From e039ac2fbcc25f8990965cc298f97208e573e74c Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 16 Aug 2023 15:34:20 -0400
Subject: [PATCH] feat: Add support for conditionally passing role wildcards to IRSA trust policy (#19)

---
 .pre-commit-config.yaml | 2 +-
 README.md | 1 +
 main.tf | 10 ++++++++++
 variables.tf | 6 ++++++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 46e16b7..210c8da 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,7 +10,7 @@ repos:
 - id: detect-aws-credentials
 args: ['--allow-missing-credentials']
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.80.0
+ rev: v1.81.2
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
diff --git a/README.md b/README.md
index 4475b9d..38659e8 100644
--- a/README.md
+++ b/README.md
@@ -310,6 +310,7 @@ No modules.
 | [name](#input\_name) | A common name used across resources created unless a more specific resource name is provdied | `string` | `""` | no |
 | [namespaces](#input\_namespaces) | A map of Kubernetes namespace definitions to create | `any` | `{}` | no |
 | [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | ARN of the OIDC provider created by the EKS cluster | `string` | `""` | no |
+| [principal\_arns](#input\_principal\_arns) | A list of IAM principal arns to support passing wildcards for AWS Identity Center (SSO) roles. [Reference](https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html#custom-trust-policy-example) | `list(string)` | `[]` | no |
 | [role\_name](#input\_role\_name) | Name to use on Kubernetes role created | `string` | `""` | no |
 | [tags](#input\_tags) | A map of tags to add to all AWS resources | `map(string)` | `{}` | no |
 | [users](#input\_users) | A list of IAM user and/or role ARNs that can assume the IAM role created | `list(string)` | `[]` | no |
diff --git a/main.tf b/main.tf
index 44e3f2f..3191b5c 100644
--- a/main.tf
+++ b/main.tf
@@ -395,6 +395,16 @@ data "aws_iam_policy_document" "this" {
 type = "AWS"
 identifiers = var.users
 }
+
+ dynamic "condition" {
+ for_each = length(var.principal_arns) > 0 ? [1] : []
+
+ content {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = var.principal_arns
+ }
+ }
 }
 
 # IRSA
diff --git a/variables.tf b/variables.tf
index 587fc61..ea01da7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -129,6 +129,12 @@ variable "users" {
 default = []
 }
 
+variable "principal_arns" {
+ description = "A list of IAM principal arns to support passing wildcards for AWS Identity Center (SSO) roles. [Reference](https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html#custom-trust-policy-example)"
+ type = list(string)
+ default = []
+}
+
 variable "oidc_provider_arn" {
 description = "ARN of the OIDC provider created by the EKS cluster"
 type = string
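Review bot: The `ArnLike` condition added on `aws:PrincipalArn` only narrows the `principals` block just above it, so `principal_arns` grants nothing on its own — it takes effect only when `var.users` already contains a principal the Identity Center session resolves to (the AWS page linked from the variable description pairs such patterns with an account-root principal), and once it is non-empty every entry in `var.users` must also match one of the patterns or it can no longer assume the role. Nothing in the hunk or the variable description says this, so a comment above the `dynamic "condition"` block such as `# Narrows the principals above to sessions whose aws:PrincipalArn matches a pattern; it adds no principals, and it also gates every explicit ARN in var.users` would stop misconfiguration in both directions. Note also that `ArnLike` wildcards match across path segments, so `arn:aws:iam::123456789012:role/*` paired with that account's root principal admits every role in the account, which is worth stating in the same comment. The `statement` this belongs to begins before the hunk, so its `actions` and `effect` are not visible here.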
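Review bot: `principal_arns` is passed straight into an `ArnLike` value with no input check, so a bare `*`, a pattern without an account id, or one naming `user/` or `root` instead of a role is accepted silently; a `*` in particular makes the condition a no-op and leaves the full breadth of `users` (an account root, in the linked AWS example) trusted, which defeats the purpose of the variable. A `validation` block that requires an explicit 12-digit account id and the `role/` prefix (sketched below) would reject the broadest mistakes at plan time; `alltrue` needs Terraform 0.14 or later, which I cannot confirm from this diff, so drop it to a `length(...) == length(...)` comparison if the module pins an older version. The `description` should also say that these patterns only restrict the principals in `users` rather than add new ones. The `variable` block is complete within the hunk.
```hcl
variable "principal_arns" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for a in var.principal_arns : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+", a))])
    error_message = "Each principal_arns entry must be an IAM role ARN pattern with an explicit account id, e.g. arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_<permission-set>_*."
  }
}
```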