feat: add jwt_condition option to oidc variable for IAM trust relatio…

…nships (#608)

aws-assume-role-policy/main.tf

@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "assume-role" {
       actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
       condition {
         test     = "StringEquals"
-        variable = "${oidc.value["provider"]}:aud"
+        variable = "${oidc.value["provider"]}:${oidc.value["jwt_condition"]}"
         values   = oidc.value["client_ids"]
       }
     }

aws-assume-role-policy/variables.tf

@@ -38,9 +38,10 @@ variable "saml_idp_arns" {
 variable "oidc" {
   type = list(object(
     {
-      idp_arn : string,          # the AWS IAM IDP arn
-      client_ids : list(string), # a list of oidc client ids
-      provider : string          # your provider url, such as foo.okta.com
+      idp_arn : string,                      # the AWS IAM IDP arn
+      client_ids : list(string),             # a list of oidc client ids
+      provider : string,                     # your provider url, such as foo.okta.com
+      jwt_condition: optional(string, "aud") # the condition to allow the JWT token
     }
   ))
   default     = []

aws-assume-role-policy/versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 1.3.0"
+}

aws-iam-role-crossacct/variables.tf

@@ -29,9 +29,10 @@ variable "source_role_arns" {
 variable "oidc" {
   type = list(object(
     {
-      idp_arn : string,          # the AWS IAM IDP arn
-      client_ids : list(string), # a list of oidc client ids
-      provider : string          # your provider url, such as foo.okta.com
+      idp_arn : string,               # the AWS IAM IDP arn
+      client_ids : list(string),      # a list of oidc client ids
+      provider : string,              # your provider url, such as foo.okta.com
+      jwt_condition: optional(string) # the condition to allow the JWT token
     }
   ))
 

aws-iam-role-crossacct/versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 1.3.0"
+}