Releases: terraform-aws-modules/terraform-aws-iam
v6.1.1
v6.1.0
v6.0.1
v6.0.0
6.0.0 (2025-08-13)
âš BREAKING CHANGES
- Upgrade AWS provider and min required Terraform version to
6.0and1.5.7respectively (#585)
See docs/UPGRADE-6.0.md for further details
List of backwards incompatible changes
-
Terraform
v1.5.7is now minimum supported version -
AWS provider
v6.0.0is now minimum supported version -
The ability to allow roles to assume their own roles has been removed. This was previously added as part of helping users mitigate https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/. Going forward, users will need to mitigate this on the application side (i.e. - do not have a role assume itself), or update the trust policy in their implementation to continue using this behavior. It is strongly recommended to mitigate this by not having the role assume itself.
-
iam-account:- The
aws_caller_identitydata source and associated outputs have been removed. Users should instead use the data source directly in their configuration
- The
-
iam-assumable-rolehas been renamed toiam-role -
iam-assumable-role-with-oidchas been merged intoiam-role -
iam-assumable-role-with-samlhas been merged intoiam-role -
iam-assumable-roleshas been removed;iam-roleshould be used instead -
iam-assumable-roles-with-samlhas been removed;iam-roleshould be used instead -
iam-github-oidc-providerhas been renamed toiam-oidc-provider -
iam-github-oidc-rolehas been merged intoiam-role -
iam-group-with-policieshas been renamed toiam-group -
iam-group-with-assumable-roles-policyhas been merged intoiam-group -
iam-eks-rolehas been removed;iam-role-for-service-accountsoreks-pod-identityshould be used instead -
iam-role-for-service-accounts-ekshas been renamed toiam-role-for-service-accounts- Individual policy creation and attachment has been consolidated under one policy creation and attachment
- Default values that enable permissive permissions have been removed; users will need to be explicit about the scope of access (i.e. ARNs) they provide when enabling permissions
- AppMesh policy support has been removed due to service reaching end of support
Additional changes
Modified
-
Variable definitions now contain detailed
objecttypes in place of the previously used any type -
iam-group- Policy management has been updated to support extending the policy created by the sub-module, as well as adding additional policies that will be attached to the group
- The role assumption permissions has been removed from the policy; users can extend the policy to add this if needed via
permissions - Default create conditional is now
trueinstead offalse
-
iam-role- The use of individual variables to control/manipulate the assume role trust policy have been replaced by a generic
trust_policy_permissionsvariable. This allows for any number of custom statements to be added to the role's trust policy. custom_role_policy_arnshas been renamed topoliciesand now accepts a map ofname:policy-arnpairs; this allows for both existing policies and policies that will get created at the same time as the role. This also replaces the admin, readonly, and poweruser policy ARN variables and their associatedattach_*_policyvariables.- Default create conditional is now
trueinstead offalse force_detach_policieshas been removed; this is now alwaystrue- Support for inline policies has been added
- The use of individual variables to control/manipulate the assume role trust policy have been replaced by a generic
-
iam-role-for-service-accounts- Support for inline policies has been added