hashicorp · gdavison · Sep 1, 2022 · Jun 8, 2022 · Jun 15, 2022 · Jun 15, 2022
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: Add `source_identity` argument to `assume_role` block
+```
@@ -200,6 +200,11 @@ func (p *fwprovider) GetSchema(ctx context.Context) (tfsdk.Schema, diag.Diagnost
 						Optional:    true,
 						Description: "An identifier for the assumed role session.",
 					},
+					"source_identity": {
+						Type:        types.StringType,
+						Optional:    true,
+						Description: "Source identity specified by the principal assuming the role.",
+					},
 					"tags": {
 						Type:        types.MapType{ElemType: types.StringType},
 						Optional:    true,

@@ -2211,7 +2211,7 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData, terraformVer
 
 	if l, ok := d.Get("assume_role").([]interface{}); ok && len(l) > 0 && l[0] != nil {
 		config.AssumeRole = expandAssumeRole(l[0].(map[string]interface{}))
-		log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q, ExternalID: %q)", config.AssumeRole.RoleARN, config.AssumeRole.SessionName, config.AssumeRole.ExternalID)
+		log.Printf("[INFO] assume_role configuration set: (ARN: %q, SessionID: %q, ExternalID: %q, SourceIdentity: %q)", config.AssumeRole.RoleARN, config.AssumeRole.SessionName, config.AssumeRole.ExternalID, config.AssumeRole.SourceIdentity)
 	}
 
 	if l, ok := d.Get("assume_role_with_web_identity").([]interface{}); ok && len(l) > 0 && l[0] != nil {
@@ -2304,6 +2304,12 @@ func assumeRoleSchema() *schema.Schema {
 					Description:  "An identifier for the assumed role session.",
 					ValidateFunc: validAssumeRoleSessionName,
 				},
+				"source_identity": {
+					Type:         schema.TypeString,
+					Optional:     true,
+					Description:  "Source identity specified by the principal assuming the role.",
+					ValidateFunc: validAssumeRoleSourceIdentity,
+				},
 				"tags": {
 					Type:        schema.TypeMap,
 					Optional:    true,
@@ -2438,6 +2444,10 @@ func expandAssumeRole(m map[string]interface{}) *awsbase.AssumeRole {
 		assumeRole.SessionName = v
 	}
 
+	if v, ok := m["source_identity"].(string); ok && v != "" {
+		assumeRole.SourceIdentity = v
+	}
+
 	if tagMapRaw, ok := m["tags"].(map[string]interface{}); ok && len(tagMapRaw) > 0 {
 		assumeRole.Tags = make(map[string]string)
 

@@ -29,3 +29,8 @@ var validAssumeRoleSessionName = validation.All(
 	validation.StringLenBetween(2, 64),
 	validation.StringMatch(regexp.MustCompile(`[\w+=,.@\-]*`), ""),
 )
+
+var validAssumeRoleSourceIdentity = validation.All(
+	validation.StringLenBetween(2, 64),
+	validation.StringMatch(regexp.MustCompile(`[\w+=,.@\-]*`), ""),
+)
@@ -261,6 +261,7 @@ See the [assume role documentation](https://docs.aws.amazon.com/cli/latest/userg
 |Policy|`policy`|N/A|
 |Policy ARNs|`policy_arns`|N/A|
 |Session Name|`session_name`|`role_session_name`|
+|Source Identity|`source_identity`|N/A|
 |Tags|`tags`|N/A|
 |Transitive Tag Keys|`transitive_tag_keys`|N/A|
 
@@ -459,29 +460,38 @@ In addition to [generic `provider` arguments](https://www.terraform.io/docs/conf
 
 The `assume_role` configuration block supports the following arguments:
 
-* `duration` - (Optional, Conflicts with `duration_seconds`) Duration of the assume role session. You can provide a value from 15 minutes up to the maximum session duration setting for the role. Represented by a string such as `1h`, `2h45m`, or `30m15s`.
-* `duration_seconds` - (Optional, **Deprecated** use `duration` instead) Number of seconds to restrict the assume role session duration. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role.
+* `duration` - (Optional, Conflicts with `duration_seconds`) Duration of the assume role session.
+  You can provide a value from 15 minutes up to the maximum session duration setting for the role.
+  Represented by a string such as `1h`, `2h45m`, or `30m15s`.
+* `duration_seconds` - (Optional, **Deprecated** use `duration` instead) Number of seconds to restrict the assume role session duration.
+  You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role.
 * `external_id` - (Optional) External identifier to use when assuming the role.
 * `policy` - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
 * `policy_arns` - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
 * `role_arn` - (Required) ARN of the IAM Role to assume.
 * `session_name` - (Optional) Session name to use when assuming the role.
+* `source_identity` - (Optional) Source identity specified by the principal assuming the role.
 * `tags` - (Optional) Map of assume role session tags.
 * `transitive_tag_keys` - (Optional) Set of assume role session tag keys to pass to any subsequent sessions.
 
 ### assume_role_with_web_identity Configuration Block
 
 The `assume_role_with_web_identity` configuration block supports the following arguments:
 
-* `duration` - (Optional) Duration of the assume role session. You can provide a value from 15 minutes up to the maximum session duration setting for the role. Represented by a string such as `1h`, `2h45m`, or `30m15s`.
+* `duration` - (Optional) Duration of the assume role session.
+  You can provide a value from 15 minutes up to the maximum session duration setting for the role.
+  Represented by a string such as `1h`, `2h45m`, or `30m15s`.
 * `policy` - (Optional) IAM Policy JSON describing further restricting permissions for the IAM Role being assumed.
 * `policy_arns` - (Optional) Set of Amazon Resource Names (ARNs) of IAM Policies describing further restricting permissions for the IAM Role being assumed.
-* `role_arn` - (Required) ARN of the IAM Role to assume. Can also be set with the `AWS_ROLE_ARN` environment variable.
-* `session_name` - (Optional) Session name to use when assuming the role. Can also be set with the `AWS_ROLE_SESSION_NAME` environment variable.
+* `role_arn` - (Required) ARN of the IAM Role to assume.
+  Can also be set with the `AWS_ROLE_ARN` environment variable.
+* `session_name` - (Optional) Session name to use when assuming the role.
+  Can also be set with the `AWS_ROLE_SESSION_NAME` environment variable.
 * `web_identity_token` - (Optional) Value of a web identity token from an OpenID Connect (OIDC) or OAuth provider.
   One of `web_identity_token` or `web_identity_token_file` is required.
 * `web_identity_token_file` - (Optional) File containing a web identity token from an OpenID Connect (OIDC) or OAuth provider.
-  One of `web_identity_token_file` or `web_identity_token` is required. Can also be set with the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable.
+  One of `web_identity_token_file` or `web_identity_token` is required.
+  Can also be set with the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable.
 
 ### default_tags Configuration Block