feat: Added variable trusted_role_actions to sub modules as a "Action of STS" (#393)

tcharewicz · bryantbiggs · web-flow · commit 570267906486 · 2023-06-29T10:06:57.000-04:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/modules/iam-assumable-role-with-saml/README.md b/modules/iam-assumable-role-with-saml/README.md
@@ -52,7 +52,7 @@ No modules.
 | <a name="input_role_permissions_boundary_arn"></a> [role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
-| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Extra Actions of STS | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
+| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` | <pre>[<br>  "sts:AssumeRoleWithSAML",<br>  "sts:TagSession"<br>]</pre> | no |
 
 ## Outputs
 
diff --git a/modules/iam-assumable-role-with-saml/main.tf b/modules/iam-assumable-role-with-saml/main.tf
@@ -37,8 +37,7 @@ data "aws_iam_policy_document" "assume_role_with_saml" {
     actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions)))
 
     principals {
-      type = "Federated"
-
+      type        = "Federated"
       identifiers = local.identifiers
     }
 
diff --git a/modules/iam-assumable-role-with-saml/variables.tf b/modules/iam-assumable-role-with-saml/variables.tf
@@ -89,7 +89,7 @@ variable "allow_self_assume_role" {
 }
 
 variable "trusted_role_actions" {
-  description = "Extra Actions of STS"
+  description = "Additional role actions"
   type        = list(string)
-  default     = [""]
+  default     = ["sts:AssumeRoleWithSAML", "sts:TagSession"]
 }
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
@@ -66,7 +66,7 @@ No modules.
 | <a name="input_role_session_name"></a> [role\_session\_name](#input\_role\_session\_name) | role\_session\_name for roles which require this parameter when being assumed. By default, you need to set your own username as role\_session\_name | `list(string)` | <pre>[<br>  "${aws:username}"<br>]</pre> | no |
 | <a name="input_role_sts_externalid"></a> [role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
-| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Actions of STS | `list(string)` | <pre>[<br>  "sts:AssumeRole"<br>]</pre> | no |
+| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` | <pre>[<br>  "sts:AssumeRole",<br>  "sts:TagSession"<br>]</pre> | no |
 | <a name="input_trusted_role_arns"></a> [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
 | <a name="input_trusted_role_services"></a> [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no |
 
diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "assume_role" {
 
   statement {
     effect  = "Allow"
-    actions = var.trusted_role_actions
+    actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))
 
     principals {
       type        = "AWS"
@@ -85,7 +85,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
 
   statement {
     effect  = "Allow"
-    actions = var.trusted_role_actions
+    actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))
 
     principals {
       type        = "AWS"
diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
@@ -1,7 +1,7 @@
 variable "trusted_role_actions" {
-  description = "Actions of STS"
+  description = "Additional trusted role actions"
   type        = list(string)
-  default     = ["sts:AssumeRole"]
+  default     = ["sts:AssumeRole", "sts:TagSession"]
 }
 
 variable "trusted_role_arns" {
diff --git a/modules/iam-assumable-roles-with-saml/README.md b/modules/iam-assumable-roles-with-saml/README.md
@@ -66,6 +66,7 @@ No modules.
 | <a name="input_readonly_role_permissions_boundary_arn"></a> [readonly\_role\_permissions\_boundary\_arn](#input\_readonly\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
 | <a name="input_readonly_role_policy_arns"></a> [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
 | <a name="input_readonly_role_tags"></a> [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
+| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional role actions | `list(string)` | <pre>[<br>  "sts:AssumeRoleWithSAML",<br>  "sts:TagSession"<br>]</pre> | no |
 
 ## Outputs
 
diff --git a/modules/iam-assumable-roles-with-saml/main.tf b/modules/iam-assumable-roles-with-saml/main.tf
@@ -75,13 +75,11 @@ data "aws_iam_policy_document" "assume_role_with_saml" {
   }
 
   statement {
-    effect = "Allow"
-
-    actions = ["sts:AssumeRoleWithSAML"]
+    effect  = "Allow"
+    actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions)))
 
     principals {
-      type = "Federated"
-
+      type        = "Federated"
       identifiers = local.identifiers
     }
 
