chore(deps): update terraform github.com/cloudposse/terraform-aws-iam-role to v0.23.0 (main) #28

Open
renovate[bot] wants to merge 1 commit into main from renovate/main-github.com-cloudposse-terraform-aws-iam-role-0.x

@renovate renovate bot commented Nov 23, 2024

This PR contains the following updates:

Package | Type | Update | Change
github.com/cloudposse/terraform-aws-iam-role | module | minor | tags/0.4.0 -> v0.23.0

Release Notes

cloudposse/terraform-aws-iam-role (github.com/cloudposse/terraform-aws-iam-role)

v0.23.0

Compare Source

fix: adding tags to the aws_iam_instance_profile object @​rrusso1982 (#​83)

what

This adds the tags used for other objects in the module to the aws_iam_instance_profile object.

why

To promote consistency in tagging between deployed aws objects for this module

references

🤖 Automatic Updates

Fix go version in tests @​osterman (#​90)

what

  • Update go 1.24

why

  • Error loading shared library libresolv.so.2 in Go 1.20

References

v0.22.0

Compare Source

feat: Allow overriding the whole assume policy @​pablotp (#​86)

what

Adds the assume_role_policy_document variable, allowing users to provide a complete JSON assume role policy for the IAM role. When set, this overrides the principals, assume_role_conditions, and assume_role_actions variables.

why

This enables advanced use cases where a custom trust policy is needed, offering more flexibility than the module’s built-in policy generation. If not set, the module’s default behavior remains unchanged.

Example of an assume policy that couldn't be generated before
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:role/app-prod-ci-agent",
          "AROAEXAMPLEID1",
          "arn:aws:iam::444455556666:role/ci-agent",
          "arn:aws:iam::111122223333:role/app-prod-use1-mz-4-ci-agent"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::444455556666:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC:sub": "system:serviceaccount:ci:ci-agent"
        }
      }
    }
  ]
}

With the previous implementation, you could not generate the second statement with a different action (sts:AssumeRoleWithWebIdentity) and a different condition for the Federated principal.

references

Cleanup Go mod for tests @Benbentwo (#87)

This pull request updates the `go.mod` file in the `test/src` directory to modernize the Go toolchain and dependencies. The most important changes include upgrading the Go version, introducing a new toolchain, and updating or adding several dependencies to newer versions.

Go toolchain updates:

  • Upgraded Go version from 1.16 to 1.23.0 and added the toolchain go1.24.3 specification for better compatibility and performance.

Dependency updates:

  • Updated existing dependencies to newer versions, including github.com/klauspost/compress (to v1.16.7) and github.com/stretchr/testify (to v1.10.0).
  • Added new dependencies, such as github.com/hashicorp/go-cleanhttp (v0.5.2), github.com/hashicorp/go-safetemp (v1.0.0), and github.com/zclconf/go-cty (v1.15.0), to enhance functionality and support for modern features.
  • Removed outdated dependencies, such as cloud.google.com/go/compute and github.com/aws/aws-sdk-go, which are no longer required.

🤖 Automatic Updates

Replace Makefile with atmos.yaml @​osterman (#​84)

what

  • Remove Makefile
  • Add atmos.yaml

why

  • Replace build-harness with atmos for readme generation

References

  • DEV-3229 Migrate from build-harness to atmos

v0.21.0

Compare Source

Bugfix/remove tags enabled @IrinaZarzu (#82)

what

  • Removed the tags_enabled variable and set the tags as {}.

why

  • Since tags from context.tf are used to set the tags as {}, the variable tags_enabled is no longer needed.

references

v0.20.0

Compare Source

feat: support inline policies @​nitrocode (#​79)

what

  • support inline policies

why

  • Most of the time users want to create a specific policy for a specific role and don't realize that the same policy can be accidentally reused for another purpose which makes it difficult to delete the role and policy
  • Inline policies do not need to be tagged
  • If a managed policy is updated and is attached to multiple roles, now it will impact multiple roles

references

🤖 Automatic Updates

Migrate new test account @​osterman (#​77)

what

  • Update .github/settings.yml
  • Update .github/chatops.yml files

why

  • Re-apply .github/settings.yml from org level to get terratest environment
  • Migrate to new test account

References

  • DEV-388 Automate clean up of test account in new organization
  • DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
  • DEV-386 Update terratest to use new testing account with GitHub OIDC

Update .github/settings.yml @osterman (#76)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @osterman (#75)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update .github/settings.yml @osterman (#74)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

Update release workflow to allow pull-requests: write @osterman (#72)

what

  • Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

  • So we can support commenting on PRs with a link to the release

Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#71)

what

  • Update workflows (.github/workflows) to use shared workflows from .github repo

why

  • Reduce nested levels of reusable workflows

Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#70)

what

  • Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

  • The ReviewDog action will comment with line-level suggestions based on linting failures

Update GitHub workflows @osterman (#69)

what

  • Update workflows (.github/workflows/settings.yaml)

why

  • Support new readme generation workflow.
  • Generate banners

Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#66)

what

  • Install latest GitHub Action Workflows

why

  • Use shared workflows from cloudposse/.github repository
  • Simplify management of workflows from centralized hub of configuration

Bump golang.org/x/net from 0.0.0-20220421235706-1d1ef9303861 to 0.17.0 in /test/src @dependabot (#65)

Bumps [golang.org/x/net](https://redirect.github.com/golang/net) from 0.0.0-20220421235706-1d1ef9303861 to 0.17.0.

Add GitHub Settings @osterman (#62)

what

  • Install a repository config (.github/settings.yaml)

why

  • Programmatically manage GitHub repo settings

Update Scaffolding @osterman (#60)

what

  • Reran make readme to rebuild README.md from README.yaml
  • Migrate to square badges
  • Add scaffolding for repo settings and Mergify

why

  • Upstream template changed in the .github repo
  • Work better with repository rulesets
  • Modernize look & feel

v0.19.0

Compare Source

IAM Role name length limit @​goruha (#​58)

what

  • Fix IAM role name length limit

why

  • Fix IAM role name length limited to 64

Sync github @max-lobur (#54)

Rebuild github dir from the template

v0.18.0

Compare Source

  • No changes

v0.17.0

Compare Source

Update main.tf @​karinatitov (#​50)

have a chance to configure the name of the policy

what

  • With this change I want to have an ability to provide a custom name for the policy

why

  • the resources I'm working with were not created in the same way this module assumes
  • to have a chance to configure the name of the policy

git.io->cloudposse.tools update @dylanbannon (#46)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

v0.16.2

Compare Source

🚀 Enhancements

Add enabled check to data source @​nitrocode (#​45)

what

  • Add enabled check to data source
  • Add TestExamplesCompleteDisabled check

why

  • Prevent creation if enabled is false

references

v0.16.1

Compare Source

🚀 Enhancements

Disabling all tags in all iam resources @​jamengual (#​44)

what

why

  • to disable tags for role-related things. Use one variable instead of two.

references

v0.16.0

Compare Source

Making tags for roles optional @​jamengual (#​43)

what

  • Make role tags optional

why

  • Restrictive policy boundaries do not allow tagging roles in highly secure environments.

v0.15.0

Compare Source

allow to set role and policy path @​1david5 (#​40)

what

  • Add path argument to role and policy resources

why

  • Allow users to set path for role and policy

v0.14.1

Compare Source

Fix: Fix Variable Description Typo for `var.use_fullname` @​korenyoni (#​36)

what

  • Fix variable description typo introduced in #​35 for var.use_fullname

why

  • Minor typo (unmatched right bracket).

references

  • #​35

Drop unused null provider @Xerkus (#34)

what

  • Drop hashicorp/null provider from dependencies

why

  • As far as I can tell the null provider is not used and I do not think it is needed for any kind of indirect dependency
  • I think it was needed at some point for terraform-null-label

references

  • Closes #​31

Fix: fix variable description for `var.use_fullname`, run `make github/init` @korenyoni (#35)

what

  • Fix variable description for var.use_fullname.
  • Run make github/init.

why

  • The var.use_fullname variable description is incorrect and refers to ECR repositories instead of IAM roles.
  • Running make github/init will update GHA-workflow related files (and CODEOWNERS), the former of which is required for the no-release label (which allows for consolidating multiple small PRs such as this into one release).

references

  • N/A

🚀 Enhancements

Add tags to policy @​nitrocode (#​37)

what

  • Add tags to policy

why

  • Tag it all

references

N/A

v0.14.0

Compare Source

Add assume role policy conditions and managed iam policies @​sebastianmacarescu (#​33)

what

  • option to attach AWS Managed IAM policies to created role
  • option to add conditions to trust policy

why

  • we should be able to use aws managed policies (or any other policies) and not create new ones dedicated for this role
  • we should be able to add conditions on who can assume this role (mfa enabled, be part of organization, specific session name, etc)

references

v0.13.0

Compare Source

Add permissions_boundary as a variable @​mmorejon (#​30)

what

  • Add permissions_boundary as a parameter

why

  • This parameter is missing in the module as an option.

references

Signed-off-by: Manuel Morejon manuel@mmorejon.io

v0.12.0

Compare Source

update assume actions variable to support multiple actions @​mcalhoun (#​29)

what

  • Rename the assume_role_action variable to assume_role_actions
  • Update the assume_role_action to allow multiple actions
  • Update the default action to include sts:TagSession

why

  • Allow the flexibility of adding multiple actions to the trust policy

NOTE: THIS PR CONTAINS A BACKWARD-INCOMPATIBLE CHANGE

v0.11.0

Compare Source

Add instance profile @​sebastianmacarescu (#​27)

what

  • add option to create instance profile for the role

why

  • we should be able to use this module to create a role for an ec2 instance

references

v0.10.1

Compare Source

🤖 Automatic Updates

Update context.tf @​cloudpossebot (#​28)

what

This is an auto-generated PR that updates the context.tf file to the latest version from cloudposse/terraform-null-label

why

To support all the features of the context interface.

v0.10.0

Compare Source

what

why

  • Reduce complexity

v0.9.3

Compare Source

🤖 Automatic Updates

Update README.md and docs @​cloudpossebot (#​20)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

v0.9.2

Compare Source

🚀 Enhancements

adding tags for role @​roock (#​6)

Adding tags for role

v0.9.1

Compare Source

🤖 Automatic Updates

Update Terraform cloudposse/iam-policy-document-aggregator/aws to v0.8.0 @​renovate (#​23)

This PR contains the following updates:

Package | Type | Update | Change
cloudposse/iam-policy-document-aggregator/aws (source) | terraform | minor | 0.6.0 -> 0.8.0

Release Notes
cloudposse/terraform-aws-iam-policy-document-aggregator
v0.8.0

Compare Source

minimum required Terraform version bumped to 0.13.0, context.tf updated, readme updated @maximmi (#25)
what
  • update context.tf to v0.23.0
  • minimum required Terraform version bumped to 0.13.0
  • readme updated, Bridgecrew compliance badges added
why
  • It allows for setting the letter case of tag names and labels
  • we have dropped support for Terraform 0.12
  • To be able to see and fix the recommendations from Bridgecrew so we can position our modules as standards compliant
v0.7.0

Compare Source

Terraform 0.14 upgrade @maximmi (#24)
what
  • Upgrade to support Terraform 0.14 and bring up to current Cloud Posse standard
why
  • Support Terraform 0.14

v0.9.0

Compare Source

context.tf updated to v0.24.1, minimum required Terraform version bumped to 0.13.0 when needed, readme updated @​maximmi (#​22)

what

  • update context.tf to v0.24.1
  • minimum required Terraform version bumped to 0.13.0
  • readme updated, Bridgecrew compliance badges added

why

  • It allows for setting the letter case of tag names and labels, back compatibility with context v0.22.0 and below
  • we have dropped support for Terraform 0.12
  • To be able to see and fix the recommendations from Bridgecrew so we can position our modules as standards compliant

v0.8.0

Compare Source

Terraform 0.14 upgrade @​maximmi (#​21)

what

  • Upgrade to support Terraform 0.14 and bring up to current Cloud Posse standard

why

  • Support Terraform 0.14

v0.7.0

Compare Source

Terraform 0.14 upgrade @​woz5999 (#​19)

what

fixes and updates for tf 0.14 compatibility

v0.6.1

Compare Source

add assume_role_action var @​woz5999 (#​17)

what

provide the ability to specify a different assume role action

why

allows these roles to be assumed by users signing in with SAML integrations

v0.6.0

Compare Source

Update to TF 0.12/0.13. Update to `context.tf`. Update tests to `go` modules. Update example @​aknysh (#​15)

what

  • Update to TF 0.12/0.13
  • Update to context.tf
  • Update tests to go modules
  • Update example

why

  • Standardization and interoperability
  • Keep the module up to date

v0.5.0

Compare Source

Add Github actions @​aknysh (#​16)

what

  • Add Github actions

why

  • For testing the module

Rename `kms_master_key_id` to `kms_master_key_arn` @goruha (#10)

What

  • Rename kms_master_key_id to kms_master_key_arn

Why


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
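
The v0.22.0 notes above describe assume_role_policy_document, which replaces the trust policy the module would otherwise build from principals, assume_role_conditions and assume_role_actions, so the supplied JSON is worth checking when this update is reviewed. The check below is an added example, not code from the module or from Renovate; the function names, the trusted-account list and the three rules are assumptions chosen for illustration, and the input is the release-note policy with its example values.

```python
import json
import re

# Sample input: the trust policy from the v0.22.0 release notes (example values).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": [
        "arn:aws:iam::111122223333:role/app-prod-ci-agent",
        "AROAEXAMPLEID1",
        "arn:aws:iam::444455556666:role/ci-agent",
        "arn:aws:iam::111122223333:role/app-prod-use1-mz-4-ci-agent"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
     "Principal": {"Federated": "arn:aws:iam::444455556666:oidc-provider/"
                   "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC"},
     "Condition": {"StringEquals": {
         "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDC:sub":
             "system:serviceaccount:ci:ci-agent"}}}]})

ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")


def as_list(value):
    """IAM accepts either a scalar or a list for most policy elements."""
    return value if isinstance(value, list) else [value]


def principal_account(entry):
    """Account ID for an ARN or bare account ID, else None (e.g. a unique ID)."""
    match = ARN_ACCOUNT.match(entry)
    if match:
        return match.group(1)
    return entry if re.fullmatch(r"\d{12}", entry) else None


def audit_trust_policy(policy_json, trusted_accounts):
    """Return (statement_index, finding) pairs; the rules are illustrative."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        conditions = stmt.get("Condition", {})
        for entry in as_list(principal.get("AWS", [])):
            account = principal_account(entry)
            if entry == "*" and not conditions:
                findings.append((i, "any AWS principal may assume the role"))
            elif entry != "*" and account is None:
                findings.append((i, f"{entry}: owning account not visible"))
            elif account and account not in trusted_accounts:
                findings.append((i, f"{entry}: account {account} not trusted"))
        if "sts:AssumeRoleWithWebIdentity" in as_list(stmt.get("Action", [])):
            # The token subject must be matched exactly, without wildcards.
            pinned = any(
                key.endswith(":sub") and "*" not in "".join(as_list(value))
                for op in ("StringEquals", "StringLike")
                for key, value in conditions.get(op, {}).items())
            if not pinned:
                findings.append((i, "web identity subject is not pinned"))
    return findings
```

With only 111122223333 in the trusted list, the release-note policy yields two findings on its first statement: the bare role ID and the cross-account role in 444455556666.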

@renovate renovate bot added the auto-update This PR was automatically generated label Nov 23, 2024
@renovate renovate bot requested review from a team as code owners November 23, 2024 02:31
@renovate renovate bot requested review from Gowiem and RoseSecurity November 23, 2024 02:31

mergify bot commented Nov 23, 2024

/terratest

@renovate renovate bot force-pushed the renovate/main-github.com-cloudposse-terraform-aws-iam-role-0.x branch from a833fea to 0e30e7c Compare February 5, 2025 20:10
@renovate renovate bot changed the title chore(deps): update terraform github.com/cloudposse/terraform-aws-iam-role to v0.20.0 (main) chore(deps): update terraform github.com/cloudposse/terraform-aws-iam-role to v0.21.0 (main) Feb 5, 2025
@renovate renovate bot force-pushed the renovate/main-github.com-cloudposse-terraform-aws-iam-role-0.x branch from 0e30e7c to 15e94a8 Compare June 6, 2025 14:37
@renovate renovate bot changed the title chore(deps): update terraform github.com/cloudposse/terraform-aws-iam-role to v0.21.0 (main) chore(deps): update terraform github.com/cloudposse/terraform-aws-iam-role to v0.22.0 (main) Jun 6, 2025
@renovate renovate bot force-pushed the renovate/main-github.com-cloudposse-terraform-aws-iam-role-0.x branch from 15e94a8 to fa92d70 Compare March 8, 2026 10:56
@renovate renovate bot changed the title chore(deps): update terraform github.com/cloudposse/terraform-aws-iam-role to v0.22.0 (main) chore(deps): update terraform github.com/cloudposse/terraform-aws-iam-role to v0.23.0 (main) Mar 8, 2026