feat: allow github actions to attach more assume role policies

chanzuckerberg · Oct 30, 2023 · 2e33003 · 2e33003
1 parent a2d7c4a
commit 2e33003
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/aws-iam-role-github-action/main.tf b/aws-iam-role-github-action/main.tf
@@ -7,10 +7,24 @@ locals {
 
 // https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws
 data "aws_iam_policy_document" "assume_role" {
+  dynamic "statement" {
+    for_each = var.authorized_aws_accounts
+
+    content {
+      sid = "AllowAssumeRoleFrom${statement.key}"
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${statement.value}:root"]
+      }
+      actions = ["sts:AssumeRole", "sts:TagSession"]
+      effect  = "Allow"
+    }
+  }
   dynamic "statement" {
     for_each = var.authorized_github_repos
 
     content {
+      sid = "AllowGithubActionsToAssumeRole"
       principals {
         type        = "Federated"
         identifiers = [local.idp_arn]

diff --git a/aws-iam-role-github-action/variables.tf b/aws-iam-role-github-action/variables.tf
@@ -25,3 +25,9 @@ variable "tags" {
 
   description = "Standard tagging."
 }
+
+variable "authorized_aws_accounts" {
+  type        = map(string)
+  description = "The map of authorized AWS accounts to assume the created role."
+  default     = {}
+}