From 3fae1bbc949aed8a051e8bfc23a8f60a999b8e12 Mon Sep 17 00:00:00 2001
From: Matt Calhoun
Date: Thu, 9 Sep 2021 20:59:59 -0400
Subject: [PATCH] update assume actions variable to support multiple actions (#29)
Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
---
 README.md | 2 +-
 docs/terraform.md | 2 +-
 main.tf | 2 +-
 variables.tf | 8 ++++----
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 43f079b..dfa9447 100644
--- a/README.md
+++ b/README.md
@@ -210,7 +210,7 @@ For automated tests of the complete example using [bats](https://github.com/bats
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
-| [assume\_role\_action](#input\_assume\_role\_action) | The IAM action to be granted by the AssumeRole policy | `string` | `"sts:AssumeRole"` | no |
+| [assume\_role\_actions](#input\_assume\_role\_actions) | The IAM action to be granted by the AssumeRole policy | `list(string)` |
[
"sts:AssumeRole",
"sts:TagSession"
]
| no |
 | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no |
 | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index df6c534..b9353af 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -36,7 +36,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
-| [assume\_role\_action](#input\_assume\_role\_action) | The IAM action to be granted by the AssumeRole policy | `string` | `"sts:AssumeRole"` | no |
+| [assume\_role\_actions](#input\_assume\_role\_actions) | The IAM action to be granted by the AssumeRole policy | `list(string)` |
[
"sts:AssumeRole",
"sts:TagSession"
]
| no |
 | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no |
 | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 2f42e0d..ac9d91c 100644
--- a/main.tf
+++ b/main.tf
@@ -3,7 +3,7 @@ data "aws_iam_policy_document" "assume_role" {
 statement {
 effect = "Allow"
- actions = [var.assume_role_action]
+ actions = var.assume_role_actions
 principals {
 type = element(keys(var.principals), count.index)
diff --git a/variables.tf b/variables.tf
index c94ad71..388128d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -38,9 +38,9 @@ variable "policy_description" {
 description = "The description of the IAM policy that is visible in the IAM policy manager"
 }
-variable "assume_role_action" {
- type = string
- default = "sts:AssumeRole"
+variable "assume_role_actions" {
+ type = list(string)
+ default = ["sts:AssumeRole", "sts:TagSession"]
 description = "The IAM action to be granted by the AssumeRole policy"
 }
@@ -48,4 +48,4 @@ variable "instance_profile_enabled" {
 type = bool
 default = false
 description = "Create EC2 Instance Profile for the role"
-}
\ No newline at end of file
+}
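Review bot: `actions = var.assume_role_actions` passes the caller's list straight into the trust statement, so an empty list produces a statement with no `Action`, which IAM will most likely reject as malformed only at apply time; a non-empty-list check on the variable (a `validation` block, if the module's Terraform constraint allows one) would surface that at plan time instead. A short comment above the line would also help readers understand the widened scope, e.g. `# Every action listed in var.assume_role_actions is granted to every principal below; sts:TagSession additionally lets them set session tags, which can satisfy aws:PrincipalTag conditions elsewhere.` The `statement` block and the enclosing `data "aws_iam_policy_document"` start and end outside the hunk.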
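Review bot: The description `The IAM action to be granted by the AssumeRole policy` is still singular and says nothing about the new default, which now also grants `sts:TagSession` to every principal for callers that never set this input, so upgrading silently widens their trust policy. Suggest `description = "The IAM actions to be granted by the AssumeRole policy. The default also allows sts:TagSession, which lets assuming principals set session tags."` plus a release note calling out the changed default. If the module requires Terraform 0.13 or newer, a `validation` block with `condition = length(var.assume_role_actions) > 0` would reject an empty list before it reaches IAM.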