feat: s3 bucket wif - support multiple subjects with partial matching

malhussan · malhussan · commit a00b0b5a27ab · 2025-12-11T22:44:50.000+01:00
diff --git a/modules/aks/starterkit/buildingblock/README.md b/modules/aks/starterkit/buildingblock/README.md
@@ -15,7 +15,7 @@ This documentation is intended as a reference documentation for cloud foundation
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_meshstack"></a> [meshstack](#requirement\_meshstack) | 0.9.0 |
+| <a name="requirement_meshstack"></a> [meshstack](#requirement\_meshstack) | 0.15.0 |
 
 ## Modules
 
@@ -25,15 +25,15 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [meshstack_building_block_v2.github_actions_dev](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/building_block_v2) | resource |
-| [meshstack_building_block_v2.github_actions_prod](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/building_block_v2) | resource |
-| [meshstack_building_block_v2.repo](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/building_block_v2) | resource |
-| [meshstack_project.dev](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/project) | resource |
-| [meshstack_project.prod](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/project) | resource |
-| [meshstack_project_user_binding.creator_dev_admin](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/project_user_binding) | resource |
-| [meshstack_project_user_binding.creator_prod_admin](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/project_user_binding) | resource |
-| [meshstack_tenant_v4.dev](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/tenant_v4) | resource |
-| [meshstack_tenant_v4.prod](https://registry.terraform.io/providers/meshcloud/meshstack/0.9.0/docs/resources/tenant_v4) | resource |
+| [meshstack_building_block_v2.github_actions_dev](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/building_block_v2) | resource |
+| [meshstack_building_block_v2.github_actions_prod](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/building_block_v2) | resource |
+| [meshstack_building_block_v2.repo](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/building_block_v2) | resource |
+| [meshstack_project.dev](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/project) | resource |
+| [meshstack_project.prod](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/project) | resource |
+| [meshstack_project_user_binding.creator_dev_admin](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/project_user_binding) | resource |
+| [meshstack_project_user_binding.creator_prod_admin](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/project_user_binding) | resource |
+| [meshstack_tenant_v4.dev](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/tenant_v4) | resource |
+| [meshstack_tenant_v4.prod](https://registry.terraform.io/providers/meshcloud/meshstack/0.15.0/docs/resources/tenant_v4) | resource |
 
 ## Inputs
 
diff --git a/modules/aws/s3_bucket/backplane/README.md b/modules/aws/s3_bucket/backplane/README.md
@@ -22,8 +22,11 @@ module "aws_s3_bucket_backplane" {
   workload_identity_federation = {
     issuer   = "https://your-oidc-issuer"
     audience = "your-audience"
-    subject  = "system:serviceaccount:your-namespace:your-service-account-name"
-  } # Optional, if not provided, workload identity federation will not be set up and IAM access keys will be created
+    subjects = [
+      "system:serviceaccount:your-namespace:your-service-account-name",  # Exact match
+      "system:serviceaccount:your-namespace:*",                          # Wildcard match
+    ]
+  } # Optional, if not provided, IAM access keys will be created instead
 }
 
 output "aws_s3_bucket_backplane" {
@@ -62,7 +65,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. | <pre>object({<br>    issuer   = string,<br>    audience = string,<br>    subject  = string,<br>  })</pre> | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. Supports multiple subjects for migration paths and wildcard patterns (e.g., 'system:serviceaccount:namespace:*'). | <pre>object({<br>    issuer   = string,<br>    audience = string,<br>    subjects = list(string)<br>  })</pre> | `null` | no |
 
 ## Outputs
 
diff --git a/modules/aws/s3_bucket/backplane/iam.tf b/modules/aws/s3_bucket/backplane/iam.tf
@@ -66,10 +66,10 @@ data "aws_iam_policy_document" "workload_identity_federation" {
     }
 
     condition {
-      test     = "StringEquals"
+      test     = "StringLike"
       variable = "${trimprefix(var.workload_identity_federation.issuer, "https://")}:sub"
 
-      values = [var.workload_identity_federation.subject]
+      values = var.workload_identity_federation.subjects
     }
   }
 }
diff --git a/modules/aws/s3_bucket/backplane/variables.tf b/modules/aws/s3_bucket/backplane/variables.tf
@@ -2,8 +2,8 @@ variable "workload_identity_federation" {
   type = object({
     issuer   = string,
     audience = string,
-    subject  = string,
+    subjects = list(string)
   })
   default     = null
-  description = "Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys."
+  description = "Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. Supports multiple subjects for migration paths and wildcard patterns (e.g., 'system:serviceaccount:namespace:*')."
 }

Original file line number	Diff line number	Diff line change
`@@ -66,10 +66,10 @@ data "aws_iam_policy_document" "workload_identity_federation" {`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`condition {`
`69`		`- test = "StringEquals"`
	`69`	`+ test = "StringLike"`
`70`	`70`	`variable = "${trimprefix(var.workload_identity_federation.issuer, "https://")}:sub"`
`71`	`71`
`72`		`- values = [var.workload_identity_federation.subject]`
	`72`	`+ values = var.workload_identity_federation.subjects`
`73`	`73`	`}`
`74`	`74`	`}`
`75`	`75`	`}`