feat: Extended trusted_entities variable to support multiple types

[flibustier]

Description

This change allows a better customization for the trusted entities used in the assume role policy

For example :

trusted_entities = [
    {
      type = "AWS",
      identifiers = ["arn:aws:sts::XXXXXXXXXXXX:assumed-role/OktaRoleForXXX/xxxx@xxxx"]
    }
]

Motivation and Context

Currently, trusted_entities input variable only accepts a list of strings which is added to the type Service of the assume role Principal.

For example:

trusted_entities = ["service.amazonaws.com"]

Will be interpreted as :

Principal = {
   ~ Service = "lambda.amazonaws.com" -> [
      + "lambda.amazonaws.com",
      + "service.amazonaws.com",
    ]
}

In the issue #138 I explain that we need a AWS Principal in our assume role (the goal is to execute lambda in local using its assume role).

Breaking Changes

This first version overwrites trusted_entities input variable. It was previously a list of (service only) strings, and now becomes a list of objects consisting of a type string (like Service or AWS) and an identifiers array of strings (like an array of services URL as before or a list of ARNs), which will break previous usages of this variable as a list of strings.

But It could also be moved to another input variable so it doesn’t break the current trusted_entities input variable. The only thing that is missing is a good variable name which reflects the openness of the input variable compared to the current trusted_entities, which actually seems to be a trusted_services_entities.

How Has This Been Tested?

• I have tested and validated these changes using one or more of the provided examples/* projects

• I have executed the code in our project and it results in a good terraform plan :

module.lambda.aws_iam_role.lambda[0] will be updated in-place
  ~ resource "aws_iam_role" "lambda" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          + AWS     = [
                              + "arn:aws:sts::XXXXXXXXXXX:assumed-role/OktaRoleForXXX/xxx@xxx",
                            ]
                            # (1 unchanged element hidden)
                        }
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        # (7 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Thank you for your help and your fantastic work on this module 👏

[antonbabenko]

I like the proposal and it will be even better if you actually update code in examples/complete to show this for real.

[antonbabenko]

Could you change this to list(any) and use try() to make this PR backward compatible and support previous values also.

I think it should be rather straightforward. Let me know if you have questions.

[flibustier]

It’s a very good idea, I will try this and keep you informed on this, thank you very much !

[flibustier]

I’ve updated the pull request using try but I’m not very familiar with it so don’t hesitate to give me your feedback/modifications
Thank you !

[antonbabenko]

Thanks @flibustier !

I have updated the code and examples.

v1.47.0 has been just released.

[flibustier]

Great job! I successfully tested it in our project!

Thanks so much!! 🎉

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.