탐색 도움말
가입하기 로그인
AFS
/
xdr-terraform-modules
2
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
트리: 5713a943b8
브랜치 태그
xdr-terraform-m...
/
submodules
/
iam
/
okta_saml_roles
/
assume_role_policy-okta_saml.tf

assume_role_policy-okta_saml.tf 2.1 KB
히스토리 Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. data "aws_iam_policy_document" "okta_saml_assume_role_policy" {
    2. 

  2.   statement {
    3. 

  3.     sid    = "AllowAssumeRoleViaOkta"
    4. 

  4.     effect = "Allow"
    5. 

  5.     principals {
    6. 

  6.       type        = "Federated"
    7. 

  7.       identifiers = [aws_iam_saml_provider.okta.arn]
    8. 

  8.     }
    9. 

  9. 

  10.     actions = [
    11. 

  11.       "sts:AssumeRoleWithSAML",
    12. 

  12.     ]
    13. 

  13. 

  14.     condition {
    15. 

  15.       test     = "StringEquals"
    16. 

  16.       variable = "SAML:aud"
    17. 

  17.       values = [
    18. 

  18.         local.saml_signin_page[local.aws_partition]
    19. 

  19.       ]
    20. 

  20.     }
    21. 

  21.   }
    22. 

  22. 

  23.   # Note this could be a security issue.  We are counting on 
    24. 

  24.   # All of the other roles, groups, etc in the account to have reasonable
    25. 

  25.   # limitations on sts:AssumeRole
    26. 

  26.   statement {
    27. 

  27.     sid    = "AllowAssumeRoleFromOtherRolesInThisAccount"
    28. 

  28.     effect = "Allow"
    29. 

  29.     principals {
    30. 

  30.       type = "AWS"
    31. 

  31.       identifiers = [
    32. 

  32.         "arn:${local.aws_partition}:iam::${local.aws_account}:root"
    33. 

  33.       ]
    34. 

  34.     }
    35. 

  35. 

  36.     actions = [
    37. 

  37.       "sts:AssumeRole",
    38. 

  38.     ]
    39. 

  39.   }
    40. 

  40. }
    41. 

  41. 

  42. # Notice the source_json here.  I had forgotten how this worked and
    43. 

  43. # had to refresh myself.  See terraform AWS provider docs at
    44. 

  44. # https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html
    45. 

  45. #   "Statements with non-blank sids in the current policy document will overwrite 
    46. 

  46. #    statements with the same sid in the source json."
    47. 

  47. # The idea here is that IF var.trusted_arns is set, then we append a new SID
    48. 

  48. # to the policy to enable AssumeRole from other accounts.
    49. 

  49. #
    50. 

  50. # This ties to local.tf:
    51. 

  51. # assume_role_policy = (length(var.trusted_arns) > 0) ? 
    52. 

  52. # data.aws_iam_policy_document.okta_saml_plus_crossaccount_assume_role_policy.json : 
    53. 

  53. # data.aws_iam_policy_document.okta_saml_assume_role_policy.json
    54. 

  54. #
    55. 

  55. # Maybe that local should be defined here in this file and not in locals.tf, not sure which
    56. 

  56. # is clearer.
    57. 

  57. data "aws_iam_policy_document" "okta_saml_plus_crossaccount_assume_role_policy" {
    58. 

  58. 

  59.   source_json = data.aws_iam_policy_document.okta_saml_assume_role_policy.json
    60. 

  60. 

  61.   statement {
    62. 

  62.     sid    = "AllowAssumeRoleFromOtherAccounts"
    63. 

  63.     effect = "Allow"
    64. 

  64.     principals {
    65. 

  65.       type        = "AWS"
    66. 

  66.       identifiers = var.trusted_arns
    67. 

  67.     }
    68. 

  68. 

  69.     actions = [
    70. 

  70.       "sts:AssumeRole",
    71. 

  71.     ]
    72. 

  72.   }
    73. 

  73. }
    74.