Provide additional flexibility for assume_role_policy

[pjungels-paraport]

I was frustrated to find that there's not a way to achieve this type of trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NUM:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "SomeExternalId"
        }
      }
    }
  ]
}

We can already add additional principals as trusted entities to the assume_role policy document. It would be great if we could also add additional statement blocks to the assume_role policy doc.

[antonbabenko]

This is a good point. There are multiple ways users can build the policies (even assume_role policies), so we probably need to implement it in a way similar to this one which will be in addition to the existing statement block in assume_role policy document:

terraform-aws-lambda/iam.tf

Lines 302 to 338 in 8556dbc

	dynamic "statement" {
	for_each = var.policy_statements
	content {
	sid = lookup(statement.value, "sid", replace(statement.key, "/[^0-9A-Za-z]*/", ""))
	effect = lookup(statement.value, "effect", null)
	actions = lookup(statement.value, "actions", null)
	not_actions = lookup(statement.value, "not_actions", null)
	resources = lookup(statement.value, "resources", null)
	not_resources = lookup(statement.value, "not_resources", null)
	dynamic "principals" {
	for_each = lookup(statement.value, "principals", [])
	content {
	type = principals.value.type
	identifiers = principals.value.identifiers
	}
	}
	dynamic "not_principals" {
	for_each = lookup(statement.value, "not_principals", [])
	content {
	type = not_principals.value.type
	identifiers = not_principals.value.identifiers
	}
	}
	dynamic "condition" {
	for_each = lookup(statement.value, "condition", [])
	content {
	test = condition.value.test
	variable = condition.value.variable
	values = condition.value.values
	}
	}
	}
	}

PR is welcome.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.