* 2.10.3 -- 2024-09-16

  - route53-zone-association
    - terraform-role
      - add for other_role_names

CHANGELOG.md

@@ -404,3 +404,9 @@
   - tag-shared-vpc-resources
     - fix to use aws_ resource to get network_acls (awscc_ does not have filter) to only include from network account
 
+* 2.10.2 -- 2024-07-09
+
+* 2.10.3 -- 2024-09-16
+  - route53-zone-association
+    - terraform-role
+      - add for other_role_names

common/version.tf

@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.10.1"
+  _module_version = "2.10.3"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

route53-zone-association/terraform-role/README.md

@@ -48,3 +48,57 @@ No modules.
 ## Outputs
 
 No outputs.
+
+<!-- BEGIN_TF_DOCS -->
+# About aws-vpc-setup :: route53-zone-assoication :: terraform-role
+
+Role to be assumed from terraform in a remote account (or local account) to allow for associating the VPC to the PHZ
+and for updating route53 entries.  This fails if not a member of an organization.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_other_role_names"></a> [other\_role\_names](#input\_other\_role\_names) | List of other role names to allow to assume the role | `list(string)` | <pre>[<br>  "r-inf-terraform",<br>  "r-inf-terraform-eks"<br>]</pre> | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_role_description"></a> [role\_description](#input\_role\_description) | IAM Role description | `string` | `"INF Terraform Role for Route53 actions"` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | IAM Role name (without prefix) | `string` | `"inf-terraform-route53"` | no |
+| <a name="input_sso_permissionset_names"></a> [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` | <pre>[<br>  "inf-terraform"<br>]</pre> | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

route53-zone-association/terraform-role/main.tf

@@ -24,6 +24,7 @@ locals {
     format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
     format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
   ]
+  other_role_arns = [for r in var.other_role_names : format("arn:%v:iam::*:role/%v", data.aws_arn.current.partition, r)]
 }
 
 data "aws_organizations_organization" "org" {}
@@ -55,7 +56,7 @@ data "aws_iam_policy_document" "assume_role" {
     condition {
       test     = "ArnLike"
       variable = "aws:PrincipalArn"
-      values   = flatten([for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]])
+      values   = flatten(concat(local.other_role_arns, [for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]]))
     }
   }
 }

route53-zone-association/terraform-role/variables.tf

@@ -16,3 +16,12 @@ variable "sso_permissionset_names" {
   default     = ["inf-terraform"]
 }
 
+variable "other_role_names" {
+  description = "List of other role names to allow to assume the role"
+  type        = list(string)
+  default = [
+    "r-inf-terraform",
+    "r-inf-terraform-eks",
+  ]
+}
+