fix: Add missing locals in iam-assumable-role module (#290)

Co-authored-by: Enver Cicak <[email protected]>
Co-authored-by: Bryant Biggs <[email protected]>
Co-authored-by: Dmytro Sirant <[email protected]>
Co-authored-by: Enver Cicak <[email protected]>
Co-authored-by: Anton Babenko <[email protected]>

Author: 6 people

examples/iam-assumable-role-with-oidc/README.md

@@ -31,6 +31,7 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | ../../modules/iam-assumable-role-with-oidc | n/a |
+| <a name="module_iam_assumable_role_self_assume"></a> [iam\_assumable\_role\_self\_assume](#module\_iam\_assumable\_role\_self\_assume) | ../../modules/iam-assumable-role-with-oidc | n/a |
 
 ## Resources
 

examples/iam-assumable-role-with-oidc/main.tf

@@ -25,3 +25,28 @@ module "iam_assumable_role_admin" {
 
   oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"]
 }
+
+#####################################
+# IAM assumable role with self assume
+#####################################
+module "iam_assumable_role_self_assume" {
+  source = "../../modules/iam-assumable-role-with-oidc"
+
+  create_role            = true
+  allow_self_assume_role = true
+
+  role_name = "role-with-oidc-self-assume"
+
+  tags = {
+    Role = "role-with-oidc-self-assume"
+  }
+
+  provider_url  = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
+  provider_urls = ["oidc.eks.eu-west-1.amazonaws.com/id/AA9E170D464AF7B92084EF72A69B9DC8"]
+
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+  ]
+
+  oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"]
+}

examples/iam-assumable-role-with-saml/README.md

@@ -33,6 +33,7 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | ../../modules/iam-assumable-role-with-saml | n/a |
+| <a name="module_iam_assumable_role_self_assume"></a> [iam\_assumable\_role\_self\_assume](#module\_iam\_assumable\_role\_self\_assume) | ../../modules/iam-assumable-role-with-saml | n/a |
 
 ## Resources
 

examples/iam-assumable-role-with-saml/main.tf

@@ -33,3 +33,26 @@ module "iam_assumable_role_admin" {
     "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
   ]
 }
+
+#####################################
+# IAM assumable role with self assume
+#####################################
+module "iam_assumable_role_self_assume" {
+  source = "../../modules/iam-assumable-role-with-saml"
+
+  create_role            = true
+  allow_self_assume_role = true
+
+  role_name = "role-with-saml-self-assume"
+
+  tags = {
+    Role = "role-with-saml-self-assume"
+  }
+
+  provider_id  = aws_iam_saml_provider.idp_saml.id
+  provider_ids = [aws_iam_saml_provider.second_idp_saml.id]
+
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+  ]
+}

examples/iam-assumable-roles-with-saml/README.md

@@ -35,6 +35,7 @@ Run `terraform destroy` when you don't need these resources.
 | <a name="module_iam_assumable_roles_with_saml"></a> [iam\_assumable\_roles\_with\_saml](#module\_iam\_assumable\_roles\_with\_saml) | ../../modules/iam-assumable-roles-with-saml | n/a |
 | <a name="module_iam_assumable_roles_with_saml_custom"></a> [iam\_assumable\_roles\_with\_saml\_custom](#module\_iam\_assumable\_roles\_with\_saml\_custom) | ../../modules/iam-assumable-roles-with-saml | n/a |
 | <a name="module_iam_assumable_roles_with_saml_second_provider"></a> [iam\_assumable\_roles\_with\_saml\_second\_provider](#module\_iam\_assumable\_roles\_with\_saml\_second\_provider) | ../../modules/iam-assumable-roles-with-saml | n/a |
+| <a name="module_iam_assumable_roles_with_saml_with_self_assume"></a> [iam\_assumable\_roles\_with\_saml\_with\_self\_assume](#module\_iam\_assumable\_roles\_with\_saml\_with\_self\_assume) | ../../modules/iam-assumable-roles-with-saml | n/a |
 
