Create data source for aws iam roles

[jlamande]

The purpose of this new data source is to provide a way get ARNs and Names of IAM Roles that are created outside of the current Terraform state.

E.g., in an AWS SSO powered environment, IAM Roles are automatically provisioned by AWS SSO in the different AWS accounts of the organization and their names is only following a pattern. The exact name is unpredictable because it contains a random/hash number.

When provisioning resources based on these roles (as Kubernetes aws-auth map) this data source is a must-have.

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #14470
Closes #14173

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSDataSourceIAMRoles_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSDataSourceIAMRoles_ -timeout 180m
=== RUN   TestAccAWSDataSourceIAMRoles_basic
=== PAUSE TestAccAWSDataSourceIAMRoles_basic
=== RUN   TestAccAWSDataSourceIAMRoles_filterRoleName
=== PAUSE TestAccAWSDataSourceIAMRoles_filterRoleName
=== RUN   TestAccAWSDataSourceIAMRoles_pathPrefix
=== PAUSE TestAccAWSDataSourceIAMRoles_pathPrefix
=== RUN   TestAccAWSDataSourceIAMRoles_pathPrefixAndFilterRoleName
=== PAUSE TestAccAWSDataSourceIAMRoles_pathPrefixAndFilterRoleName
=== CONT  TestAccAWSDataSourceIAMRoles_basic
=== CONT  TestAccAWSDataSourceIAMRoles_pathPrefixAndFilterRoleName
=== CONT  TestAccAWSDataSourceIAMRoles_pathPrefix
=== CONT  TestAccAWSDataSourceIAMRoles_filterRoleName
--- PASS: TestAccAWSDataSourceIAMRoles_basic (71.14s)
--- PASS: TestAccAWSDataSourceIAMRoles_filterRoleName (76.23s)
--- PASS: TestAccAWSDataSourceIAMRoles_pathPrefix (76.35s)
--- PASS: TestAccAWSDataSourceIAMRoles_pathPrefixAndFilterRoleName (76.37s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	78.687s

[github-actions]

Welcome @jlamande 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

[Marcvd316]

Awesome work! Just commenting to add a link to a related issue : #14470

[jlamande]

Hi @anGie44
Any chance to have some feedback ?

[jlamande]

Hi @anGie44,
Any chance to have some feedback ?

[anGie44]

Hi @jlamande , thank you for this PR! It's off to a great start. A couple comments to address given we'll want to support a different argument in place of filter (as it's not natively supported by the API method), but things should fall into place once that is addressed. I've suggested the use of name_regex but if you feel name_prefix or another alternative may be better suited for this data source, feel free to discuss here!

[tomelliff]

This is potentially a follow up feature request but it might be useful to also return the ARNs wtih the path stripped. Or at least documentation should show how to get at the ARN without the path in it.

EKS role mapping against AWS SSO roles for some reason requires the path to be removed from the ARN of the role. This is documented in https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html and https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting_iam.html#security-iam-troubleshoot-ConfigMap

[mattoneillphx]

This PR will be incredibly useful and provides a workaround for #20552, thank you!

Any idea on when this may get released?

[anGie44]

@tomelliff thanks for pointing out this type of usage! hope this helps :)

[anGie44]

Thanks again @jlamande for introducing this new data source 🎉 To help this get into an upcoming release, I've committed the requested changes.

Output of acceptance tests (commercial):

--- PASS: TestAccAWSIAMRolesDataSource_nonExistentPathPrefix (11.37s)
--- PASS: TestAccAWSIAMRolesDataSource_nameRegex (19.79s)
--- PASS: TestAccAWSIAMRolesDataSource_basic (20.72s)
--- PASS: TestAccAWSIAMRolesDataSource_pathPrefix (21.56s)
--- PASS: TestAccAWSIAMRolesDataSource_nameRegexAndPathPrefix (31.89s)

[jlamande]

Hi @anGie44
sorry I wasnt connected during summer.
Great to see that the PR advanced and has been merged.
Just a question : did you squash the commits ?

[anGie44]

No worries @jlamande !
No, commits were all kept-as is (your initial commit, commit that merged main into this branch, my commit with changes)

[github-actions]

This functionality has been released in v3.55.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.