appvia · bobdoah · Aug 2, 2023
diff --git a/README.md b/README.md
@@ -80,6 +80,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_kms_key_administrators"></a> [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available | `list(string)` | `[]` | no |
 | <a name="input_kube_proxy_addon_version"></a> [kube\_proxy\_addon\_version](#input\_kube\_proxy\_addon\_version) | Kube Proxy Addon version to use | `string` | `"v1.25.11-eksbuild.1"` | no |
 | <a name="input_node_security_group_additional_rules"></a> [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source | `any` | `{}` | no |
+| <a name="input_permissions_boundary_policy_arn"></a> [permissions\_boundary\_policy\_arn](#input\_permissions\_boundary\_policy\_arn) | ARN of the AWS permissions boundary policy to apply to IAM roles | `string` | `""` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | A list of private Subnet IDs to launch the Wayfinder EKS Nodes onto | `list(string)` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources created | `map(string)` | `{}` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID for the Wayfinder EKS Cluster to be built within | `string` | n/a | yes |

diff --git a/autoscaler.tf b/autoscaler.tf
@@ -13,6 +13,7 @@ module "autoscaler_irsa_role" {
       namespace_service_accounts = ["kube-system:autoscaler"]
     }
   }
+  role_permissions_boundary_arn = var.permissions_boundary_policy_arn
 }
 
 resource "helm_release" "metrics_server" {

diff --git a/cert-manager.tf b/cert-manager.tf
@@ -13,6 +13,7 @@ module "certmanager_irsa_role" {
       namespace_service_accounts = ["cert-manager:cert-manager"]
     }
   }
+  role_permissions_boundary_arn = var.permissions_boundary_policy_arn
 }
 
 resource "helm_release" "certmanager" {

diff --git a/eks.tf b/eks.tf
@@ -132,4 +132,5 @@ module "irsa-ebs-csi-driver" {
       namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
     }
   }
+  role_permissions_boundary_arn = var.permissions_boundary_policy_arn
 }
diff --git a/external-dns.tf b/external-dns.tf
@@ -12,6 +12,8 @@ module "externaldns_irsa_role" {
       namespace_service_accounts = ["external-dns:external-dns"]
     }
   }
+  role_permissions_boundary_arn = var.permissions_boundary_policy_arn
+
 }
 
 resource "helm_release" "external-dns" {

diff --git a/modules/cloudaccess/variables.tf b/modules/cloudaccess/variables.tf
@@ -32,3 +32,9 @@ variable "workspace_id" {
   description = "A Wayfinder workspace ID if Roles are to be kept unique to a workspace"
   type        = string
 }
+
+variable "permissions_boundary_policy_arn" {
+  description = "ARN of the AWS permissions boundary policy to apply to IAM roles"
+  type        = string
+  default     = ""
+}
diff --git a/modules/cloudaccess/wf_cluster_manager.tf b/modules/cloudaccess/wf_cluster_manager.tf
@@ -4,12 +4,13 @@ module "iam_role_cluster_manager" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
   version = "5.17.0"
 
-  create_role             = true
-  role_name               = "wf-ClusterManager${local.resource_suffix}"
-  role_description        = "Create and manage EKS Kubernetes clusters"
-  role_requires_mfa       = false
-  custom_role_policy_arns = [module.iam_policy_cluster_manager[0].arn]
-  trusted_role_arns       = [var.wayfinder_iam_role_arn]
+  create_role                   = true
+  role_name                     = "wf-ClusterManager${local.resource_suffix}"
+  role_description              = "Create and manage EKS Kubernetes clusters"
+  role_requires_mfa             = false
+  custom_role_policy_arns       = [module.iam_policy_cluster_manager[0].arn]
+  trusted_role_arns             = [var.wayfinder_iam_role_arn]
+  role_permissions_boundary_arn = var.permissions_boundary_policy_arn
 }
 
 module "iam_policy_cluster_manager" {

diff --git a/modules/cloudaccess/wf_dns_zone_manager.tf b/modules/cloudaccess/wf_dns_zone_manager.tf
@@ -4,12 +4,13 @@ module "iam_role_dns_zone_manager" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
   version = "5.17.0"
 
-  create_role             = true
-  role_name               = "wf-DNSZoneManager${local.resource_suffix}"
-  role_description        = "Create and manage Route 53 DNS Zones for automated DNS management"
-  role_requires_mfa       = false
-  custom_role_policy_arns = [module.iam_policy_dns_zone_manager[0].arn]
-  trusted_role_arns       = [var.wayfinder_iam_role_arn]
+  create_role                   = true
+  role_name                     = "wf-DNSZoneManager${local.resource_suffix}"
+  role_description              = "Create and manage Route 53 DNS Zones for automated DNS management"
+  role_requires_mfa             = false
+  custom_role_policy_arns       = [module.iam_policy_dns_zone_manager[0].arn]
+  trusted_role_arns             = [var.wayfinder_iam_role_arn]
+  role_permissions_boundary_arn = var.permissions_boundary_policy_arn
 }
 
 module "iam_policy_dns_zone_manager" {

diff --git a/modules/cloudaccess/wf_network_manager.tf b/modules/cloudaccess/wf_network_manager.tf
@@ -4,12 +4,13 @@ module "iam_role_network_manager" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
   version = "5.17.0"
 
-  create_role             = true
-  role_name               = "wf-NetworkManager${local.resource_suffix}"
-  role_description        = "Create and manage VPCs for EKS clusters"
-  role_requires_mfa       = false
-  custom_role_policy_arns = [module.iam_policy_network_manager[0].arn]
-  trusted_role_arns       = [var.wayfinder_iam_role_arn]
+  create_role                   = true
+  role_name                     = "wf-NetworkManager${local.resource_suffix}"
+  role_description              = "Create and manage VPCs for EKS clusters"
+  role_requires_mfa             = false
+  custom_role_policy_arns       = [module.iam_policy_network_manager[0].arn]
+  trusted_role_arns             = [var.wayfinder_iam_role_arn]
+  role_permissions_boundary_arn = var.permissions_boundary_policy_arn
 }
 
 module "iam_policy_network_manager" {

diff --git a/variables.tf b/variables.tf
@@ -182,3 +182,9 @@ variable "aws_vpc_cni_addon_version" {
   type        = string
   default     = "v1.12.6-eksbuild.2"
 }
+
+variable "permissions_boundary_policy_arn" {
+  description = "ARN of the AWS permissions boundary policy to apply to IAM roles"
+  type        = string
+  default     = ""
+}
diff --git a/wayfinder.tf b/wayfinder.tf
@@ -127,6 +127,7 @@ module "wayfinder_irsa_role" {
       namespace_service_accounts = ["wayfinder:wayfinder-admin"]
     }
   }
+  role_permissions_boundary_arn = var.permissions_boundary_policy_arn
 }
 
 resource "helm_release" "wayfinder" {
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,6 +13,7 @@ module "autoscaler_irsa_role" { @@
           namespace_service_accounts = ["kube-system:autoscaler"]
         }
       }
+      role_permissions_boundary_arn = var.permissions_boundary_policy_arn
     }
     resource "helm_release" "metrics_server" {
@@ Expand Down @@