 ## Resources
 

examples/iam-assumable-roles-with-saml/main.tf

@@ -39,7 +39,9 @@ module "iam_assumable_roles_with_saml_second_provider" {
   create_admin_role = true
 
   create_poweruser_role = true
-  poweruser_role_name   = "developer"
+  admin_role_name       = "Admin-Role-Name"
+  poweruser_role_name   = "Poweruser-Role-Name"
+  readonly_role_name    = "Readonly-Role-Name"
 
   create_readonly_role = true
 
@@ -58,3 +60,20 @@ module "iam_assumable_roles_with_saml_custom" {
 
   provider_id = aws_iam_saml_provider.idp_saml.id
 }
+
+################################################
+# IAM assumable roles with SAML with self assume
+################################################
+module "iam_assumable_roles_with_saml_with_self_assume" {
+  source = "../../modules/iam-assumable-roles-with-saml"
+
+  create_admin_role      = true
+  allow_self_assume_role = true
+  create_poweruser_role  = true
+  admin_role_name        = "Admin-Role-Name-Self-Assume"
+  poweruser_role_name    = "Poweruser-Role-Name-Self-Assume"
+  readonly_role_name     = "Readonly-Role-Name-Self-Assume"
+  create_readonly_role   = true
+
+  provider_id = aws_iam_saml_provider.idp_saml.id
+}

examples/iam-assumable-roles/README.md

@@ -31,6 +31,7 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_iam_assumable_roles"></a> [iam\_assumable\_roles](#module\_iam\_assumable\_roles) | ../../modules/iam-assumable-roles | n/a |
+| <a name="module_iam_assumable_roles_with_self_assume"></a> [iam\_assumable\_roles\_with\_self\_assume](#module\_iam\_assumable\_roles\_with\_self\_assume) | ../../modules/iam-assumable-roles | n/a |
 
 ## Resources
 

examples/iam-assumable-roles/main.tf

@@ -26,3 +26,30 @@ module "iam_assumable_roles" {
   create_readonly_role       = true
   readonly_role_requires_mfa = false
 }
+
+######################################
+# IAM assumable roles with self assume
+######################################
+module "iam_assumable_roles_with_self_assume" {
+  source = "../../modules/iam-assumable-roles"
+
+  trusted_role_arns = [
+    "arn:aws:iam::307990089504:root",
+    "arn:aws:iam::835367859851:user/anton",
+  ]
+
+  trusted_role_services = [
+    "codedeploy.amazonaws.com"
+  ]
+
+  create_admin_role          = true
+  allow_self_assume_role     = true
+  create_poweruser_role      = true
+  admin_role_name            = "Admin-Role-Name-Self-Assume"
+  poweruser_role_name        = "Billing-And-Support-Access-Self-Assume"
+  poweruser_role_policy_arns = ["arn:aws:iam::aws:policy/job-function/Billing", "arn:aws:iam::aws:policy/AWSSupportAccess"]
+  readonly_role_name         = "Read-Only-Role-Name-Self-Assume"
+
+  create_readonly_role       = true
+  readonly_role_requires_mfa = false
+}

examples/iam-eks-role/README.md

@@ -36,13 +36,14 @@ Run `terraform destroy` when you don't need these resources.
 |------|--------|---------|
 | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.0 |
 | <a name="module_iam_eks_role"></a> [iam\_eks\_role](#module\_iam\_eks\_role) | ../../modules/iam-eks-role | n/a |
+| <a name="module_iam_eks_role_with_self_assume"></a> [iam\_eks\_role\_with\_self\_assume](#module\_iam\_eks\_role\_with\_self\_assume) | ../../modules/iam-eks-role | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_subnet_ids.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source |
+| [aws_subnets.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
 | [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs

examples/iam-eks-role/main.tf

@@ -19,6 +19,27 @@ module "iam_eks_role" {
   }
 }
 
+###############################
+# IAM EKS role with self assume
+###############################
+module "iam_eks_role_with_self_assume" {
+  source    = "../../modules/iam-eks-role"
+  role_name = "my-app-self-assume"
+
+  allow_self_assume_role = true
+  cluster_service_accounts = {
+    (random_pet.this.id) = ["default:my-app"]
+  }
+
+  tags = {
+    Name = "eks-role"
+  }
+
+  role_policy_arns = {
+    AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  }
+}
+
 ##################
 # Extra resources
 ##################
@@ -35,7 +56,7 @@ module "eks" {
   cluster_version = "1.21"
 
   vpc_id     = data.aws_vpc.default.id
-  subnet_ids = data.aws_subnet_ids.all.ids
+  subnet_ids = data.aws_subnets.all.ids
 }
 
 ##################################################################
@@ -46,6 +67,9 @@ data "aws_vpc" "default" {
   default = true
 }
 
