cein/feature/add-iam-permissions-boundary-input (#120)

Cein-Markey · cloudpossebot · web-flow · commit 3c8645e01ca4 · 2021-12-13T12:26:35.000-07:00
* Add new `iam_role_permissions_boundary` variable

Add new `iam_role_permissions_boundary` variable with a default of empty
string and place it in `aws_iam_role.elasticsearch_user.permissions_boundary`

* Add `iam_role_permissions_boundary` input to `README.md`

* Auto Format

* Update `docs/terraform.md` to reflect new `iam_role_permissions_boundary` input

Update `README.md` `iam_role_permissions_boundary` to reflect generated
input from `docs/terraform.md`

* Update `iam_role_permissions_boundary` default value from `string` to `null`

* Update `README.md` to reflect `iam_role_permissions_boundary`

Co-authored-by: cloudpossebot &lt;11232728+cloudpossebot@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -248,6 +248,7 @@ Available targets:
 | <a name="input_iam_authorizing_role_arns"></a> [iam\_authorizing\_role\_arns](#input\_iam\_authorizing\_role\_arns) | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no |
 | <a name="input_iam_role_arns"></a> [iam\_role\_arns](#input\_iam\_role\_arns) | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
 | <a name="input_iam_role_max_session_duration"></a> [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no |
+| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_ingress_port_range_end"></a> [ingress\_port\_range\_end](#input\_ingress\_port\_range\_end) | End number for allowed port range. (e.g. `443`) | `number` | `65535` | no |
 | <a name="input_ingress_port_range_start"></a> [ingress\_port\_range\_start](#input\_ingress\_port\_range\_start) | Start number for allowed port range. (e.g. `443`) | `number` | `0` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -85,6 +85,7 @@
 | <a name="input_iam_authorizing_role_arns"></a> [iam\_authorizing\_role\_arns](#input\_iam\_authorizing\_role\_arns) | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no |
 | <a name="input_iam_role_arns"></a> [iam\_role\_arns](#input\_iam\_role\_arns) | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
 | <a name="input_iam_role_max_session_duration"></a> [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no |
+| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_ingress_port_range_end"></a> [ingress\_port\_range\_end](#input\_ingress\_port\_range\_end) | End number for allowed port range. (e.g. `443`) | `number` | `65535` | no |
 | <a name="input_ingress_port_range_start"></a> [ingress\_port\_range\_start](#input\_ingress\_port\_range\_start) | Start number for allowed port range. (e.g. `443`) | `number` | `0` | no |
diff --git a/main.tf b/main.tf
@@ -73,6 +73,8 @@ resource "aws_iam_role" "elasticsearch_user" {
   tags               = module.user_label.tags
 
   max_session_duration = var.iam_role_max_session_duration
+
+  permissions_boundary = var.iam_role_permissions_boundary
 }
 
 data "aws_iam_policy_document" "assume_role" {
diff --git a/variables.tf b/variables.tf
@@ -88,6 +88,12 @@ variable "iam_role_arns" {
   description = "List of IAM role ARNs to permit access to the Elasticsearch domain"
 }
 
+variable "iam_role_permissions_boundary" {
+  type        = string
+  default     = null
+  description = "The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role"
+}
+
 variable "iam_authorizing_role_arns" {
   type        = list(string)
   default     = []

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,8 @@ resource "aws_iam_role" "elasticsearch_user" {`
`73`	`73`	`tags = module.user_label.tags`
`74`	`74`
`75`	`75`	`max_session_duration = var.iam_role_max_session_duration`
	`76`	`+`
	`77`	`+ permissions_boundary = var.iam_role_permissions_boundary`
`76`	`78`	`}`
`77`	`79`
`78`	`80`	`data "aws_iam_policy_document" "assume_role" {`