@@ -103,8 +101,7 @@ resource "aws_iam_role" "admin" {
 
   force_detach_policies = var.force_detach_policies
   permissions_boundary  = var.admin_role_permissions_boundary_arn
-
-  assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
+  assume_role_policy    = data.aws_iam_policy_document.assume_role_with_saml.json
 
   tags = var.admin_role_tags
 }
@@ -126,8 +123,7 @@ resource "aws_iam_role" "poweruser" {
 
   force_detach_policies = var.force_detach_policies
   permissions_boundary  = var.poweruser_role_permissions_boundary_arn
-
-  assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
+  assume_role_policy    = data.aws_iam_policy_document.assume_role_with_saml.json
 
   tags = var.poweruser_role_tags
 }
@@ -149,8 +145,7 @@ resource "aws_iam_role" "readonly" {
 
   force_detach_policies = var.force_detach_policies
   permissions_boundary  = var.readonly_role_permissions_boundary_arn
-
-  assume_role_policy = data.aws_iam_policy_document.assume_role_with_saml.json
+  assume_role_policy    = data.aws_iam_policy_document.assume_role_with_saml.json
 
   tags = var.readonly_role_tags
 }
diff --git a/modules/iam-assumable-roles-with-saml/variables.tf b/modules/iam-assumable-roles-with-saml/variables.tf
@@ -22,6 +22,12 @@ variable "allow_self_assume_role" {
   default     = false
 }
 
+variable "trusted_role_actions" {
+  description = "Additional role actions"
+  type        = list(string)
+  default     = ["sts:AssumeRoleWithSAML", "sts:TagSession"]
+}
+
 # Admin
 variable "create_admin_role" {
   description = "Whether to create admin role"
diff --git a/modules/iam-assumable-roles/README.md b/modules/iam-assumable-roles/README.md
@@ -66,6 +66,7 @@ No modules.
 | <a name="input_readonly_role_policy_arns"></a> [readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
 | <a name="input_readonly_role_requires_mfa"></a> [readonly\_role\_requires\_mfa](#input\_readonly\_role\_requires\_mfa) | Whether readonly role requires MFA | `bool` | `true` | no |
 | <a name="input_readonly_role_tags"></a> [readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
+| <a name="input_trusted_role_actions"></a> [trusted\_role\_actions](#input\_trusted\_role\_actions) | Additional trusted role actions | `list(string)` | <pre>[<br>  "sts:AssumeRole",<br>  "sts:TagSession"<br>]</pre> | no |
 | <a name="input_trusted_role_arns"></a> [trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
 | <a name="input_trusted_role_services"></a> [trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no |
 
diff --git a/modules/iam-assumable-roles/main.tf b/modules/iam-assumable-roles/main.tf
@@ -75,7 +75,7 @@ data "aws_iam_policy_document" "assume_role" {
 
   statement {
     effect  = "Allow"
-    actions = ["sts:AssumeRole"]
+    actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))
 
     principals {
       type        = "AWS"
@@ -158,7 +158,7 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
 
   statement {
     effect  = "Allow"
-    actions = ["sts:AssumeRole"]
+    actions = compact(distinct(concat(["sts:AssumeRole"], var.trusted_role_actions)))
 
     principals {
       type        = "AWS"
diff --git a/modules/iam-assumable-roles/variables.tf b/modules/iam-assumable-roles/variables.tf
@@ -1,3 +1,9 @@
+variable "trusted_role_actions" {
+  description = "Additional trusted role actions"
+  type        = list(string)
+  default     = ["sts:AssumeRole", "sts:TagSession"]
+}
+
 variable "trusted_role_arns" {
   description = "ARNs of AWS entities who can assume these roles"
   type        = list(string)
diff --git a/wrappers/iam-assumable-role-with-saml/main.tf b/wrappers/iam-assumable-role-with-saml/main.tf
@@ -18,5 +18,5 @@ module "wrapper" {
   number_of_role_policy_arns    = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
   force_detach_policies         = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
   allow_self_assume_role        = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
-  trusted_role_actions          = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, [""])
+  trusted_role_actions          = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"])
 }
diff --git a/wrappers/iam-assumable-role/main.tf b/wrappers/iam-assumable-role/main.tf
@@ -3,7 +3,7 @@ module "wrapper" {
 
