diff --git a/aws-iam-role-cloudfront-poweruser/README.md b/aws-iam-role-cloudfront-poweruser/README.md
index 7edd9bf8..39ee4cb5 100644
--- a/aws-iam-role-cloudfront-poweruser/README.md
+++ b/aws-iam-role-cloudfront-poweruser/README.md
@@ -10,7 +10,8 @@ This module will create a role which is granted poweruser control over AWS Cloud
 | iam\_path | | string | `"/"` | no |
 | role\_name | Name of the role to create | string | n/a | yes |
 | s3\_bucket\_prefixes | Limits role permissions to buckets with specific prefixes. Empty for all buckets. | list | `` | no |
-| source\_account\_id | AWS Account that can assume this role. | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 ## Outputs
diff --git a/aws-iam-role-cloudfront-poweruser/main.tf b/aws-iam-role-cloudfront-poweruser/main.tf
index aa7d1007..d6e7c93c 100755
--- a/aws-iam-role-cloudfront-poweruser/main.tf
+++ b/aws-iam-role-cloudfront-poweruser/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
+
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
- actions = ["sts:AssumeRole"]
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
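Review bot: Both `dynamic "statement"` blocks in the new `assume-role` document are keyed on `compact([...])` of a variable that now defaults to `""`, so a caller who sets neither `source_account_id` nor `saml_idp_arn` gets a trust policy with no statements at all, whereas before this change the AWS-principal statement was unconditional because the variable was required. Terraform will not flag that at plan time; if AWS rejects the statement-less document, or simply creates a role that nobody can assume, the failure surfaces at apply with nothing pointing at the two variables. I would say so at the top of the document, `# At least one of var.source_account_id / var.saml_idp_arn must be non-empty; otherwise this policy has no statements and the role trusts nobody.`, and add a `validation` block on one of the variables if the module targets a Terraform version that supports it. As a point of style, `identifiers = ["${var.saml_idp_arn}"]` is the legacy interpolation-only form; with 0.12 `dynamic` syntax already in use it should read `identifiers = [var.saml_idp_arn]`. The same hunk appears in main.tf of aws-iam-role-crossacct, -ec2-poweruser, -ecs-poweruser, -infraci (lines ordered differently), -poweruser, -readonly, -route53domains-poweruser and -security-audit.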
diff --git a/aws-iam-role-cloudfront-poweruser/variables.tf b/aws-iam-role-cloudfront-poweruser/variables.tf
index 1d9032f5..23aff3d7 100755
--- a/aws-iam-role-cloudfront-poweruser/variables.tf
+++ b/aws-iam-role-cloudfront-poweruser/variables.tf
@@ -1,8 +1,3 @@
-variable "source_account_id" {
- type = "string"
- description = "AWS Account that can assume this role."
-}
-
 variable "role_name" {
 type = "string"
 description = "Name of the role to create"
@@ -21,3 +16,15 @@ variable "iam_path" {
 type = "string"
 default = "/"
 }
+
+variable "source_account_id" {
+ type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-crossacct/README.md b/aws-iam-role-crossacct/README.md
index 0e1c1ec3..1cd40879 100644
--- a/aws-iam-role-crossacct/README.md
+++ b/aws-iam-role-crossacct/README.md
@@ -23,7 +23,8 @@ module "group" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | The IAM path to put this role in. | string | `"/"` | no |
 | role\_name | The name of the role. | string | n/a | yes |
-| source\_account\_id | The AWS account id that should be able to assume this role. | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 ## Outputs
diff --git a/aws-iam-role-crossacct/main.tf b/aws-iam-role-crossacct/main.tf
index 8e62b7ea..f96d0d7f 100644
--- a/aws-iam-role-crossacct/main.tf
+++ b/aws-iam-role-crossacct/main.tf
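Review bot: The descriptions of the two added variables say each is "Ignored if empty or not provided" but never that at least one of the pair has to be set, which is the one fact a caller needs now that `source_account_id` is no longer required; I would extend both, e.g. `description = "The source AWS account to establish a trust relationship. Ignored if empty; at least one of source_account_id or saml_idp_arn must be set."`. The types are written in the quoted legacy form `type = "string"` while main.tf of the same module already relies on 0.12-only `dynamic` blocks, so `type = string` is the form to use for the two new declarations. The same wording and type form are repeated in the variables.tf hunks of the other eight modules in this commit.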
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
+
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
- actions = ["sts:AssumeRole"]
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index 1bc816b4..5e4bfa43 100755
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
@@ -9,6 +9,13 @@ variable "iam_path" {
 }
 variable "source_account_id" {
- description = "The AWS account id that should be able to assume this role."
 type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
 }
diff --git a/aws-iam-role-ec2-poweruser/README.md b/aws-iam-role-ec2-poweruser/README.md
index 4469b671..7d6d2b9a 100644
--- a/aws-iam-role-ec2-poweruser/README.md
+++ b/aws-iam-role-ec2-poweruser/README.md
@@ -25,7 +25,8 @@ module "ec2-poweruser" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | | string | `"/"` | no |
 | role\_name | | string | n/a | yes |
-| source\_account\_id | | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 ## Outputs
diff --git a/aws-iam-role-ec2-poweruser/main.tf b/aws-iam-role-ec2-poweruser/main.tf
index 206e6f51..d0b703f3 100755
--- a/aws-iam-role-ec2-poweruser/main.tf
+++ b/aws-iam-role-ec2-poweruser/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
+
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
- actions = ["sts:AssumeRole"]
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
diff --git a/aws-iam-role-ec2-poweruser/variables.tf b/aws-iam-role-ec2-poweruser/variables.tf
index c7450473..d019da3c 100755
--- a/aws-iam-role-ec2-poweruser/variables.tf
+++ b/aws-iam-role-ec2-poweruser/variables.tf
@@ -1,7 +1,3 @@
-variable "source_account_id" {
- type = "string"
-}
-
 variable "role_name" {
 type = "string"
 }
@@ -10,3 +6,15 @@ variable "iam_path" {
 type = "string"
 default = "/"
 }
+
+variable "source_account_id" {
+ type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-ecs-poweruser/README.md b/aws-iam-role-ecs-poweruser/README.md
index a2d2c2f7..7a494713 100644
--- a/aws-iam-role-ecs-poweruser/README.md
+++ b/aws-iam-role-ecs-poweruser/README.md
@@ -24,7 +24,8 @@ module "ec2-poweruser" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | | string | `"/"` | no |
 | role\_name | | string | n/a | yes |
-| source\_account\_id | | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 ## Outputs
diff --git a/aws-iam-role-ecs-poweruser/main.tf b/aws-iam-role-ecs-poweruser/main.tf
index 8a29a25b..e053eeb6 100755
--- a/aws-iam-role-ecs-poweruser/main.tf
+++ b/aws-iam-role-ecs-poweruser/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
+
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
- actions = ["sts:AssumeRole"]
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
diff --git a/aws-iam-role-ecs-poweruser/variables.tf b/aws-iam-role-ecs-poweruser/variables.tf
index c7450473..d019da3c 100755
--- a/aws-iam-role-ecs-poweruser/variables.tf
+++ b/aws-iam-role-ecs-poweruser/variables.tf
@@ -1,7 +1,3 @@
-variable "source_account_id" {
- type = "string"
-}
-
 variable "role_name" {
 type = "string"
 }
@@ -10,3 +6,15 @@ variable "iam_path" {
 type = "string"
 default = "/"
 }
+
+variable "source_account_id" {
+ type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-infraci/README.md b/aws-iam-role-infraci/README.md
index 6aabd8d0..e02c50b3 100644
--- a/aws-iam-role-infraci/README.md
+++ b/aws-iam-role-infraci/README.md
@@ -9,8 +9,9 @@ Creates a role useful for running `terraform plan` in CI jobs.
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | | string | `"/"` | no |
 | role\_name | | string | `"infraci"` | no |
-| source\_account\_id | | string | n/a | yes |
 | terraform\_state\_lock\_dynamodb\_arns | "A list of unique identifiers (ARNs) of state file DynamoDB tables" | string | `[]` | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 ## Outputs
diff --git a/aws-iam-role-infraci/main.tf b/aws-iam-role-infraci/main.tf
index bf0ae3e3..329f5c14 100755
--- a/aws-iam-role-infraci/main.tf
+++ b/aws-iam-role-infraci/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
- actions = ["sts:AssumeRole"]
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
+
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
diff --git a/aws-iam-role-infraci/variables.tf b/aws-iam-role-infraci/variables.tf
index 3a95f57c..b597ffd7 100755
--- a/aws-iam-role-infraci/variables.tf
+++ b/aws-iam-role-infraci/variables.tf
@@ -1,7 +1,3 @@
-variable "source_account_id" {
- type = "string"
-}
-
 variable "role_name" {
 default = "infraci"
 }
@@ -15,3 +11,15 @@ variable "terraform_state_lock_dynamodb_arns" {
 default = []
 description = "ARNs of the state file DynamoDB tables"
 }
+
+variable "source_account_id" {
+ type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-poweruser/README.md b/aws-iam-role-poweruser/README.md
index 7b2fbab5..e782a4e0 100644
--- a/aws-iam-role-poweruser/README.md
+++ b/aws-iam-role-poweruser/README.md
@@ -11,7 +11,7 @@ module "group" {
 # defaults to "poweruser"
 role_name = "..."
- # The id of the other AWS account that can assume this role.
+ # The id of the other AWS account that can assume this role.
 source_account_id = "..."
 }
 ```
@@ -23,7 +23,8 @@ module "group" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | | string | `"/"` | no |
 | role\_name | | string | `"poweruser"` | no |
-| source\_account\_id | | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 ## Outputs
diff --git a/aws-iam-role-poweruser/main.tf b/aws-iam-role-poweruser/main.tf
index 1d4d2e78..02210e57 100755
--- a/aws-iam-role-poweruser/main.tf
+++ b/aws-iam-role-poweruser/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
+
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
- actions = ["sts:AssumeRole"]
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
diff --git a/aws-iam-role-poweruser/variables.tf b/aws-iam-role-poweruser/variables.tf
index c4646091..a408c10b 100755
--- a/aws-iam-role-poweruser/variables.tf
+++ b/aws-iam-role-poweruser/variables.tf
@@ -4,7 +4,15 @@ variable "role_name" {
 }
 variable "source_account_id" {
- type = "string"
+ type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
 }
 variable "iam_path" {
diff --git a/aws-iam-role-readonly/README.md b/aws-iam-role-readonly/README.md
index ca2f74c4..ba097ee0 100644
--- a/aws-iam-role-readonly/README.md
+++ b/aws-iam-role-readonly/README.md
@@ -27,7 +27,8 @@ output "role_name" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | | string | `"/"` | no |
 | role\_name | | string | `"readonly"` | no |
-| source\_account\_id | The AWS account from which this role should be assumeable. | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 ## Outputs
diff --git a/aws-iam-role-readonly/main.tf b/aws-iam-role-readonly/main.tf
index a44a2b39..597bcb1f 100755
--- a/aws-iam-role-readonly/main.tf
+++ b/aws-iam-role-readonly/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
+
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
- actions = ["sts:AssumeRole"]
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
diff --git a/aws-iam-role-readonly/variables.tf b/aws-iam-role-readonly/variables.tf
index 7bedc861..0d3dc3e1 100755
--- a/aws-iam-role-readonly/variables.tf
+++ b/aws-iam-role-readonly/variables.tf
@@ -1,8 +1,3 @@
-variable "source_account_id" {
- type = "string"
- description = "The AWS account from which this role should be assumeable."
-}
-
 variable "iam_path" {
 type = "string"
 default = "/"
@@ -11,3 +6,15 @@ variable "iam_path" {
 variable "role_name" {
 default = "readonly"
 }
+
+variable "source_account_id" {
+ type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-route53domains-poweruser/README.md b/aws-iam-role-route53domains-poweruser/README.md
index 049314d5..210f93d5 100644
--- a/aws-iam-role-route53domains-poweruser/README.md
+++ b/aws-iam-role-route53domains-poweruser/README.md
@@ -24,7 +24,8 @@ module "route53domains-poweruser" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | | string | `"/"` | no |
 | role\_name | | string | `"route53domains-poweruser"` | no |
-| source\_account\_id | | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 ## Outputs
diff --git a/aws-iam-role-route53domains-poweruser/main.tf b/aws-iam-role-route53domains-poweruser/main.tf
index 5b76e270..61a34dde 100644
--- a/aws-iam-role-route53domains-poweruser/main.tf
+++ b/aws-iam-role-route53domains-poweruser/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
+
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
- actions = ["sts:AssumeRole"]
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
diff --git a/aws-iam-role-route53domains-poweruser/variables.tf b/aws-iam-role-route53domains-poweruser/variables.tf
index f62e4d1e..3e2c3bfe 100644
--- a/aws-iam-role-route53domains-poweruser/variables.tf
+++ b/aws-iam-role-route53domains-poweruser/variables.tf
@@ -1,7 +1,3 @@
-variable "source_account_id" {
- type = "string"
-}
-
 variable "role_name" {
 type = "string"
 default = "route53domains-poweruser"
@@ -11,3 +7,15 @@ variable "iam_path" {
 type = "string"
 default = "/"
 }
+
+variable "source_account_id" {
+ type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-security-audit/README.md b/aws-iam-role-security-audit/README.md
index 82f1b120..2aee05e8 100644
--- a/aws-iam-role-security-audit/README.md
+++ b/aws-iam-role-security-audit/README.md
@@ -19,6 +19,7 @@ module "group" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | | string | `"/"` | no |
 | role\_name | The name of this role. | string | `"security-audit"` | no |
-| source\_account\_id | The AWS account from which this role should be assumeable. | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
diff --git a/aws-iam-role-security-audit/main.tf b/aws-iam-role-security-audit/main.tf
index 4390bdd0..c52f6a21 100755
--- a/aws-iam-role-security-audit/main.tf
+++ b/aws-iam-role-security-audit/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
- statement {
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ dynamic "statement" {
+ for_each = compact([var.source_account_id])
+ content {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+ }
+ actions = ["sts:AssumeRole"]
 }
+ }
+
+ dynamic "statement" {
+ for_each = compact([var.saml_idp_arn])
+ content {
+ principals {
+ type = "Federated"
+ identifiers = ["${var.saml_idp_arn}"]
+ }
- actions = ["sts:AssumeRole"]
+ actions = ["sts:AssumeRoleWithSAML"]
+
+ condition {
+ test = "StringEquals"
+ variable = "SAML:aud"
+ values = ["https://signin.aws.amazon.com/saml"]
+ }
+ }
 }
 }
diff --git a/aws-iam-role-security-audit/variables.tf b/aws-iam-role-security-audit/variables.tf
index 087328a9..5fd8612a 100755
--- a/aws-iam-role-security-audit/variables.tf
+++ b/aws-iam-role-security-audit/variables.tf
@@ -1,8 +1,3 @@
-variable "source_account_id" {
- type = "string"
- description = "The AWS account from which this role should be assumeable."
-}
-
 variable "role_name" {
 type = "string"
 description = "The name of this role."
@@ -13,3 +8,15 @@ variable "iam_path" {
 type = "string"
 default = "/"
 }
+
+variable "source_account_id" {
+ type = "string"
+ default = ""
+ description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+ type = "string"
+ default = ""
+ description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}