chanzuckerberg · kuannie1 · Apr 11, 2024 · Apr 10, 2024 · Apr 10, 2024 · Apr 11, 2024
@@ -85,6 +85,9 @@ No resources.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_aws_rds_cluster_instance_endpoint"></a> [aws\_rds\_cluster\_instance\_endpoint](#output\_aws\_rds\_cluster\_instance\_endpoint) | n/a |
+| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | n/a |
+| <a name="output_cluster_resource_id"></a> [cluster\_resource\_id](#output\_cluster\_resource\_id) | n/a |
 | <a name="output_database_name"></a> [database\_name](#output\_database\_name) | n/a |
 | <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | n/a |
 | <a name="output_master_password"></a> [master\_password](#output\_master\_password) | n/a |

@@ -68,6 +68,8 @@ No modules.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_aws_rds_cluster_instance_endpoint"></a> [aws\_rds\_cluster\_instance\_endpoint](#output\_aws\_rds\_cluster\_instance\_endpoint) | n/a |
+| <a name="output_cluster_resource_id"></a> [cluster\_resource\_id](#output\_cluster\_resource\_id) | n/a |
 | <a name="output_database_name"></a> [database\_name](#output\_database\_name) | n/a |
 | <a name="output_database_password"></a> [database\_password](#output\_database\_password) | n/a |
 | <a name="output_database_username"></a> [database\_username](#output\_database\_username) | n/a |

@@ -47,6 +47,8 @@ No requirements.
 
 | Name | Type |
 |------|------|
+| [aws_s3_bucket_acl.cloudfront-owner-grant](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_ownership_controls.cloudfront-owner-preferred](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_canonical_user_id.current_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
 
 ## Inputs
@@ -58,6 +60,7 @@ No requirements.
 | <a name="input_bucket_policy"></a> [bucket\_policy](#input\_bucket\_policy) | n/a | `string` | `""` | no |
 | <a name="input_enable_versioning"></a> [enable\_versioning](#input\_enable\_versioning) | Keep old versions of overwritten S3 objects. | `bool` | `true` | no |
 | <a name="input_env"></a> [env](#input\_env) | n/a | `string` | n/a | yes |
+| <a name="input_kms_encryption"></a> [kms\_encryption](#input\_kms\_encryption) | n/a | `bool` | `false` | no |
 | <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | List of maps containing configuration of object lifecycle management. | `any` | <pre>[<br>  {<br>    "enabled": true,<br>    "expiration": {<br>      "expired_object_delete_marker": true<br>    },<br>    "noncurrent_version_expiration": {<br>      "days": 365<br>    },<br>    "noncurrent_version_transition": {<br>      "days": 30,<br>      "storage_class": "STANDARD_IA"<br>    }<br>  }<br>]</pre> | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | n/a | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | n/a | `string` | n/a | yes |
@@ -69,6 +72,7 @@ No requirements.
 | Name | Description |
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | n/a |
+| <a name="output_bucket_kms_encryption_key_arn"></a> [bucket\_kms\_encryption\_key\_arn](#output\_bucket\_kms\_encryption\_key\_arn) | n/a |
 | <a name="output_domain_name"></a> [domain\_name](#output\_domain\_name) | n/a |
 | <a name="output_id"></a> [id](#output\_id) | n/a |
 | <a name="output_name"></a> [name](#output\_name) | HACK(el): we do this to hint TF dependency graph since modules can't depend\_on |

@@ -3,13 +3,16 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.45 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.45 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.5.1 |
 
 ## Modules
 
@@ -19,17 +22,18 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [aws_iam_policy.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role_policy_attachment.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_policy_document.table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_iam_path"></a> [iam\_path](#input\_iam\_path) | n/a | `string` | `"/"` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | optional role to attach this policy to. | `string` | `null` | no |
 | <a name="input_table_arn"></a> [table\_arn](#input\_table\_arn) | n/a | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to policy | `object({ project : string, env : string, service : string, owner : string, managedBy : string })` | n/a | yes |
 
