- route53-zone-association/terraform-role

- add `sso_permissionset_names` for use of assume role by SSO roles
terraform-modules · Sep 28, 2023 · b51e126 · b51e126
1 parent f668228
commit b51e126
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -341,3 +341,7 @@
 * 2.9.6 -- 2023-07-06
   - vpc-transit-gateway-association/self
     - allow passing of transit_gateway_environments
+
+* 2.9.7 -- 2023-09-28
+  - route53-zone-association/terraform-role
+    - add `sso_permissionset_names` for use of assume role by SSO roles
diff --git a/common/version.tf b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.9.6"
+  _module_version = "2.9.7"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

diff --git a/route53-zone-association/terraform-role/README.md b/route53-zone-association/terraform-role/README.md
@@ -42,6 +42,7 @@ No modules.
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_role_description"></a> [role\_description](#input\_role\_description) | IAM Role description | `string` | `"INF Terraform Role for Route53 actions"` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | IAM Role name (without prefix) | `string` | `"inf-terraform-route53"` | no |
+| <a name="input_sso_permissionset_names"></a> [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` | <pre>[<br>  "inf-terraform"<br>]</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 
 ## Outputs

diff --git a/route53-zone-association/terraform-role/main.tf b/route53-zone-association/terraform-role/main.tf
@@ -19,6 +19,11 @@ locals {
 
   role_name        = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
   role_description = var.role_description == "" ? format("Role for %v", var.role_name) : var.role_description
+  iam_arn          = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+  sso_role_arn_formats = [
+    format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
+    format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
+  ]
 }
 
 data "aws_organizations_organization" "org" {}
@@ -39,6 +44,20 @@ data "aws_iam_policy_document" "assume_role" {
       values   = [data.aws_organizations_organization.org.id]
     }
   }
+  statement {
+    sid     = "AllowSTSAssumeFromSSO"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = [format(local.iam_arn, "root")]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:PrincipalArn"
+      values   = flatten([for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]])
+    }
+  }
 }
 
 data "aws_iam_policy_document" "policy" {

diff --git a/route53-zone-association/terraform-role/variables.tf b/route53-zone-association/terraform-role/variables.tf
@@ -9,3 +9,10 @@ variable "role_description" {
   type        = string
   default     = "INF Terraform Role for Route53 actions"
 }
+
+variable "sso_permissionset_names" {
+  description = "List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role"
+  type        = list(string)
+  default     = ["inf-terraform"]
+}
+