feat: Add support for OIDC policy conditions

terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦

https://registry.terraform.io/modules/terraform-aws-modules/iam/aws

Apache License 2.0

779 stars 985 forks source link

feat: Add support for OIDC policy conditions #480

Closed fatmcgav closed 1 month ago

fatmcgav commented 4 months ago

Description

This commit adds support to the iam-assumable-role-with-oidc module for adding policy conditions constraints [1]

Also add an example showing use with aws:RequestTag session tag match [2].

[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition [2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html

Motivation and Context

AWS STS session tags allow for additional control when using the AssumeRoleWithWebIdentity authentication call.

Breaking Changes

None

How Has This Been Tested?

[x] I have updated at least one of the examples/* to demonstrate and validate my change(s)
[x] I have tested and validated these changes using one or more of the provided examples/* projects
[x] I have executed pre-commit run -a on my pull request

bryantbiggs commented 4 months ago

this looks like you are looking for the https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts-eks instead - using that sub-module, is this change still warranted? I'm thinking no

fatmcgav commented 4 months ago

Hey @bryantbiggs ...

So I think this change is still valid, as I'm using session tags in combination with an external OIDC provider, in this case env0. Docs are here: https://docs.env0.com/docs/oidc-with-aws#custom-claims-with-aws-session-tags-optional

github-actions[bot] commented 3 months ago

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days

fatmcgav commented 3 months ago

@bryantbiggs / @antonbabenko Any chance of a review on this one? 👍

github-actions[bot] commented 2 months ago

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days

yaroslav-nakonechnikov commented 2 months ago

ping

yaroslav-nakonechnikov commented 2 months ago

as i understand, it also covers https://github.com/terraform-aws-modules/terraform-aws-iam/issues/426 in different way

fatmcgav commented 2 months ago

@bryantbiggs I've updated this PR following the discussion we had on https://github.com/terraform-aws-modules/terraform-aws-iam/pull/479#issuecomment-2203812126

fatmcgav commented 2 months ago

@bryantbiggs OK, I've tweaked the PR to make it more generic. I did make one tweak to your suggestions, which was to call the variable polcy_conditions rather than prvovider_conditions, as I think the former is closer to the docs.

PTAL 👍

github-actions[bot] commented 1 month ago

This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days

fatmcgav commented 1 month ago

Apologies, just noticed the failed pre-commit check... Have fixed that now so should be good 🤞

antonbabenko commented 1 month ago

This PR is included in version 5.44.0 :tada:

github-actions[bot] commented 11 hours ago

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.