[feature] Adds support for SAML trust relationship to existing roles (#…

…154)
chanzuckerberg · Nov 27, 2019 · c59aa0e · c59aa0e
1 parent 8bc7c98
commit c59aa0e
Show file tree

Hide file tree

Showing 27 changed files with 345 additions and 88 deletions.
diff --git a/aws-iam-role-cloudfront-poweruser/README.md b/aws-iam-role-cloudfront-poweruser/README.md
@@ -10,7 +10,8 @@ This module will create a role which is granted poweruser control over AWS Cloud
 | iam\_path |  | string | `"/"` | no |
 | role\_name | Name of the role to create | string | n/a | yes |
 | s3\_bucket\_prefixes | Limits role permissions to buckets with specific prefixes. Empty for all buckets. | list | `<list>` | no |
-| source\_account\_id | AWS Account that can assume this role. | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 
 ## Outputs
 

diff --git a/aws-iam-role-cloudfront-poweruser/main.tf b/aws-iam-role-cloudfront-poweruser/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
-  statement {
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+  dynamic "statement" {
+    for_each = compact([var.source_account_id])
+    content {
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+      }
+      actions = ["sts:AssumeRole"]
     }
+  }
+
+  dynamic "statement" {
+    for_each = compact([var.saml_idp_arn])
+    content {
+      principals {
+        type        = "Federated"
+        identifiers = ["${var.saml_idp_arn}"]
+      }
 
-    actions = ["sts:AssumeRole"]
+      actions = ["sts:AssumeRoleWithSAML"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "SAML:aud"
+        values   = ["https://signin.aws.amazon.com/saml"]
+      }
+    }
   }
 }
 

diff --git a/aws-iam-role-cloudfront-poweruser/variables.tf b/aws-iam-role-cloudfront-poweruser/variables.tf
@@ -1,8 +1,3 @@
-variable "source_account_id" {
-  type        = "string"
-  description = "AWS Account that can assume this role."
-}
-
 variable "role_name" {
   type        = "string"
   description = "Name of the role to create"
@@ -21,3 +16,15 @@ variable "iam_path" {
   type    = "string"
   default = "/"
 }
+
+variable "source_account_id" {
+  type        = "string"
+  default     = ""
+  description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+  type        = "string"
+  default     = ""
+  description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-crossacct/README.md b/aws-iam-role-crossacct/README.md
@@ -23,7 +23,8 @@ module "group" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path | The IAM path to put this role in. | string | `"/"` | no |
 | role\_name | The name of the role. | string | n/a | yes |
-| source\_account\_id | The AWS account id that should be able to assume this role. | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 
 ## Outputs
 

diff --git a/aws-iam-role-crossacct/main.tf b/aws-iam-role-crossacct/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
-  statement {
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+  dynamic "statement" {
+    for_each = compact([var.source_account_id])
+    content {
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+      }
+      actions = ["sts:AssumeRole"]
     }
+  }
+
+  dynamic "statement" {
+    for_each = compact([var.saml_idp_arn])
+    content {
+      principals {
+        type        = "Federated"
+        identifiers = ["${var.saml_idp_arn}"]
+      }
 
-    actions = ["sts:AssumeRole"]
+      actions = ["sts:AssumeRoleWithSAML"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "SAML:aud"
+        values   = ["https://signin.aws.amazon.com/saml"]
+      }
+    }
   }
 }
 

diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
@@ -9,6 +9,13 @@ variable "iam_path" {
 }
 
 variable "source_account_id" {
-  description = "The AWS account id that should be able to assume this role."
   type        = "string"
+  default     = ""
+  description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+  type        = "string"
+  default     = ""
+  description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
 }
diff --git a/aws-iam-role-ec2-poweruser/README.md b/aws-iam-role-ec2-poweruser/README.md
@@ -25,7 +25,8 @@ module "ec2-poweruser" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path |  | string | `"/"` | no |
 | role\_name |  | string | n/a | yes |
-| source\_account\_id |  | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 
 ## Outputs
 

diff --git a/aws-iam-role-ec2-poweruser/main.tf b/aws-iam-role-ec2-poweruser/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
-  statement {
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+  dynamic "statement" {
+    for_each = compact([var.source_account_id])
+    content {
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+      }
+      actions = ["sts:AssumeRole"]
     }
+  }
+
+  dynamic "statement" {
+    for_each = compact([var.saml_idp_arn])
+    content {
+      principals {
+        type        = "Federated"
+        identifiers = ["${var.saml_idp_arn}"]
+      }
 
