From 1f4555a102c29f9b4b37654ab1b7f344087f8d5f Mon Sep 17 00:00:00 2001
From: Falk Schykowski
Date: Mon, 18 Nov 2024 11:09:05 +0700
Subject: [PATCH] Modify Flow Log IAM Role Assumption Policy to allow additional conditions
---
 README.md | 1 +
 variables.tf | 10 ++++++++++
 vpc-flow-logs.tf | 9 +++++++++
 3 files changed, 20 insertions(+)
diff --git a/README.md b/README.md
index ac08bbbe7..97d959771 100644
--- a/README.md
+++ b/README.md
@@ -452,6 +452,7 @@ No modules.
 | [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no |
 | [external\_nat\_ips](#input\_external\_nat\_ips) | List of EIPs to be used for `nat_public_ips` output (used in combination with reuse\_nat\_ips and external\_nat\_ip\_ids) | `list(string)` | `[]` | no |
 | [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | `string` | `""` | no |
+| [flow\_log\_cloudwatch\_iam\_role\_conditions](#input\_flow\_log\_cloudwatch\_iam\_role\_conditions) | Additional conditions of the CloudWatch role assumption policy |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no |
 | [flow\_log\_cloudwatch\_log\_group\_class](#input\_flow\_log\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT\_ACCESS | `string` | `null` | no |
 | [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no |
 | [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs | `string` | `"/aws/vpc-flow-log/"` | no |
diff --git a/variables.tf b/variables.tf
index 39521ae15..095cc8bdf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1597,6 +1597,16 @@ variable "create_flow_log_cloudwatch_iam_role" {
 default = false
 }
+variable "flow_log_cloudwatch_iam_role_conditions" {
+ description = "Additional conditions of the CloudWatch role assumption policy"
+ type = list(object({
+ test = string
+ variable = string
+ values = list(string)
+ }))
+ default = []
+}
+
 variable "flow_log_cloudwatch_iam_role_arn" {
 description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided"
 type = string
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index d44cd4d75..4c2910546 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -100,6 +100,15 @@ data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
+
+ dynamic "condition" {
+ for_each = var.flow_log_cloudwatch_iam_role_conditions
+ content {
+ test = condition.value.test
+ variable = condition.value.variable
+ values = condition.value.values
+ }
+ }
 }
 }
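Review bot: The description of the new `flow_log_cloudwatch_iam_role_conditions` variable does not say which policy the conditions land in, and that is the security-relevant part: the vpc-flow-logs.tf hunk renders them into the `sts:AssumeRole` statement of the `flow_log_cloudwatch_assume_role` trust policy, so they are the hook for scoping who may assume the flow log role, typically via `aws:SourceAccount` / `aws:SourceArn`. I would make that explicit: `description = "Additional condition blocks (test, variable, values) appended to the sts:AssumeRole statement of the flow log CloudWatch IAM role trust policy, e.g. aws:SourceAccount / aws:SourceArn to scope who may assume the role"`. The type also accepts an empty `values` list and an arbitrary `test` string with no `validation` block, so a malformed entry is presumably only rejected when the role is created; a `validation` block requiring `length(c.values) > 0` for every entry would surface it at plan time instead.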
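Review bot: The new `dynamic "condition"` block carries no comment saying what the caller-supplied conditions are for, and both the enclosing `statement` and the `data` block start outside the hunk. Since this document is the role's trust policy (the statement's only action is `sts:AssumeRole`), each entry narrows who can assume the flow log role, and with the default `[]` no `condition` block is emitted at all, so the trust statement is unchanged from before this patch and the restriction is opt-in. I would add above the block: `# Caller-supplied trust-policy conditions (e.g. aws:SourceAccount / aws:SourceArn) that restrict this assume-role statement; none by default.` The three fields are passed through verbatim, so nothing here checks that `values` is non-empty; if that check is wanted it belongs on the variable rather than in this block.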