[feature] Allow the aws-iam-role-crossacct for OIDC federation (#179)
### Summary
Augments the aws-iam-role-crossacct for OIDC federation

### Test Plan
test in internal repo

### References
Eduardo Lopez authored Mar 17, 2020
1 parent 968da0b commit 72fe3a7
Showing 7 changed files with 40 additions and 4 deletions.
2 changes: 1 addition & 1 deletion aws-aurora-mysql/README.md
@@ -41,7 +41,7 @@ No provider.
|------|-------------|------|---------|:-----:|
| apply\_immediately | If false changes will not be applied until next maintenance window. | `string` | `false` | no |
| backtrack\_window | Turns on Backgrack for this many seconds. [Doc](https://aws.amazon.com/blogs/aws/amazon-aurora-backtrack-turn-back-time/) | `string` | `0` | no |
| ca\_cert\_identifier | Identifier for the certificate authority. 9 is the latest available version. | `string` | `"rds-ca-2015"` | no |
| ca\_cert\_identifier | Identifier for the certificate authority. 9 is the latest available version. | `string` | `"rds-ca-2019"` | no |
| database\_name | The name of the database to be created in the cluster. | `string` | n/a | yes |
| database\_password | Password for user that will be created. | `string` | n/a | yes |
| database\_subnet\_group | The name of an existing database subnet group to use. | `string` | n/a | yes |
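Review bot: the `ca_cert_identifier` description still reads "9 is the latest available version.", which looks like a truncated "rds-ca-2019 is the latest available version."; since this table is generated from the variable's description, fix the wording in aws-aurora-mysql's variables.tf (not part of this commit) and regenerate. The default moving from `"rds-ca-2015"` to `"rds-ca-2019"` is also a behaviour change for every existing cluster that relies on the default, and with `apply_immediately` defaulting to `false` it lands at the next maintenance window; the commit message only mentions OIDC federation, so call the CA rotation out there or split it into its own commit.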
2 changes: 1 addition & 1 deletion aws-aurora-postgres/README.md
@@ -39,7 +39,7 @@ No provider.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:-----:|
| apply\_immediately | If false changes will not be applied until next maintenance window. | `string` | `false` | no |
| ca\_cert\_identifier | Identifier for the certificate authority. Use rds-ca-2015 for anything new. | `string` | `"rds-ca-2015"` | no |
| ca\_cert\_identifier | Identifier for the certificate authority. | `string` | `"rds-ca-2019"` | no |
| database\_name | The name of the database to be created in the cluster. | `string` | n/a | yes |
| database\_password | Password for user that will be created. | `string` | n/a | yes |
| database\_subnet\_group | The name of an existing database subnet group to use. | `string` | n/a | yes |
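Review bot: dropping "Use rds-ca-2015 for anything new." is the right fix to go with the new `"rds-ca-2019"` default, but the three Aurora READMEs in this commit now describe the same `ca_cert_identifier` input three different ways (this one, "9 is the latest available version." in aws-aurora-mysql, and the unchanged "Use rds-ca-2015 for anything new." in aws-aurora); align the variable descriptions in the three variables.tf files so the generated tables agree.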
3 changes: 2 additions & 1 deletion aws-aurora/README.md
@@ -15,7 +15,7 @@ This is a low-level module for creating AWS Aurora clusters. We strongly reccome
|------|-------------|------|---------|:-----:|
| apply\_immediately | n/a | `bool` | `false` | no |
| backtrack\_window | n/a | `number` | `0` | no |
| ca\_cert\_identifier | Identifier for the certificate authority. Use rds-ca-2015 for anything new. | `string` | `"rds-ca-2015"` | no |
| ca\_cert\_identifier | Identifier for the certificate authority. Use rds-ca-2015 for anything new. | `string` | `"rds-ca-2019"` | no |
| database\_name | n/a | `string` | n/a | yes |
| database\_password | n/a | `string` | n/a | yes |
| database\_subnet\_group | n/a | `string` | n/a | yes |
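Review bot: the description on this row still says "Use rds-ca-2015 for anything new." while the default on the same row becomes `"rds-ca-2019"`, so the generated doc now contradicts itself; update the description in aws-aurora's variables.tf and regenerate. aws-aurora's variables.tf is not among the 7 changed files, so the default must already have been changed in an earlier commit and this hunk is only catching the README up; worth confirming the live default really is `"rds-ca-2019"`.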
@@ -33,6 +33,7 @@ This is a low-level module for creating AWS Aurora clusters. We strongly reccome
| instance\_count | n/a | `string` | `1` | no |
| kms\_key\_id | If supplied, RDS will use this key to encrypt data at rest. Empty string means that RDS will use an AWS-managed key. Encryption is always on with this module. | `string` | `""` | no |
| owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging). | `string` | n/a | yes |
| params\_engine\_version | n/a | `string` | n/a | yes |
| performance\_insights\_enabled | n/a | `string` | `true` | no |
| port | n/a | `string` | n/a | yes |
| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
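Review bot: `params_engine_version` arrives as a new required input (default `n/a`, Required = yes) with no description, which breaks every caller of aws-aurora that does not set it and gives them no hint what value is expected; add a description in variables.tf (where this README is generated from) and mention the new required variable in the commit message, which currently only covers OIDC federation for aws-iam-role-crossacct.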
2 changes: 2 additions & 0 deletions aws-iam-role-crossacct/README.md
@@ -28,6 +28,7 @@ module "group" {
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:-----:|
| iam\_path | The IAM path to put this role in. | `string` | `"/"` | no |
| oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. | <pre>list(object(<br> {<br> idp_arn : string, # the AWS IAM IDP arn<br> client_ids : list(string), # a list of oidc client ids<br> provider : string # your provider url, such as foo.okta.com<br> }<br> ))<br></pre> | `[]` | no |
| role\_name | The name of the role. | `string` | n/a | yes |
| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
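Review bot: the `oidc` description should state what the trust actually grants. From main.tf in this commit, any token issued by `idp_arn` whose `aud` claim matches one of `client_ids` can assume the role, with no restriction on the subject, so `client_ids` is the only thing limiting who gets the role; say so here. Also say that `provider` must be the IDP's URL without scheme exactly as registered in IAM (for example `foo.okta.com`), because it is concatenated into the `provider:aud` condition key and a mismatched key never matches.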
@@ -37,6 +38,7 @@ module "group" {
| Name | Description |
|------|-------------|
| iam\_path | n/a |
| role\_arn | n/a |
| role\_name | n/a |

<!-- END -->
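Review bot: `role_arn` is listed as a new output with description `n/a`, and no outputs.tf change is among the 7 files in this commit, so either the output was added earlier without regenerating docs or the README is ahead of the code; confirm `output "role_arn"` exists in aws-iam-role-crossacct/outputs.tf and give it a description so the generated table is useful.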
20 changes: 20 additions & 0 deletions aws-iam-role-crossacct/main.tf
@@ -27,6 +27,26 @@ data "aws_iam_policy_document" "assume-role" {
}
}
}

dynamic "statement" {
for_each = var.oidc
iterator = oidc

content {
principals {
type = "Federated"
identifiers = [oidc.value["idp_arn"]]
}

actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "${oidc.value["provider"]}:aud"
values = oidc.value["client_ids"]
}
}
}

}

resource "aws_iam_role" "role" {
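Review bot: the generated statement conditions only on `${oidc.value["provider"]}:aud`, so every identity the IDP will issue a token for with one of `client_ids` as audience can call `sts:AssumeRoleWithWebIdentity` on this role; for a cross-account role that is usually broader than intended. Consider an optional subject (`sub`, or a provider-specific claim) condition in the object type, or at least document in the variable description that audience is the only gate. Two smaller points: the stray blank line before the closing `}` of the `assume-role` document should go (`terraform fmt`), and `values = oidc.value["client_ids"]` with an empty `client_ids` list would emit a condition with no values, which is better rejected up front (document that `client_ids` must be non-empty) than discovered at apply time.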
13 changes: 13 additions & 0 deletions aws-iam-role-crossacct/variables.tf
@@ -19,3 +19,16 @@ variable "saml_idp_arn" {
default = ""
description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
}

variable oidc {
type = list(object(
{
idp_arn : string, # the AWS IAM IDP arn
client_ids : list(string), # a list of oidc client ids
provider : string # your provider url, such as foo.okta.com
}
))

default = []
description = "A list of AWS OIDC IDPs to establish a trust relationship for this role."
}
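Review bot: `variable oidc {` uses the unquoted legacy block-label syntax; the neighbouring `variable "saml_idp_arn"` in the same file quotes the label and `terraform fmt` will rewrite this one to `variable "oidc" {`, so quote it for consistency. The description should also spell out the trust semantics (any token from `idp_arn` with an `aud` in `client_ids`, no subject restriction), since the README table is generated from it and that is where module users will look.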
2 changes: 1 addition & 1 deletion aws-s3-private-bucket/README.md
@@ -14,7 +14,7 @@
| bucket\_policy | n/a | `string` | `""` | no |
| enable\_versioning | Keep old versions of overwritten S3 objects. | `bool` | `true` | no |
| env | n/a | `string` | n/a | yes |
| lifecycle\_rules | List of maps containing configuration of object lifecycle management. | `any` | <pre>[<br> {<br> "enabled": true,<br> "expiration": {<br> "expired_object_delete_marker": true<br> },<br> "noncurrent_version_expiration": {<br> "days": 365<br> },<br> "noncurrent_version_transition": {<br> "days": 30,<br> "storage_class": "STANDARD_IA"<br> }<br> }<br>]</pre> | no |
| lifecycle\_rules | List of maps containing configuration of object lifecycle management. | `list` | <pre>[<br> {<br> "enabled": true,<br> "expiration": {<br> "expired_object_delete_marker": true<br> },<br> "noncurrent_version_expiration": {<br> "days": 365<br> },<br> "noncurrent_version_transition": {<br> "days": 30,<br> "storage_class": "STANDARD_IA"<br> }<br> }<br>]<br></pre> | no |
| owner | n/a | `string` | n/a | yes |
| project | n/a | `string` | n/a | yes |
| service | n/a | `string` | n/a | yes |
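Review bot: the `lifecycle_rules` type moving from `any` to `list` is a type-constraint change in the variable, not a docs-only edit, and aws-s3-private-bucket/variables.tf is not among the 7 files in this commit, so this README is catching up on an earlier change; confirm the variable really declares `list` (a bare `list` is `list(any)`, which fits the shown default but is stricter than `any` for callers passing rule objects with differing attribute sets, since all elements must unify to one type). As with the Aurora hunks, this is unrelated to the OIDC feature in the commit title and would be easier to review in its own commit.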