-    actions = ["sts:AssumeRole"]
+      actions = ["sts:AssumeRoleWithSAML"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "SAML:aud"
+        values   = ["https://signin.aws.amazon.com/saml"]
+      }
+    }
   }
 }
 

diff --git a/aws-iam-role-ec2-poweruser/variables.tf b/aws-iam-role-ec2-poweruser/variables.tf
@@ -1,7 +1,3 @@
-variable "source_account_id" {
-  type = "string"
-}
-
 variable "role_name" {
   type = "string"
 }
@@ -10,3 +6,15 @@ variable "iam_path" {
   type    = "string"
   default = "/"
 }
+
+variable "source_account_id" {
+  type        = "string"
+  default     = ""
+  description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+  type        = "string"
+  default     = ""
+  description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-ecs-poweruser/README.md b/aws-iam-role-ecs-poweruser/README.md
@@ -24,7 +24,8 @@ module "ec2-poweruser" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path |  | string | `"/"` | no |
 | role\_name |  | string | n/a | yes |
-| source\_account\_id |  | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 
 ## Outputs
 

diff --git a/aws-iam-role-ecs-poweruser/main.tf b/aws-iam-role-ecs-poweruser/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
-  statement {
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+  dynamic "statement" {
+    for_each = compact([var.source_account_id])
+    content {
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+      }
+      actions = ["sts:AssumeRole"]
     }
+  }
+
+  dynamic "statement" {
+    for_each = compact([var.saml_idp_arn])
+    content {
+      principals {
+        type        = "Federated"
+        identifiers = ["${var.saml_idp_arn}"]
+      }
 
-    actions = ["sts:AssumeRole"]
+      actions = ["sts:AssumeRoleWithSAML"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "SAML:aud"
+        values   = ["https://signin.aws.amazon.com/saml"]
+      }
+    }
   }
 }
 

diff --git a/aws-iam-role-ecs-poweruser/variables.tf b/aws-iam-role-ecs-poweruser/variables.tf
@@ -1,7 +1,3 @@
-variable "source_account_id" {
-  type = "string"
-}
-
 variable "role_name" {
   type = "string"
 }
@@ -10,3 +6,15 @@ variable "iam_path" {
   type    = "string"
   default = "/"
 }
+
+variable "source_account_id" {
+  type        = "string"
+  default     = ""
+  description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+  type        = "string"
+  default     = ""
+  description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-infraci/README.md b/aws-iam-role-infraci/README.md
@@ -9,8 +9,9 @@ Creates a role useful for running `terraform plan` in CI jobs.
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path |  | string | `"/"` | no |
 | role\_name |  | string | `"infraci"` | no |
-| source\_account\_id |  | string | n/a | yes |
 | terraform\_state\_lock\_dynamodb\_arns | "A list of unique identifiers (ARNs) of state file DynamoDB tables" | string | `[]` | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 
 ## Outputs
 

diff --git a/aws-iam-role-infraci/main.tf b/aws-iam-role-infraci/main.tf
@@ -1,11 +1,31 @@
 data "aws_iam_policy_document" "assume-role" {
-  statement {
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+  dynamic "statement" {
+    for_each = compact([var.source_account_id])
+    content {
+      principals {
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${var.source_account_id}:root"]
+      }
+      actions = ["sts:AssumeRole"]
     }
+  }
 
-    actions = ["sts:AssumeRole"]
+  dynamic "statement" {
+    for_each = compact([var.saml_idp_arn])
+    content {
+      principals {
+        type        = "Federated"
+        identifiers = ["${var.saml_idp_arn}"]
+      }
+
+      actions = ["sts:AssumeRoleWithSAML"]
+
+      condition {
+        test     = "StringEquals"
+        variable = "SAML:aud"
+        values   = ["https://signin.aws.amazon.com/saml"]
+      }
+    }
   }
 }
 

diff --git a/aws-iam-role-infraci/variables.tf b/aws-iam-role-infraci/variables.tf
@@ -1,7 +1,3 @@
-variable "source_account_id" {
-  type = "string"
-}
-
 variable "role_name" {
   default = "infraci"
 }
@@ -15,3 +11,15 @@ variable "terraform_state_lock_dynamodb_arns" {
   default     = []
   description = "ARNs of the state file DynamoDB tables"
 }
+
+variable "source_account_id" {
+  type        = "string"
+  default     = ""
+  description = "The source AWS account to establish a trust relationship. Ignored if empty or not provided."
+}
+
+variable "saml_idp_arn" {
+  type        = "string"
+  default     = ""
+  description = "The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided."
+}
diff --git a/aws-iam-role-poweruser/README.md b/aws-iam-role-poweruser/README.md
@@ -11,7 +11,7 @@ module "group" {
   # defaults to "poweruser"
   role_name         = "..."
 
-  # The id of the other AWS account that can assume this role. 
+  # The id of the other AWS account that can assume this role.
   source_account_id = "..."
 }
 ```
@@ -23,7 +23,8 @@ module "group" {
 |------|-------------|:----:|:-----:|:-----:|
 | iam\_path |  | string | `"/"` | no |
 | role\_name |  | string | `"poweruser"` | no |
-| source\_account\_id |  | string | n/a | yes |
+| source\_account\_id | The source AWS account to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
+| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | string | '' | no |
 
 ## Outputs