Support multiple roles per repo

This module currently offers the input variable `var.aws_iam_role_names`
that allows a custom IAM role name to be specified for each repo, and
the input variable `var.github_custom_claim` that allows a custom OIDC
claim to be specified for each repo.

There are some notable limitations to the current implementations of
`var.aws_iam_role_names` and `var.github_custom_claim`:

- Only one role name can be specified per repo
- Only one custom OIDC claim can be specified per repo.

This commit will update `var.aws_iam_role_names` to address these
limitations. Instead of only accepting a single role name per repo, the
variable will now also support a map for each repo. Each key of the map
should be the custom role name, and each value should be a list of
custom claims to add to the role trust policy.

```hcl
aws_iam_role_names = {
  "really-long-github-org-name/really-long-github-repo-name" = {
    "read-only-role" = ["*"],
    "write-role"     = ["ref:refs/heads/main", "ref_type:tag"],
    "custom-role"    = ["*"],
  }
}
```

For backwards compatibility, `var.aws_iam_role_names` will continue to
support the old format:

```hcl
aws_iam_role_names = {
  "really-long-github-org-name/really-long-github-repo-name" = "custom-role-name"
}
```

Author: br3ndonland

main.tf

@@ -17,6 +17,22 @@ locals {
       ]
     )
   }
+  aws_iam_roles = merge([
+    for key, value in local.github_repos : can(tomap(try(var.aws_iam_role_names[value], ""))) ? {
+      for role_name, claims in var.aws_iam_role_names[value] :
+      "${key}-${substr(role_name, 0, 64)}" => {
+        claims    = claims
+        repo      = value
+        role_name = substr(role_name, 0, 64)
+      }
+      } : {
+      "${key}" = {
+        claims    = [var.github_custom_claim]
+        repo      = value
+        role_name = substr(try(var.aws_iam_role_names[value], local.aws_iam_role_name_defaults[key]), 0, 64)
+      }
+    }
+  ]...)
   github_repos       = { for repo in var.github_repos : lower(replace(repo, "/", "-")) => repo }
   oidc_client_ids    = ["sts.amazonaws.com"]
   oidc_issuer_domain = "token.actions.githubusercontent.com"
@@ -40,7 +56,7 @@ resource "aws_iam_openid_connect_provider" "github" {
 # https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html
 
 data "aws_iam_policy_document" "role_trust_policy" {
-  for_each = local.github_repos
+  for_each = local.aws_iam_roles
   statement {
     actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]
     principals {
@@ -55,7 +71,7 @@ data "aws_iam_policy_document" "role_trust_policy" {
     condition {
       test     = "StringLike"
       variable = "${local.oidc_issuer_domain}:sub"
-      values   = ["repo:${each.value}:${var.github_custom_claim}"]
+      values   = [for claim in each.value.claims : "repo:${each.value.repo}:${claim}"]
     }
   }
 }
@@ -64,12 +80,8 @@ data "aws_iam_policy_document" "role_trust_policy" {
 # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html
 
 resource "aws_iam_role" "github_actions_oidc" {
-  for_each           = local.github_repos
+  for_each           = local.aws_iam_roles
   assume_role_policy = data.aws_iam_policy_document.role_trust_policy[each.key].json
-  description        = "IAM assumed role for GitHub Actions in the ${each.value} repo"
-  name = (
-    length(lookup(var.aws_iam_role_names, each.value, "")) != 0
-    ? substr(var.aws_iam_role_names[each.value], 0, 64)
-    : substr(local.aws_iam_role_name_defaults[each.key], 0, 64)
-  )
+  description        = "IAM assumed role for GitHub Actions in the ${each.value.repo} repo"
+  name               = each.value.role_name
 }

outputs.tf

@@ -1,11 +1,11 @@
 output "aws_iam_roles" {
-  depends_on  = [aws_iam_role.github_actions_oidc]
   description = "ARNs and names of AWS IAM roles that have been provisioned"
   value = {
-    for key, value in local.github_repos :
+    for key, value in aws_iam_role.github_actions_oidc :
     key => {
-      arn  = aws_iam_role.github_actions_oidc[key].arn
-      name = aws_iam_role.github_actions_oidc[key].name
+      arn  = value.arn
+      name = value.name
+      repo = local.aws_iam_roles[key].repo
     }
   }
 }

variables.tf

@@ -1,20 +1,45 @@
 variable "aws_iam_role_names" {
   description = <<-DESCRIPTION
     Optional mapping of GitHub repos to names of IAM roles that will be assumed by GitHub for OIDC.
-    If set, the IAM role name for the repo will be exactly the variable value (64 characters max).
 
-    Example: `{ "really-long-github-org-name/really-long-github-repo-name" = "custom-role-name" }`
-
-    If unset, the default IAM role name for each repo will be
+    If unset, a single IAM role will be provisioned for each repo with the name in the format
     `<aws_iam_role_prefix><aws_iam_role_separator><repo_owner><aws_iam_role_separator><repo_name>`,
     truncated to 64 characters.
+
+    If set, IAM role names will be as provided, truncated to 64 characters (the max length enforced by IAM).
+    Optionally, a list of custom claims can be provided for each role.
+    For more details on what can be specified in these claims, see the
+    [OIDC reference docs](https://docs.github.com/en/actions/reference/security/oidc) and
+    [OIDC how-to for AWS](https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws).
+
+    Examples:
+
+    ```hcl
+    aws_iam_role_names = {
+      "really-long-github-org-name/really-long-github-repo-name" = "custom-role-name"
+    }
+    ```
+
+    ```hcl
+    aws_iam_role_names = {
+      "really-long-github-org-name/really-long-github-repo-name" = {
+        "read-only-role" = ["*"],
+        "write-role"     = ["ref:refs/heads/main", "ref_type:tag"],
+        "custom-role"    = ["*"],
+      }
+    }
+    ```
   DESCRIPTION
-  type        = map(string)
-  default     = {}
+  type        = map(any)
+  default     = null
   validation {
     condition     = alltrue([for key, value in var.aws_iam_role_names : length(value) <= 64])
     error_message = "The IAM role name must be less than or equal to 64 characters."
   }
+  validation {
+    condition     = alltrue([for key, value in var.aws_iam_role_names : can(tostring(value)) || can(tomap(value))])
+    error_message = "The IAM role names should be supplied as either a single string or a map."
+  }
 }
 
 variable "aws_iam_role_prefix" {