feat: Add support for conditionally passing role wildcards to IRSA tr…

…ust policy (#19)
aws-ia · Aug 16, 2023 · e039ac2 · e039ac2
1 parent 4ebe234
commit e039ac2
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 1 deletion.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -10,7 +10,7 @@ repos:
       - id: detect-aws-credentials
         args: ['--allow-missing-credentials']
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.80.0
+    rev: v1.81.2
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

diff --git a/README.md b/README.md
@@ -310,6 +310,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | A common name used across resources created unless a more specific resource name is provdied | `string` | `""` | no |
 | <a name="input_namespaces"></a> [namespaces](#input\_namespaces) | A map of Kubernetes namespace definitions to create | `any` | `{}` | no |
 | <a name="input_oidc_provider_arn"></a> [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | ARN of the OIDC provider created by the EKS cluster | `string` | `""` | no |
+| <a name="input_principal_arns"></a> [principal\_arns](#input\_principal\_arns) | A list of IAM principal arns to support passing wildcards for AWS Identity Center (SSO) roles. [Reference](https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html#custom-trust-policy-example) | `list(string)` | `[]` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Name to use on Kubernetes role created | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all AWS resources | `map(string)` | `{}` | no |
 | <a name="input_users"></a> [users](#input\_users) | A list of IAM user and/or role ARNs that can assume the IAM role created | `list(string)` | `[]` | no |

diff --git a/main.tf b/main.tf
@@ -395,6 +395,16 @@ data "aws_iam_policy_document" "this" {
       type        = "AWS"
       identifiers = var.users
     }
+
+    dynamic "condition" {
+      for_each = length(var.principal_arns) > 0 ? [1] : []
+
+      content {
+        test     = "ArnLike"
+        variable = "aws:PrincipalArn"
+        values   = var.principal_arns
+      }
+    }
   }
 
   # IRSA

diff --git a/variables.tf b/variables.tf
@@ -129,6 +129,12 @@ variable "users" {
   default     = []
 }
 
+variable "principal_arns" {
+  description = "A list of IAM principal arns to support passing wildcards for AWS Identity Center (SSO) roles. [Reference](https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html#custom-trust-policy-example)"
+  type        = list(string)
+  default     = []
+}
+
 variable "oidc_provider_arn" {
   description = "ARN of the OIDC provider created by the EKS cluster"
   type        = string