Merge branch 'master' into patch-1

jaydeland · web-flow · commit a53a0917be85 · 2023-03-21T15:06:57.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file.
 
+### [5.14.1](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.14.0...v5.14.1) (2023-03-21)
+
+
+### Bug Fixes
+
+* Update self manage policy to support users with path ([#335](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/335)) ([9a8d5cb](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/9a8d5cb68da61f8bf19e45051f2faf399026dd44))
+
+## [5.14.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.13.0...v5.14.0) (2023-03-17)
+
+
+### Features
+
+* Update efs_csi policy to support resource tagging ([#352](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/352)) ([47cb7a2](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/47cb7a234786c0ce3d3eb9f403d975a17823ba76))
+
 ## [5.13.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.12.0...v5.13.0) (2023-03-10)
 
 
diff --git a/examples/iam-group-with-policies/main.tf b/examples/iam-group-with-policies/main.tf
@@ -14,6 +14,7 @@ module "iam_user2" {
   source = "../../modules/iam-user"
 
   name = "user2"
+  path = "/developers/"
 
   create_iam_user_login_profile = false
   create_iam_access_key         = false
diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf
@@ -35,7 +35,10 @@ data "aws_iam_policy_document" "iam_self_management" {
       "iam:GetUser"
     ]
 
-    resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+    resources = [
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+    ]
   }
 
   statement {
@@ -50,7 +53,10 @@ data "aws_iam_policy_document" "iam_self_management" {
       "iam:UpdateAccessKey"
     ]
 
-    resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+    resources = [
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+    ]
   }
 
   statement {
@@ -65,7 +71,10 @@ data "aws_iam_policy_document" "iam_self_management" {
       "iam:UploadSigningCertificate"
     ]
 
-    resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+    resources = [
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+    ]
   }
 
   statement {
@@ -81,7 +90,10 @@ data "aws_iam_policy_document" "iam_self_management" {
       "iam:UploadSSHPublicKey"
     ]
 
-    resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+    resources = [
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+    ]
   }
 
   statement {
@@ -97,7 +109,10 @@ data "aws_iam_policy_document" "iam_self_management" {
       "iam:UpdateServiceSpecificCredential"
     ]
 
-    resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
+    resources = [
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+    ]
   }
 
   statement {
@@ -124,8 +139,10 @@ data "aws_iam_policy_document" "iam_self_management" {
       "iam:ResyncMFADevice"
     ]
 
-    resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]
-
+    resources = [
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",
+      "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"
+    ]
   }
 
   statement {
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -341,6 +341,17 @@ data "aws_iam_policy_document" "efs_csi" {
     }
   }
 
+  statement {
+    actions   = ["elasticfilesystem:TagResource"]
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+
   statement {
     actions   = ["elasticfilesystem:DeleteAccessPoint"]
     resources = ["*"]

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,10 @@ data "aws_iam_policy_document" "iam_self_management" {`
`35`	`35`	`"iam:GetUser"`
`36`	`36`	`]`
`37`	`37`
`38`		`- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]`
	`38`	`+ resources = [`
	`39`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",`
	`40`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"`
	`41`	`+ ]`
`39`	`42`	`}`
`40`	`43`
`41`	`44`	`statement {`
`@@ -50,7 +53,10 @@ data "aws_iam_policy_document" "iam_self_management" {`
`50`	`53`	`"iam:UpdateAccessKey"`
`51`	`54`	`]`
`52`	`55`
`53`		`- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]`
	`56`	`+ resources = [`
	`57`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",`
	`58`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"`
	`59`	`+ ]`
`54`	`60`	`}`
`55`	`61`
`56`	`62`	`statement {`
`@@ -65,7 +71,10 @@ data "aws_iam_policy_document" "iam_self_management" {`
`65`	`71`	`"iam:UploadSigningCertificate"`
`66`	`72`	`]`
`67`	`73`
`68`		`- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]`
	`74`	`+ resources = [`
	`75`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",`
	`76`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"`
	`77`	`+ ]`
`69`	`78`	`}`
`70`	`79`
`71`	`80`	`statement {`
`@@ -81,7 +90,10 @@ data "aws_iam_policy_document" "iam_self_management" {`
`81`	`90`	`"iam:UploadSSHPublicKey"`
`82`	`91`	`]`
`83`	`92`
`84`		`- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]`
	`93`	`+ resources = [`
	`94`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",`
	`95`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"`
	`96`	`+ ]`
`85`	`97`	`}`
`86`	`98`
`87`	`99`	`statement {`
`@@ -97,7 +109,10 @@ data "aws_iam_policy_document" "iam_self_management" {`
`97`	`109`	`"iam:UpdateServiceSpecificCredential"`
`98`	`110`	`]`
`99`	`111`
`100`		`- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]`
	`112`	`+ resources = [`
	`113`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",`
	`114`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"`
	`115`	`+ ]`
`101`	`116`	`}`
`102`	`117`
`103`	`118`	`statement {`
`@@ -124,8 +139,10 @@ data "aws_iam_policy_document" "iam_self_management" {`
`124`	`139`	`"iam:ResyncMFADevice"`
`125`	`140`	`]`
`126`	`141`
`127`		`- resources = ["arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}"]`
`128`		`-`
	`142`	`+ resources = [`
	`143`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/$${aws:username}",`
	`144`	`+ "arn:${local.partition}:iam::${local.aws_account_id}:user/*/$${aws:username}"`
	`145`	`+ ]`
`129`	`146`	`}`
`130`	`147`
`131`	`148`	`statement {`