feat: add permissions boundary support for all IAM roles (#95)

kav · claude · josmo · web-flow · commit 8abfeeb4f5f8 · 2026-03-05T11:38:45.000-06:00
Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Co-authored-by: Joachim Hill-Grannec &lt;joachim.hill@gmail.com&gt;
diff --git a/main.tf b/main.tf
@@ -7,10 +7,12 @@ terraform {
     }
   }
 }
-data "aws_partition" "current" {} # Used for GovCloud/China partition-aware ARN construction
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
 
 locals {
-  is_arm = can(regex("[a-zA-Z]+\\d+g[a-z]*\\..+", var.stack_pelotech_nat_instance_type))
+  permissions_boundary_arn = var.permissions_boundary != "" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" : null
+  is_arm                   = can(regex("[a-zA-Z]+\\d+g[a-z]*\\..+", var.stack_pelotech_nat_instance_type))
   admin_access_entries = {
     for index, item in var.stack_admin_arns : "admin_${index}" => {
       principal_arn = item
@@ -152,15 +154,16 @@ resource "aws_vpc_endpoint" "eks_vpc_endpoints" {
 }
 
 module "eks" {
-  source                     = "terraform-aws-modules/eks/aws"
-  version                    = "21.15.1"
-  name                       = var.stack_name
-  kubernetes_version         = var.eks_cluster_version
-  create                     = var.stack_create
-  create_node_security_group = var.create_node_security_group
-  endpoint_private_access    = true
-  endpoint_public_access     = var.cluster_endpoint_public_access
-  enabled_log_types          = var.cluster_enabled_log_types
+  source                        = "terraform-aws-modules/eks/aws"
+  version                       = "21.15.1"
+  name                          = var.stack_name
+  kubernetes_version            = var.eks_cluster_version
+  create                        = var.stack_create
+  create_node_security_group    = var.create_node_security_group
+  iam_role_permissions_boundary = local.permissions_boundary_arn
+  endpoint_private_access       = true
+  endpoint_public_access        = var.cluster_endpoint_public_access
+  enabled_log_types             = var.cluster_enabled_log_types
 
   vpc_id         = var.stack_existing_vpc_config != null ? var.stack_existing_vpc_config.vpc_id : module.vpc.vpc_id
   subnet_ids     = var.stack_existing_vpc_config != null ? var.stack_existing_vpc_config.subnet_ids : module.vpc.private_subnets
@@ -175,6 +178,7 @@ module "eks" {
   eks_managed_node_groups = var.stack_enable_default_eks_managed_node_group ? {
     "initial-${var.stack_name}" = {
       iam_role_use_name_prefix       = false
+      iam_role_permissions_boundary  = local.permissions_boundary_arn
       instance_types                 = var.initial_instance_types
       min_size                       = var.initial_node_min_size
       max_size                       = var.initial_node_max_size
@@ -243,6 +247,8 @@ module "karpenter" {
   iam_role_use_name_prefix                = false
   node_iam_role_use_name_prefix           = false
   create_pod_identity_association         = false
+  iam_role_permissions_boundary_arn       = local.permissions_boundary_arn
+  node_iam_role_permissions_boundary      = local.permissions_boundary_arn
   iam_role_source_assume_policy_documents = [data.aws_iam_policy_document.source.json]
   tags = merge(var.stack_tags, {
   })
@@ -265,6 +271,7 @@ module "load_balancer_controller_irsa_role" {
       namespace_service_accounts = ["alb:aws-load-balancer-controller"]
     }
   }
+  permissions_boundary = local.permissions_boundary_arn
   tags = merge(var.stack_tags, {
   })
 }
@@ -285,6 +292,7 @@ module "ebs_csi_driver_irsa_role" {
       namespace_service_accounts = ["kube-system:ebs-csi-driver"]
     }
   }
+  permissions_boundary = local.permissions_boundary_arn
   tags = merge(var.stack_tags, {
   })
 }
@@ -329,6 +337,7 @@ module "s3_driver_irsa_role" {
       namespace_service_accounts = ["kube-system:s3-csi-driver"]
     }
   }
+  permissions_boundary = local.permissions_boundary_arn
   tags = merge(var.stack_tags, {
   })
 }
@@ -351,6 +360,7 @@ module "external_dns_irsa_role" {
       namespace_service_accounts = ["external-dns:external-dns-controller"]
     }
   }
+  permissions_boundary = local.permissions_boundary_arn
   tags = merge(var.stack_tags, {
   })
 }
@@ -374,6 +384,7 @@ module "cert_manager_irsa_role" {
       namespace_service_accounts = ["cert-manager:cert-manager"]
     }
   }
+  permissions_boundary = local.permissions_boundary_arn
   tags = merge(var.stack_tags, {
   })
 }
diff --git a/variables.tf b/variables.tf
@@ -211,3 +211,9 @@ variable "create_node_security_group" {
   default     = false
   description = "Whether to create a dedicated security group for EKS managed node groups. When true, the node_security_group_id output is populated."
 }
+
+variable "permissions_boundary" {
+  type        = string
+  default     = ""
+  description = "IAM permissions boundary policy name applied to all IAM roles. When set, constructs full ARN from the current account and partition."
+}

Original file line number	Diff line number	Diff line change
`@@ -7,10 +7,12 @@ terraform {`
`7`	`7`	`}`
`8`	`8`	`}`
`9`	`9`	`}`
`10`		`-data "aws_partition" "current" {} # Used for GovCloud/China partition-aware ARN construction`
	`10`	`+data "aws_partition" "current" {}`
	`11`	`+data "aws_caller_identity" "current" {}`
`11`	`12`
`12`	`13`	`locals {`
`13`		`- is_arm = can(regex("[a-zA-Z]+\\d+g[a-z]*\\..+", var.stack_pelotech_nat_instance_type))`
	`14`	`+ permissions_boundary_arn = var.permissions_boundary != "" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary}" : null`
	`15`	`+ is_arm = can(regex("[a-zA-Z]+\\d+g[a-z]*\\..+", var.stack_pelotech_nat_instance_type))`
`14`	`16`	`admin_access_entries = {`
`15`	`17`	`for index, item in var.stack_admin_arns : "admin_${index}" => {`
`16`	`18`	`principal_arn = item`
`@@ -152,15 +154,16 @@ resource "aws_vpc_endpoint" "eks_vpc_endpoints" {`
`152`	`154`	`}`
`153`	`155`
`154`	`156`	`module "eks" {`
`155`		`- source = "terraform-aws-modules/eks/aws"`
`156`		`- version = "21.15.1"`
`157`		`- name = var.stack_name`
`158`		`- kubernetes_version = var.eks_cluster_version`
`159`		`- create = var.stack_create`
`160`		`- create_node_security_group = var.create_node_security_group`
`161`		`- endpoint_private_access = true`
`162`		`- endpoint_public_access = var.cluster_endpoint_public_access`
`163`		`- enabled_log_types = var.cluster_enabled_log_types`
	`157`	`+ source = "terraform-aws-modules/eks/aws"`
	`158`	`+ version = "21.15.1"`
	`159`	`+ name = var.stack_name`
	`160`	`+ kubernetes_version = var.eks_cluster_version`
	`161`	`+ create = var.stack_create`
	`162`	`+ create_node_security_group = var.create_node_security_group`
	`163`	`+ iam_role_permissions_boundary = local.permissions_boundary_arn`
	`164`	`+ endpoint_private_access = true`
	`165`	`+ endpoint_public_access = var.cluster_endpoint_public_access`
	`166`	`+ enabled_log_types = var.cluster_enabled_log_types`
`164`	`167`
`165`	`168`	`vpc_id = var.stack_existing_vpc_config != null ? var.stack_existing_vpc_config.vpc_id : module.vpc.vpc_id`
`166`	`169`	`subnet_ids = var.stack_existing_vpc_config != null ? var.stack_existing_vpc_config.subnet_ids : module.vpc.private_subnets`
`@@ -175,6 +178,7 @@ module "eks" {`
`175`	`178`	`eks_managed_node_groups = var.stack_enable_default_eks_managed_node_group ? {`
`176`	`179`	`"initial-${var.stack_name}" = {`
`177`	`180`	`iam_role_use_name_prefix = false`
	`181`	`+ iam_role_permissions_boundary = local.permissions_boundary_arn`
`178`	`182`	`instance_types = var.initial_instance_types`
`179`	`183`	`min_size = var.initial_node_min_size`
`180`	`184`	`max_size = var.initial_node_max_size`
`@@ -243,6 +247,8 @@ module "karpenter" {`
`243`	`247`	`iam_role_use_name_prefix = false`
`244`	`248`	`node_iam_role_use_name_prefix = false`
`245`	`249`	`create_pod_identity_association = false`
	`250`	`+ iam_role_permissions_boundary_arn = local.permissions_boundary_arn`
	`251`	`+ node_iam_role_permissions_boundary = local.permissions_boundary_arn`
`246`	`252`	`iam_role_source_assume_policy_documents = [data.aws_iam_policy_document.source.json]`
`247`	`253`	`tags = merge(var.stack_tags, {`
`248`	`254`	`})`
`@@ -265,6 +271,7 @@ module "load_balancer_controller_irsa_role" {`
`265`	`271`	`namespace_service_accounts = ["alb:aws-load-balancer-controller"]`
`266`	`272`	`}`
`267`	`273`	`}`
	`274`	`+ permissions_boundary = local.permissions_boundary_arn`
`268`	`275`	`tags = merge(var.stack_tags, {`
`269`	`276`	`})`
`270`	`277`	`}`
`@@ -285,6 +292,7 @@ module "ebs_csi_driver_irsa_role" {`
`285`	`292`	`namespace_service_accounts = ["kube-system:ebs-csi-driver"]`
`286`	`293`	`}`
`287`	`294`	`}`
	`295`	`+ permissions_boundary = local.permissions_boundary_arn`
`288`	`296`	`tags = merge(var.stack_tags, {`
`289`	`297`	`})`
`290`	`298`	`}`
`@@ -329,6 +337,7 @@ module "s3_driver_irsa_role" {`
`329`	`337`	`namespace_service_accounts = ["kube-system:s3-csi-driver"]`
`330`	`338`	`}`
`331`	`339`	`}`
	`340`	`+ permissions_boundary = local.permissions_boundary_arn`
`332`	`341`	`tags = merge(var.stack_tags, {`
`333`	`342`	`})`
`334`	`343`	`}`
`@@ -351,6 +360,7 @@ module "external_dns_irsa_role" {`
`351`	`360`	`namespace_service_accounts = ["external-dns:external-dns-controller"]`
`352`	`361`	`}`
`353`	`362`	`}`
	`363`	`+ permissions_boundary = local.permissions_boundary_arn`
`354`	`364`	`tags = merge(var.stack_tags, {`
`355`	`365`	`})`
`356`	`366`	`}`
`@@ -374,6 +384,7 @@ module "cert_manager_irsa_role" {`
`374`	`384`	`namespace_service_accounts = ["cert-manager:cert-manager"]`
`375`	`385`	`}`
`376`	`386`	`}`
	`387`	`+ permissions_boundary = local.permissions_boundary_arn`
`377`	`388`	`tags = merge(var.stack_tags, {`
`378`	`389`	`})`
`379`	`390`	`}`