From 40d923e52eae1967df4f2334e7ed149915a5b959 Mon Sep 17 00:00:00 2001
From: Hayden Spitzley
Date: Tue, 23 Jul 2024 12:07:53 -0600
Subject: [PATCH 1/3] feat: add jwt_condition option to oidc variable for IAM trust relationships
---
 aws-assume-role-policy/main.tf | 2 +-
 aws-assume-role-policy/variables.tf | 3 ++-
 aws-iam-role-crossacct/variables.tf | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/aws-assume-role-policy/main.tf b/aws-assume-role-policy/main.tf
index 7cbce948..85e766b7 100644
--- a/aws-assume-role-policy/main.tf
+++ b/aws-assume-role-policy/main.tf
@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "assume-role" {
 actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
 condition {
 test = "StringEquals"
- variable = "${oidc.value["provider"]}:aud"
+ variable = "${oidc.value["provider"]}:${length(oidc.value["jwt_condition"]) > 0 ? oidc.value["jwt_condition"] : "aud"}"
 values = oidc.value["client_ids"]
 }
 }
diff --git a/aws-assume-role-policy/variables.tf b/aws-assume-role-policy/variables.tf
index 848d0a46..fb61b12d 100644
--- a/aws-assume-role-policy/variables.tf
+++ b/aws-assume-role-policy/variables.tf
@@ -40,7 +40,8 @@ variable "oidc" {
 {
 idp_arn : string, # the AWS IAM IDP arn
 client_ids : list(string), # a list of oidc client ids
- provider : string # your provider url, such as foo.okta.com
+ provider : string, # your provider url, such as foo.okta.com
+ jwt_condition: string # the condition to allow the JWT token
 }
 ))
 default = []
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index 8962fef7..32eb947d 100755
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
@@ -31,7 +31,8 @@ variable "oidc" {
 {
 idp_arn : string, # the AWS IAM IDP arn
 client_ids : list(string), # a list of oidc client ids
- provider : string # your provider url, such as foo.okta.com
+ provider : string, # your provider url, such as foo.okta.com
+ jwt_condition: string # the condition to allow the JWT token
 }
 ))
From 35dda2fcffceeb8a942d941be96ca9e13b40aebf Mon Sep 17 00:00:00 2001
From: Hayden Spitzley
Date: Tue, 23 Jul 2024 13:14:34 -0600
Subject: [PATCH 2/3] use default
---
 aws-assume-role-policy/main.tf | 2 +-
 aws-assume-role-policy/variables.tf | 8 ++++----
 aws-assume-role-policy/versions.tf | 3 +++
 aws-iam-role-crossacct/versions.tf | 3 +++
 4 files changed, 11 insertions(+), 5 deletions(-)
 create mode 100644 aws-assume-role-policy/versions.tf
 create mode 100644 aws-iam-role-crossacct/versions.tf
diff --git a/aws-assume-role-policy/main.tf b/aws-assume-role-policy/main.tf
index 85e766b7..1fb34378 100644
--- a/aws-assume-role-policy/main.tf
+++ b/aws-assume-role-policy/main.tf
@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "assume-role" {
 actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
 condition {
 test = "StringEquals"
- variable = "${oidc.value["provider"]}:${length(oidc.value["jwt_condition"]) > 0 ? oidc.value["jwt_condition"] : "aud"}"
+ variable = "${oidc.value["provider"]}:${oidc.value["jwt_condition"]}"
 values = oidc.value["client_ids"]
 }
 }
diff --git a/aws-assume-role-policy/variables.tf b/aws-assume-role-policy/variables.tf
index fb61b12d..e5efe086 100644
--- a/aws-assume-role-policy/variables.tf
+++ b/aws-assume-role-policy/variables.tf
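Review bot: With a single condition block, setting `jwt_condition` to any claim other than `aud` drops the audience check from the trust policy entirely, so the role would then trust any token from that provider whose chosen claim matches one of `client_ids`, regardless of which client the token was actually issued to. Keeping the `aud` condition unconditionally and adding the caller-chosen claim as a second condition with its own values list would preserve the existing guarantee; reusing `values = oidc.value["client_ids"]` for a non-audience claim also mislabels what those values are. The `test` stays hard-coded to `StringEquals`, so claims that need pattern matching cannot be expressed — worth stating in the variable's description. The enclosing `data "aws_iam_policy_document" "assume-role"` block starts and ends outside the hunk.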
@@ -38,10 +38,10 @@ variable "saml_idp_arns" {
 variable "oidc" {
 type = list(object(
 {
- idp_arn : string, # the AWS IAM IDP arn
- client_ids : list(string), # a list of oidc client ids
- provider : string, # your provider url, such as foo.okta.com
- jwt_condition: string # the condition to allow the JWT token
+ idp_arn : string, # the AWS IAM IDP arn
+ client_ids : list(string), # a list of oidc client ids
+ provider : string, # your provider url, such as foo.okta.com
+ jwt_condition: optional(string, "aud") # the condition to allow the JWT token
 }
 ))
 default = []
diff --git a/aws-assume-role-policy/versions.tf b/aws-assume-role-policy/versions.tf
new file mode 100644
index 00000000..12ad22ab
--- /dev/null
+++ b/aws-assume-role-policy/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 1.3.0"
+}
diff --git a/aws-iam-role-crossacct/versions.tf b/aws-iam-role-crossacct/versions.tf
new file mode 100644
index 00000000..12ad22ab
--- /dev/null
+++ b/aws-iam-role-crossacct/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 1.3.0"
+}
From 059a9b558f00a8b1ce299b1cecee62c8559c323b Mon Sep 17 00:00:00 2001
From: Hayden Spitzley
Date: Wed, 24 Jul 2024 09:00:56 -0600
Subject: [PATCH 3/3] make string optional
---
 aws-iam-role-crossacct/variables.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index 32eb947d..df65574f 100755
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
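Review bot: The comment on the new `jwt_condition` attribute, `# the condition to allow the JWT token`, does not say what the value is; main.tf interpolates it as the claim name after `provider:`, so something like `# name of the JWT claim compared against client_ids in the trust policy; defaults to "aud"` would tell callers what to supply and what the default preserves. Patch 3 declares the same attribute in aws-iam-role-crossacct/variables.tf as `optional(string)` with no default, so the two modules disagree; if crossacct passes its `oidc` value through to this module the null is presumably replaced by this `"aud"` default on Terraform >= 1.3, but if it is consumed elsewhere the interpolation would see null — confirm and align the two declarations. The `optional(...)` syntax is the reason versions.tf now requires `>= 1.3.0`, which is worth a sentence in the module docs.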
@@ -29,10 +29,10 @@ variable "source_role_arns" {
 variable "oidc" {
 type = list(object(
 {
- idp_arn : string, # the AWS IAM IDP arn
- client_ids : list(string), # a list of oidc client ids
- provider : string, # your provider url, such as foo.okta.com
- jwt_condition: string # the condition to allow the JWT token
+ idp_arn : string, # the AWS IAM IDP arn
+ client_ids : list(string), # a list of oidc client ids
+ provider : string, # your provider url, such as foo.okta.com
+ jwt_condition: optional(string) # the condition to allow the JWT token
 }
 ))