feat!: Upgrade AWS provider and min required Terraform version to 6.0 and 1.5.7 respectively #585


Merged (21 commits) Aug 13, 2025

Conversation

@bryantbiggs bryantbiggs commented Aug 12, 2025

List of backwards incompatible changes

See the docs/UPGRADE-6.0.md guide for more details

  • Terraform v1.5.7 is now minimum supported version

  • AWS provider v6.0.0 is now minimum supported version

  • The ability to allow roles to assume their own roles has been removed. This was previously added as part of helping users mitigate https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/. Going forward, users will need to mitigate this on the application side (i.e. - do not have a role assume itself), or update the trust policy in their implementation to continue using this behavior. It is strongly recommended to mitigate this by not having the role assume itself.

  • iam-account:

    • The aws_caller_identity data source and associated outputs have been removed. Users should instead use the data source directly in their configuration
  • iam-assumable-role has been renamed to iam-role

  • iam-assumable-role-with-oidc has been merged into iam-role

  • iam-assumable-role-with-saml has been merged into iam-role

  • iam-assumable-roles has been removed; iam-role should be used instead

  • iam-assumable-roles-with-saml has been removed; iam-role should be used instead

  • iam-github-oidc-provider has been renamed to iam-oidc-provider

  • iam-github-oidc-role has been merged into iam-role

  • iam-group-with-policies has been renamed to iam-group

  • iam-group-with-assumable-roles-policy has been merged into iam-group

  • iam-eks-role has been removed; iam-role-for-service-accounts or eks-pod-identity should be used instead

  • iam-policy has been removed; the aws_iam_policy resource should be used directly instead

  • iam-role-for-service-accounts-eks has been renamed to iam-role-for-service-accounts

    • Individual policy creation and attachment has been consolidated under one policy creation and attachment
    • Default values that enable permissive permissions have been removed; users will need to be explicit about the scope of access (i.e. ARNs) they provide when enabling permissions
    • AppMesh policy support has been removed due to service reaching end of support

```mermaid
stateDiagram
    direction LR

    # Old
    assumeRole: iam-assumable-role
    assumeRoleOIDC: iam-assumable-role-with-oidc
    assumeRoleSAML: iam-assumable-role-with-saml
    assumeRoles: iam-assumable-roles
    assumeRolesSAML: iam-assumable-roles-with-saml
    githubOIDCProvider: iam-github-oidc-provider
    githubOIDCRole: iam-github-oidc-role
    groupWithAssumablePolicy: iam-group-with-assumable-roles-policy
    groupWithPolicies: iam-group-with-policies

    # New
    group: iam-group
    oidcProvider: iam-oidc-provider
    role: iam-role

    assumeRole --> role
    assumeRoleOIDC --> role
    assumeRoleSAML --> role
    assumeRoles --> role
    assumeRolesSAML --> role
    githubOIDCRole --> role

    groupWithAssumablePolicy --> group
    groupWithPolicies --> group

    githubOIDCProvider --> oidcProvider
```

Additional changes

Modified

  • Variable definitions now contain detailed object types in place of the previously used any type

  • iam-group

    • Policy management has been updated to support extending the policy created by the sub-module, as well as adding additional policies that will be attached to the group
    • The role assumption permissions have been removed from the policy; users can extend the policy to add this if needed via permissions
    • Default create conditional is now true instead of false
  • iam-role

    • The use of individual variables to control/manipulate the assume role trust policy has been replaced by a generic trust_policy_permissions variable. This allows for any number of custom statements to be added to the role's trust policy.
    • custom_role_policy_arns has been renamed to policies and now accepts a map of name: policy-arn pairs; this allows for both existing policies and policies that will get created at the same time as the role. This also replaces the admin, readonly, and poweruser policy ARN variables and their associated attach_*_policy variables.
    • Default create conditional is now true instead of false
    • force_detach_policies has been removed; this is now always true
    • Support for inline policies has been added
  • iam-role-for-service-accounts

    • Support for inline policies has been added

Motivation and Context

Breaking Changes

  • Yes

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request
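An added migration example (not part of the PR or the module's own docs) showing a v5 iam-assumable-role call beside its v6 iam-role equivalent, with the trust policy expressed through trust_policy_permissions and the attach_*_policy/custom_role_policy_arns inputs collapsed into the policies map. The exact field names inside trust_policy_permissions statements and the v6 `name` input are assumptions to be checked against docs/UPGRADE-6.0.md; the account ID is a constructed placeholder.

```hcl
# --- v5 (before): iam-assumable-role ---
module "deploy_role_v5" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "~> 5.60"

  create_role       = true                 # v5 default was false
  role_name         = "deploy-role"
  role_requires_mfa = true
  trusted_role_arns = ["arn:aws:iam::111122223333:root"]  # constructed account ID

  attach_readonly_policy  = true
  custom_role_policy_arns = [aws_iam_policy.deploy.arn]
}

# --- v6 (after): iam-role ---
module "deploy_role_v6" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
  version = "~> 6.0"

  name = "deploy-role"                     # create now defaults to true

  # Trust is declared as explicit statements (field shape assumed from the v6
  # README). The role no longer trusts itself; list only the principals that
  # genuinely need to assume it, and keep the MFA condition from v5.
  trust_policy_permissions = {
    TrustAccountWithMFA = {
      actions = ["sts:AssumeRole", "sts:TagSession"]
      principals = [{
        type        = "AWS"
        identifiers = ["arn:aws:iam::111122223333:root"]  # constructed
      }]
      condition = [{
        test     = "Bool"
        variable = "aws:MultiFactorAuthPresent"
        values   = ["true"]
      }]
    }
  }

  # attach_readonly_policy + custom_role_policy_arns become one name -> ARN map;
  # values may be existing ARNs or policies created in the same apply.
  policies = {
    ReadOnlyAccess = "arn:aws:iam::aws:policy/ReadOnlyAccess"
    Deploy         = aws_iam_policy.deploy.arn
  }
}
```

Run `terraform plan` after the rewrite and confirm the only diff on the trust policy is the removal of the self-assume statement.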

@antonbabenko antonbabenko left a comment

Lots of awesome stuff! :)

@bryantbiggs bryantbiggs merged commit 31b31d7 into terraform-aws-modules:master Aug 13, 2025
20 checks passed
@bryantbiggs bryantbiggs deleted the feat/upgrade-pt2 branch August 13, 2025 19:50
antonbabenko pushed a commit that referenced this pull request Aug 13, 2025
## [6.0.0](v5.60.0...v6.0.0) (2025-08-13)

### ⚠ BREAKING CHANGES

* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively (#585)

### Features

* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively ([#585](#585)) ([31b31d7](31b31d7))
@antonbabenko
This PR is included in version 6.0.0 🎉