From a96bc38c48c751ab04905fc8bc8f7777cb03c1e7 Mon Sep 17 00:00:00 2001
From: Alex Biju
Date: Mon, 19 Sep 2022 14:30:17 -0500
Subject: [PATCH] feat: add source role arns

---
 aws-assume-role-policy/main.tf | 11 +++++++++++
 aws-assume-role-policy/variables.tf | 5 +++++
 2 files changed, 16 insertions(+)

diff --git a/aws-assume-role-policy/main.tf b/aws-assume-role-policy/main.tf
index ec11d530..7cbce948 100644
--- a/aws-assume-role-policy/main.tf
+++ b/aws-assume-role-policy/main.tf
@@ -10,6 +10,17 @@ data "aws_iam_policy_document" "assume-role" {
     }
   }
 
+  dynamic "statement" {
+    for_each = var.source_role_arns
+    content {
+      principals {
+        type = "AWS"
+        identifiers = [statement.value]
+      }
+      actions = ["sts:AssumeRole", "sts:TagSession"]
+    }
+  }
+
   dynamic "statement" {
     for_each = var.saml_idp_arns
 
diff --git a/aws-assume-role-policy/variables.tf b/aws-assume-role-policy/variables.tf
index 6bb51c5a..dd142d42 100644
--- a/aws-assume-role-policy/variables.tf
+++ b/aws-assume-role-policy/variables.tf
@@ -23,6 +23,11 @@ variable "source_account_ids" {
   description = "The source AWS account IDs to establish a trust relationship. Ignored if empty or not provided."
 }
 
+variable "source_role_arns" {
+  type = list(string)
+  description = "The source AWS roles to establish a trust relationship. Ignored if empty or not provided."
+}
+
 variable "saml_idp_arns" {
   type = set(string)
   default = []
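Review bot: The new `dynamic "statement"` block grants `sts:TagSession` alongside `sts:AssumeRole` to every ARN in `var.source_role_arns` with no `condition` block, so each trusted role can also attach session tags to the assumed session; if any permissions policy on this role keys off `aws:PrincipalTag`, that lets those callers influence their own effective permissions. Consider scoping it with a `condition` on `aws:RequestTag/<key>` or `sts:TransitiveTagKeys`, or making the `sts:TagSession` grant opt-in through its own variable so callers who only need plain assume-role do not receive it. A short comment above the block would also help future maintainers: `# AWS stores role-ARN principals as the role's unique ID, so a source role that is deleted and recreated is no longer trusted until this policy is re-applied.` The enclosing `data "aws_iam_policy_document" "assume-role"` block starts and ends outside the hunk, so I cannot see whether the sibling `source_account_ids` statement applies any conditions that this one should mirror.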
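Review bot: `variable "source_role_arns"` declares no `default`, so Terraform will require a value from every caller and `for_each = var.source_role_arns` in main.tf cannot plan without one, which contradicts the description's "Ignored if empty or not provided"; the neighbouring `saml_idp_arns` sets `default = []`. Add `default = []` after the `type` line. Consider `type = set(string)` as well, matching `saml_idp_arns`, since a `list(string)` with duplicate ARNs yields duplicate trust statements in the rendered policy.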