect = "Allow"
@@ -15,11 +19,11 @@ data "aws_iam_policy_document" "assume_role" {
     }
 
     dynamic "condition" {
-      for_each = var.role_sts_externalid != null ? [true] : []
+      for_each = length(local.role_sts_externalid) != 0 ? [true] : []
       content {
         test     = "StringEquals"
         variable = "sts:ExternalId"
-        values   = [var.role_sts_externalid]
+        values   = local.role_sts_externalid
       }
     }
   }

modules/iam-assumable-role/outputs.tf

@@ -37,4 +37,3 @@ output "role_sts_externalid" {
   description = "STS ExternalId condition value to use with a role"
   value       = var.role_sts_externalid
 }
-

modules/iam-assumable-role/variables.tf

@@ -132,8 +132,7 @@ variable "role_description" {
 }
 
 variable "role_sts_externalid" {
-  description = "STS ExternalId condition value to use with a role (when MFA is not required)"
-  type        = string
-  default     = null
+  description = "STS ExternalId condition values to use with a role (when MFA is not required)"
+  type        = any
+  default     = []
 }
-