From be29e16a9b6e067219f6ea0a84b9f25e589fe9a6 Mon Sep 17 00:00:00 2001 From: edulop Date: Wed, 27 Nov 2019 07:31:41 -0800 Subject: [PATCH 1/5] [feature] Adds support for SAML trust relationship to existing roles --- aws-iam-role-poweruser/main.tf | 31 ++++++++++++++++++++++++----- aws-iam-role-poweruser/variables.tf | 11 +++++++++- 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/aws-iam-role-poweruser/main.tf b/aws-iam-role-poweruser/main.tf index 1d4d2e78..fd37fbca 100755 --- a/aws-iam-role-poweruser/main.tf +++ b/aws-iam-role-poweruser/main.tf @@ -1,12 +1,33 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic source_account { + for_each = compact([var.source_account]) + statement { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } - actions = ["sts:AssumeRole"] + dynamic saml { + for_each = compact([var.saml_idp_arn]) + statement { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } + + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } + } resource "aws_iam_role" "poweruser" { diff --git a/aws-iam-role-poweruser/variables.tf b/aws-iam-role-poweruser/variables.tf index c4646091..f9d7a571 100755 --- a/aws-iam-role-poweruser/variables.tf +++ b/aws-iam-role-poweruser/variables.tf 
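Review bot: Because both `dynamic` blocks are guarded by `compact([...])` and `source_account_id` and `saml_idp_arn` both default to `""` (variables.tf in this patch), a caller that sets neither gets an assume-role document with no statements, so the role ends up with an empty trust policy (or IAM rejects it) and the mistake surfaces only at apply time, where leaving out the previously required `source_account_id` used to fail at plan time. I would make the module fail fast when both are empty — a `validation` block on the variables if the module can require Terraform 0.13 or later, otherwise a `locals` assertion — or at minimum state the consequence in the two descriptions. Separately, `identifiers = ["${var.saml_idp_arn}"]` is an interpolation-only expression that Terraform 0.12 (which `dynamic` already requires) deprecates; `identifiers = [var.saml_idp_arn]` is equivalent. Both points apply equally to the eight copies of this block that patch 4 adds to the cloudfront-poweruser, crossacct, ec2-poweruser, ecs-poweruser, infraci, readonly, route53domains-poweruser and security-audit modules. The hunk ends inside `resource "aws_iam_role" "poweruser"`, whose body is outside it.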
@@ -4,9 +4,18 @@ variable "role_name" { } variable "source_account_id" { - type = "string" + type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." } +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." +} + + variable "iam_path" { type = "string" default = "/" From c1c38770e2827b98123a14bb600a725d03098e89 Mon Sep 17 00:00:00 2001 From: edulop Date: Wed, 27 Nov 2019 07:36:25 -0800 Subject: [PATCH 2/5] try that? --- aws-iam-role-poweruser/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws-iam-role-poweruser/main.tf b/aws-iam-role-poweruser/main.tf index fd37fbca..a5386e55 100755 --- a/aws-iam-role-poweruser/main.tf +++ b/aws-iam-role-poweruser/main.tf @@ -1,5 +1,5 @@ data "aws_iam_policy_document" "assume-role" { - dynamic source_account { + dynamic "source_account" { for_each = compact([var.source_account]) statement { principals { @@ -10,7 +10,7 @@ data "aws_iam_policy_document" "assume-role" { } } - dynamic saml { + dynamic "saml" { for_each = compact([var.saml_idp_arn]) statement { principals { From 001215fa293dc0263ed149e048def013af5c48dc Mon Sep 17 00:00:00 2001 From: edulop Date: Wed, 27 Nov 2019 07:40:22 -0800 Subject: [PATCH 3/5] would this work? --- aws-iam-role-poweruser/main.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/aws-iam-role-poweruser/main.tf b/aws-iam-role-poweruser/main.tf index a5386e55..1ce4082b 100755 --- a/aws-iam-role-poweruser/main.tf +++ b/aws-iam-role-poweruser/main.tf 
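Review bot: The new `source_account_id` description loses the trust semantics that matter to a caller: main.tf trusts `arn:aws:iam::<account>:root`, so any IAM principal in that account that is itself permitted `sts:AssumeRole` can assume this role, not just the account's root user. I would say so in the variable, e.g. `description = "AWS account ID to trust. The role trusts that account's root principal, so any IAM principal there that is allowed sts:AssumeRole can assume it. Ignored if empty or not provided."`. Also, `type = "string"` is the legacy quoted form; since `dynamic` blocks require Terraform 0.12, `type = string` is the matching syntax, and a `required_version` constraint would make the floor explicit if none exists elsewhere in the module. The same applies to the `source_account_id`/`saml_idp_arn` blocks patch 4 adds to the other modules' variables.tf.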
@@ -1,7 +1,7 @@ data "aws_iam_policy_document" "assume-role" { - dynamic "source_account" { - for_each = compact([var.source_account]) - statement { + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { principals { type = "AWS" identifiers = ["arn:aws:iam::${var.source_account_id}:root"] @@ -10,9 +10,9 @@ data "aws_iam_policy_document" "assume-role" { } } - dynamic "saml" { + dynamic "statement" { for_each = compact([var.saml_idp_arn]) - statement { + content { principals { type = "Federated" identifiers = ["${var.saml_idp_arn}"] From 5ee13996f015172a69ade7bca95182aefdd0a17c Mon Sep 17 00:00:00 2001 From: edulop Date: Wed, 27 Nov 2019 07:51:35 -0800 Subject: [PATCH 4/5] Do all roles --- aws-iam-role-cloudfront-poweruser/main.tf | 30 +++++++++++++++---- .../variables.tf | 17 +++++++---- aws-iam-role-crossacct/main.tf | 30 +++++++++++++++---- aws-iam-role-crossacct/variables.tf | 9 +++++- aws-iam-role-ec2-poweruser/main.tf | 30 +++++++++++++++---- aws-iam-role-ec2-poweruser/variables.tf | 16 +++++++--- aws-iam-role-ecs-poweruser/main.tf | 30 +++++++++++++++---- aws-iam-role-ecs-poweruser/variables.tf | 16 +++++++--- aws-iam-role-infraci/main.tf | 30 +++++++++++++++---- aws-iam-role-infraci/variables.tf | 16 +++++++--- aws-iam-role-poweruser/main.tf | 1 - aws-iam-role-poweruser/variables.tf | 1 - aws-iam-role-readonly/main.tf | 30 +++++++++++++++---- aws-iam-role-readonly/variables.tf | 17 +++++++---- aws-iam-role-route53domains-poweruser/main.tf | 30 +++++++++++++++---- .../variables.tf | 16 +++++++--- aws-iam-role-security-audit/main.tf | 30 +++++++++++++++---- aws-iam-role-security-audit/variables.tf | 17 +++++++---- 18 files changed, 292 insertions(+), 74 deletions(-) diff --git a/aws-iam-role-cloudfront-poweruser/main.tf b/aws-iam-role-cloudfront-poweruser/main.tf index aa7d1007..d6e7c93c 100755 --- a/aws-iam-role-cloudfront-poweruser/main.tf +++ b/aws-iam-role-cloudfront-poweruser/main.tf 
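Review bot: Inside each `content` block the statement body still reads `var.source_account_id` and (in the second hunk) `var.saml_idp_arn` directly instead of the dynamic block's iterator, so the emitted statement is not tied to the element that produced it; `identifiers = ["arn:aws:iam::${statement.value}:root"]` and `identifiers = [statement.value]` keep the body dependent only on the `for_each` element, which also matters if either variable is later widened to a list. Having two `dynamic "statement"` blocks of the same type in one data source is fine in 0.12, but a one-line comment above each saying which trust path it adds (`# cross-account trust` / `# SAML federation trust`) would help the next reader. The second hunk ends inside the SAML `content` block, whose remaining lines (actions and condition) are outside it. The patch-4 copies of this code in the other modules have the same pattern.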
@@ -1,11 +1,31 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } + + dynamic "statement" { + for_each = compact([var.saml_idp_arn]) + content { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } - actions = ["sts:AssumeRole"] + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } } diff --git a/aws-iam-role-cloudfront-poweruser/variables.tf b/aws-iam-role-cloudfront-poweruser/variables.tf index 1d9032f5..23aff3d7 100755 --- a/aws-iam-role-cloudfront-poweruser/variables.tf +++ b/aws-iam-role-cloudfront-poweruser/variables.tf @@ -1,8 +1,3 @@ -variable "source_account_id" { - type = "string" - description = "AWS Account that can assume this role." -} - variable "role_name" { type = "string" description = "Name of the role to create" @@ -21,3 +16,15 @@ variable "iam_path" { type = "string" default = "/" } + +variable "source_account_id" { + type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." +} + +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." +} diff --git a/aws-iam-role-crossacct/main.tf b/aws-iam-role-crossacct/main.tf index 8e62b7ea..f96d0d7f 100644 --- a/aws-iam-role-crossacct/main.tf +++ b/aws-iam-role-crossacct/main.tf 
@@ -1,11 +1,31 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } + + dynamic "statement" { + for_each = compact([var.saml_idp_arn]) + content { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } - actions = ["sts:AssumeRole"] + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } } diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf index 1bc816b4..5e4bfa43 100755 --- a/aws-iam-role-crossacct/variables.tf +++ b/aws-iam-role-crossacct/variables.tf @@ -9,6 +9,13 @@ variable "iam_path" { } variable "source_account_id" { - description = "The AWS account id that should be able to assume this role." type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." +} + +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." } diff --git a/aws-iam-role-ec2-poweruser/main.tf b/aws-iam-role-ec2-poweruser/main.tf index 206e6f51..d0b703f3 100755 --- a/aws-iam-role-ec2-poweruser/main.tf +++ b/aws-iam-role-ec2-poweruser/main.tf 
@@ -1,11 +1,31 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } + + dynamic "statement" { + for_each = compact([var.saml_idp_arn]) + content { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } - actions = ["sts:AssumeRole"] + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } } diff --git a/aws-iam-role-ec2-poweruser/variables.tf b/aws-iam-role-ec2-poweruser/variables.tf index c7450473..d019da3c 100755 --- a/aws-iam-role-ec2-poweruser/variables.tf +++ b/aws-iam-role-ec2-poweruser/variables.tf @@ -1,7 +1,3 @@ -variable "source_account_id" { - type = "string" -} - variable "role_name" { type = "string" } @@ -10,3 +6,15 @@ variable "iam_path" { type = "string" default = "/" } + +variable "source_account_id" { + type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." +} + +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." +} diff --git a/aws-iam-role-ecs-poweruser/main.tf b/aws-iam-role-ecs-poweruser/main.tf index 8a29a25b..e053eeb6 100755 --- a/aws-iam-role-ecs-poweruser/main.tf +++ b/aws-iam-role-ecs-poweruser/main.tf 
@@ -1,11 +1,31 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } + + dynamic "statement" { + for_each = compact([var.saml_idp_arn]) + content { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } - actions = ["sts:AssumeRole"] + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } } diff --git a/aws-iam-role-ecs-poweruser/variables.tf b/aws-iam-role-ecs-poweruser/variables.tf index c7450473..d019da3c 100755 --- a/aws-iam-role-ecs-poweruser/variables.tf +++ b/aws-iam-role-ecs-poweruser/variables.tf @@ -1,7 +1,3 @@ -variable "source_account_id" { - type = "string" -} - variable "role_name" { type = "string" } @@ -10,3 +6,15 @@ variable "iam_path" { type = "string" default = "/" } + +variable "source_account_id" { + type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." +} + +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." +} diff --git a/aws-iam-role-infraci/main.tf b/aws-iam-role-infraci/main.tf index bf0ae3e3..329f5c14 100755 --- a/aws-iam-role-infraci/main.tf +++ b/aws-iam-role-infraci/main.tf 
@@ -1,11 +1,31 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } - actions = ["sts:AssumeRole"] + dynamic "statement" { + for_each = compact([var.saml_idp_arn]) + content { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } + + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } } diff --git a/aws-iam-role-infraci/variables.tf b/aws-iam-role-infraci/variables.tf index 3a95f57c..b597ffd7 100755 --- a/aws-iam-role-infraci/variables.tf +++ b/aws-iam-role-infraci/variables.tf @@ -1,7 +1,3 @@ -variable "source_account_id" { - type = "string" -} - variable "role_name" { default = "infraci" } @@ -15,3 +11,15 @@ variable "terraform_state_lock_dynamodb_arns" { default = [] description = "ARNs of the state file DynamoDB tables" } + +variable "source_account_id" { + type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." +} + +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." +} diff --git a/aws-iam-role-poweruser/main.tf b/aws-iam-role-poweruser/main.tf index 1ce4082b..02210e57 100755 --- a/aws-iam-role-poweruser/main.tf +++ b/aws-iam-role-poweruser/main.tf @@ -27,7 +27,6 @@ data "aws_iam_policy_document" "assume-role" { } } } - } resource "aws_iam_role" "poweruser" { diff --git a/aws-iam-role-poweruser/variables.tf b/aws-iam-role-poweruser/variables.tf index f9d7a571..a408c10b 100755 
--- a/aws-iam-role-poweruser/variables.tf +++ b/aws-iam-role-poweruser/variables.tf @@ -15,7 +15,6 @@ variable "saml_idp_arn" { description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." } - variable "iam_path" { type = "string" default = "/" diff --git a/aws-iam-role-readonly/main.tf b/aws-iam-role-readonly/main.tf index a44a2b39..597bcb1f 100755 --- a/aws-iam-role-readonly/main.tf +++ b/aws-iam-role-readonly/main.tf @@ -1,11 +1,31 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } + + dynamic "statement" { + for_each = compact([var.saml_idp_arn]) + content { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } - actions = ["sts:AssumeRole"] + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } } diff --git a/aws-iam-role-readonly/variables.tf b/aws-iam-role-readonly/variables.tf index 7bedc861..0d3dc3e1 100755 --- a/aws-iam-role-readonly/variables.tf +++ b/aws-iam-role-readonly/variables.tf @@ -1,8 +1,3 @@ -variable "source_account_id" { - type = "string" - description = "The AWS account from which this role should be assumeable." -} - variable "iam_path" { type = "string" default = "/" 
@@ -11,3 +6,15 @@ variable "iam_path" { variable "role_name" { default = "readonly" } + +variable "source_account_id" { + type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." +} + +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." +} diff --git a/aws-iam-role-route53domains-poweruser/main.tf b/aws-iam-role-route53domains-poweruser/main.tf index 5b76e270..61a34dde 100644 --- a/aws-iam-role-route53domains-poweruser/main.tf +++ b/aws-iam-role-route53domains-poweruser/main.tf @@ -1,11 +1,31 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } + + dynamic "statement" { + for_each = compact([var.saml_idp_arn]) + content { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } - actions = ["sts:AssumeRole"] + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } } diff --git a/aws-iam-role-route53domains-poweruser/variables.tf b/aws-iam-role-route53domains-poweruser/variables.tf index f62e4d1e..3e2c3bfe 100644 --- a/aws-iam-role-route53domains-poweruser/variables.tf +++ b/aws-iam-role-route53domains-poweruser/variables.tf @@ -1,7 +1,3 @@ -variable "source_account_id" { - type = "string" -} - variable "role_name" { type = "string" default = "route53domains-poweruser" 
@@ -11,3 +7,15 @@ variable "iam_path" { type = "string" default = "/" } + +variable "source_account_id" { + type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." +} + +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." +} diff --git a/aws-iam-role-security-audit/main.tf b/aws-iam-role-security-audit/main.tf index 4390bdd0..c52f6a21 100755 --- a/aws-iam-role-security-audit/main.tf +++ b/aws-iam-role-security-audit/main.tf @@ -1,11 +1,31 @@ data "aws_iam_policy_document" "assume-role" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + dynamic "statement" { + for_each = compact([var.source_account_id]) + content { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${var.source_account_id}:root"] + } + actions = ["sts:AssumeRole"] } + } + + dynamic "statement" { + for_each = compact([var.saml_idp_arn]) + content { + principals { + type = "Federated" + identifiers = ["${var.saml_idp_arn}"] + } - actions = ["sts:AssumeRole"] + actions = ["sts:AssumeRoleWithSAML"] + + condition { + test = "StringEquals" + variable = "SAML:aud" + values = ["https://signin.aws.amazon.com/saml"] + } + } } } diff --git a/aws-iam-role-security-audit/variables.tf b/aws-iam-role-security-audit/variables.tf index 087328a9..5fd8612a 100755 --- a/aws-iam-role-security-audit/variables.tf +++ b/aws-iam-role-security-audit/variables.tf @@ -1,8 +1,3 @@ -variable "source_account_id" { - type = "string" - description = "The AWS account from which this role should be assumeable." -} - variable "role_name" { type = "string" description = "The name of this role." 
@@ -13,3 +8,15 @@ variable "iam_path" { type = "string" default = "/" } + +variable "source_account_id" { + type = "string" + default = "" + description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided." +} + +variable "saml_idp_arn" { + type = "string" + default = "" + description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided." +} From c605a34d025da8d94e12338ae611e2cf556db03f Mon Sep 17 00:00:00 2001 From: edulop Date: Wed, 27 Nov 2019 08:17:10 -0800 Subject: [PATCH 5/5] READMEs --- aws-iam-role-cloudfront-poweruser/README.md | 3 ++- aws-iam-role-crossacct/README.md | 3 ++- aws-iam-role-ec2-poweruser/README.md | 3 ++- aws-iam-role-ecs-poweruser/README.md | 3 ++- aws-iam-role-infraci/README.md | 3 ++- aws-iam-role-poweruser/README.md | 5 +++-- aws-iam-role-readonly/README.md | 3 ++- aws-iam-role-route53domains-poweruser/README.md | 3 ++- aws-iam-role-security-audit/README.md | 3 ++- 9 files changed, 19 insertions(+), 10 deletions(-) diff --git a/aws-iam-role-cloudfront-poweruser/README.md b/aws-iam-role-cloudfront-poweruser/README.md index 7edd9bf8..39ee4cb5 100644 --- a/aws-iam-role-cloudfront-poweruser/README.md +++ b/aws-iam-role-cloudfront-poweruser/README.md @@ -10,7 +10,8 @@ This module will create a role which is granted poweruser control over AWS Cloud | iam\_path | | string | `"/"` | no | | role\_name | Name of the role to create | string | n/a | yes | | s3\_bucket\_prefixes | Limits role permissions to buckets with specific prefixes. Empty for all buckets. | list | `` | no | -| source\_account\_id | AWS Account that can assume this role. | string | n/a | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | ## Outputs 
diff --git a/aws-iam-role-crossacct/README.md b/aws-iam-role-crossacct/README.md index 0e1c1ec3..1cd40879 100644 --- a/aws-iam-role-crossacct/README.md +++ b/aws-iam-role-crossacct/README.md @@ -23,7 +23,8 @@ module "group" { |------|-------------|:----:|:-----:|:-----:| | iam\_path | The IAM path to put this role in. | string | `"/"` | no | | role\_name | The name of the role. | string | n/a | yes | -| source\_account\_id | The AWS account id that should be able to assume this role. | string | n/a | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | ## Outputs diff --git a/aws-iam-role-ec2-poweruser/README.md b/aws-iam-role-ec2-poweruser/README.md index 4469b671..7d6d2b9a 100644 --- a/aws-iam-role-ec2-poweruser/README.md +++ b/aws-iam-role-ec2-poweruser/README.md @@ -25,7 +25,8 @@ module "ec2-poweruser" { |------|-------------|:----:|:-----:|:-----:| | iam\_path | | string | `"/"` | no | | role\_name | | string | n/a | yes | -| source\_account\_id | | string | n/a | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | ## Outputs diff --git a/aws-iam-role-ecs-poweruser/README.md b/aws-iam-role-ecs-poweruser/README.md index a2d2c2f7..7a494713 100644 --- a/aws-iam-role-ecs-poweruser/README.md +++ b/aws-iam-role-ecs-poweruser/README.md 
@@ -24,7 +24,8 @@ module "ec2-poweruser" { |------|-------------|:----:|:-----:|:-----:| | iam\_path | | string | `"/"` | no | | role\_name | | string | n/a | yes | -| source\_account\_id | | string | n/a | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | ## Outputs diff --git a/aws-iam-role-infraci/README.md b/aws-iam-role-infraci/README.md index 6aabd8d0..e02c50b3 100644 --- a/aws-iam-role-infraci/README.md +++ b/aws-iam-role-infraci/README.md @@ -9,8 +9,9 @@ Creates a role useful for running `terraform plan` in CI jobs. |------|-------------|:----:|:-----:|:-----:| | iam\_path | | string | `"/"` | no | | role\_name | | string | `"infraci"` | no | -| source\_account\_id | | string | n/a | yes | | terraform\_state\_lock\_dynamodb\_arns | "A list of unique identifiers (ARNs) of state file DynamoDB tables" | string | `[]` | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | ## Outputs diff --git a/aws-iam-role-poweruser/README.md b/aws-iam-role-poweruser/README.md index 7b2fbab5..e782a4e0 100644 --- a/aws-iam-role-poweruser/README.md +++ b/aws-iam-role-poweruser/README.md @@ -11,7 +11,7 @@ module "group" { # defaults to "poweruser" role_name = "..." - # The id of the other AWS account that can assume this role. + # The id of the other AWS account that can assume this role. source_account_id = "..." } ``` 
@@ -23,7 +23,8 @@ module "group" { |------|-------------|:----:|:-----:|:-----:| | iam\_path | | string | `"/"` | no | | role\_name | | string | `"poweruser"` | no | -| source\_account\_id | | string | n/a | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | ## Outputs diff --git a/aws-iam-role-readonly/README.md b/aws-iam-role-readonly/README.md index ca2f74c4..ba097ee0 100644 --- a/aws-iam-role-readonly/README.md +++ b/aws-iam-role-readonly/README.md @@ -27,7 +27,8 @@ output "role_name" { |------|-------------|:----:|:-----:|:-----:| | iam\_path | | string | `"/"` | no | | role\_name | | string | `"readonly"` | no | -| source\_account\_id | The AWS account from which this role should be assumeable. | string | n/a | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | ## Outputs diff --git a/aws-iam-role-route53domains-poweruser/README.md b/aws-iam-role-route53domains-poweruser/README.md index 049314d5..210f93d5 100644 --- a/aws-iam-role-route53domains-poweruser/README.md +++ b/aws-iam-role-route53domains-poweruser/README.md 
@@ -24,7 +24,8 @@ module "route53domains-poweruser" { |------|-------------|:----:|:-----:|:-----:| | iam\_path | | string | `"/"` | no | | role\_name | | string | `"route53domains-poweruser"` | no | -| source\_account\_id | | string | n/a | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | ## Outputs diff --git a/aws-iam-role-security-audit/README.md b/aws-iam-role-security-audit/README.md index 82f1b120..2aee05e8 100644 --- a/aws-iam-role-security-audit/README.md +++ b/aws-iam-role-security-audit/README.md @@ -19,6 +19,7 @@ module "group" { |------|-------------|:----:|:-----:|:-----:| | iam\_path | | string | `"/"` | no | | role\_name | The name of this role. | string | `"security-audit"` | no | -| source\_account\_id | The AWS account from which this role should be assumeable. | string | n/a | yes | +| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no | +| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |