search

terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0
790 stars 1.01k forks source link

Add more options for generating trust policy #535

Open enver-multibank opened 1 week ago

enver-multibank commented 1 week ago

Description

Trust role policy generated for IAM role does not have controls for conditionals like aws:SourceArn, aws:SourceAccount, aws:SourceOrgID, or aws:SourceOrgPaths used for confused deputy problem prevention. Workaround for the problem is to provide custom trust policy with appropriate conditions for role assumption, however I think we should promote good security practices and have some of these controls added to role modules and perhaps enabled by default at some point in the future.

If approved I'm willing to submit PR (for start maybe just one conditional, like aws:SourceAccount) with backward compatible changes to test it out.

Versions

Steps to reproduce the behavior:

module "test_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "5.28.0"

  trusted_role_services = [
    "ec2.amazonaws.com"
  ]

  create_role             = true
  create_instance_profile = true

  role_name         = "test_role"
  role_description  = "Test role"
  role_requires_mfa = false

  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  ]
}

Generated trust policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRole"
            ]
        }
    ]
}

Expected behavior

We should be able to generate policy like this 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRole"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<account id>"
                }
            }
        }
    ]
}

Actual behavior

There is no option to add conditions except for: aws:PrincipalArn

Terminal Output Screenshot(s)

Additional context

enver-multibank commented 4 days ago

@tbalzer Do you plan to submit PR?