fix: Add condition to IAM assume role policy

Author: baolsen

iam.tf

@@ -135,26 +135,32 @@ resource "aws_iam_role_policy" "ecr_required" {
 }
 
 data "aws_iam_policy_document" "assume_role" {
-  count = local.create_iam_role ? 1 : 0
   statement {
     effect = "Allow"
-
     principals {
       type        = "Service"
       identifiers = ["codebuild.amazonaws.com"]
     }
-
     actions = ["sts:AssumeRole"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
   }
 }
 
+locals {
+  assume_role_policy = var.iam_role_assume_role_policy == null ? data.aws_iam_policy_document.assume_role.json : var.iam_role_assume_role_policy
+}
+
 ################################################################################
 # Create role
 ################################################################################
 resource "aws_iam_role" "this" {
   count                = local.create_iam_role ? 1 : 0
   name                 = var.name
-  assume_role_policy   = data.aws_iam_policy_document.assume_role[0].json
+  assume_role_policy   = local.assume_role_policy
   permissions_boundary = var.iam_role_permissions_boundary == null ? null : var.iam_role_permissions_boundary
 }
 

variables.tf

@@ -120,6 +120,12 @@ variable "iam_role_name" {
   default     = null
 }
 
+variable "iam_role_assume_role_policy" {
+  description = "The IAM role assume role policy document to use. If not specified then a default is used."
+  type        = string
+  default     = null
+}
+
 variable "iam_role_policies" {
   description = "Map of IAM role policy ARNs to attach to the IAM role"
   type        = map(string)