feat: Add support for STS Session Tags

This commit adds support to the `iam-assumable-role-with-oidc` module
for enabling and configuring STS Session tags on the role trust policy.

Docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html

examples/iam-assumable-role-with-oidc/README.md

@@ -32,6 +32,7 @@ No providers.
 |------|--------|---------|
 | <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | ../../modules/iam-assumable-role-with-oidc | n/a |
 | <a name="module_iam_assumable_role_self_assume"></a> [iam\_assumable\_role\_self\_assume](#module\_iam\_assumable\_role\_self\_assume) | ../../modules/iam-assumable-role-with-oidc | n/a |
+| <a name="module_iam_assumable_role_session_tags"></a> [iam\_assumable\_role\_session\_tags](#module\_iam\_assumable\_role\_session\_tags) | ../../modules/iam-assumable-role-with-oidc | n/a |
 
 ## Resources
 

examples/iam-assumable-role-with-oidc/main.tf

@@ -50,3 +50,27 @@ module "iam_assumable_role_self_assume" {
 
   oidc_fully_qualified_subjects = ["system:serviceaccount:default:sa1", "system:serviceaccount:default:sa2"]
 }
+
+#####################################
+# IAM assumable role with session tags
+#####################################
+module "iam_assumable_role_session_tags" {
+  source = "../../modules/iam-assumable-role-with-oidc"
+
+  create_role = true
+
+  role_name = "role-with-oidc-self-assume"
+
+  tags = {
+    Role = "role-with-oidc-self-assume"
+  }
+
+  provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
+
+  role_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+  ]
+
+  enable_session_tags = true
+  oidc_session_tags   = { "Environment" : "example" }
+}

modules/iam-assumable-role-with-oidc/README.md

@@ -41,11 +41,13 @@ No modules.
 | <a name="input_allow_self_assume_role"></a> [allow\_self\_assume\_role](#input\_allow\_self\_assume\_role) | Determines whether to allow the role to be [assume itself](https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/) | `bool` | `false` | no |
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider | `string` | `""` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no |
+| <a name="input_enable_session_tags"></a> [enable\_session\_tags](#input\_enable\_session\_tags) | Should the trust policy allow the `sts:TagSession` permission? | `bool` | `false` | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | <a name="input_number_of_role_policy_arns"></a> [number\_of\_role\_policy\_arns](#input\_number\_of\_role\_policy\_arns) | Number of IAM policies to attach to IAM role | `number` | `null` | no |
 | <a name="input_oidc_fully_qualified_audiences"></a> [oidc\_fully\_qualified\_audiences](#input\_oidc\_fully\_qualified\_audiences) | The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. | `set(string)` | `[]` | no |
 | <a name="input_oidc_fully_qualified_subjects"></a> [oidc\_fully\_qualified\_subjects](#input\_oidc\_fully\_qualified\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
+| <a name="input_oidc_session_tags"></a> [oidc\_session\_tags](#input\_oidc\_session\_tags) | OIDC Session Tags to apply to trust policy | `map(string)` | `{}` | no |
 | <a name="input_oidc_subjects_with_wildcards"></a> [oidc\_subjects\_with\_wildcards](#input\_oidc\_subjects\_with\_wildcards) | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
 | <a name="input_provider_url"></a> [provider\_url](#input\_provider\_url) | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |
 | <a name="input_provider_urls"></a> [provider\_urls](#input\_provider\_urls) | List of URLs of the OIDC Providers | `list(string)` | `[]` | no |

modules/iam-assumable-role-with-oidc/main.tf

@@ -6,8 +6,10 @@ locals {
     for url in compact(distinct(concat(var.provider_urls, [var.provider_url]))) :
     replace(url, "https://", "")
   ]
-  number_of_role_policy_arns = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns))
-  role_name_condition        = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
+  number_of_role_policy_arns      = coalesce(var.number_of_role_policy_arns, length(var.role_policy_arns))
+  role_name_condition             = var.role_name != null ? var.role_name : "${var.role_name_prefix}*"
+  trust_policy_session_tag_action = var.enable_session_tags ? ["sts:TagSession"] : []
+  trust_policy_actions            = concat(["sts:AssumeRoleWithWebIdentity"], local.trust_policy_session_tag_action)
 }
 
 data "aws_caller_identity" "current" {}
@@ -43,7 +45,7 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
 
     content {
       effect  = "Allow"
-      actions = ["sts:AssumeRoleWithWebIdentity"]
+      actions = local.trust_policy_actions
 
       principals {
         type = "Federated"
@@ -80,6 +82,16 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
           values   = var.oidc_fully_qualified_audiences
         }
       }
+
+      dynamic "condition" {
+        for_each = var.enable_session_tags ? var.oidc_session_tags : {}
+
+        content {
+          test     = "StringLike"
+          variable = "aws:RequestTag/${condition.key}"
+          values   = [condition.value]
+        }
+      }
     }
   }
 }

modules/iam-assumable-role-with-oidc/variables.tf

@@ -105,3 +105,15 @@ variable "allow_self_assume_role" {
   type        = bool
   default     = false
 }
+
+variable "enable_session_tags" {
+  description = "Should the trust policy allow the `sts:TagSession` permission?"
+  type        = bool
+  default     = false
+}
+
+variable "oidc_session_tags" {
+  description = "OIDC Session Tags to apply to trust policy"
+  type        = map(string)
+  default     = {}
+}

wrappers/iam-assumable-role-with-oidc/main.tf

@@ -6,11 +6,13 @@ module "wrapper" {
   allow_self_assume_role         = try(each.value.allow_self_assume_role, var.defaults.allow_self_assume_role, false)
   aws_account_id                 = try(each.value.aws_account_id, var.defaults.aws_account_id, "")
   create_role                    = try(each.value.create_role, var.defaults.create_role, false)
+  enable_session_tags            = try(each.value.enable_session_tags, var.defaults.enable_session_tags, false)
   force_detach_policies          = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
   max_session_duration           = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
   number_of_role_policy_arns     = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
   oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
   oidc_fully_qualified_subjects  = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
+  oidc_session_tags              = try(each.value.oidc_session_tags, var.defaults.oidc_session_tags, {})
   oidc_subjects_with_wildcards   = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])
   provider_url                   = try(each.value.provider_url, var.defaults.provider_url, "")
   provider_urls                  = try(each.value.provider_urls, var.defaults.provider_urls, [])