
fix: Fix conditions with multiple subjects in assume role with oidc policy #74

Merged
merged 1 commit into from
Jun 10, 2020

Conversation

miguelaferreira (Contributor)

Fixes #73

Description

This PR fixes the logic that creates the assume role policy with OIDC to allow users to specify multiple subjects for the policy.

Motivation and Context

See #73

Breaking Changes

No breaking changes

How Has This Been Tested?

This PR was tested by extending the example provided with the module (examples/iam-assumable-role-with-oidc) with the failing use case reported in #73. Then asking for a plan of that example shows that the policy is now created with two subjects.

  # module.iam_assumable_role_admin.aws_iam_role.this[0] will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRoleWithWebIdentity"
                      + Condition = {
                          + StringEquals = {
                              + oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8:sub = [
                                  + "system:serviceaccount:default:sa2",
                                  + "system:serviceaccount:default:sa1",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Federated = "arn:aws:iam::119393867667:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + max_session_duration  = 3600
      + name                  = "role-with-oidc"
      + path                  = "/"
      + tags                  = {
          + "Role" = "role-with-oidc"
        }
      + unique_id             = (known after apply)
    }
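Added example, not the module's code and written in Python rather than Terraform: it builds the trust policy in the shape the plan output above shows, with the `<issuer>:sub` StringEquals value as a list of subjects, and evaluates that condition the way IAM treats a list-valued StringEquals (the token's `sub` must exactly equal one listed value). The issuer ID, account ID and service-account subjects are constructed placeholders.

```python
import json

# Constructed sample values (placeholders, not the account/provider in the plan above).
OIDC_ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE00000000000000000000000000"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + OIDC_ISSUER
SUBJECTS = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"]


def build_trust_policy(provider_arn, issuer, subjects):
    """Trust policy for AssumeRoleWithWebIdentity whose single StringEquals
    condition lists every allowed '<issuer>:sub' value (the shape the plan shows)."""
    subjects = list(subjects)
    if not subjects:
        raise ValueError("at least one subject is required; an empty list never matches")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Principal": {"Federated": provider_arn},
                "Condition": {"StringEquals": {issuer + ":sub": subjects}},
            }
        ],
    }


def subject_allowed(policy, issuer, token_sub):
    """Evaluate the sub condition as IAM evaluates a list-valued StringEquals:
    the token's sub must exactly equal one of the listed values (no wildcards)."""
    key = issuer + ":sub"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        allowed = stmt.get("Condition", {}).get("StringEquals", {}).get(key, [])
        if isinstance(allowed, str):  # a single subject may be written as a bare string
            allowed = [allowed]
        if token_sub in allowed:
            return True
    return False


POLICY = build_trust_policy(PROVIDER_ARN, OIDC_ISSUER, SUBJECTS)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for sub in SUBJECTS + ["system:serviceaccount:default:sa3"]:
        print(sub, "->", "allowed" if subject_allowed(POLICY, OIDC_ISSUER, sub) else "denied")
```

Running it prints the policy document and shows sa1 and sa2 allowed while sa3 (not in the list) is denied.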

LS80 commented May 13, 2020

FYI there are three other open PRs all fixing the same issue
#53
#63
#66

miguelaferreira (Contributor Author)

Thanks for letting me know @LS80.
I'm happy to close this in favour of an earlier PR.

LS80 commented Jun 1, 2020

I have no preference, I was just pointing out the other fixes in case it was instructive. Can we get this merged?

miguelaferreira (Contributor Author)

I understand @LS80. I often have the same problem: even when I'm the maintainer of a module, I do not have the freedom to merge or release the code. That is by design, so I would advise you to reach out to the owners of this organisation. You can find them here: https://github.com/orgs/terraform-aws-modules/people

@antonbabenko antonbabenko changed the title Fix conditions with multiple subjects in assume role with oidc policy fix: Fix conditions with multiple subjects in assume role with oidc policy Jun 10, 2020
@antonbabenko antonbabenko merged commit e47ee04 into terraform-aws-modules:master Jun 10, 2020
antonbabenko (Member)

Thanks, @miguelaferreira !

v2.12.0 has just been released.

Fixes #73

github-actions (bot)

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 10, 2022
Successfully merging this pull request may close these issues.

Multiple oidc_fully_qualified_subjects not working with iam-assumable-role-with-oidc