
v0.22.0

@cloudposse-releaser cloudposse-releaser released this 04 Jun 17:40
· 4 commits to refs/heads/main since this release
feat: Allow overriding the whole assume policy @pablotp (#86)

what

Adds the assume_role_policy_document variable, allowing users to provide a complete JSON assume role policy for the IAM role. When set, this overrides the principals, assume_role_conditions, and assume_role_actions variables.

why

This enables advanced use cases where a custom trust policy is needed, offering more flexibility than the module’s built-in policy generation. If not set, the module’s default behavior remains unchanged.

Example of an assume policy that couldn't be generated before

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/app-prod-ci-agent",
          "AROAEXAMPLEID1",
          "arn:aws:iam::444455556666:role/ci-agent",
          "arn:aws:iam::111122223333:role/app-prod-use1-mz-4-ci-agent"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::444455556666:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC:sub": "system:serviceaccount:ci:ci-agent"
        }
      }
    }
  ]
}

With the previous implementation, you could not generate the second statement with a different action (sts:AssumeRoleWithWebIdentity) and a different condition for the Federated principal.
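A policy passed through assume_role_policy_document bypasses the module's own statement generation, so nothing in the module checks it for you. The following linter is an added example, not code from the module or from this release: it parses a trust policy and flags wildcard principals, account-root principals with no Condition, and any sts:AssumeRoleWithWebIdentity statement whose Federated OIDC provider is not pinned with a `<provider>:sub` or `<provider>:aud` condition. The release's own policy is embedded as sample input, and LOOSE_POLICY is a constructed counter-example; the check rules are assumptions about what a reviewer would want, not rules the module enforces.

```python
"""Lint an IAM trust (assume role) policy before handing it to the module.

Added example, not part of the module. Every rule below is an assumption
about sensible trust-policy hygiene, not behaviour the module implements.
"""
import json
from typing import Any

# Sample input: the trust policy from the release notes.
RELEASE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/app-prod-ci-agent",
          "AROAEXAMPLEID1",
          "arn:aws:iam::444455556666:role/ci-agent",
          "arn:aws:iam::111122223333:role/app-prod-use1-mz-4-ci-agent"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::444455556666:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC:sub": "system:serviceaccount:ci:ci-agent"
        }
      }
    }
  ]
}"""

# Constructed counter-example containing the mistakes the linter is meant to catch.
LOOSE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    {
      "Effect": "Allow",
      "Principal": {"Federated": "arn:aws:iam::444455556666:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC"},
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}"""


def _as_list(value: Any) -> list:
    """IAM allows scalars where lists are accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(condition: dict) -> set[str]:
    """Condition is {operator: {key: value}}; collect every key across operators."""
    keys: set[str] = set()
    for operand in condition.values():
        keys.update(operand.keys())
    return keys


def lint_trust_policy(document: str) -> list[str]:
    """Return findings for a trust policy JSON string; an empty list means it passed."""
    policy = json.loads(document)
    findings: list[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy: Version should be 2012-10-17")

    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # bare "*" form
            principal = {"AWS": principal}
        principal = {ptype: _as_list(values) for ptype, values in principal.items()}
        actions = _as_list(stmt.get("Action", []))
        condition = stmt.get("Condition", {})
        cond_keys = _condition_keys(condition)

        # Rule 1: no wildcard principals; account-root principals need a Condition.
        for ptype, values in principal.items():
            for value in values:
                if value == "*":
                    findings.append(f"statement {idx}: wildcard {ptype} principal")
                elif value.endswith(":root") and not condition:
                    findings.append(f"statement {idx}: account-root principal {value} has no Condition")

        # Rule 2: web-identity trust must be scoped to a subject or audience claim.
        if "sts:AssumeRoleWithWebIdentity" in actions:
            for provider_arn in principal.get("Federated", []):
                provider = provider_arn.split("oidc-provider/", 1)[-1]
                wanted = {f"{provider}:sub", f"{provider}:aud"}
                if not wanted & cond_keys:
                    findings.append(
                        f"statement {idx}: web-identity trust for {provider} has no :sub or :aud condition"
                    )
    return findings


if __name__ == "__main__":
    for name, doc in (("release policy", RELEASE_POLICY), ("loose policy", LOOSE_POLICY)):
        print(name, lint_trust_policy(doc) or ["ok"])
```

Run it before `terraform apply`, or wire it into CI where the policy JSON is rendered; the release's own policy passes cleanly, while the constructed loose policy produces one finding per statement.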

references

Cleanup Go mod for tests @Benbentwo (#87)

This pull request updates the `go.mod` file in the `test/src` directory to modernize the Go toolchain and dependencies. The most important changes include upgrading the Go version, introducing a new toolchain, and updating or adding several dependencies to newer versions.

Go toolchain updates:

  • Upgraded Go version from 1.16 to 1.23.0 and added the toolchain go1.24.3 specification for better compatibility and performance.

Dependency updates:

  • Updated existing dependencies to newer versions, including github.com/klauspost/compress (to v1.16.7) and github.com/stretchr/testify (to v1.10.0).
  • Added new dependencies, such as github.com/hashicorp/go-cleanhttp (v0.5.2), github.com/hashicorp/go-safetemp (v1.0.0), and github.com/zclconf/go-cty (v1.15.0), to enhance functionality and support for modern features.
  • Removed outdated dependencies, such as cloud.google.com/go/compute and github.com/aws/aws-sdk-go, which are no longer required.

🤖 Automatic Updates

Replace Makefile with atmos.yaml @osterman (#84)

what

  • Remove `Makefile`
  • Add `atmos.yaml`

why

  • Replace build-harness with atmos for readme generation

References

  • DEV-3229 Migrate from build-harness to atmos