fix: Properly configure fully qualified audiences

Author: Andres Montalban

modules/iam-assumable-role-with-oidc/README.md

@@ -44,6 +44,7 @@ No modules.
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
 | <a name="input_number_of_role_policy_arns"></a> [number\_of\_role\_policy\_arns](#input\_number\_of\_role\_policy\_arns) | Number of IAM policies to attach to IAM role | `number` | `null` | no |
+| <a name="input_oidc_audiences_with_wildcards"></a> [oidc\_audiences\_with\_wildcards](#input\_oidc\_audiences\_with\_wildcards) | The audiences using wildcards to be added to the role policy. | `set(string)` | `[]` | no |
 | <a name="input_oidc_fully_qualified_audiences"></a> [oidc\_fully\_qualified\_audiences](#input\_oidc\_fully\_qualified\_audiences) | The audience to be added to the role policy. Set to sts.amazonaws.com for cross-account assumable role. Leave empty otherwise. | `set(string)` | `[]` | no |
 | <a name="input_oidc_fully_qualified_subjects"></a> [oidc\_fully\_qualified\_subjects](#input\_oidc\_fully\_qualified\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
 | <a name="input_oidc_subjects_with_wildcards"></a> [oidc\_subjects\_with\_wildcards](#input\_oidc\_subjects\_with\_wildcards) | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |

modules/iam-assumable-role-with-oidc/main.tf

@@ -75,11 +75,21 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
         for_each = length(var.oidc_fully_qualified_audiences) > 0 ? local.urls : []
 
         content {
-          test     = "StringLike"
+          test     = "StringEquals"
           variable = "${statement.value}:aud"
           values   = var.oidc_fully_qualified_audiences
         }
       }
+
+      dynamic "condition" {
+        for_each = length(var.oidc_audiences_with_wildcards) > 0 ? local.urls : []
+
+        content {
+          test     = "StringLike"
+          variable = "${statement.value}:aud"
+          values   = var.oidc_audiences_with_wildcards
+        }
+      }
     }
   }
 }

modules/iam-assumable-role-with-oidc/variables.tf

@@ -94,6 +94,12 @@ variable "oidc_fully_qualified_audiences" {
   default     = []
 }
 
+variable "oidc_audiences_with_wildcards" {
+  description = "The audiences using wildcards to be added to the role policy."
+  type        = set(string)
+  default     = []
+}
+
 variable "force_detach_policies" {
   description = "Whether policies should be detached from this role when destroying"
   type        = bool

wrappers/iam-assumable-role-with-oidc/main.tf

@@ -9,6 +9,7 @@ module "wrapper" {
   force_detach_policies          = try(each.value.force_detach_policies, var.defaults.force_detach_policies, false)
   max_session_duration           = try(each.value.max_session_duration, var.defaults.max_session_duration, 3600)
   number_of_role_policy_arns     = try(each.value.number_of_role_policy_arns, var.defaults.number_of_role_policy_arns, null)
+  oidc_audiences_with_wildcards  = try(each.value.oidc_audiences_with_wildcards, var.defaults.oidc_audiences_with_wildcards, [])
   oidc_fully_qualified_audiences = try(each.value.oidc_fully_qualified_audiences, var.defaults.oidc_fully_qualified_audiences, [])
   oidc_fully_qualified_subjects  = try(each.value.oidc_fully_qualified_subjects, var.defaults.oidc_fully_qualified_subjects, [])
   oidc_subjects_with_wildcards   = try(each.value.oidc_subjects_with_wildcards, var.defaults.oidc_subjects_with_wildcards, [])