From 86bab991235dba69305970153f88d650dfa65802 Mon Sep 17 00:00:00 2001
From: Hayden Spitzley <105455169+hspitzley-czi@users.noreply.github.com>
Date: Wed, 24 Jul 2024 11:48:04 -0600
Subject: [PATCH] feat: add condition_operator field to allow overriding StringEquals with StringLike (#610)
---
 aws-assume-role-policy/main.tf | 2 +-
 aws-assume-role-policy/variables.tf | 9 +++++----
 aws-iam-role-crossacct/variables.tf | 9 +++++----
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/aws-assume-role-policy/main.tf b/aws-assume-role-policy/main.tf
index 1fb34378..4794ef77 100644
--- a/aws-assume-role-policy/main.tf
+++ b/aws-assume-role-policy/main.tf
@@ -52,7 +52,7 @@ data "aws_iam_policy_document" "assume-role" {
 actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
 condition {
- test = "StringEquals"
+ test = "${oidc.value["condition_operator"]}"
 variable = "${oidc.value["provider"]}:${oidc.value["jwt_condition"]}"
 values = oidc.value["client_ids"]
 }
diff --git a/aws-assume-role-policy/variables.tf b/aws-assume-role-policy/variables.tf
index e5efe086..daf1bab2 100644
--- a/aws-assume-role-policy/variables.tf
+++ b/aws-assume-role-policy/variables.tf
@@ -38,10 +38,11 @@ variable "saml_idp_arns" {
 variable "oidc" {
 type = list(object(
 {
- idp_arn : string, # the AWS IAM IDP arn
- client_ids : list(string), # a list of oidc client ids
- provider : string, # your provider url, such as foo.okta.com
- jwt_condition: optional(string, "aud") # the condition to allow the JWT token
+ idp_arn : string, # the AWS IAM IDP arn
+ client_ids : list(string), # a list of oidc client ids
+ provider : string, # your provider url, such as foo.okta.com
+ jwt_condition : optional(string, "aud"), # the condition to allow the JWT token
+ condition_operator : optional(string, "StringEquals"), # the condition operator for the iam statement
 }
 ))
 default = []
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index df65574f..9619d23f 100755
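Review bot: The `test` line now emits whatever string the caller put in `condition_operator`, and once that is `StringLike`, a `client_ids` entry containing `*` or `?` makes the condition match any `aud`/`sub` value the provider issues, so any identity at that IdP could assume the role; nothing in this hunk guards against that, and a misspelled operator only fails when IAM rejects the policy at apply time. At minimum drop the redundant interpolation wrapper, `test = oidc.value["condition_operator"]`, and put a warning above it: `# StringLike plus wildcard client_ids widens who may assume this role; keep values as specific as possible`. The enclosing `data "aws_iam_policy_document" "assume-role"` block, and presumably the `dynamic "oidc"` block that `oidc.value` refers to, begin and end outside the hunk.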
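Review bot: `condition_operator` is an unconstrained string, so a typo or a non-string operator surfaces only when IAM rejects the trust policy, and the comment does not tell callers that `StringLike` turns `client_ids` into glob patterns; a `validation` block on the variable would reject bad values at plan time. I would also make the comment say what the field controls: `# IAM condition operator applied to client_ids ("StringEquals" by default; "StringLike" lets client_ids use * and ? wildcards, which widens who can assume the role)`. The hunk ends at `default = []` and the variable's closing brace is outside it, so the block below goes after that line.
```hcl
  default = []

  validation {
    condition = alltrue([
      for o in var.oidc : contains(
        ["StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
         "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike"],
        o.condition_operator
      )
    ])
    error_message = "condition_operator must be one of the IAM String* condition operators."
  }
```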
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
@@ -29,10 +29,11 @@ variable "source_role_arns" {
 variable "oidc" {
 type = list(object(
 {
- idp_arn : string, # the AWS IAM IDP arn
- client_ids : list(string), # a list of oidc client ids
- provider : string, # your provider url, such as foo.okta.com
- jwt_condition: optional(string) # the condition to allow the JWT token
+ idp_arn : string, # the AWS IAM IDP arn
+ client_ids : list(string), # a list of oidc client ids
+ provider : string, # your provider url, such as foo.okta.com
+ jwt_condition : optional(string), # the condition to allow the JWT token
+ condition_operator : optional(string), # the condition operator for the iam statement
 }
 ))