terraform-aws-modules · antonbabenko · Jan 27, 2020 · Oct 11, 2019 · Oct 11, 2019 · Jan 27, 2020
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.21.0
+  rev: v1.24.0
   hooks:
     - id: terraform_fmt
     - id: terraform_docs

diff --git a/README.md b/README.md
@@ -61,6 +61,28 @@ module "iam_assumable_role" {
 }
 ```
 
+`iam-assumable-role-with-oidc`:
+```hcl
+module "iam_assumable_role" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = "~> 2.0"
+
+  create_role = true
+
+  role_name = "role-with-oidc"
+
+  tags = {
+    Role = "role-with-oidc"
+  }
+
+  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
+
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+  ]
+}
+```
+
 `iam-assumable-roles`:
 ```hcl
 module "iam_assumable_roles" {
@@ -231,6 +253,7 @@ Use [iam-policy module](https://github.com/terraform-aws-modules/terraform-aws-i
 
 * [iam-account](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-account) - Set AWS account alias and password policy
 * [iam-assumable-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-role) - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
+* [iam-assumable-role-with-oidc](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-role-with-oidc) - Create individual IAM role which can be assumed from specified subjects federated with a OIDC Identity Provider
 * [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create several IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
 * [iam-assumable-roles-with-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles-with-saml) - Create several IAM roles which can be assumed by users with a SAML Identity Provider
 * [iam-group-with-assumable-roles-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) - IAM group with users who are allowed to assume IAM roles in the same or in separate AWS account

diff --git a/examples/iam-account/README.md b/examples/iam-account/README.md
@@ -15,11 +15,19 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+No provider.
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | this\_caller\_identity\_account\_id | The ID of the AWS account |
-| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
+| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/iam-assumable-role-with-oidc/README.md b/examples/iam-assumable-role-with-oidc/README.md
@@ -0,0 +1,34 @@
+# Individual IAM assumable role example
+
+Configuration in this directory creates a single IAM role which can be assumed by trusted resources using OpenID Connect Federated Users.
+
+# Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+No provider.
+
+## Inputs
+
+No input.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| this\_iam\_role\_arn | ARN of IAM role |
+| this\_iam\_role\_name | Name of IAM role |
+| this\_iam\_role\_path | Path of IAM role |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/iam-assumable-role-with-oidc/main.tf b/examples/iam-assumable-role-with-oidc/main.tf
@@ -0,0 +1,24 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+###############################
+# IAM assumable role for admin
+###############################
+module "iam_assumable_role_admin" {
+  source = "../../modules/iam-assumable-role-with-iodc"
+
+  create_role = true
+
+  role_name = "role-with-oidc"
+
+  tags = {
+    Role = "role-with-oidc"
+  }
+
+  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
+
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+  ]
+}
diff --git a/examples/iam-assumable-role-with-oidc/outputs.tf b/examples/iam-assumable-role-with-oidc/outputs.tf
@@ -0,0 +1,14 @@
+output "this_iam_role_arn" {
+  description = "ARN of IAM role"
+  value       = module.iam_assumable_role_admin.this_iam_role_arn
+}
+
+output "this_iam_role_name" {
+  description = "Name of IAM role"
+  value       = module.iam_assumable_role_admin.this_iam_role_name
+}
+
+output "this_iam_role_path" {
+  description = "Path of IAM role"
+  value       = module.iam_assumable_role_admin.this_iam_role_path
+}
diff --git a/examples/iam-assumable-role/README.md b/examples/iam-assumable-role/README.md
@@ -17,6 +17,14 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+No provider.
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |

diff --git a/examples/iam-assumable-roles-with-saml/README.md b/examples/iam-assumable-roles-with-saml/README.md
@@ -15,6 +15,16 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |

diff --git a/examples/iam-assumable-roles/README.md b/examples/iam-assumable-roles/README.md
@@ -15,6 +15,14 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+No provider.
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |

diff --git a/examples/iam-group-complete/README.md b/examples/iam-group-complete/README.md
@@ -17,6 +17,14 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+No provider.
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |

diff --git a/examples/iam-group-with-assumable-roles-policy/README.md b/examples/iam-group-with-assumable-roles-policy/README.md
@@ -15,6 +15,17 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+| aws.production | n/a |
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |

diff --git a/examples/iam-group-with-policies/README.md b/examples/iam-group-with-policies/README.md
@@ -15,6 +15,16 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |

diff --git a/examples/iam-policy/README.md b/examples/iam-policy/README.md
@@ -15,6 +15,16 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |

diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md
@@ -16,14 +16,22 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+No provider.
+
+## Inputs
+
+No input.
+
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| keybase\_password\_decrypt\_command |  |
-| keybase\_password\_pgp\_message |  |
-| keybase\_secret\_key\_decrypt\_command |  |
-| keybase\_secret\_key\_pgp\_message |  |
+| keybase\_password\_decrypt\_command | n/a |
+| keybase\_password\_pgp\_message | n/a |
+| keybase\_secret\_key\_decrypt\_command | n/a |
+| keybase\_secret\_key\_pgp\_message | n/a |
 | pgp\_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
 | this\_iam\_access\_key\_encrypted\_secret | The encrypted secret, base64 encoded |
 | this\_iam\_access\_key\_id | The access key ID |

diff --git a/modules/iam-account/README.md b/modules/iam-account/README.md
@@ -22,22 +22,28 @@ Import successful!
 ``` 
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | ~> 2.23 |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| account\_alias | AWS IAM account alias for this account | string | n/a | yes |
-| allow\_users\_to\_change\_password | Whether to allow users to change their own password | bool | `"true"` | no |
-| create\_account\_password\_policy | Whether to create AWS IAM account password policy | bool | `"true"` | no |
-| get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | bool | `"true"` | no |
-| hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | bool | `"false"` | no |
-| max\_password\_age | The number of days that an user password is valid. | number | `"0"` | no |
-| minimum\_password\_length | Minimum length to require for user passwords | number | `"8"` | no |
-| password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | number | `"null"` | no |
-| require\_lowercase\_characters | Whether to require lowercase characters for user passwords | bool | `"true"` | no |
-| require\_numbers | Whether to require numbers for user passwords | bool | `"true"` | no |
-| require\_symbols | Whether to require symbols for user passwords | bool | `"true"` | no |
-| require\_uppercase\_characters | Whether to require uppercase characters for user passwords | bool | `"true"` | no |
+|------|-------------|------|---------|:-----:|
+| account\_alias | AWS IAM account alias for this account | `string` | n/a | yes |
+| allow\_users\_to\_change\_password | Whether to allow users to change their own password | `bool` | `true` | no |
+| create\_account\_password\_policy | Whether to create AWS IAM account password policy | `bool` | `true` | no |
+| get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | `bool` | `true` | no |
+| hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | `bool` | `false` | no |
+| max\_password\_age | The number of days that an user password is valid. | `number` | `0` | no |
+| minimum\_password\_length | Minimum length to require for user passwords | `number` | `8` | no |
+| password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | `number` | n/a | yes |
+| require\_lowercase\_characters | Whether to require lowercase characters for user passwords | `bool` | `true` | no |
+| require\_numbers | Whether to require numbers for user passwords | `bool` | `true` | no |
+| require\_symbols | Whether to require symbols for user passwords | `bool` | `true` | no |
+| require\_uppercase\_characters | Whether to require uppercase characters for user passwords | `bool` | `true` | no |
 
 ## Outputs
 
@@ -46,6 +52,6 @@ Import successful!
 | this\_caller\_identity\_account\_id | The AWS Account ID number of the account that owns or contains the calling entity |
 | this\_caller\_identity\_arn | The AWS ARN associated with the calling entity |
 | this\_caller\_identity\_user\_id | The unique identifier of the calling entity |
-| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
+| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/iam-account/versions.tf b/modules/iam-account/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_version = "~> 0.12.6"
+
+  required_providers {
+    aws = "~> 2.23"
+  }
+}
diff --git a/modules/iam-assumable-role-with-iodc/README.md b/modules/iam-assumable-role-with-iodc/README.md
@@ -0,0 +1,40 @@
+# iam-assumable-role-with-oidc
+
+Creates single IAM role which can be assumed by trusted resources using OpenID Connect Federated Users.
+
+[Creating IAM OIDC Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
+
+This module supports IAM Roles for kubernetes service accounts as described in the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). 
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | ~> 2.23 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| aws\_account\_id | The AWS account ID where the OIDC provider lives, leave empty to use the account fo the AWS provider | `string` | `""` | no |
+| create\_role | Whether to create a role | `bool` | `false` | no |
+| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
+| oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `list(string)` | `[]` | no |
+| oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `list(string)` | `[]` | no |
+| provider\_url | URL of the OIDC Provider | `string` | n/a | yes |
+| role\_name | IAM role name | `string` | `""` | no |
+| role\_path | Path of IAM role | `string` | `"/"` | no |
+| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
+| role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
+| tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| this\_iam\_role\_arn | ARN of IAM role |
+| this\_iam\_role\_name | Name of IAM role |
+| this\_iam\_role\_path | Path of IAM role |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->