feat: added the ability to support multiple repositories

Author: gambol99

examples/role/main.tf

@@ -65,3 +65,53 @@ module "common_provider_example" {
     Name = "Example Common Provider"
   }
 }
+
+## Provision a role with multiple repositories
+module "mutlple_repositories" {
+  source = "../../modules/role"
+
+  // Basic role details
+  name        = "test-common-role"
+  description = "Creates a role using the GitHub OIDC provider"
+  tags        = {}
+  repositories = [
+    "appvia/app1",
+    "appvia/app2",
+  ]
+  permission_boundary_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+  read_only_policy_arns   = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
+  read_write_policy_arns  = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+
+  read_only_inline_policies = {
+    "additional" = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Action = [
+            "s3:GetObject",
+            "s3:ListBucket",
+          ]
+          Resource = "*"
+        },
+      ]
+    })
+  }
+
+  read_write_inline_policies = {
+    "additional" = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Action = [
+            "s3:GetObject",
+            "s3:PutObject",
+            "s3:ListBucket",
+          ]
+          Resource = "*"
+        },
+      ]
+    })
+  }
+}

examples/test-bitbucket/README.md

@@ -4,7 +4,7 @@ locals {
   account = var.account_id
 
   ## Use provided region or default to the current region
-  region = coalesce(var.region, data.aws_region.current.name)
+  region = coalesce(var.region, data.aws_region.current.region)
 
   ## Terraform state bucket name
   tf_state_bucket = format("%s-%s-tfstate", local.account, local.region)

examples/test-bitbucket/main.tf

@@ -578,7 +578,6 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_description"></a> [description](#input\_description) | Description of the role being created | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name of the role to create | `string` | n/a | yes |
-| <a name="input_repository"></a> [repository](#input\_repository) | Repository to be allowed in the OIDC federation mapping | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply resoures created by this module | `map(string)` | n/a | yes |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | The AWS account ID to create the role in | `string` | `null` | no |
 | <a name="input_additional_audiences"></a> [additional\_audiences](#input\_additional\_audiences) | Additional audiences to be allowed in the OIDC federation mapping | `list(string)` | `[]` | no |
@@ -598,12 +597,11 @@ No modules.
 | <a name="input_read_write_max_session_duration"></a> [read\_write\_max\_session\_duration](#input\_read\_write\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role | `number` | `null` | no |
 | <a name="input_read_write_policy_arns"></a> [read\_write\_policy\_arns](#input\_read\_write\_policy\_arns) | List of IAM policy ARNs to attach to the read-write role | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region in which the role will be used (defaulting to the provider region) | `string` | `null` | no |
-| <a name="input_repository_uuid"></a> [repository\_uuid](#input\_repository\_uuid) | Repository UUID. You can get it in the repository settings in the OpenID connect provider. | `string` | `null` | no |
+| <a name="input_repositories"></a> [repositories](#input\_repositories) | A collection of repositories to to bind the permissions | `list(string)` | `[]` | no |
+| <a name="input_repository"></a> [repository](#input\_repository) | Repository to be allowed in the OIDC federation mapping | `string` | `null` | no |
 | <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path under which to create IAM role. | `string` | `null` | no |
 | <a name="input_shared_repositories"></a> [shared\_repositories](#input\_shared\_repositories) | List of repositories to provide read access to the remote state | `list(string)` | `[]` | no |
 | <a name="input_tf_state_suffix"></a> [tf\_state\_suffix](#input\_tf\_state\_suffix) | A suffix for the terraform statefile, e.g. <repo>-<tf\_state\_suffix>.tfstate | `string` | `""` | no |
-| <a name="input_workspace_name"></a> [workspace\_name](#input\_workspace\_name) | The name of the workspace. | `string` | `null` | no |
-| <a name="input_workspace_uuid"></a> [workspace\_uuid](#input\_workspace\_uuid) | Workspace UUID. You can get it in the repository settings in the OpenID connect provider. Don't include the brackets and make sure it is lower cased. | `string` | `null` | no |
 
 ## Outputs
 

examples/test-bitbucket/terraform.tf

@@ -1,9 +1,3 @@
-locals {
-  workspace_name  = var.workspace_name
-  workspace_uuid  = var.workspace_uuid
-  repository_uuid = var.repository_uuid
-}
-
 locals {
   # The current account ID, if not provided
   account_id = var.account_id != null ? var.account_id : data.aws_caller_identity.current.account_id
@@ -37,29 +31,14 @@ locals {
       subject_env_mapping = ""
       subject_tag_mapping = "project_path:{repo}:ref_type:{type}:ref:{ref}"
     }
-
-    bitbucket = {
-      url = local.workspace_name != null ? "https://api.bitbucket.org/2.0/workspaces/${local.workspace_name}/pipelines-config/identity/oidc" : ""
-
-      audiences = local.workspace_uuid != null ? [
-        "ari:cloud:bitbucket::workspace/${local.workspace_uuid}",
-      ] : []
-
-      subject_reader_mapping = local.repository_uuid != null ? "${local.repository_uuid}:*" : ""
-      subject_branch_mapping = local.repository_uuid != null ? "${local.repository_uuid}:*" : ""
-      subject_env_mapping    = ""
-      subject_tag_mapping    = ""
-    }
   }
   # The devired permission_boundary arn 
   permission_boundary_by_name = var.permission_boundary != null ? format("arn:aws:iam::%s:policy/%s", local.account_id, var.permission_boundary) : null
   # The full ARN of the permission boundary to attach to the role
   permission_boundary_arn = var.permission_boundary_arn == null ? local.permission_boundary_by_name : var.permission_boundary_arn
   # The region where the iam role will be used 
   region = var.region != null ? var.region : data.aws_region.current.region
-}
 
