feat: allow customisation of statefile name for repos deploying multiple environments #14

Closed
15 changes: 6 additions & 9 deletions modules/role/README.md
Expand Up @@ -108,17 +108,11 @@ No modules.

| Name | Type |
|------|------|
| [aws_iam_policy.tfstate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.tfstate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.tfstate_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.sr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfstate_apply](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfstate_plan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.tfstate_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
| [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
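Review bot: this hunk shrinks the generated resources table (the header goes from 17 to 11 lines, and the file stats show 9 deletions) even though nothing in this PR's `locals.tf`, `policies.tf` or `variables.tf` hunks adds or removes a resource; rows for `aws_iam_policy.tfstate_remote`, `aws_iam_role.sr` and the `aws_iam_role_policy_attachment.*` entries appear to have been dropped by a README regeneration against a different base than this branch. Please rebase and regenerate the README so the table only reflects what this PR changes.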
Expand All @@ -136,12 +130,14 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_additional_audiences"></a> [additional\_audiences](#input\_additional\_audiences) | Additional audiences to be allowed in the OIDC federation mapping | `list(string)` | `[]` | no |
| <a name="input_common_provider"></a> [common\_provider](#input\_common\_provider) | The name of a common OIDC provider to be used as the trust for the role | `string` | `""` | no |
| <a name="input_common_provider"></a> [common\_provider](#input\_common\_provider) | The name of a common OIDC provider to be used as the trust for the role | `string` | `"github"` | no |
| <a name="input_custom_provider"></a> [custom\_provider](#input\_custom\_provider) | An object representing an `aws_iam_openid_connect_provider` resource | <pre>object({<br> url = string<br> audiences = list(string)<br> subject_reader_mapping = string<br> subject_branch_mapping = string<br> subject_tag_mapping = string<br> })</pre> | `null` | no |
| <a name="input_description"></a> [description](#input\_description) | Description of the role being created | `string` | n/a | yes |
| <a name="input_enable_branch_suffix_on_statefile"></a> [enable\_branch\_suffix\_on\_statefile](#input\_enable\_branch\_suffix\_on\_statefile) | Add the protected branch as a suffix on the statefile name, e.g. <repo>-<branch>.tfstate | `bool` | `false` | no |
| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Flag to force detachment of policies attached to the IAM role. | `bool` | `null` | no |
| <a name="input_name"></a> [name](#input\_name) | Name of the role to create | `string` | n/a | yes |
| <a name="input_permission_boundary"></a> [permission\_boundary](#input\_permission\_boundary) | The name of the policy that is used to set the permissions boundary for the IAM role | `string` | n/a | yes |
| <a name="input_permission_boundary"></a> [permission\_boundary](#input\_permission\_boundary) | The name of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| <a name="input_permission_boundary_arn"></a> [permission\_boundary\_arn](#input\_permission\_boundary\_arn) | The full ARN of the permission boundary to attach to the role | `string` | `null` | no |
| <a name="input_protected_branch"></a> [protected\_branch](#input\_protected\_branch) | The name of the protected branch under which the read-write role can be assumed | `string` | `"main"` | no |
| <a name="input_protected_tag"></a> [protected\_tag](#input\_protected\_tag) | The name of the protected tag under which the read-write role can be assume | `string` | `"*"` | no |
| <a name="input_read_only_inline_policies"></a> [read\_only\_inline\_policies](#input\_read\_only\_inline\_policies) | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
Expand All @@ -150,7 +146,8 @@ No modules.
| <a name="input_read_write_inline_policies"></a> [read\_write\_inline\_policies](#input\_read\_write\_inline\_policies) | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
| <a name="input_read_write_max_session_duration"></a> [read\_write\_max\_session\_duration](#input\_read\_write\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role | `number` | `null` | no |
| <a name="input_read_write_policy_arns"></a> [read\_write\_policy\_arns](#input\_read\_write\_policy\_arns) | List of IAM policy ARNs to attach to the read-write role | `list(string)` | `[]` | no |
| <a name="input_repository"></a> [repository](#input\_repository) | List of repositories to be allowed i nthe OIDC federation mapping | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The region in which the role will be used (defaulting to the provider region) | `string` | `null` | no |
| <a name="input_repository"></a> [repository](#input\_repository) | List of repositories to be allowed in the OIDC federation mapping | `string` | n/a | yes |
| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path under which to create IAM role. | `string` | `null` | no |
| <a name="input_shared_repositories"></a> [shared\_repositories](#input\_shared\_repositories) | List of repositories to provide read access to the remote state | `list(string)` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply resoures created by this module | `map(string)` | n/a | yes |
1 change: 1 addition & 0 deletions modules/role/locals.tf
Expand Up @@ -49,4 +49,5 @@ locals {
template_keys_regex = "{(repo|type|ref)}"
# The prefix for the terraform state key in the S3 bucket
tf_state_prefix = format("%s-%s", local.account_id, local.region)
tf_state_suffix = var.enable_branch_suffix_on_statefile ? format("-%s", var.protected_branch) : ""
}
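Review bot: `var.protected_branch` is interpolated raw into `tf_state_suffix`, and that string ends up inside the S3 object ARNs in the `resources` lists of `policies.tf`. Branch names can contain `/` (for example `release/1.2`), which turns the key into a nested path `<repo>-release/1.2.tfstate`, and a branch name containing `*` or `?` would be treated as an ARN wildcard and widen the grant. Either sanitize it here, e.g. `format("-%s", replace(var.protected_branch, "/", "-"))`, or add a `validation` block on `protected_branch` that rejects `/`, `*` and `?`. The `tf_state_suffix` line also sits under the comment "The prefix for the terraform state key", so give it its own comment.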
4 changes: 2 additions & 2 deletions modules/role/policies.tf
Expand Up @@ -20,7 +20,7 @@ data "aws_iam_policy_document" "base" {
]

resources = [
format("arn:aws:s3:::%s-tfstate/%s.tfstate", local.tf_state_prefix, local.repo_name)
format("arn:aws:s3:::%s-tfstate/%s%s.tfstate", local.tf_state_prefix, local.repo_name, local.tf_state_suffix),
]
}
}
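Review bot: only `base` (this hunk) and `tfstate_apply` (below) are updated to the suffixed key, but the README lists `aws_iam_policy.tfstate_plan` and a `shared_repositories` input that grants other repositories "read access to the remote state". Any other policy document in this module that builds the same `arn:aws:s3:::%s-tfstate/%s.tfstate` key (the plan policy, and whatever backs the shared-repository read access) must use `local.tf_state_suffix` too, or those principals will keep pointing at a key that no longer exists once the flag is enabled. Please grep `policies.tf` for the old `format(...)` pattern and update every occurrence in this PR.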
Expand Down Expand Up @@ -56,7 +56,7 @@ data "aws_iam_policy_document" "tfstate_apply" {
]

resources = [
format("arn:aws:s3:::%s-tfstate/%s.tfstate", local.tf_state_prefix, local.repo_name)
format("arn:aws:s3:::%s-tfstate/%s%s.tfstate", local.tf_state_prefix, local.repo_name, local.tf_state_suffix)
]
}
}
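Review bot: the `resources` element here has no trailing comma while the identical element in the `base` document above gained one in this PR; `terraform fmt` accepts both, but keep the two hunks consistent (the single-element list without the trailing comma matches the original style).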
8 changes: 7 additions & 1 deletion modules/role/variables.tf
Expand Up @@ -39,9 +39,15 @@ variable "additional_audiences" {
description = "Additional audiences to be allowed in the OIDC federation mapping"
}

variable "enable_branch_suffix_on_statefile" {
type = bool
default = false
description = "Add the protected branch as a suffix on the statefile name, e.g. <repo>-<branch>.tfstate"
}

variable "repository" {
type = string
description = "List of repositories to be allowed i nthe OIDC federation mapping"
description = "List of repositories to be allowed in the OIDC federation mapping"
}

variable "shared_repositories" {