diff --git a/CHANGELOG.md b/CHANGELOG.md
index 559c653..612c11b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -404,3 +404,9 @@
 - tag-shared-vpc-resources
 - fix to use aws_ resource to get network_acls (awscc_ does not have filter) to only include from network account
+* 2.10.2 -- 2024-07-09
+
+* 2.10.3 -- 2024-09-16
+ - route53-zone-association
+ - terraform-role
+ - add for other_role_names
diff --git a/common/version.tf b/common/version.tf
index 7a37459..b7e3e3b 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.10.1"
+ _module_version = "2.10.3"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/route53-zone-association/terraform-role/README.md b/route53-zone-association/terraform-role/README.md
index c6751d7..eb1d332 100644
--- a/route53-zone-association/terraform-role/README.md
+++ b/route53-zone-association/terraform-role/README.md
@@ -48,3 +48,57 @@ No modules. ## Outputs No outputs. + + +# About aws-vpc-setup :: route53-zone-assoication :: terraform-role + +Role to be assumed from terraform in a remote account (or local account) to allow for associating the VPC to the PHZ +and for updating route53 entries. This fails if not a member of an organization. + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull 
from current account\_alias) | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | +| [other\_role\_names](#input\_other\_role\_names) | List of other role names to allow to assume the role | `list(string)` |
[| no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [role\_description](#input\_role\_description) | IAM Role description | `string` | `"INF Terraform Role for Route53 actions"` | no | +| [role\_name](#input\_role\_name) | IAM Role name (without prefix) | `string` | `"inf-terraform-route53"` | no | +| [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` |
"r-inf-terraform",
"r-inf-terraform-eks"
]
[| no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/route53-zone-association/terraform-role/main.tf b/route53-zone-association/terraform-role/main.tf
index 0fd5f2b..9e37420 100644
--- a/route53-zone-association/terraform-role/main.tf
+++ b/route53-zone-association/terraform-role/main.tf
@@ -24,6 +24,7 @@ locals {
 format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
 format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
 ]
+ other_role_arns = [for r in var.other_role_names : format("arn:%v:iam::*:role/%v", data.aws_arn.current.partition, r)]
 }
 data "aws_organizations_organization" "org" {}
@@ -55,7 +56,7 @@ data "aws_iam_policy_document" "assume_role" {
 condition {
 test = "ArnLike"
 variable = "aws:PrincipalArn"
- values = flatten([for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]])
+ values = flatten(concat(local.other_role_arns, [for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]]))
 }
 }
 }
diff --git a/route53-zone-association/terraform-role/variables.tf b/route53-zone-association/terraform-role/variables.tf
index 98a6746..cb378b2 100644
--- a/route53-zone-association/terraform-role/variables.tf
+++ b/route53-zone-association/terraform-role/variables.tf
@@ -16,3 +16,12 @@ variable "sso_permissionset_names" {
 default = ["inf-terraform"]
 }
+variable "other_role_names" {
+ description = "List of other role names to allow to assume the role"
+ type = list(string)
+ default = [
+ "r-inf-terraform",
+ "r-inf-terraform-eks",
+ ]
+}
+
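Review bot: The new `other_role_arns` pattern wildcards the account field (`arn:%v:iam::*:role/%v`), so once it is concatenated into the `aws:PrincipalArn` ArnLike condition in the second main.tf hunk, a role with that name in any account matches, whereas the SSO patterns next to it stay pinned to `data.aws_caller_identity.current.account_id`. Role names are not unique across accounts, so the real bound on who may assume this role is whatever other condition the statement carries; `data.aws_organizations_organization.org` is read just below, which suggests an organization-membership condition exists, but it is outside the hunk and cannot be confirmed here. If cross-account trust is intended (the README says the role is assumed from remote accounts), say so at the declaration: `# account is wildcarded on purpose: the listed roles live in other member accounts; the statement's org-membership condition is what bounds this`, and if a narrower set is acceptable, pass explicit account ids into the format in place of `*`. Note also that because ArnLike is used, any `*` or `?` inside a configured role name widens the match rather than being taken literally. The `locals` block and the `assume_role` policy document both begin outside the hunk.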
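Review bot: `other_role_names` is interpolated directly into an ArnLike pattern in main.tf, so a value containing `*` or `?`, or an empty string, changes the shape of the trust policy instead of naming one role; a `validation` block on the new variable should reject those. The same applies to `sso_permissionset_names`, whose declaration starts above the hunk and is used the same way. Separately, shipping a non-empty default means every consumer of the module grants trust to these two role names unless they override it, which is worth stating in the description so the default is a conscious choice.
```hcl
variable "other_role_names" {
  # … unchanged: description, type, default …
  validation {
    condition     = alltrue([for r in var.other_role_names : length(r) > 0 && !can(regex("[*?]", r))])
    error_message = "other_role_names must be literal, non-empty role names; '*' and '?' are wildcards in the ArnLike condition that consumes them."
  }
}
```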
"inf-terraform"
]