feat: allow adding more audiences to the open id connect provider

terraform-aws-modules · Jun 17, 2021 · a96eec8 · a96eec8
1 parent 9022013
commit a96eec8
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,11 +7,12 @@ project adheres to [Semantic Versioning](http://semver.org/).
 
 <a name="unreleased"></a>
 ## [Unreleased]
-
+FEATURES:
+- Add `var.openid_connect_audiences` to allow users to add more audiences to the open id connect provider ([#1145](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1145))
 
 
 <a name="v17.1.0"></a>
-## [v17.1.0] - 2021-06-04
+## [v17.1.0] - 2021-06-09
 FEATURES:
 - Add support for Managed Node Groups (`node_groups`) taints ([#1424](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1424))
 - Allow to choose launch template version for Managed Node Groups when `create_launch_template` is set to `true` ([#1419](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1419))

diff --git a/README.md b/README.md
@@ -262,6 +262,7 @@ Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraf
 | <a name="input_map_users"></a> [map\_users](#input\_map\_users) | Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | <pre>list(object({<br>    userarn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_node_groups"></a> [node\_groups](#input\_node\_groups) | Map of map of node groups to create. See `node_groups` module's documentation for more details | `any` | `{}` | no |
 | <a name="input_node_groups_defaults"></a> [node\_groups\_defaults](#input\_node\_groups\_defaults) | Map of values to be applied to all node groups. See `node_groups` module's documentation for more details | `any` | `{}` | no |
+| <a name="input_openid_connect_audiences"></a> [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | List of OpenID Connect audience client IDs to add to the IRSA provider. | `list(string)` | `[]` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | A list of subnets to place the EKS cluster and workers within. | `list(string)` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources. Tags added to launch configuration or templates override these values for ASG Tags only. | `map(string)` | `{}` | no |

diff --git a/irsa.tf b/irsa.tf
@@ -9,7 +9,7 @@
 
 resource "aws_iam_openid_connect_provider" "oidc_provider" {
   count           = var.enable_irsa && var.create_eks ? 1 : 0
-  client_id_list  = [local.sts_principal]
+  client_id_list  = local.sts_principal
   thumbprint_list = [var.eks_oidc_root_ca_thumbprint]
   url             = flatten(concat(aws_eks_cluster.this[*].identity[*].oidc.0.issuer, [""]))[0]
 

diff --git a/local.tf b/local.tf
@@ -44,7 +44,7 @@ locals {
   )
 
   ec2_principal = "ec2.${data.aws_partition.current.dns_suffix}"
-  sts_principal = "sts.${data.aws_partition.current.dns_suffix}"
+  sts_principal = concat(["sts.${data.aws_partition.current.dns_suffix}"], var.openid_connect_audiences)
 
   policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
   workers_group_defaults_defaults = {

diff --git a/variables.tf b/variables.tf
@@ -393,3 +393,9 @@ variable "wait_for_cluster_timeout" {
   type        = number
   default     = 300
 }
+
+variable "openid_connect_audiences" {
+  description = "List of OpenID Connect audience client IDs to add to the IRSA provider."
+  type        = list(string)
+  default     = []
+}