-data "aws_subnet_ids" "all" {
-  vpc_id = data.aws_vpc.default.id
+data "aws_subnets" "all" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
 }

modules/iam-assumable-role-with-oidc/main.tf

@@ -1,5 +1,6 @@
 locals {
   aws_account_id = var.aws_account_id != "" ? var.aws_account_id : data.aws_caller_identity.current.account_id
+  partition      = data.aws_partition.current.partition
   # clean URLs of https:// prefix
   urls = [
     for url in compact(distinct(concat(var.provider_urls, [var.provider_url]))) :
@@ -32,7 +33,7 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
       condition {
         test     = "ArnLike"
         variable = "aws:PrincipalArn"
-        values   = ["arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${local.role_name_condition}"]
+        values   = ["arn:${local.partition}:iam::${data.aws_caller_identity.current.account_id}:role${var.role_path}${local.role_name_condition}"]
       }
     }
   }

modules/iam-assumable-role-with-saml/README.md

@@ -29,7 +29,9 @@ No modules.
 |------|------|
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role_with_saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 

modules/iam-assumable-role-with-saml/main.tf

@@ -1,6 +1,11 @@
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
 locals {
+  account_id                 = data.aws_caller_identity.current.account_id
   identifiers                = compact(distinct(concat(var.provider_ids, [var.provider_id])))
   number_of_role_policy_arns = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns))
+  partition                  = data.aws_partition.current.partition
   role_name_condition        = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
 }
 

modules/iam-assumable-role/README.md

@@ -32,8 +32,10 @@ No modules.
 | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.assume_role_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 

modules/iam-assumable-role/main.tf

@@ -1,4 +1,9 @@
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
 locals {
+  account_id          = data.aws_caller_identity.current.account_id
+  partition           = data.aws_partition.current.partition
   role_sts_externalid = flatten([var.role_sts_externalid])
   role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
 }

modules/iam-assumable-roles-with-saml/README.md

@@ -34,7 +34,9 @@ No modules.
 | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role_with_saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 

modules/iam-assumable-roles-with-saml/main.tf

@@ -1,5 +1,10 @@
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
 locals {
+  account_id  = data.aws_caller_identity.current.account_id
   identifiers = compact(distinct(concat(var.provider_ids, [var.provider_id])))
+  partition   = data.aws_partition.current.partition
 }
 
 data "aws_iam_policy_document" "assume_role_with_saml" {

modules/iam-assumable-roles/README.md

@@ -32,8 +32,10 @@ No modules.
 | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.poweruser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.readonly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.assume_role_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 

modules/iam-assumable-roles/main.tf

@@ -1,3 +1,11 @@
+data "aws_caller_identity" "current" {}
+data "aws_partition" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+  partition  = data.aws_partition.current.partition
+}
+
 data "aws_iam_policy_document" "assume_role" {
   dynamic "statement" {
     # https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/

modules/iam-eks-role/main.tf

@@ -2,6 +2,8 @@ data "aws_caller_identity" "current" {}
 data "aws_partition" "current" {}
 
 locals {
+  account_id          = data.aws_caller_identity.current.account_id
+  partition           = data.aws_partition.current.partition
   role_name_condition = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
 }
 
@@ -45,7 +47,7 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
         type = "Federated"
 
         identifiers = [
-          "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.main[statement.key].identity[0].oidc[0].issuer, "https://", "")}"
+          "arn:${local.partition}:iam::${local.account_id}:oidc-provider/${replace(data.aws_eks_cluster.main[statement.key].identity[0].oidc[0].issuer, "https://", "")}"
         ]
       }
 

modules/iam-group-with-policies/policies.tf

@@ -6,6 +6,7 @@ data "aws_partition" "current" {}
 
 locals {
   aws_account_id = try(data.aws_caller_identity.current[0].account_id, var.aws_account_id)
+  partition      = data.aws_partition.current.partition
 }
 
 data "aws_iam_policy_document" "iam_self_management" {
@@ -40,9 +41,9 @@ data "aws_iam_policy_document" "iam_self_management" {
 
     # Allow for both users with "path" and without it
     resources = [
-      "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}",
-      "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
-      "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}",
     ]
   }
 
@@ -70,9 +71,9 @@ data "aws_iam_policy_document" "iam_self_management" {
 
     # Allow for both users with "path" and without it
     resources = [
-      "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}",
-      "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
-      "arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:mfa/$${aws:username}",
     ]
 
     condition {