I looked into forking this repo and adding the functionality, but the current way this module defines its Principals is not conducive to having conditions with complicated logic. In the meantime, I will be using this module; maybe it will help you too: https://github.com/mineiros-io/terraform-aws-iam-role
Describe the Feature
Add the variable `condition`; what this does is, if present, it will append a condition to the role assumption policy. This allows for fine-tuning what can assume a role.
Expected Behavior
Ability to provide conditions to an assume role policy.
Use Case
The most simple use case I can think of for this is role assumption via an external IDP like Okta. You are assuming the role via a SAML process.
The policy should look like this:
Describe Ideal Solution
Accept a `condition` block and, if present, use it in the data block for generating the AWS IAM JSON policy.
Alternatives Considered
The only alternative at this time after looking through the code for this module is to use the basic terraform aws_iam_role for this.
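A sketch of how the requested `condition` variable could be wired into the module's assume-role policy document, as an added example (not code from the module or from the issue author). The variable shape, the `saml_provider_arn` variable, the role name and the `SAML:aud` condition in the usage note are assumptions; the module's real variable names may differ.

```hcl
# Added example, not the module's own code. Assumed shape for the requested
# `condition` variable: a list of objects mirroring Terraform's condition block.
variable "condition" {
  description = "Optional conditions appended to the assume-role policy statement."
  type = list(object({
    test     = string
    variable = string
    values   = list(string)
  }))
  default = []
}

variable "saml_provider_arn" {
  description = "ARN of the SAML identity provider (placeholder; e.g. an Okta provider)."
  type        = string
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type        = "Federated"
      identifiers = [var.saml_provider_arn]
    }

    # Emitted once per entry in var.condition; when the list is empty the
    # statement is unchanged, so existing callers keep their current trust policy.
    dynamic "condition" {
      for_each = var.condition
      content {
        test     = condition.value.test
        variable = condition.value.variable
        values   = condition.value.values
      }
    }
  }
}

resource "aws_iam_role" "this" {
  name               = "okta-saml-role" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
```

For the Okta use case above, passing `condition = [{ test = "StringEquals", variable = "SAML:aud", values = ["https://signin.aws.amazon.com/saml"] }]` restricts the trust to SAML assertions whose audience is the AWS sign-in endpoint, which is the condition AWS documents for SAML federation.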