feat: add condition_operator field to allow overriding StringEquals w…

…ith StringLike (#610)
chanzuckerberg · Jul 24, 2024 · 86bab99 · 86bab99
1 parent 064b640
commit 86bab99
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 9 deletions.
diff --git a/aws-assume-role-policy/main.tf b/aws-assume-role-policy/main.tf
@@ -52,7 +52,7 @@ data "aws_iam_policy_document" "assume-role" {
 
       actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
       condition {
-        test     = "StringEquals"
+        test     = "${oidc.value["condition_operator"]}"
         variable = "${oidc.value["provider"]}:${oidc.value["jwt_condition"]}"
         values   = oidc.value["client_ids"]
       }

diff --git a/aws-assume-role-policy/variables.tf b/aws-assume-role-policy/variables.tf
@@ -38,10 +38,11 @@ variable "saml_idp_arns" {
 variable "oidc" {
   type = list(object(
     {
-      idp_arn : string,                      # the AWS IAM IDP arn
-      client_ids : list(string),             # a list of oidc client ids
-      provider : string,                     # your provider url, such as foo.okta.com
-      jwt_condition: optional(string, "aud") # the condition to allow the JWT token
+      idp_arn : string,                                      # the AWS IAM IDP arn
+      client_ids : list(string),                             # a list of oidc client ids
+      provider : string,                                     # your provider url, such as foo.okta.com
+      jwt_condition : optional(string, "aud"),               # the condition to allow the JWT token
+      condition_operator : optional(string, "StringEquals"), # the condition operator for the iam statement
     }
   ))
   default     = []

diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
@@ -29,10 +29,11 @@ variable "source_role_arns" {
 variable "oidc" {
   type = list(object(
     {
-      idp_arn : string,               # the AWS IAM IDP arn
-      client_ids : list(string),      # a list of oidc client ids
-      provider : string,              # your provider url, such as foo.okta.com
-      jwt_condition: optional(string) # the condition to allow the JWT token
+      idp_arn : string,                      # the AWS IAM IDP arn
+      client_ids : list(string),             # a list of oidc client ids
+      provider : string,                     # your provider url, such as foo.okta.com
+      jwt_condition : optional(string),      # the condition to allow the JWT token
+      condition_operator : optional(string), # the condition operator for the iam statement
     }
   ))