added variable trusted_role_actions to sub modules as a Extra actions of STS

Author: tcharewicz

modules/iam-assumable-role/README.md

@@ -66,7 +66,7 @@ No modules.
 | <a name="input_role_session_name"></a> [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` | <pre>[<br>  "${aws:username}"<br>]</pre> | no |
 | <a name="input_role_sts_externalid"></a> [role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
-| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Actions of STS | `list(string)` | <pre>[<br>  "sts:AssumeRole"<br>]</pre> | no |
+| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Extra Actions of STS | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_trusted_role_arns"></a> [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
 | <a name="input_trusted_role_services"></a> [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no |
 

modules/iam-assumable-role/main.tf

@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "assume_role" {
 
   statement {
     effect  = "Allow"
-    actions = var.trusted_role_actions
+    actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))
 
     principals {
       type        = "AWS"
@@ -85,7 +85,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
 
   statement {
     effect  = "Allow"
-    actions = var.trusted_role_actions
+    actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))
 
     principals {
       type        = "AWS"

modules/iam-assumable-role/variables.tf

@@ -1,7 +1,7 @@
 variable "trusted_role_actions" {
-  description = "Actions of STS"
+  description = "Extra Actions of STS"
   type        = list(string)
-  default     = ["sts:AssumeRole"]
+  default     = [""]
 }
 
 variable "trusted_role_arns" {

modules/iam-assumable-roles-with-saml/README.md

@@ -66,6 +66,7 @@ No modules.
 | <a name="input_readonly_role_permissions_boundary_arn"></a> [readonly\_role\_permissions\_boundary\_arn](#input\_readonly\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
 | <a name="input_readonly_role_policy_arns"></a> [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
 | <a name="input_readonly_role_tags"></a> [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
+| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Extra Actions of STS | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 
 ## Outputs
 

modules/iam-assumable-roles-with-saml/main.tf

@@ -77,7 +77,7 @@ data "aws_iam_policy_document" "assume_role_with_saml" {
   statement {
     effect = "Allow"
 
-    actions = ["sts:AssumeRoleWithSAML"]
+    actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions)))
 
     principals {
       type = "Federated"

modules/iam-assumable-roles-with-saml/variables.tf

@@ -22,6 +22,12 @@ variable "allow_self_assume_role" {
   default     = false
 }
 
+variable "trusted_role_actions" {
+  description = "Extra Actions of STS"
+  type        = list(string)
+  default     = [""]
+}
+
 # Admin
 variable "create_admin_role" {
   description = "Whether to create admin role"

modules/iam-assumable-roles/README.md

@@ -66,6 +66,7 @@ No modules.
 | <a name="input_readonly_role_policy_arns"></a> [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
 | <a name="input_readonly_role_requires_mfa"></a> [readonly\_role\_requires\_mfa](#input\_readonly\_role\_requires\_mfa) | Whether readonly role requires MFA | `bool` | `true` | no |
 | <a name="input_readonly_role_tags"></a> [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
+| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Extra Actions of STS | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_trusted_role_arns"></a> [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
 | <a name="input_trusted_role_services"></a> [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no |
 

modules/iam-assumable-roles/main.tf

@@ -75,7 +75,7 @@ data "aws_iam_policy_document" "assume_role" {
 
   statement {
     effect  = "Allow"
-    actions = ["sts:AssumeRole"]
+    actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))
 
     principals {
       type        = "AWS"
@@ -158,7 +158,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
 
   statement {
     effect  = "Allow"
-    actions = ["sts:AssumeRole"]
+    actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))
 
     principals {
       type        = "AWS"

modules/iam-assumable-roles/variables.tf

@@ -22,6 +22,12 @@ variable "allow_self_assume_role" {
   default     = false
 }
 
+variable "trusted_role_actions" {
+  description = "Extra Actions of STS"
+  type        = list(string)
+  default     = [""]
+}
+
 # Admin
 variable "create_admin_role" {
   description = "Whether to create admin role"