   for_each = var.items
 
-  trusted_role_actions              = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole"])
+  trusted_role_actions              = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole", "sts:TagSession"])
   trusted_role_arns                 = try(each.value.trusted_role_arns, var.defaults.trusted_role_arns, [])
   trusted_role_services             = try(each.value.trusted_role_services, var.defaults.trusted_role_services, [])
   mfa_age                           = try(each.value.mfa_age, var.defaults.mfa_age, 86400)
diff --git a/wrappers/iam-assumable-roles-with-saml/main.tf b/wrappers/iam-assumable-roles-with-saml/main.tf
@@ -7,6 +7,7 @@ module "wrapper" {
   provider_ids                            = try(each.value.provider_ids, var.defaults.provider_ids, [])
   aws_saml_endpoint                       = try(each.value.aws_saml_endpoint, var.defaults.aws_saml_endpoint, "https://signin.aws.amazon.com/saml")
   allow_self_assume_role                  = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
+  trusted_role_actions                    = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"])
   create_admin_role                       = try(each.value.create_admin_role, var.defaults.create_admin_role, false)
   admin_role_name                         = try(each.value.admin_role_name, var.defaults.admin_role_name, "admin")
   admin_role_path                         = try(each.value.admin_role_path, var.defaults.admin_role_path, "/")
diff --git a/wrappers/iam-assumable-roles/main.tf b/wrappers/iam-assumable-roles/main.tf
@@ -3,6 +3,7 @@ module "wrapper" {
 
   for_each = var.items
 
+  trusted_role_actions                    = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRole", "sts:TagSession"])
   trusted_role_arns                       = try(each.value.trusted_role_arns, var.defaults.trusted_role_arns, [])
   trusted_role_services                   = try(each.value.trusted_role_services, var.defaults.trusted_role_services, [])
   mfa_age                                 = try(each.value.mfa_age, var.defaults.mfa_age, 86400)

Original file line number	Diff line number	Diff line change
`@@ -37,8 +37,7 @@ data "aws_iam_policy_document" "assume_role_with_saml" {`
`37`	`37`	`actions = compact(distinct(concat(["sts:AssumeRoleWithSAML"], var.trusted_role_actions)))`
`38`	`38`
`39`	`39`	`principals {`
`40`		`- type = "Federated"`
`41`		`-`
	`40`	`+ type = "Federated"`
`42`	`41`	`identifiers = local.identifiers`
`43`	`42`	`}`
`44`	`43`
Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@ variable "allow_self_assume_role" {`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`variable "trusted_role_actions" {`
`92`		`- description = "Extra Actions of STS"`
	`92`	`+ description = "Additional role actions"`
`93`	`93`	`type = list(string)`
`94`		`- default = [""]`
	`94`	`+ default = ["sts:AssumeRoleWithSAML", "sts:TagSession"]`
`95`	`95`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`variable "trusted_role_actions" {`
`2`		`- description = "Actions of STS"`
	`2`	`+ description = "Additional trusted role actions"`
`3`	`3`	`type = list(string)`
`4`		`- default = ["sts:AssumeRole"]`
	`4`	`+ default = ["sts:AssumeRole", "sts:TagSession"]`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`variable "trusted_role_arns" {`
Original file line number	Diff line number	Diff line change
`@@ -18,5 +18,5 @@ module "wrapper" {`
`18`	`18`	`number_of_role_policy_arns = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)`
`19`	`19`	`force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)`
`20`	`20`	`allow_self_assume_role = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)`
`21`		`- trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, [""])`
	`21`	`+ trusted_role_actions = try(each.value.trusted_role_actions, var.defaults.trusted_role_actions, ["sts:AssumeRoleWithSAML", "sts:TagSession"])`
`22`	`22`	`}`