diff --git a/README.md b/README.md
index f950ca01..ce59f8ac 100644
--- a/README.md
+++ b/README.md
@@ -260,7 +260,8 @@ allow_github_webhooks = true
 | start\_timeout | Time duration (in seconds) to wait before giving up on resolving dependencies for a container | `number` | `30` | no |
 | stop\_timeout | Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own | `number` | `30` | no |
 | tags | A map of tags to use on all resources | `map(string)` | `{}` | no |
-| trusted\_principals | A list of principals, in addition to ecs-tasks.amazonaws.com, that can assume the task role | `list(string)` | `[]` | no |
+| trusted\_entities | A list of users or roles, that can assume the task role | `list(string)` | `[]` | no |
+| trusted\_principals | A list of services, in addition to ecs-tasks.amazonaws.com, that can assume the task role | `list(string)` | `[]` | no |
 | ulimits | Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit" |
list(object({| `null` | no |
 | user | The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set. | `string` | `null` | no |
 | volumes\_from | A list of VolumesFrom maps which contain "sourceContainer" (name of the container that has the volumes to mount) and "readOnly" (whether the container can write to the volume) |
name = string
hardLimit = number
softLimit = number
}))
list(object({| `[]` | no |
diff --git a/examples/github-complete/main.tf b/examples/github-complete/main.tf
index 0d149f89..ece5bb2c 100644
--- a/examples/github-complete/main.tf
+++ b/examples/github-complete/main.tf
@@ -62,6 +62,7 @@ module "atlantis" {
 # Security
 trusted_principals = var.trusted_principals
+ trusted_entities = [data.aws_caller_identity.caller_arn]
 # DNS
 route53_zone_name = var.domain
diff --git a/main.tf b/main.tf
index 0a8aeec9..7bfd25b5 100644
--- a/main.tf
+++ b/main.tf
@@ -375,6 +375,11 @@ data "aws_iam_policy_document" "ecs_tasks" {
 type = "Service"
 identifiers = compact(distinct(concat(["ecs-tasks.amazonaws.com"], var.trusted_principals)))
 }
+
+ principals {
+ type = "AWS"
+ identifiers = compact(distinct(var.trusted_entities))
+ }
 }
 }
diff --git a/variables.tf b/variables.tf
index 9bfcd763..b1a42900 100644
--- a/variables.tf
+++ b/variables.tf
@@ -246,7 +246,13 @@ variable "policies_arn" {
 }
 variable "trusted_principals" {
-  description = "A list of principals, in addition to ecs-tasks.amazonaws.com, that can assume the task role"
+  description = "A list of services, in addition to ecs-tasks.amazonaws.com, that can assume the task role"
+  type = list(string)
+  default = []
+}
+
+variable "trusted_entities" {
+  description = "A list of users or roles, that can assume the task role"
 type = list(string)
 default = []
 }
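Review bot: `data.aws_caller_identity.caller_arn` on the added trusted_entities line is missing the data-source name segment (`data.TYPE.NAME.ATTRIBUTE`), so unless the example declares a data source literally named `caller_arn` it will not resolve, and even then it would refer to the whole object rather than a string and fail the variable's `list(string)` type. The conventional form is `trusted_entities = [data.aws_caller_identity.current.arn]` together with a `data "aws_caller_identity" "current" {}` block in the example (no such block is visible in this hunk). Worth a comment next to the line that when the example is applied from an assumed role this ARN is the STS assumed-role session ARN, so the trust entry is tied to that session rather than to the role itself — confirm that is the intent. The module block continues outside the hunk.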
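Review bot: The added `principals` block with `type = "AWS"` is emitted unconditionally, so with the variable's default `trusted_entities = []` the statement carries an AWS principal whose identifiers set is empty; unless the provider silently drops a principals block with no identifiers, that renders an invalid trust policy and breaks every existing caller that never sets the new variable (the Service block next to it is safe only because it always contains ecs-tasks.amazonaws.com). Guarding it with a `dynamic "principals"` block keyed on the list being non-empty keeps the default behaviour unchanged. Note that an AWS-type principal widens the task role's trust from AWS services to arbitrary IAM users/roles, so a comment stating that each entry must be an IAM ARN the operator deliberately trusts would help the next maintainer; the statement's actions and the rest of the document are outside the hunk.
```hcl
    # … unchanged: Service principals block …

    # Emit the AWS principal only when entities were supplied; an empty
    # identifiers set would produce an invalid trust policy.
    dynamic "principals" {
      for_each = length(compact(distinct(var.trusted_entities))) > 0 ? [1] : []

      content {
        type        = "AWS"
        identifiers = compact(distinct(var.trusted_entities))
      }
    }
```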
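Review bot: The description of the new `trusted_entities` variable does not say what form the entries take or where they are used; since main.tf places them in a `type = "AWS"` principals block they have to be IAM ARNs, and the stray comma in "users or roles, that" reads oddly. Suggest `description = "A list of IAM user or role ARNs (AWS principals), in addition to the services in trusted_principals, that can assume the task role"`. If the module's required Terraform version permits it, a `validation` block rejecting entries that do not start with `arn:` would turn a mistyped identifier into a plan-time error instead of an invalid trust policy at apply time.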
sourceContainer = string
readOnly = bool
}))