fix: Allow customisation of trusted_role_actions in iam-assumable-rol…

…e module (#76)
terraform-aws-modules · May 26, 2020 · 5bb2ab9 · 5bb2ab9
1 parent 3b665db
commit 5bb2ab9
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/modules/iam-assumable-role/README.md b/modules/iam-assumable-role/README.md
@@ -39,6 +39,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
 | role\_requires\_mfa | Whether role requires MFA | `bool` | `true` | no |
 | tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
+| trusted\_role\_actions | Actions of STS | `list(string)` | <pre>[<br>  "sts:AssumeRole"<br>]</pre> | no |
 | trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
 | trusted\_role\_services | AWS Services that can assume these roles | `list(string)` | `[]` | no |
 

diff --git a/modules/iam-assumable-role/main.tf b/modules/iam-assumable-role/main.tf
@@ -2,7 +2,7 @@ data "aws_iam_policy_document" "assume_role" {
   statement {
     effect = "Allow"
 
-    actions = ["sts:AssumeRole"]
+    actions = var.trusted_role_actions
 
     principals {
       type        = "AWS"

diff --git a/modules/iam-assumable-role/variables.tf b/modules/iam-assumable-role/variables.tf
@@ -1,3 +1,9 @@
+variable "trusted_role_actions" {
+  description = "Actions of STS"
+  type        = list(string)
+  default     = ["sts:AssumeRole"]
+}
+
 variable "trusted_role_arns" {
   description = "ARNs of AWS entities who can assume these roles"
   type        = list(string)