-locals {
   # Find the source control provider from supplied list
   common_provider = lookup(local.common_providers, var.common_provider, null)
   # The selected provider from the supplied list

modules/remote_state/locals.tf

@@ -15,7 +15,6 @@ data "aws_iam_policy_document" "readonly_assume_role" {
 
     principals {
       type = "Federated"
-
       identifiers = [
         data.aws_iam_openid_connect_provider.this.arn
       ]
@@ -27,21 +26,26 @@ data "aws_iam_policy_document" "readonly_assume_role" {
       values   = concat(local.selected_provider.audiences, var.additional_audiences)
     }
 
-    condition {
-      test     = "StringLike"
-      variable = format("%s:sub", trimprefix(local.selected_provider.url, "https://"))
-      values = [
-        format(replace(local.selected_provider.subject_reader_mapping, format("/%s/", local.template_keys_regex), "%s"), [
-          for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_reader_mapping)) : {
-            repo = var.repository
-          }[v]
-        ]...)
-      ]
+    ## Support the repositories variable
+    dynamic "condition" {
+      for_each = toset(concat([var.repository], var.repositories))
+
+      content {
+        test     = "StringLike"
+        variable = format("%s:sub", trimprefix(local.selected_provider.url, "https://"))
+        values = [
+          format(replace(local.selected_provider.subject_reader_mapping, format("/%s/", local.template_keys_regex), "%s"), [
+            for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_reader_mapping)) : {
+              repo = condition.value
+            }[v]
+          ]...)
+        ]
+      }
     }
   }
 }
 
-## Provision the read only role
+## Provision a read only role to run terraform plan
 resource "aws_iam_role" "ro" {
   name                  = local.readonly_role_name
   description           = var.description
@@ -80,16 +84,11 @@ resource "aws_iam_role_policy_attachment" "ro" {
 ## Craft the trust policy for the read write role
 data "aws_iam_policy_document" "readwrite_assume_role" {
   statement {
-    actions = [
-      "sts:AssumeRoleWithWebIdentity",
-    ]
-
+    actions = ["sts:AssumeRoleWithWebIdentity"]
     principals {
       type = "Federated"
 
-      identifiers = [
-        data.aws_iam_openid_connect_provider.this.arn
-      ]
+      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
     }
 
     condition {
@@ -98,33 +97,37 @@ data "aws_iam_policy_document" "readwrite_assume_role" {
       values   = concat(local.selected_provider.audiences, var.additional_audiences)
     }
 
-    condition {
-      test     = "StringLike"
-      variable = format("%s:sub", trimprefix(local.selected_provider.url, "https://"))
-      values = compact([
-        var.protected_by.branch != null ? format(replace(local.selected_provider.subject_branch_mapping, format("/%s/", local.template_keys_regex), "%s"), [
-          for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_branch_mapping)) : {
-            repo = var.repository
-            type = "branch"
-            ref  = var.protected_by.branch
-          }[v]
-        ]...) : "",
-
-        var.protected_by.environment != null ? format(replace(local.selected_provider.subject_env_mapping, format("/%s/", local.template_keys_regex), "%s"), [
-          for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_env_mapping)) : {
-            repo = var.repository
-            env  = var.protected_by.environment
-          }[v]
-        ]...) : "",
-
-        var.protected_by.tag != null ? format(replace(local.selected_provider.subject_tag_mapping, format("/%s/", local.template_keys_regex), "%s"), [
-          for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_tag_mapping)) : {
-            repo = var.repository
-            type = "tag"
-            ref  = var.protected_by.tag
-          }[v]
-        ]...) : ""
-      ])
+    dynamic "condition" {
+      for_each = toset(concat([var.repository], var.repositories))
+
+      content {
+        test     = "StringLike"
+        variable = format("%s:sub", trimprefix(local.selected_provider.url, "https://"))
+        values = compact([
+          var.protected_by.branch != null ? format(replace(local.selected_provider.subject_branch_mapping, format("/%s/", local.template_keys_regex), "%s"), [
+            for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_branch_mapping)) : {
+              repo = condition.value
+              type = "branch"
+              ref  = var.protected_by.branch
+            }[v]
+          ]...) : "",
+
+          var.protected_by.environment != null ? format(replace(local.selected_provider.subject_env_mapping, format("/%s/", local.template_keys_regex), "%s"), [
+            for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_env_mapping)) : {
+              repo = condition.value
+              env  = var.protected_by.environment
+            }[v]
+          ]...) : "",
+
+          var.protected_by.tag != null ? format(replace(local.selected_provider.subject_tag_mapping, format("/%s/", local.template_keys_regex), "%s"), [
+            for v in flatten(regexall(local.template_keys_regex, local.selected_provider.subject_tag_mapping)) : {
+              repo = condition.value
+              type = "tag"
+              ref  = var.protected_by.tag
+            }[v]
+          ]...) : ""
+        ])
+      }
     }
   }
 }
@@ -168,16 +171,11 @@ resource "aws_iam_role_policy_attachment" "rw" {
 ## Craft the trust policy for the state reader role
 data "aws_iam_policy_document" "state_reader_assume_role" {
   statement {
-    actions = [
-      "sts:AssumeRoleWithWebIdentity",
-    ]
+    actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
-      type = "Federated"
-
-      identifiers = [
-        data.aws_iam_openid_connect_provider.this.arn
-      ]
+      type        = "Federated"
+      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
     }
 
     condition {