Add CIDR limitation to OIDC IAM Role

[alecsiemerink]

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅: At least > V3

Is your request related to a problem? Please describe.

We want to secure our Terraform deployment pipelines which already use OIDC on a self-hosted GitHub Actions runner. We want to be able to limit the CIDR from which this role can be used.

Describe the solution you'd like.

In the module declaration, I want to be able to pass a CIDR list like this:

module "iam_github_oidc_role" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"

  # This should be updated to suit your organization, repository, references/branches, etc.
  subjects = ["terraform-aws-modules/terraform-aws-iam:*"]

  policies = {
    S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
  }
  allowed_cidr = ['x.x.x.x/x", "x.x.x.x/x"]


  tags = {
    Environment = "test"
  }
}

Describe alternatives you've considered.

Doing this through the console:

Additional context

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.