 ## Outputs
 

@@ -22,14 +22,16 @@ NOTE: this module doesn't manage the role's permissions. Users of this module sh
 <!-- START -->
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.45 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_assert"></a> [assert](#provider\_assert) | n/a |
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.45 |
 
 ## Modules
 
@@ -40,15 +42,17 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [assert_test.authorized_github_org](https://registry.terraform.io/providers/bwoznicki/assert/latest/docs/data-sources/test) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_authorized_github_repos"></a> [authorized\_github\_repos](#input\_authorized\_github\_repos) | A map that specifies the authorized repos to assume the created role.<br>  Keys specify the name of the GitHub org.<br>  Values specify the authorized repos within that org.<br><br>  NOTE: "chanzuckerberg" is, currently, the only authorized GitHub org. | `map(list(string))` | n/a | yes |
+| <a name="input_additional_assume_role_policies_json"></a> [additional\_assume\_role\_policies\_json](#input\_additional\_assume\_role\_policies\_json) | The JSON string of any other additional assume role policies to add to the Github Actions role | `string` | `""` | no |
+| <a name="input_authorized_aws_accounts"></a> [authorized\_aws\_accounts](#input\_authorized\_aws\_accounts) | The map of authorized AWS accounts to assume the created role. | `map(string)` | `{}` | no |
+| <a name="input_authorized_github_repos"></a> [authorized\_github\_repos](#input\_authorized\_github\_repos) | A map that specifies the authorized repos to assume the created role.<br>  Keys specify the name of the GitHub org.<br>  Values specify the authorized repos within that org. | `map(list(string))` | n/a | yes |
 | <a name="input_role"></a> [role](#input\_role) | Configure the AWS IAM Role. | <pre>object({<br>    name : string,<br>  })</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Standard tagging. | <pre>object({<br>    env : string,<br>    owner : string,<br>    managedBy : string,<br>    project : string<br>    service : string<br>  })</pre> | n/a | yes |
 

@@ -38,7 +38,9 @@ No requirements.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_assume_role_policy"></a> [assume\_role\_policy](#module\_assume\_role\_policy) | ../aws-assume-role-policy | n/a |
 
 ## Resources
 
@@ -47,7 +49,6 @@ No modules.
 | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
@@ -58,14 +59,15 @@ No modules.
 | <a name="input_iam_path"></a> [iam\_path](#input\_iam\_path) | The IAM path under which the IAM role will be created. | `string` | `null` | no |
 | <a name="input_inline_policies"></a> [inline\_policies](#input\_inline\_policies) | List of inline policies to be associated with the IAM role. | `list(object({ name = string, policy = string }))` | `[]` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | The maximum amount of time, in seconds, that a principal can assume this role. | `number` | `3600` | no |
+| <a name="input_oidc"></a> [oidc](#input\_oidc) | A list of AWS OIDC IDPs to establish a trust relationship for this role. | <pre>list(object(<br>    {<br>      idp_arn : string,          # the AWS IAM IDP arn<br>      client_ids : list(string), # a list of oidc client ids<br>      provider : string          # your provider url, such as foo.okta.com<br>    }<br>  ))</pre> | `[]` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| <a name="input_principals"></a> [principals](#input\_principals) | AWS IAM Principals which will be able to assume this role. | `list(object({ type = string, identifiers = list(string) }))` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
 | <a name="input_role_description"></a> [role\_description](#input\_role\_description) | IAM role description. | `string` | `null` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | IAM role name. | `string` | n/a | yes |
 | <a name="input_saml_idp_arns"></a> [saml\_idp\_arns](#input\_saml\_idp\_arns) | The AWS SAML IDP arns to establish a trust relationship. Ignored if empty or not provided. | `set(string)` | `[]` | no |
 | <a name="input_saml_idps"></a> [saml\_idps](#input\_saml\_idps) | The AWS SAML IDPs to establish a trust relationship.<br>  Ignored if empty or missing."<br>  If unsure, saml\_auds would typically be ["https://signin.aws.amazon.com/saml"]. | <pre>list(object({<br>    saml_idp_arns : list(string),<br>    saml_auds : list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_service"></a> [service](#input\_service) | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
+| <a name="input_source_account_ids"></a> [source\_account\_ids](#input\_source\_account\_ids) | The source AWS account IDs to establish a trust relationship. Ignored if empty or not provided. | `set(string)` | `[]` | no |
 
