diff --git a/modules/role/README.md b/modules/role/README.md
index ef0d6ff..01f5690 100644
--- a/modules/role/README.md
+++ b/modules/role/README.md
@@ -108,17 +108,11 @@ No modules.
 | Name | Type |
 |------|------|
-| [aws_iam_policy.tfstate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.tfstate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.tfstate_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.sr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.tfstate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.tfstate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.tfstate_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
 | [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -136,12 +130,14 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [additional\_audiences](#input\_additional\_audiences) | Additional audiences to be allowed in the OIDC federation mapping | `list(string)` | `[]` | no |
-| [common\_provider](#input\_common\_provider) | The name of a common OIDC provider to be used as the trust for the role | `string` | `""` | no |
+| [common\_provider](#input\_common\_provider) | The name of a common OIDC provider to be used as the trust for the role | `string` | `"github"` | no |
 | [custom\_provider](#input\_custom\_provider) | An object representing an `aws_iam_openid_connect_provider` resource |
object({
url = string
audiences = list(string)
subject_reader_mapping = string
subject_branch_mapping = string
subject_tag_mapping = string
})
| `null` | no |
 | [description](#input\_description) | Description of the role being created | `string` | n/a | yes |
+| [enable\_branch\_suffix\_on\_statefile](#input\_enable\_branch\_suffix\_on\_statefile) | Add the protected branch as a suffix on the statefile name, e.g. -.tfstate | `bool` | `false` | no |
 | [force\_detach\_policies](#input\_force\_detach\_policies) | Flag to force detachment of policies attached to the IAM role. | `bool` | `null` | no |
 | [name](#input\_name) | Name of the role to create | `string` | n/a | yes |
-| [permission\_boundary](#input\_permission\_boundary) | The name of the policy that is used to set the permissions boundary for the IAM role | `string` | n/a | yes |
+| [permission\_boundary](#input\_permission\_boundary) | The name of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [permission\_boundary\_arn](#input\_permission\_boundary\_arn) | The full ARN of the permission boundary to attach to the role | `string` | `null` | no |
 | [protected\_branch](#input\_protected\_branch) | The name of the protected branch under which the read-write role can be assumed | `string` | `"main"` | no |
 | [protected\_tag](#input\_protected\_tag) | The name of the protected tag under which the read-write role can be assume | `string` | `"*"` | no |
 | [read\_only\_inline\_policies](#input\_read\_only\_inline\_policies) | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
@@ -150,7 +146,8 @@ No modules.
 | [read\_write\_inline\_policies](#input\_read\_write\_inline\_policies) | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
 | [read\_write\_max\_session\_duration](#input\_read\_write\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role | `number` | `null` | no |
 | [read\_write\_policy\_arns](#input\_read\_write\_policy\_arns) | List of IAM policy ARNs to attach to the read-write role | `list(string)` | `[]` | no |
-| [repository](#input\_repository) | List of repositories to be allowed i nthe OIDC federation mapping | `string` | n/a | yes |
+| [region](#input\_region) | The region in which the role will be used (defaulting to the provider region) | `string` | `null` | no |
+| [repository](#input\_repository) | List of repositories to be allowed in the OIDC federation mapping | `string` | n/a | yes |
 | [role\_path](#input\_role\_path) | Path under which to create IAM role. | `string` | `null` | no |
 | [shared\_repositories](#input\_shared\_repositories) | List of repositories to provide read access to the remote state | `list(string)` | `[]` | no |
 | [tags](#input\_tags) | Tags to apply resoures created by this module | `map(string)` | n/a | yes |
diff --git a/modules/role/locals.tf b/modules/role/locals.tf
index 1dc9446..3f1d927 100644
--- a/modules/role/locals.tf
+++ b/modules/role/locals.tf
@@ -49,4 +49,5 @@ locals {
 template_keys_regex = "{(repo|type|ref)}"
 # The prefix for the terraform state key in the S3 bucket
 tf_state_prefix = format("%s-%s", local.account_id, local.region)
+ tf_state_suffix = var.enable_branch_suffix_on_statefile ? format("-%s", var.protected_branch) : ""
 }
diff --git a/modules/role/policies.tf b/modules/role/policies.tf
index b2cd7fb..6851052 100644
--- a/modules/role/policies.tf
+++ b/modules/role/policies.tf
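Review bot: The new `tf_state_suffix` local in the locals.tf hunk embeds `var.protected_branch` verbatim, and that value then lands inside S3 object ARNs in the IAM policy documents, where `*` and `?` are wildcards; since the sibling `protected_tag` input defaults to `"*"` (README rows above), a caller who passes a glob as `protected_branch` would silently widen the state-file grant, and a branch containing `/` (e.g. `release/1.x`) turns the flat key into a nested one that the consuming backend `key` must match exactly. Neither consequence is stated next to the local, while the line above it does carry a why-comment. I would follow that style with `# Optional "-<branch>" suffix for the state key; protected_branch is used verbatim, so slashes nest the key and IAM wildcard characters (* ?) would widen the grant built from it in policies.tf`. Whether any caller actually passes patterns here is not visible from this diff, so the guard itself belongs on the variable or the policy document rather than in the local.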
@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "base" {
 ]
 resources = [
- format("arn:aws:s3:::%s-tfstate/%s.tfstate", local.tf_state_prefix, local.repo_name)
+ format("arn:aws:s3:::%s-tfstate/%s%s.tfstate", local.tf_state_prefix, local.repo_name, local.tf_state_suffix),
 ]
 }
 }
@@ -56,7 +56,7 @@ data "aws_iam_policy_document" "tfstate_apply" {
 ]
 resources = [
- format("arn:aws:s3:::%s-tfstate/%s.tfstate", local.tf_state_prefix, local.repo_name)
+ format("arn:aws:s3:::%s-tfstate/%s%s.tfstate", local.tf_state_prefix, local.repo_name, local.tf_state_suffix)
 ]
 }
 }
diff --git a/modules/role/variables.tf b/modules/role/variables.tf
index 75a1944..d8849bc 100644
--- a/modules/role/variables.tf
+++ b/modules/role/variables.tf
@@ -39,9 +39,15 @@ variable "additional_audiences" {
 description = "Additional audiences to be allowed in the OIDC federation mapping"
 }
+variable "enable_branch_suffix_on_statefile" {
+ type = bool
+ default = false
+ description = "Add the protected branch as a suffix on the statefile name, e.g. -.tfstate"
+}
+
 variable "repository" {
 type = string
- description = "List of repositories to be allowed i nthe OIDC federation mapping"
+ description = "List of repositories to be allowed in the OIDC federation mapping"
 }
 variable "shared_repositories" {
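Review bot: The rewritten `resources` entry in the `base` hunk now interpolates `local.tf_state_suffix`, i.e. `var.protected_branch`, into an IAM resource ARN, and IAM treats `*` and `?` there as wildcards, so a glob-style branch value (the module's `protected_tag` input already defaults to `"*"`, which suggests callers think in patterns) would make this statement match every `.tfstate` object under the `<repo>-` prefix instead of exactly one key. Nothing in the diff rejects such a value. A `lifecycle` precondition on this data source (Terraform 1.2 or later) fails the plan instead of granting the wider access; a `validation` block on the variable is the alternative where cross-variable references are available. The data block's opening lines are outside the hunk; the precondition goes before the closing brace the hunk shows.

```hcl
  # … unchanged: the statement blocks above …

  lifecycle {
    precondition {
      condition     = !can(regex("[*?]", local.tf_state_suffix))
      error_message = "protected_branch must not contain IAM wildcard characters (* or ?) when enable_branch_suffix_on_statefile is true."
    }
  }
}
```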
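Review bot: The `format(...)` line in the `tfstate_apply` hunk omits the trailing comma that the matching line in the `base` hunk now carries, so the two statements that build the same key are written differently for no reason; `format("arn:aws:s3:::%s-tfstate/%s%s.tfstate", local.tf_state_prefix, local.repo_name, local.tf_state_suffix),` keeps them aligned. More substantively, the README hunk in this commit removes the `aws_iam_policy.tfstate_plan` and `tfstate_remote` resources while the `tfstate_apply` policy document survives, so sibling `tfstate_plan`/`tfstate_remote` documents may well still exist; if they also spell out the state-file key they are not touched here and would keep pointing at the un-suffixed object once `enable_branch_suffix_on_statefile` is set. I cannot see them in this diff, so this is a grep to do before merging. The `tfstate_apply` data block starts outside the hunk.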
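Review bot: The description of the new `enable_branch_suffix_on_statefile` variable reads `e.g. -.tfstate`, so the example has lost whatever stood on either side of the dash; the same truncated text is what the generated README row shows, and whether angle-bracket placeholders were dropped at authoring time or by rendering I cannot tell from here. It also does not say which branch is used or that the key feeds both the `base` and the `tfstate_apply` policy documents. Using the brace placeholder style the module already uses in `template_keys_regex`, I would write `description = "Append the protected branch to the state-file key, i.e. {repo}-{branch}.tfstate instead of {repo}.tfstate; the branch is var.protected_branch and the key is used by both the base and the tfstate_apply policy documents."`. `protected_branch` itself is declared outside this hunk.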