feat: Explicit self-assume permission for IAM assumable role with OIDC #278
Conversation
Looks pretty good. Minor comments. Thanks for the quick addition.
This is great work.
@@ -62,6 +62,28 @@ data "aws_iam_policy_document" "assume_role_with_oidc" { | |||
} | |||
} | |||
|
|||
data "aws_iam_policy_document" "assume_self" { |
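Review bot: the new `assume_self` data source lives outside `assume_role_with_oidc`, so its statement has to be merged into the trust policy in a second step; a `dynamic "statement"` block with `for_each = var.explicit_permission_to_assume_self ? [1] : []` inside the existing document would keep the condition and the policy together. In either form the variable should default to `false`, so roles created with the prior configuration keep their current trust policy unless a caller opts in, which is what the "no breaking changes" claim in the description relies on.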
Instead of a new document data source and then merging documents, we can use a dynamic statement block instead, like:

```hcl
dynamic "statement" {
  for_each = var.explicit_permission_to_assume_self ? [1] : []
  content {
    ...
  }
}
```
Yes - @miklapko, can we add this to all roles that are supported in this project please?

Thanks folks.
Add Govcloud and CN support

Co-authored-by: Peter Rifel <rifelpet@users.noreply.github.com>

This issue has been resolved in version 5.5.0 🎉

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
Adds the ability to implement self-assume permission for IAM assumable role with OIDC.
Motivation and Context
AWS is changing the way IAM role trust policies work. Before, they implicitly allowed the role to assume itself. After the change, an explicit permission is needed.
Breaking Changes
No.
How Has This Been Tested?
Tested via Terraform Enterprise on multiple environments, with prior config (without the new variable input) and with `explicit_permission_to_assume_self = true`.

- I have updated at least one of the `examples/*` to demonstrate and validate my change(s)
- I have tested and validated these changes using one or more of the provided `examples/*` projects
- I have executed `pre-commit run -a` on my pull request
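To illustrate the motivation above (an explicit self-assume statement in the trust policy) together with the reviewer's dynamic-block suggestion, here is an added example of a single trust-policy document for an OIDC-assumable role; it is not the PR's or the module's own code. It assumes input variables `var.role_name`, `var.role_path` (with leading and trailing slash), `var.provider_url` and `var.explicit_permission_to_assume_self`.

```hcl
# Added example, not the project's code. Assumed inputs: var.role_name,
# var.role_path, var.provider_url, var.explicit_permission_to_assume_self.
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

locals {
  account_id        = data.aws_caller_identity.current.account_id
  partition         = data.aws_partition.current.partition
  oidc_provider_arn = "arn:${local.partition}:iam::${local.account_id}:oidc-provider/${var.provider_url}"
  # Built from strings rather than read from the aws_iam_role resource, so the
  # role and its own trust policy do not form a dependency cycle in Terraform.
  self_role_arn = "arn:${local.partition}:iam::${local.account_id}:role${var.role_path}${var.role_name}"
}

data "aws_iam_policy_document" "assume_role_with_oidc" {
  # The existing federated statement: the OIDC provider may assume the role.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [local.oidc_provider_arn]
    }
  }

  # Emitted only when the caller opts in; with the default (false) the rendered
  # policy is byte-for-byte what existing callers already have.
  dynamic "statement" {
    for_each = var.explicit_permission_to_assume_self ? [1] : []
    content {
      sid     = "ExplicitSelfRoleAssumption"
      effect  = "Allow"
      actions = ["sts:AssumeRole"]
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      # The wildcard principal above is scoped by this condition to the role's
      # own ARN only; without it the statement would let any principal in the
      # account attempt to assume the role.
      condition {
        test     = "ArnLike"
        variable = "aws:PrincipalArn"
        values   = [local.self_role_arn]
      }
    }
  }
}
```

Run `terraform plan` once with the variable left at its default and once with it set to `true`: the first plan should show no change to an existing role's `assume_role_policy`, the second should add only the `ExplicitSelfRoleAssumption` statement.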