Merge pull request #11 from kabisa/feature/update_module_add_oidc_ass…

…ume_role Feature/update module - adding OIDC assume role
kabisa · Jul 4, 2023 · 4d90c02 · 4d90c02
2 parents 10afa7a + 9159bc5
commit 4d90c02
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -9,6 +9,16 @@ data "aws_iam_policy_document" "assume_role" {
       identifiers = var.trusted_role_arns
     }
   }
+  statement {
+    effect = "Allow"
+
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = var.trusted_roles_ci_cd
+    }
+  }
 }
 
 data "aws_iam_policy_document" "assume_role_with_mfa" {
@@ -34,6 +44,16 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
       values   = [var.mfa_age]
     }
   }
+  statement {
+    effect = "Allow"
+
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = var.trusted_roles_ci_cd
+    }
+  }
 }
 
 # Admin

diff --git a/variables.tf b/variables.tf
@@ -3,6 +3,12 @@ variable "trusted_role_arns" {
   default     = []
 }
 
+variable "trusted_roles_ci_cd" {
+  description = "ARNs of AWS entities who can assume these roles for CI/CD"
+  default     = []
+}
+
+
 variable "mfa_age" {
   description = "Max age of valid MFA (in seconds) for roles which require MFA"
   default     = 86400