Update docs for assume role config (#406)

wata727 · web-flow · commit 9d19fcd5a547 · 2022-12-05T01:32:28.000+09:00
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -14,6 +14,13 @@ plugin "aws" {
     region     = "us-east-1"
     profile    = "AWS_PROFILE"
     shared_credentials_file = "~/.aws/credentials"
+
+    assume_role {
+        role_arn     = "arn:aws:iam::123456789012:role/ROLE_NAME"
+        external_id  = "EXTERNAL_ID"
+        policy       = "..."
+        session_name = "SESSION_NAME"
+    }
 }
 ```
 
@@ -52,3 +59,9 @@ AWS shared credentials profile name used in the deep checking.
 Default: Profile declared in the `provider` block or `~/.aws/credentials` when the deep checking is enabled.
 
 AWS shared credentials file path used in the deep checking.
+
+## `assume_role`
+
+Default: Assume role config declared in the `provider` block.
+
+AWS assume role config used in the deep checking.
diff --git a/docs/deep_checking.md b/docs/deep_checking.md
@@ -37,7 +37,6 @@ Credentials can be set in several ways. Each is referenced in the following orde
 - ECS and CodeBuild task roles
 - EC2 role
 
-
 ### Static credentials
 
 If you have an access key and a secret key, you can pass these keys like the following:
@@ -53,7 +52,7 @@ plugin "aws" {
 }
 ```
 
-Although there is not recommended, if an access key is hard-coded in a provider configuration, they will also be taken into account. However, aliases are not supported. The priority is higher than the environment variable and lower than the above way.
+Although there is not recommended, if an access key is hard-coded in a provider configuration, they will also be taken into account. The priority is higher than the environment variable and lower than the above way.
 
 ```hcl
 provider "aws" {
@@ -105,6 +104,20 @@ This plugin fetches credentials in the same way as Terraform. See [this document
 
 This plugin can assume a role in the same way as Terraform. See [this documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role).
 
+You can also declare the assume role config in the plugin config:
+
+```hcl
+plugin "aws" {
+  enabled = true
+
+  deep_check = true
+
+  assume_role {
+    role_arn = "arn:aws:iam::123456789012:role/ROLE_NAME"
+  }
+}
+```
+
 ## Required permissions
 
 The following policy document provides the minimal set permissions necessary for the deep checking:
