From 5320504677c9fda2447b61229ed1831b24f36074 Mon Sep 17 00:00:00 2001
From: Hayden Spitzley <105455169+hspitzley-czi@users.noreply.github.com>
Date: Wed, 24 Jul 2024 10:09:19 -0600
Subject: [PATCH] feat: add jwt_condition option to oidc variable for IAM trust relationships (#608)

---
 aws-assume-role-policy/main.tf      | 2 +-
 aws-assume-role-policy/variables.tf | 7 ++++---
 aws-assume-role-policy/versions.tf  | 3 +++
 aws-iam-role-crossacct/variables.tf | 7 ++++---
 aws-iam-role-crossacct/versions.tf  | 3 +++
 5 files changed, 15 insertions(+), 7 deletions(-)
 create mode 100644 aws-assume-role-policy/versions.tf
 create mode 100644 aws-iam-role-crossacct/versions.tf

diff --git a/aws-assume-role-policy/main.tf b/aws-assume-role-policy/main.tf
index 7cbce948..1fb34378 100644
--- a/aws-assume-role-policy/main.tf
+++ b/aws-assume-role-policy/main.tf
@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "assume-role" {
     actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
     condition {
       test     = "StringEquals"
-      variable = "${oidc.value["provider"]}:aud"
+      variable = "${oidc.value["provider"]}:${oidc.value["jwt_condition"]}"
       values   = oidc.value["client_ids"]
     }
   }
diff --git a/aws-assume-role-policy/variables.tf b/aws-assume-role-policy/variables.tf
index 848d0a46..e5efe086 100644
--- a/aws-assume-role-policy/variables.tf
+++ b/aws-assume-role-policy/variables.tf
@@ -38,9 +38,10 @@ variable "saml_idp_arns" {
 variable "oidc" {
   type = list(object(
     {
-      idp_arn : string,          # the AWS IAM IDP arn
-      client_ids : list(string), # a list of oidc client ids
-      provider : string          # your provider url, such as foo.okta.com
+      idp_arn : string,                      # the AWS IAM IDP arn
+      client_ids : list(string),             # a list of oidc client ids
+      provider : string,                     # your provider url, such as foo.okta.com
+      jwt_condition: optional(string, "aud") # the condition to allow the JWT token
     }
   ))
   default = []
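Review bot: The added line `variable = "${oidc.value["provider"]}:${oidc.value["jwt_condition"]}"` replaces the audience check rather than supplementing it, so a caller who sets jwt_condition to another claim (for example `sub`) gets a trust policy that never verifies `aud`, and the `client_ids` values are then compared against that other claim instead. If the intent is to let callers pin an additional claim, consider keeping the `aud` condition unconditional and emitting the caller-chosen claim as a second `condition` block; otherwise the behaviour should at least be spelled out next to the line, e.g. `# NOTE: when jwt_condition is not "aud" the token audience is not checked; client_ids are matched against the chosen claim`. The enclosing dynamic block and the `data "aws_iam_policy_document" "assume-role"` body extend outside the hunk.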
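Review bot: The comment `# the condition to allow the JWT token` on the new jwt_condition attribute does not say what the value is or how it is consumed; suggest `# JWT claim name used as the trust-policy condition key (default "aud"); client_ids are matched against this claim`. Because the value is spliced directly into an IAM condition key, a `validation` block limiting it to the claim names the module is meant to support would surface typos and unintended keys at plan time instead of producing a trust policy whose condition silently never matches, or matches more broadly than intended. A smaller style point: `jwt_condition:` is written without the space before the colon that the three sibling attributes use. The `variable "oidc"` block continues past the end of the hunk, so the validation below goes after the `default` it shows.

```hcl
variable "oidc" {
  # … unchanged: type and default …

  # Restrict the condition key to the claims this module is designed for;
  # extend the list deliberately rather than accepting arbitrary claim names.
  validation {
    condition     = alltrue([for o in var.oidc : contains(["aud", "sub"], coalesce(o.jwt_condition, "aud"))])
    error_message = "oidc[*].jwt_condition must be one of \"aud\" or \"sub\"."
  }
```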
diff --git a/aws-assume-role-policy/versions.tf b/aws-assume-role-policy/versions.tf
new file mode 100644
index 00000000..12ad22ab
--- /dev/null
+++ b/aws-assume-role-policy/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 1.3.0"
+}
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index 8962fef7..df65574f 100755
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
@@ -29,9 +29,10 @@ variable "source_role_arns" {
 variable "oidc" {
   type = list(object(
     {
-      idp_arn : string,          # the AWS IAM IDP arn
-      client_ids : list(string), # a list of oidc client ids
-      provider : string          # your provider url, such as foo.okta.com
+      idp_arn : string,               # the AWS IAM IDP arn
+      client_ids : list(string),      # a list of oidc client ids
+      provider : string,              # your provider url, such as foo.okta.com
+      jwt_condition: optional(string) # the condition to allow the JWT token
     }
   ))
diff --git a/aws-iam-role-crossacct/versions.tf b/aws-iam-role-crossacct/versions.tf
new file mode 100644
index 00000000..12ad22ab
--- /dev/null
+++ b/aws-iam-role-crossacct/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 1.3.0"
+}
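Review bot: `jwt_condition: optional(string)` in aws-iam-role-crossacct/variables.tf has no default, whereas the same attribute added to aws-assume-role-policy/variables.tf in this patch uses `optional(string, "aud")`, so here the value is null unless every caller sets it explicitly. If aws-iam-role-crossacct/main.tf (not part of this diff) interpolates it into the condition key the way aws-assume-role-policy/main.tf now does, Terraform rejects a null inside a template string and existing callers of the module break on the next plan; if it does not read the attribute, the new field is dead. Suggest `jwt_condition : optional(string, "aud") # JWT claim name used as the trust-policy condition key; client_ids are matched against this claim`, which also fixes the missing space before the colon and keeps the two modules consistent. The closing brace of `variable "oidc"` lies outside the hunk.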