
feat: Cross-account in iam-assumable-role-with-oidc #158

Conversation

cebidhem (Contributor) commented Jun 8, 2021

Description

This adds support for cross-account assumable role with OIDC

Motivation and Context

We have a use-case where an EKS service account in one account should be able to assume a role in an EKS cluster in another account.
Fixes #157

Breaking Changes

It doesn't bring a breaking change.

How Has This Been Tested?

  • I have tested and validated these changes using one or more of the provided examples/* projects

In my environment, the module iam-assumable-role-with-oidc is used as a submodule in our custom irsa terraform module.
I created a new irsa module, calling my updated terraform-aws-iam//modules/iam-assumable-role-with-oidc.
As a variable, I've set oidc_fully_qualified_audience to sts.amazonaws.com and then ran tf apply

Below is the relevant part of it:

  # module.k8s_crossaccount_irsa.module.iam_assumable_role_with_oidc.aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRoleWithWebIdentity"
                      + Condition = {
                          + StringLike = {
                              + oidc.eks.eu-west-1.amazonaws.com/id/my_oidc_provider_id:aud = [
                                  + "sts.amazonaws.com",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/my_oidc_provider_id"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "cluster-a-test-role"
      + path                  = "/"
      + tags                  = {
          + "Role" = "role-with-oidc"
        }
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # module.k8s_crossaccount_irsa.module.iam_assumable_role_with_oidc.aws_iam_role_policy_attachment.custom[0] will be created
  + resource "aws_iam_role_policy_attachment" "custom" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "cluster-a-test-role"
    }

terraform version: v0.14.6
aws provider version: v3.37.0
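The trust policy in the plan above pins the Federated principal to an OIDC provider ARN in another account and restricts only the `:aud` claim. The following is an added example (not code from this module or from the PR author) that builds a policy of that shape in Python and audits it for the common IRSA gap of restricting the audience but not the `:sub` claim; the account ID and provider ID are the placeholder values from the plan, and the service-account name is constructed.

```python
"""Build and audit a cross-account IRSA trust policy (added example, not module code).

The shape mirrors the assume_role_policy in the plan output above: the Federated
principal is the OIDC provider ARN in the account that owns the EKS cluster, which
may differ from the account that owns the role. Account ID and provider values
used here are constructed placeholders.
"""

WEB_IDENTITY_ACTION = "sts:AssumeRoleWithWebIdentity"


def build_irsa_trust_policy(provider_account_id, provider_url, audiences, subjects=()):
    """Return a trust policy dict for an OIDC (IRSA) role.

    provider_account_id: account owning the EKS OIDC provider (the cluster's account).
    provider_url: OIDC issuer host, e.g. 'oidc.eks.eu-west-1.amazonaws.com/id/<id>'.
    audiences: values for the '<provider_url>:aud' condition key.
    subjects: optional 'system:serviceaccount:<ns>:<sa>' values for '<provider_url>:sub'.
    """
    condition = {f"{provider_url}:aud": list(audiences)}
    if subjects:
        condition[f"{provider_url}:sub"] = list(subjects)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Action": WEB_IDENTITY_ACTION,
            "Principal": {"Federated": f"arn:aws:iam::{provider_account_id}:oidc-provider/{provider_url}"},
            "Condition": {"StringLike": condition},
        }],
    }


def audit_trust_policy(policy):
    """Flag web-identity Allow statements that pin only ':aud' and not ':sub'.

    With only the audience pinned, any service account the cluster's OIDC provider
    vouches for can assume the role; a ':sub' condition names allowed namespaces/SAs.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or WEB_IDENTITY_ACTION not in actions:
            continue
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if not any(k.endswith(":sub") for k in keys):
            findings.append(f"statement '{stmt.get('Sid', '')}': no ':sub' condition")
    return findings
```

Running `audit_trust_policy` over the policy from the plan (audience only) yields one finding; passing a `subjects` list such as `["system:serviceaccount:kube-system:my-sa"]` clears it.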

@cebidhem cebidhem changed the title Add support for cross-account assumable role with OIDC Features support for cross-account assumable role with OIDC Jun 8, 2021
@cebidhem cebidhem marked this pull request as ready for review June 8, 2021 12:18
@cebidhem cebidhem changed the title Features support for cross-account assumable role with OIDC Feat: Support cross-account assumable role with OIDC Jun 8, 2021
@cebidhem cebidhem changed the title Feat: Support cross-account assumable role with OIDC feat: Support cross-account assumable role with OIDC Jun 8, 2021
@cebidhem cebidhem changed the title feat: Support cross-account assumable role with OIDC feat: Cross-account in iam-assumable-role-with-oidc Jun 8, 2021
cebidhem (Contributor, Author) commented
Hi @antonbabenko,

I saw the pre-commit hook issue, so I've run it locally but it changes almost all - if not all - the README.md files of the project. I'm pretty sure these changes are unwanted, but maybe I'm doing it wrong.
Could you please point me at the right way of passing this job?

dgoradia commented Aug 18, 2021

Can this be merged? Would be useful for my use-case at least.

xometry-johnny commented

Same. We have a need for this as well.

@antonbabenko antonbabenko merged commit 2e9cacc into terraform-aws-modules:master Aug 18, 2021
antonbabenko (Member) commented

Here we go! Thank you, @cebidhem for the addition!

v4.3.0 has just been released.

github-actions bot commented Nov 9, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2022
Successfully merging this pull request may close these issues.

Add a cross-account possibility for iam-assumable-role-with-oidc