Skip to content

Releases: terraform-aws-modules/terraform-aws-iam

v6.2.3

29 Oct 15:21
@antonbabenko antonbabenko
v6.2.3
7279fc4

Choose a tag to compare

View all tags
v6.2.3 Latest
Latest

6.2.3 (2025-10-29)

Bug Fixes

  • Use the aws_service_principal data source to retrieve the correct service principal for IRSA policies (#628) (673fb44)
Assets 2
Loading

v6.2.2

21 Oct 08:52
@antonbabenko antonbabenko
v6.2.2
f336f09

Choose a tag to compare

View all tags
v6.2.2

6.2.2 (2025-10-21)

Bug Fixes

  • Update CI workflow versions to latest (#626) (45cc1f8)
Loading

v6.2.1

26 Aug 14:33
@antonbabenko antonbabenko
v6.2.1
dc7a9f3

Choose a tag to compare

View all tags
v6.2.1

6.2.1 (2025-08-26)

Bug Fixes

  • Correct iam-group variable name mis-spelling (#610) (cf4e77b)
Loading

v6.2.0

22 Aug 19:43
@antonbabenko antonbabenko
v6.2.0
677a921

Choose a tag to compare

View all tags
v6.2.0

6.2.0 (2025-08-22)

Features

  • Implement user inline policy for iam-user (#607) (1c2dfd7)
Loading

v6.1.2

19 Aug 15:16
@antonbabenko antonbabenko
v6.1.2
03d1b49

Choose a tag to compare

View all tags
v6.1.2

6.1.2 (2025-08-19)

Bug Fixes

  • Modify BitBucket provider URL extraction to be more robust when none or multiple URLs are provided (#605) (e3e724d)
Loading

v6.1.1

18 Aug 12:07
@antonbabenko antonbabenko
v6.1.1
3c66adc

Choose a tag to compare

View all tags
v6.1.1

6.1.1 (2025-08-18)

Bug Fixes

  • Remove any secretsmanager:* permissions if no secret ARNs are provided to IRSA external-secrets permissions (#599) (d610954)
Loading

v6.1.0

14 Aug 21:53
@antonbabenko antonbabenko
v6.1.0
1ed6f73

Choose a tag to compare

View all tags
v6.1.0

6.1.0 (2025-08-14)

Features

  • Add default IRSA policy name, fix incorrect policy attachment for iam-user (#594) (f111832)
Loading

v6.0.1

14 Aug 17:01
@antonbabenko antonbabenko
v6.0.1
8b2ab9d

Choose a tag to compare

View all tags
v6.0.1

6.0.1 (2025-08-14)

Bug Fixes

  • Remove broken IRSA migrations.tf; add default IRSA policy descriptions for backwards compat (#592) (e56f84d)
Loading

v6.0.0

13 Aug 19:51
@antonbabenko antonbabenko
v6.0.0
4d779a5

Choose a tag to compare

View all tags
v6.0.0

6.0.0 (2025-08-13)

âš  BREAKING CHANGES

  • Upgrade AWS provider and min required Terraform version to 6.0 and 1.5.7 respectively (#585)

See docs/UPGRADE-6.0.md for further details

List of backwards incompatible changes

  • Terraform v1.5.7 is now minimum supported version

  • AWS provider v6.0.0 is now minimum supported version

  • The ability to allow roles to assume their own roles has been removed. This was previously added as part of helping users mitigate https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/. Going forward, users will need to mitigate this on the application side (i.e. - do not have a role assume itself), or update the trust policy in their implementation to continue using this behavior. It is strongly recommended to mitigate this by not having the role assume itself.

  • iam-account:

    • The aws_caller_identity data source and associated outputs have been removed. Users should instead use the data source directly in their configuration

  • iam-assumable-role has been renamed to iam-role

  • iam-assumable-role-with-oidc has been merged into iam-role

  • iam-assumable-role-with-saml has been merged into iam-role

  • iam-assumable-roles has been removed; iam-role should be used instead

  • iam-assumable-roles-with-saml has been removed; iam-role should be used instead

  • iam-github-oidc-provider has been renamed to iam-oidc-provider

  • iam-github-oidc-role has been merged into iam-role

  • iam-group-with-policies has been renamed to iam-group

  • iam-group-with-assumable-roles-policy has been merged into iam-group

  • iam-eks-role has been removed; iam-role-for-service-accounts or eks-pod-identity should be used instead

  • iam-role-for-service-accounts-eks has been renamed to iam-role-for-service-accounts

    • Individual policy creation and attachment has been consolidated under one policy creation and attachment
    • Default values that enable permissive permissions have been removed; users will need to be explicit about the scope of access (i.e. ARNs) they provide when enabling permissions
    • AppMesh policy support has been removed due to service reaching end of support

Additional changes

Modified

  • Variable definitions now contain detailed object types in place of the previously used any type

  • iam-group

    • Policy management has been updated to support extending the policy created by the sub-module, as well as adding additional policies that will be attached to the group
    • The role assumption permissions has been removed from the policy; users can extend the policy to add this if needed via permissions
    • Default create conditional is now true instead of false

  • iam-role

    • The use of individual variables to control/manipulate the assume role trust policy have been replaced by a generic trust_policy_permissions variable. This allows for any number of custom statements to be added to the role's trust policy.
    • custom_role_policy_arns has been renamed to policies and now accepts a map of name: policy-arn pairs; this allows for both existing policies and policies that will get created at the same time as the role. This also replaces the admin, readonly, and poweruser policy ARN variables and their associated attach_*_policy variables.
    • Default create conditional is now true instead of false
    • force_detach_policies has been removed; this is now always true
    • Support for inline policies has been added

  • iam-role-for-service-accounts

    • Support for inline policies has been added
Loading

v5.60.0

08 Aug 14:53
@antonbabenko antonbabenko
v5.60.0
c29ec1e

Choose a tag to compare

View all tags
v5.60.0

5.60.0 (2025-08-08)

Features

  • Add ssm:GetParametersByPath for external secrets (#583) (8e4541d)
Loading