Skip to content

feat: Allow overriding the whole assume policy #86

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jun 4, 2025
Merged

feat: Allow overriding the whole assume policy #86

merged 6 commits into from
Jun 4, 2025

Conversation

pablotp
Copy link
Contributor

@pablotp pablotp commented Jun 3, 2025
edited by nitrocode
Loading

what

Adds the assume_role_policy_document variable, allowing users to provide a complete JSON assume role policy for the IAM role. When set, this overrides the principals, assume_role_conditions, and assume_role_actions variables.

why

This enables advanced use cases where a custom trust policy is needed, offering more flexibility than the module’s built-in policy generation. If not set, the module’s default behavior remains unchanged.

Example of an assume policy that couldn't be generated before

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/app-prod-ci-agent",
          "AROAEXAMPLEID1",
          "arn:aws:iam::444455556666:role/ci-agent",
          "arn:aws:iam::111122223333:role/app-prod-use1-mz-4-ci-agent"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::444455556666:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC:sub": "system:serviceaccount:ci:ci-agent"
        }
      }
    }
  ]
}

With the previous implementation, you could not generate the second statement with a different action (sts:AssumeRoleWithWebIdentity) and a different condition for the Federated principal.

references

@mergify mergify bot added the triage Needs triage label Jun 3, 2025
@pablotp pablotp force-pushed the allow-set-custom-assume-policy branch 2 times, most recently from cbc225a to 4746f86 Compare June 3, 2025 10:18
@pablotp pablotp marked this pull request as ready for review June 3, 2025 10:44
@pablotp pablotp requested review from a team as code owners June 3, 2025 10:44
@pablotp pablotp requested review from hans-d and gberenice June 3, 2025 10:44
@pablotp pablotp mentioned this pull request Jun 3, 2025
Open
nitrocode
nitrocode reviewed Jun 3, 2025
View reviewed changes
@nitrocode
Copy link
Member

/terratest

@nitrocode
Copy link
Member

Tests are failing. Try running the tests locally.

@pablotp pablotp force-pushed the allow-set-custom-assume-policy branch from 4746f86 to cc2e3c0 Compare June 3, 2025 13:51
@pablotp
Copy link
Contributor Author

pablotp commented Jun 3, 2025
edited
Loading

Tests are failing. Try running the tests locally.

The errors seem related to go setup. Locally, I pass this stage.

Screenshot 2025-06-03 at 15 58 28

Any help figuring out what is broken is very welcome 🙏🏻

@nitrocode
Copy link
Member

nitrocode commented Jun 3, 2025
edited
Loading

cc @goruha tests are failing in the setup. What would you recommend?

Here is the previous commit 4746f86 with the failed tests.

Benbentwo
Benbentwo requested changes Jun 3, 2025
View reviewed changes
Copy link
Member

@Benbentwo Benbentwo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, couple small changes

@pablotp pablotp requested review from nitrocode and Benbentwo June 3, 2025 19:45
@pablotp
Copy link
Contributor Author

pablotp commented Jun 3, 2025

@Benbentwo, thank you for the prompt review! I've just addressed your comments. Please let me know if I missed anything.

@pablotp pablotp force-pushed the allow-set-custom-assume-policy branch from 8a0e64f to 775ec99 Compare June 3, 2025 19:47
nitrocode
nitrocode reviewed Jun 3, 2025
View reviewed changes
@nitrocode
Copy link
Member

/terratest

@nitrocode nitrocode requested a review from goruha June 3, 2025 22:36
@Benbentwo
Copy link
Member

/terratest

@Benbentwo Benbentwo added the minor New features that do not break anything label Jun 4, 2025
Benbentwo
Benbentwo previously approved these changes Jun 4, 2025
View reviewed changes
@mergify mergify bot removed the triage Needs triage label Jun 4, 2025
@Benbentwo Benbentwo mentioned this pull request Jun 4, 2025
Closed
@Benbentwo Benbentwo force-pushed the allow-set-custom-assume-policy branch from b31ea55 to 6596e35 Compare June 4, 2025 17:21
@Benbentwo
Copy link
Member

/terratest

@Benbentwo Benbentwo merged commit 5b0a38f into cloudposse:main Jun 4, 2025
48 checks passed
@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 4, 2025

These changes were released in v0.22.0.

@pablotp pablotp mentioned this pull request Jun 4, 2025
Merged
@pablotp pablotp mentioned this pull request Jun 16, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nitrocode nitrocode nitrocode left review comments

@milldr milldr milldr approved these changes

@Benbentwo Benbentwo Benbentwo approved these changes

@hans-d hans-d Awaiting requested review from hans-d hans-d is a code owner automatically assigned from cloudposse/contributors

@gberenice gberenice Awaiting requested review from gberenice gberenice is a code owner automatically assigned from cloudposse/contributors

@goruha goruha Awaiting requested review from goruha

Assignees
No one assigned
Labels
minor New features that do not break anything
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pablotp @nitrocode @Benbentwo @milldr