diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0cedac2..3ebed36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -341,3 +341,7 @@ * 2.9.6 -- 2023-07-06 - vpc-transit-gateway-association/self - allow passing of transit_gateway_environments
+
+* 2.9.7 -- 2023-09-28
+ - route53-zone-association/terraform-role
+ - add `sso_permissionset_names` for use of assume role by SSO roles
diff --git a/common/version.tf b/common/version.tf
index 394d846..6c5b89c 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@ locals {
- _module_version = "2.9.6"
+ _module_version = "2.9.7"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/route53-zone-association/terraform-role/README.md b/route53-zone-association/terraform-role/README.md
index 196ee3f..c6751d7 100644
--- a/route53-zone-association/terraform-role/README.md
+++ b/route53-zone-association/terraform-role/README.md
@@ -42,6 +42,7 @@ No modules.
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [role\_description](#input\_role\_description) | IAM Role description | `string` | `"INF Terraform Role for Route53 actions"` | no |
 | [role\_name](#input\_role\_name) | IAM Role name (without prefix) | `string` | `"inf-terraform-route53"` | no |
+| [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` |
[
"inf-terraform"
]
| no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 ## Outputs
diff --git a/route53-zone-association/terraform-role/main.tf b/route53-zone-association/terraform-role/main.tf
index 90fa6a8..0fd5f2b 100644
--- a/route53-zone-association/terraform-role/main.tf
+++ b/route53-zone-association/terraform-role/main.tf
@@ -19,6 +19,11 @@ locals {
 role_name = format("%v%v", lookup(local._prefixes, "role", ""), var.role_name)
 role_description = var.role_description == "" ? format("Role for %v", var.role_name) : var.role_description
+ iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+ sso_role_arn_formats = [
+ format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
+ format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
+ ]
 }
 data "aws_organizations_organization" "org" {}
@@ -39,6 +44,20 @@ data "aws_iam_policy_document" "assume_role" {
 values = [data.aws_organizations_organization.org.id]
 }
 }
+ statement {
+ sid = "AllowSTSAssumeFromSSO"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [format(local.iam_arn, "root")]
+ }
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = flatten([for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]])
+ }
+ }
 }
 data "aws_iam_policy_document" "policy" {
diff --git a/route53-zone-association/terraform-role/variables.tf b/route53-zone-association/terraform-role/variables.tf
index 6ecc207..98a6746 100644
--- a/route53-zone-association/terraform-role/variables.tf
+++ b/route53-zone-association/terraform-role/variables.tf
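Review bot: In the `AllowSTSAssumeFromSSO` statement the principal is the account root and the only thing narrowing it is the `ArnLike` condition on `aws:PrincipalArn`, so the contents of `var.sso_permissionset_names` are the whole access control for this trust, and the statement is still emitted when that list is empty, leaving a condition with an empty `values` list that I would expect the provider or IAM to reject rather than silently skip. Wrapping the statement in a `dynamic "statement"` keyed on `length(var.sso_permissionset_names) > 0` makes an empty list a clean opt-out instead of a plan or apply error; the two `sso_role_arn_formats` patterns in the earlier `locals` hunk look fine since the trailing `_` after the substituted name stops one permission set name from matching another that merely shares its prefix. `data.aws_arn.current` is referenced by both new locals but not defined in these hunks, so I assume it exists elsewhere in the module. The enclosing `data "aws_iam_policy_document" "assume_role"` block starts before this hunk.
```hcl
  dynamic "statement" {
    # Emit the SSO trust statement only when at least one permission set name is
    # configured; otherwise the condition would be rendered with an empty value list.
    for_each = length(var.sso_permissionset_names) > 0 ? [1] : []
    content {
      sid = "AllowSTSAssumeFromSSO"
      # … unchanged: effect, actions, principals, condition …
    }
  }
```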
@@ -9,3 +9,10 @@ variable "role_description" {
 type = string
 default = "INF Terraform Role for Route53 actions"
 }
+
+variable "sso_permissionset_names" {
+ description = "List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role"
+ type = list(string)
+ default = ["inf-terraform"]
+}
+
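Review bot: `sso_permissionset_names` is declared as a bare `list(string)` with no `validation`, yet in main.tf each entry is substituted straight into an `ArnLike` pattern, so a value containing `*` or `?` widens the trust policy to every SSO role the wildcard happens to match rather than the one named permission set. A `validation` block restricting entries to the character set and length AWS allows for permission set names (alphanumerics plus `+=,.@-_`, 1–32 characters) rejects that at plan time. The `description` could also state that these names are matched against the `AWSReservedSSO_<name>_*` role naming pattern, so readers know why wildcards are disallowed.
```hcl
variable "sso_permissionset_names" {
  # … unchanged: description, type, default …

  validation {
    # Entries are interpolated into an ArnLike pattern in main.tf; only accept literal
    # permission set names so a single entry cannot match more roles than intended.
    condition     = alltrue([for n in var.sso_permissionset_names : can(regex("^[\\w+=,.@-]{1,32}$", n))])
    error_message = "Each entry must be a literal SSO permission set name (1-32 chars, no '*' or '?')."
  }
}
```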