 ## Outputs
 

@@ -6,51 +6,25 @@ locals {
     owner     = var.owner
     managedBy = "terraform"
   }
-  all_saml_idps = concat(
-    var.saml_idps,
-    // NOTE(el): by default, these assume SAML assertions signed for AWS specifically.
-    [for aws_saml_idp_arn in var.saml_idp_arns : {
-      saml_idp_arn = [aws_saml_idp_arn],
-      saml_aud     = ["https://signin.aws.amazon.com/saml"]
-  }])
 }
 
-data "aws_iam_policy_document" "assume_role_policy" {
-  statement {
-    dynamic "principals" {
-      for_each = var.principals
-      content {
-        type        = principals.value.type
-        identifiers = principals.value.identifiers
-      }
-    }
-    actions = ["sts:AssumeRole"]
-  }
-
-  dynamic "statement" {
-    for_each = local.all_saml_idps
-    content {
-      principals {
-        type        = "Federated"
-        identifiers = statement.value.saml_idp_arns
-      }
-
-      actions = ["sts:AssumeRoleWithSAML"]
-
-      condition {
-        test     = "StringEquals"
-        variable = "SAML:aud"
-        values   = statement.value.saml_auds
-      }
-    }
-  }
+module "assume_role_policy" {
+  source             = "../aws-assume-role-policy"
+  source_account_ids = var.source_account_ids
+  saml_idp_arns      = toset(flatten([for idp in var.saml_idps: idp.saml_idp_arns]))
+  oidc               = var.oidc
+  env                = var.env
+  owner              = var.owner
+  service            = var.service
+  project            = var.project
 }
 
+
 resource "aws_iam_role" "role" {
   name               = var.role_name
   description        = var.role_description
   path               = var.iam_path
-  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+  assume_role_policy = module.assume_role_policy.json
 
   max_session_duration = var.max_session_duration
 

@@ -24,11 +24,6 @@ variable "iam_path" {
   default     = null
 }
 
-variable "principals" {
-  type        = list(object({ type = string, identifiers = list(string) }))
-  description = "AWS IAM Principals which will be able to assume this role."
-}
-
 variable "max_session_duration" {
   type        = number
   description = "The maximum amount of time, in seconds, that a principal can assume this role."
@@ -55,6 +50,20 @@ variable "saml_idps" {
   EOF
 }
 
+
+variable "oidc" {
+  type = list(object(
+    {
+      idp_arn : string,          # the AWS IAM IDP arn
+      client_ids : list(string), # a list of oidc client ids
+      provider : string          # your provider url, such as foo.okta.com
+    }
+  ))
+
+  default     = []
+  description = "A list of AWS OIDC IDPs to establish a trust relationship for this role."
+}
+
 variable "role_name" {
   type        = string
   description = "IAM role name."
@@ -77,3 +86,9 @@ variable "attached_policies_names_arns" {
   description = "Map of policy names to the respective ARNs to be attached to the IAM role."
   default     = {}
 }
+
+variable "source_account_ids" {
+  type        = set(string)
+  default     = []
+  description = "The source AWS account IDs to establish a trust relationship. Ignored if empty or not provided."
+}
@@ -57,6 +57,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_at_edge"></a> [at\_edge](#input\_at\_edge) | Is this lambda going to be used with a Cloufront distribution? If you set this, you will not have control over log retention, and you cannot include environment variables. | `bool` | `false` | no |
+| <a name="input_datadog_enabled"></a> [datadog\_enabled](#input\_datadog\_enabled) | Indicates if Datadog integration is enabled (see https://www.datadoghq.com/blog/monitoring-aws-lambda-with-datadog/ for details). | `bool` | `true` | no |
 | <a name="input_env"></a> [env](#input\_env) | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | Map of environment variables. | `map(string)` | `{}` | no |
 | <a name="input_filename"></a> [filename](#input\_filename) | n/a | `string` | `null` | no |