From 5039e10b5dc3f4129018f3ca19aab68c7e75fbf4 Mon Sep 17 00:00:00 2001 From: Philipp <38048417+philslab-ninja@users.noreply.github.com> Date: Thu, 11 Jul 2024 15:55:31 +0200 Subject: [PATCH 1/8] feat: Adding sse-kms support for Mountpoint S3 CSI driver EKS IRSA (#493) Co-authored-by: Bryant Biggs --- modules/iam-role-for-service-accounts-eks/README.md | 1 + .../iam-role-for-service-accounts-eks/policies.tf | 12 ++++++++++++ .../iam-role-for-service-accounts-eks/variables.tf | 6 ++++++ wrappers/iam-role-for-service-accounts-eks/main.tf | 1 + 4 files changed, 20 insertions(+) diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index a59b2277..1e9ba95d 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md @@ -233,6 +233,7 @@ No modules. | [load\_balancer\_controller\_targetgroup\_arns](#input\_load\_balancer\_controller\_targetgroup\_arns) | List of Target groups ARNs using Load Balancer Controller | `list(string)` |
[
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
]
| no | | [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no | | [mountpoint\_s3\_csi\_bucket\_arns](#input\_mountpoint\_s3\_csi\_bucket\_arns) | S3 bucket ARNs to allow Mountpoint S3 CSI to list buckets | `list(string)` | `[]` | no | +| [mountpoint\_s3\_csi\_kms\_arns](#input\_mountpoint\_s3\_csi\_kms\_arns) | KMS Key ARNs to allow Mountpoint S3 CSI driver to download and upload Objects of a S3 bucket using `aws:kms` SSE | `list(string)` | `[]` | no | | [mountpoint\_s3\_csi\_path\_arns](#input\_mountpoint\_s3\_csi\_path\_arns) | S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true` | `list(string)` | `[]` | no | | [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` |
[
"*"
]
| no | | [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider_arn` and `namespace_service_accounts` | `any` | `{}` | no | diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index 49317400..d40428fe 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -447,6 +447,18 @@ data "aws_iam_policy_document" "mountpoint_s3_csi" { ] resources = var.mountpoint_s3_csi_path_arns } + + dynamic "statement" { + for_each = length(var.mountpoint_s3_csi_kms_arns) > 0 ? [1] : [] + content { + actions = [ + "kms:GenerateDataKey", + "kms:Decrypt" + ] + + resources = var.mountpoint_s3_csi_kms_arns + } + } } resource "aws_iam_policy" "mountpoint_s3_csi" { diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf index dc73fd33..9e2f1e4f 100644 --- a/modules/iam-role-for-service-accounts-eks/variables.tf +++ b/modules/iam-role-for-service-accounts-eks/variables.tf @@ -158,6 +158,12 @@ variable "mountpoint_s3_csi_bucket_arns" { default = [] } +variable "mountpoint_s3_csi_kms_arns" { + description = "KMS Key ARNs to allow Mountpoint S3 CSI driver to download and upload Objects of a S3 bucket using `aws:kms` SSE" + type = list(string) + default = [] +} + variable "mountpoint_s3_csi_path_arns" { description = "S3 path ARNs to allow Mountpoint S3 CSI driver to manage items at the provided path(s). This is required if `attach_mountpoint_s3_csi_policy = true`" type = list(string) diff --git a/wrappers/iam-role-for-service-accounts-eks/main.tf b/wrappers/iam-role-for-service-accounts-eks/main.tf index 291e570e..ece2521c 100644 --- a/wrappers/iam-role-for-service-accounts-eks/main.tf +++ b/wrappers/iam-role-for-service-accounts-eks/main.tf 
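Review bot: The new KMS statement in `mountpoint_s3_csi` grants `kms:GenerateDataKey` and `kms:Decrypt` on the listed keys without any condition, so the pod's IRSA credentials can call KMS directly with those keys rather than only through S3. Since the variable description says the keys are for SSE-KMS on S3 objects, a `kms:ViaService` condition restricting use to the S3 service endpoints would match the stated intent and limit blast radius if the credentials leak; the exact region wildcard below is a suggestion, not something the hunk pins down. The enclosing `aws_iam_policy_document` starts before this hunk.
```hcl
      resources = var.mountpoint_s3_csi_kms_arns

      # Only allow the key to be used through S3 (SSE-KMS), not by direct KMS calls from the pod
      condition {
        test     = "StringLike"
        variable = "kms:ViaService"
        values   = ["s3.*.amazonaws.com"]
      }
```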
@@ -48,6 +48,7 @@ module "wrapper" { load_balancer_controller_targetgroup_arns = try(each.value.load_balancer_controller_targetgroup_arns, var.defaults.load_balancer_controller_targetgroup_arns, ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"]) max_session_duration = try(each.value.max_session_duration, var.defaults.max_session_duration, null) mountpoint_s3_csi_bucket_arns = try(each.value.mountpoint_s3_csi_bucket_arns, var.defaults.mountpoint_s3_csi_bucket_arns, []) + mountpoint_s3_csi_kms_arns = try(each.value.mountpoint_s3_csi_kms_arns, var.defaults.mountpoint_s3_csi_kms_arns, []) mountpoint_s3_csi_path_arns = try(each.value.mountpoint_s3_csi_path_arns, var.defaults.mountpoint_s3_csi_path_arns, []) node_termination_handler_sqs_queue_arns = try(each.value.node_termination_handler_sqs_queue_arns, var.defaults.node_termination_handler_sqs_queue_arns, ["*"]) oidc_providers = try(each.value.oidc_providers, var.defaults.oidc_providers, {}) From 88435a9dfab0b038fae753ae79dfa1a3bea01710 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 11 Jul 2024 13:55:59 +0000 Subject: [PATCH 2/8] chore(release): version 5.41.0 [skip ci] ## [5.41.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.40.0...v5.41.0) (2024-07-11) ### Features * Adding sse-kms support for Mountpoint S3 CSI driver EKS IRSA ([#493](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/493)) ([5039e10](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/5039e10b5dc3f4129018f3ca19aab68c7e75fbf4)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6ec4373..91f870c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.41.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.40.0...v5.41.0) (2024-07-11) + + +### Features + +* Adding sse-kms support for Mountpoint S3 CSI driver EKS IRSA ([#493](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/493)) ([5039e10](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/5039e10b5dc3f4129018f3ca19aab68c7e75fbf4)) + ## [5.40.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.39.1...v5.40.0) (2024-07-05) From 88ee443b60ecaf542ec221eb4aa8a4c4b3bfa70b Mon Sep 17 00:00:00 2001 
From: Shaun Becker <6895147+shaunofneuron@users.noreply.github.com> Date: Mon, 29 Jul 2024 15:41:27 -0600 Subject: [PATCH 3/8] feat: Add cloudwatch logs policy to vpc-cni for networkpolicy logging (#504) Co-authored-by: Shaun Becker Co-authored-by: Bryant Biggs --- .pre-commit-config.yaml | 5 ++--- .../iam-role-for-service-accounts-eks/main.tf | 7 ++++--- .../iam-role-for-service-accounts-eks/README.md | 1 + .../iam-role-for-service-accounts-eks/policies.tf | 15 +++++++++++++++ .../variables.tf | 6 ++++++ wrappers/iam-account/versions.tf | 9 ++++++++- wrappers/iam-assumable-role-with-oidc/versions.tf | 9 ++++++++- wrappers/iam-assumable-role-with-saml/versions.tf | 9 ++++++++- wrappers/iam-assumable-role/versions.tf | 9 ++++++++- .../iam-assumable-roles-with-saml/versions.tf | 9 ++++++++- wrappers/iam-assumable-roles/versions.tf | 9 ++++++++- wrappers/iam-eks-role/versions.tf | 9 ++++++++- wrappers/iam-github-oidc-provider/versions.tf | 13 ++++++++++++- wrappers/iam-github-oidc-role/versions.tf | 9 ++++++++- .../versions.tf | 9 ++++++++- wrappers/iam-group-with-policies/versions.tf | 9 ++++++++- wrappers/iam-policy/versions.tf | 9 ++++++++- wrappers/iam-read-only-policy/versions.tf | 9 ++++++++- .../iam-role-for-service-accounts-eks/main.tf | 1 + .../iam-role-for-service-accounts-eks/versions.tf | 9 ++++++++- wrappers/iam-user/versions.tf | 9 ++++++++- 21 files changed, 153 insertions(+), 21 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7c0a310c..b567c521 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.88.0 + rev: v1.92.0 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each 
@@ -22,10 +22,9 @@ repos: - '--args=--only=terraform_required_providers' - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - - '--args=--only=terraform_unused_required_providers' - id: terraform_validate - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf index 454d8f13..a38319a7 100644 --- a/examples/iam-role-for-service-accounts-eks/main.tf +++ b/examples/iam-role-for-service-accounts-eks/main.tf @@ -340,9 +340,10 @@ module "velero_irsa_role" { module "vpc_cni_ipv4_irsa_role" { source = "../../modules/iam-role-for-service-accounts-eks" - role_name = "vpc-cni-ipv4" - attach_vpc_cni_policy = true - vpc_cni_enable_ipv4 = true + role_name = "vpc-cni-ipv4" + attach_vpc_cni_policy = true + vpc_cni_enable_ipv4 = true + vpc_cni_enable_cloudwatch_logs = true oidc_providers = { ex = { diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md index 1e9ba95d..b335f311 100644 --- a/modules/iam-role-for-service-accounts-eks/README.md +++ b/modules/iam-role-for-service-accounts-eks/README.md @@ -246,6 +246,7 @@ No modules. | [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no | | [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no | | [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` |
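Review bot: Dropping the `terraform_unused_required_providers` tflint rule removes that check for every module in the repository, not just the wrappers that gain `required_providers` blocks later in this patch. If the rule was removed because the wrapper modules declare providers they do not reference directly (which is what the later hunks suggest, though the commit does not say), a narrower option is to keep the argument and add `exclude: ^wrappers/` on the tflint hook so the real modules are still linted. The hook list continues outside this hunk.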
[
"*"
]
| no | +| [vpc\_cni\_enable\_cloudwatch\_logs](#input\_vpc\_cni\_enable\_cloudwatch\_logs) | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no | | [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no | | [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no | diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf index d40428fe..eb92383f 100644 --- a/modules/iam-role-for-service-accounts-eks/policies.tf +++ b/modules/iam-role-for-service-accounts-eks/policies.tf @@ -1480,6 +1480,21 @@ data "aws_iam_policy_document" "vpc_cni" { } } + # https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup + dynamic "statement" { + for_each = var.vpc_cni_enable_cloudwatch_logs ? [1] : [] + content { + sid = "CloudWatchLogs" + actions = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + ] + resources = ["*"] + } + } + statement { sid = "CreateTags" actions = ["ec2:CreateTags"] diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf index 9e2f1e4f..91e7d811 100644 --- a/modules/iam-role-for-service-accounts-eks/variables.tf +++ b/modules/iam-role-for-service-accounts-eks/variables.tf 
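Review bot: The new `CloudWatchLogs` statement in `vpc_cni` uses `resources = ["*"]`, which lets the CNI role create log groups and write events to any log group in the account, while the same module already scopes comparable grants through a variable (`velero_s3_bucket_arns`, shown above defaulting to `["*"]`). Following that pattern, `resources = var.vpc_cni_cloudwatch_log_group_arns` with a `["*"]` default would keep backwards compatibility and let operators restrict the grant to the log group the network policy agent writes to (its name is not established by this hunk, so the default should stay `*`); `logs:DescribeLogGroups` may still need `*` and could be split into its own statement if that turns out to be the case. The `vpc_cni` policy document starts before and continues after this hunk.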
@@ -351,6 +351,12 @@ variable "attach_vpc_cni_policy" { default = false } +variable "vpc_cni_enable_cloudwatch_logs" { + description = "Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events" + type = bool + default = false +} + variable "vpc_cni_enable_ipv4" { description = "Determines whether to enable IPv4 permissions for VPC CNI policy" type = bool diff --git a/wrappers/iam-account/versions.tf b/wrappers/iam-account/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-account/versions.tf +++ b/wrappers/iam-account/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-assumable-role-with-oidc/versions.tf b/wrappers/iam-assumable-role-with-oidc/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-assumable-role-with-oidc/versions.tf +++ b/wrappers/iam-assumable-role-with-oidc/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-assumable-role-with-saml/versions.tf b/wrappers/iam-assumable-role-with-saml/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-assumable-role-with-saml/versions.tf +++ b/wrappers/iam-assumable-role-with-saml/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-assumable-role/versions.tf b/wrappers/iam-assumable-role/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-assumable-role/versions.tf +++ b/wrappers/iam-assumable-role/versions.tf 
@@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-assumable-roles-with-saml/versions.tf b/wrappers/iam-assumable-roles-with-saml/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-assumable-roles-with-saml/versions.tf +++ b/wrappers/iam-assumable-roles-with-saml/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-assumable-roles/versions.tf b/wrappers/iam-assumable-roles/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-assumable-roles/versions.tf +++ b/wrappers/iam-assumable-roles/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-eks-role/versions.tf b/wrappers/iam-eks-role/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-eks-role/versions.tf +++ b/wrappers/iam-eks-role/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-github-oidc-provider/versions.tf b/wrappers/iam-github-oidc-provider/versions.tf index 51cad108..3501ad27 100644 --- a/wrappers/iam-github-oidc-provider/versions.tf +++ b/wrappers/iam-github-oidc-provider/versions.tf @@ -1,3 +1,14 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + tls = { + source = "hashicorp/tls" + version = ">= 3.0" + } + } } 
diff --git a/wrappers/iam-github-oidc-role/versions.tf b/wrappers/iam-github-oidc-role/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-github-oidc-role/versions.tf +++ b/wrappers/iam-github-oidc-role/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-group-with-assumable-roles-policy/versions.tf b/wrappers/iam-group-with-assumable-roles-policy/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-group-with-assumable-roles-policy/versions.tf +++ b/wrappers/iam-group-with-assumable-roles-policy/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-group-with-policies/versions.tf b/wrappers/iam-group-with-policies/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-group-with-policies/versions.tf +++ b/wrappers/iam-group-with-policies/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-policy/versions.tf b/wrappers/iam-policy/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-policy/versions.tf +++ b/wrappers/iam-policy/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-read-only-policy/versions.tf b/wrappers/iam-read-only-policy/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-read-only-policy/versions.tf +++ b/wrappers/iam-read-only-policy/versions.tf 
@@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-role-for-service-accounts-eks/main.tf b/wrappers/iam-role-for-service-accounts-eks/main.tf index ece2521c..11e4a2ae 100644 --- a/wrappers/iam-role-for-service-accounts-eks/main.tf +++ b/wrappers/iam-role-for-service-accounts-eks/main.tf @@ -61,6 +61,7 @@ module "wrapper" { role_policy_arns = try(each.value.role_policy_arns, var.defaults.role_policy_arns, {}) tags = try(each.value.tags, var.defaults.tags, {}) velero_s3_bucket_arns = try(each.value.velero_s3_bucket_arns, var.defaults.velero_s3_bucket_arns, ["*"]) + vpc_cni_enable_cloudwatch_logs = try(each.value.vpc_cni_enable_cloudwatch_logs, var.defaults.vpc_cni_enable_cloudwatch_logs, false) vpc_cni_enable_ipv4 = try(each.value.vpc_cni_enable_ipv4, var.defaults.vpc_cni_enable_ipv4, false) vpc_cni_enable_ipv6 = try(each.value.vpc_cni_enable_ipv6, var.defaults.vpc_cni_enable_ipv6, false) } diff --git a/wrappers/iam-role-for-service-accounts-eks/versions.tf b/wrappers/iam-role-for-service-accounts-eks/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-role-for-service-accounts-eks/versions.tf +++ b/wrappers/iam-role-for-service-accounts-eks/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } diff --git a/wrappers/iam-user/versions.tf b/wrappers/iam-user/versions.tf index 51cad108..d8dd1a44 100644 --- a/wrappers/iam-user/versions.tf +++ b/wrappers/iam-user/versions.tf @@ -1,3 +1,10 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + } } From 017c21af990a2972eb2fbe8b30a9d104ab9b8320 Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Mon, 29 Jul 2024 21:41:54 +0000 Subject: [PATCH 4/8] chore(release): version 5.42.0 [skip ci] ## [5.42.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.41.0...v5.42.0) (2024-07-29) ### Features * Add cloudwatch logs policy to vpc-cni for networkpolicy logging ([#504](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/504)) ([88ee443](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/88ee443b60ecaf542ec221eb4aa8a4c4b3bfa70b)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91f870c1..180452fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.42.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.41.0...v5.42.0) (2024-07-29) + + +### Features + +* Add cloudwatch logs policy to vpc-cni for networkpolicy logging ([#504](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/504)) ([88ee443](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/88ee443b60ecaf542ec221eb4aa8a4c4b3bfa70b)) + ## [5.41.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.40.0...v5.41.0) (2024-07-11) From 56e436441a2064ddfba6db379993127937aa7f28 Mon Sep 17 00:00:00 2001 From: TomasKohout Date: Mon, 5 Aug 2024 15:11:02 +0200 Subject: [PATCH 5/8] feat: Allow changing iss for the github oidc role (#507) Signed-off-by: Tomas Kohout Co-authored-by: Tomas Kohout --- modules/iam-github-oidc-role/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/iam-github-oidc-role/main.tf b/modules/iam-github-oidc-role/main.tf index a2cd2905..5f63dcdd 100644 --- a/modules/iam-github-oidc-role/main.tf +++ b/modules/iam-github-oidc-role/main.tf 
@@ -31,8 +31,8 @@ data "aws_iam_policy_document" "this" { condition { test = "ForAllValues:StringEquals" - variable = "token.actions.githubusercontent.com:iss" - values = ["https://token.actions.githubusercontent.com"] + variable = "${local.provider_url}:iss" + values = ["https://${local.provider_url}"] } condition { From fc799c161cb5451a2c32ad48a89b2f69a91ae8bb Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Mon, 5 Aug 2024 13:11:31 +0000 Subject: [PATCH 6/8] chore(release): version 5.43.0 [skip ci] ## [5.43.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.42.0...v5.43.0) (2024-08-05) ### Features * Allow changing iss for the github oidc role ([#507](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/507)) ([56e4364](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/56e436441a2064ddfba6db379993127937aa7f28)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 180452fb..f5894f08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.43.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.42.0...v5.43.0) (2024-08-05) + + +### Features + +* Allow changing iss for the github oidc role ([#507](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/507)) ([56e4364](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/56e436441a2064ddfba6db379993127937aa7f28)) + ## [5.42.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.41.0...v5.42.0) (2024-07-29) From 02a5b7f35ecdd60498d978166ab2033bbdae5013 Mon Sep 17 00:00:00 2001 
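Review bot: Building the issuer condition key from `local.provider_url` makes the check fail open if that local ever carries a scheme or a trailing slash, because `ForAllValues:StringEquals` on a context key that is absent from the request evaluates to true rather than denying. `iss` is a single-valued claim, so `test = "StringEquals"` would be the safe operator here: an unmatched or missing key then denies instead of allowing. How `local.provider_url` is normalised is defined outside this hunk; it presumably strips `https://`, but a `validation` block on the input would make that explicit. The enclosing policy document starts and ends outside this hunk.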
From: Gavin Williams Date: Thu, 8 Aug 2024 18:30:47 +0100 Subject: [PATCH 7/8] feat: Add support for OIDC policy conditions (#480) --- .../iam-assumable-role-with-oidc/README.md | 1 + examples/iam-assumable-role-with-oidc/main.tf | 31 +++++++++++++++ .../iam-assumable-role-with-oidc/README.md | 1 + modules/iam-assumable-role-with-oidc/main.tf | 12 +++++- .../iam-assumable-role-with-oidc/variables.tf | 6 +++ wrappers/iam-assumable-role-with-oidc/main.tf | 39 ++++++++++--------- 6 files changed, 70 insertions(+), 20 deletions(-) diff --git a/examples/iam-assumable-role-with-oidc/README.md b/examples/iam-assumable-role-with-oidc/README.md index dfba9ce0..01429c10 100644 --- a/examples/iam-assumable-role-with-oidc/README.md +++ b/examples/iam-assumable-role-with-oidc/README.md @@ -32,6 +32,7 @@ No providers. |------|--------|---------| | [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | ../../modules/iam-assumable-role-with-oidc | n/a | | [iam\_assumable\_role\_inline\_policy](#module\_iam\_assumable\_role\_inline\_policy) | ../../modules/iam-assumable-role-with-oidc | n/a | +| [iam\_assumable\_role\_provider\_trust\_policy\_conditions](#module\_iam\_assumable\_role\_provider\_trust\_policy\_conditions) | ../../modules/iam-assumable-role-with-oidc | n/a | | [iam\_assumable\_role\_self\_assume](#module\_iam\_assumable\_role\_self\_assume) | ../../modules/iam-assumable-role-with-oidc | n/a | ## Resources diff --git a/examples/iam-assumable-role-with-oidc/main.tf b/examples/iam-assumable-role-with-oidc/main.tf index 390970bb..d324bdfd 100644 --- a/examples/iam-assumable-role-with-oidc/main.tf +++ b/examples/iam-assumable-role-with-oidc/main.tf 
@@ -89,3 +89,34 @@ module "iam_assumable_role_inline_policy" { } ] } + +##################################### +# IAM assumable role with policy conditions +##################################### +module "iam_assumable_role_provider_trust_policy_conditions" { + source = "../../modules/iam-assumable-role-with-oidc" + + create_role = true + + role_name = "role-with-oidc-policy-conditions" + + tags = { + Role = "role-with-oidc-policy-conditions" + } + + provider_url = "oidc.circleci.com/org/" + + oidc_fully_qualified_audiences = [""] + + role_policy_arns = [ + "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", + ] + + provider_trust_policy_conditions = [ + { + test = "StringLike" + variable = "aws:RequestTag/Environment" + values = ["example"] + } + ] +} diff --git a/modules/iam-assumable-role-with-oidc/README.md b/modules/iam-assumable-role-with-oidc/README.md index f38548fb..76ee5a35 100644 --- a/modules/iam-assumable-role-with-oidc/README.md +++ b/modules/iam-assumable-role-with-oidc/README.md 
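Review bot: The new example sets `provider_url = "oidc.circleci.com/org/"` and `oidc_fully_qualified_audiences = [""]`, which read as unfilled placeholders rather than a working configuration, and an empty-string audience is easy to copy into a real role where it would either be dropped or match nothing. Replacing them with clearly fake but well-formed values, e.g. `provider_url = "oidc.circleci.com/org/11111111-2222-3333-4444-555555555555"` and the same id as the audience, would make the example self-explanatory. It would also help to comment that `aws:RequestTag/Environment` in a trust policy only takes effect when the caller passes session tags, which is why the module grants `sts:TagSession` alongside `sts:AssumeRoleWithWebIdentity`.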
@@ -50,6 +50,7 @@ No modules. | [oidc\_fully\_qualified\_audiences](#input\_oidc\_fully\_qualified\_audiences) | The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. | `set(string)` | `[]` | no | | [oidc\_fully\_qualified\_subjects](#input\_oidc\_fully\_qualified\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no | | [oidc\_subjects\_with\_wildcards](#input\_oidc\_subjects\_with\_wildcards) | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no | +| [provider\_trust\_policy\_conditions](#input\_provider\_trust\_policy\_conditions) | [Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy | `any` | `[]` | no | | [provider\_url](#input\_provider\_url) | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no | | [provider\_urls](#input\_provider\_urls) | List of URLs of the OIDC Providers | `list(string)` | `[]` | no | | [role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no | diff --git a/modules/iam-assumable-role-with-oidc/main.tf b/modules/iam-assumable-role-with-oidc/main.tf index fb14c928..216b299f 100644 --- a/modules/iam-assumable-role-with-oidc/main.tf +++ b/modules/iam-assumable-role-with-oidc/main.tf @@ -43,7 +43,7 @@ data "aws_iam_policy_document" "assume_role_with_oidc" { content { effect = "Allow" - actions = ["sts:AssumeRoleWithWebIdentity"] + actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"] principals { type = "Federated" 
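Review bot: Adding `sts:TagSession` to the trust statement unconditionally widens the trust policy of every role created by this module, including existing users who never set `provider_trust_policy_conditions`, and the changelog entry for this patch does not mention it. Unless session tagging is required for the conditions feature itself, gating it would keep the old behaviour by default, e.g. `actions = concat(["sts:AssumeRoleWithWebIdentity"], var.allow_session_tags ? ["sts:TagSession"] : [])` with a new boolean input defaulting to `false`. The `dynamic "statement"` block this line sits in starts and ends outside the hunk.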
@@ -80,6 +80,16 @@ data "aws_iam_policy_document" "assume_role_with_oidc" { values = var.oidc_fully_qualified_audiences } } + + dynamic "condition" { + for_each = var.provider_trust_policy_conditions + + content { + test = condition.value.test + values = condition.value.values + variable = condition.value.variable + } + } } } } diff --git a/modules/iam-assumable-role-with-oidc/variables.tf b/modules/iam-assumable-role-with-oidc/variables.tf index 730f90af..dcbe117f 100644 --- a/modules/iam-assumable-role-with-oidc/variables.tf +++ b/modules/iam-assumable-role-with-oidc/variables.tf @@ -111,3 +111,9 @@ variable "allow_self_assume_role" { type = bool default = false } + +variable "provider_trust_policy_conditions" { + description = "[Condition constraints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#condition) applied to the trust policy" + type = any + default = [] +} diff --git a/wrappers/iam-assumable-role-with-oidc/main.tf b/wrappers/iam-assumable-role-with-oidc/main.tf index 66b53928..caa8a24a 100644 --- a/wrappers/iam-assumable-role-with-oidc/main.tf +++ b/wrappers/iam-assumable-role-with-oidc/main.tf 
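Review bot: `provider_trust_policy_conditions` is declared as `type = any`, so a mistyped key such as `value` instead of `values` is only caught at plan time inside the `dynamic "condition"` block with an opaque error rather than at variable validation. Declaring it as `type = list(object({ test = string, variable = string, values = list(string) }))` matches exactly the three attributes the dynamic block reads and documents the contract in the variable itself. Note that the conditions are emitted inside the per-provider statement, so they appear to apply to every provider in `provider_urls` alike; a one-line comment on the variable saying so would save readers a trip into `main.tf`. The enclosing statement and policy document start outside this hunk.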
@@ -3,23 +3,24 @@ module "wrapper" { for_each = var.items - allow_self_assume_role = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false) - aws_account_id = try(each.value.aws_account_id, var.defaults.aws_account_id, "") - create_role = try(each.value.create_role, var.defaults.create_role, false) - force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false) - inline_policy_statements = try(each.value.inline_policy_statements, var.defaults.inline_policy_statements, []) - max_session_duration = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600) - number_of_role_policy_arns = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null) - oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, []) - oidc_fully_qualified_subjects = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, []) - oidc_subjects_with_wildcards = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, []) - provider_url = try(each.value.provider_url, var.defaults.provider_url, "") - provider_urls = try(each.value.provider_urls, var.defaults.provider_urls, []) - role_description = try(each.value.role_description, var.defaults.role_description, "") - role_name = try(each.value.role_name, var.defaults.role_name, null) - role_name_prefix = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null) - role_path = try(each.value.role_path, var.defaults.role_path, "/") - role_permissions_boundary_arn = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "") - role_policy_arns = try(each.value.role_policy_arns, var.defaults.role_policy_arns, []) - tags = try(each.value.tags, var.defaults.tags, {}) + allow_self_assume_role = try(each.value.allow_self_assume_role, 
var.defaults.allow_self_assume_role, false) + aws_account_id = try(each.value.aws_account_id, var.defaults.aws_account_id, "") + create_role = try(each.value.create_role, var.defaults.create_role, false) + force_detach_policies = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false) + inline_policy_statements = try(each.value.inline_policy_statements, var.defaults.inline_policy_statements, []) + max_session_duration = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600) + number_of_role_policy_arns = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null) + oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, []) + oidc_fully_qualified_subjects = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, []) + oidc_subjects_with_wildcards = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, []) + provider_trust_policy_conditions = try(each.value.provider_trust_policy_conditions, var.defaults.provider_trust_policy_conditions, []) + provider_url = try(each.value.provider_url, var.defaults.provider_url, "") + provider_urls = try(each.value.provider_urls, var.defaults.provider_urls, []) + role_description = try(each.value.role_description, var.defaults.role_description, "") + role_name = try(each.value.role_name, var.defaults.role_name, null) + role_name_prefix = try(each.value.role_name_prefix, var.defaults.role_name_prefix, null) + role_path = try(each.value.role_path, var.defaults.role_path, "/") + role_permissions_boundary_arn = try(each.value.role_permissions_boundary_arn, var.defaults.role_permissions_boundary_arn, "") + role_policy_arns = try(each.value.role_policy_arns, var.defaults.role_policy_arns, []) + tags = try(each.value.tags, var.defaults.tags, {}) } From 89fe17a6549728f1dc7e7a8f7b707486dfb45d89 Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Thu, 8 Aug 2024 17:31:22 +0000 Subject: [PATCH 8/8] chore(release): version 5.44.0 [skip ci] ## [5.44.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.43.0...v5.44.0) (2024-08-08) ### Features * Add support for OIDC policy conditions ([#480](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/480)) ([02a5b7f](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/02a5b7f35ecdd60498d978166ab2033bbdae5013)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5894f08..bac28f4c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.44.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.43.0...v5.44.0) (2024-08-08) + + +### Features + +* Add support for OIDC policy conditions ([#480](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/480)) ([02a5b7f](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/02a5b7f35ecdd60498d978166ab2033bbdae5013)) + ## [5.43.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.42.0...v5.43.0) (2024-08-05)