feat(sfn-state-machine): add permissions_boundary support for IAM role (#34)

posquit0 · web-flow · commit 3139e34ea049 · 2026-02-25T16:55:48.000+09:00
diff --git a/modules/sfn-state-machine/iam.tf b/modules/sfn-state-machine/iam.tf
@@ -60,6 +60,8 @@ module "role" {
     var.iam_role.inline_policies,
   )
 
+  permissions_boundary = var.iam_role.permissions_boundary
+
   resource_group_enabled = false
   module_tags_enabled    = false
 
diff --git a/modules/sfn-state-machine/variables.tf b/modules/sfn-state-machine/variables.tf
@@ -80,6 +80,7 @@ variable "iam_role" {
     (Optional) `enabled` - Whether to create a default IAM role managed by this module.
     (Optional) `policies` - A list of IAM policies ARNs to attach to IAM role.
     (Optional) `inline_policies` - Map of inline IAM policies to attach to IAM role. (`name` => `policy`).
+    (Optional) `permissions_boundary` - The ARN of the IAM policy to use as permissions boundary for the default IAM role.
   EOF
   type = object({
     enabled = optional(bool, true)
@@ -88,8 +89,9 @@ variable "iam_role" {
       condition = string
       values    = list(string)
     })), [])
-    policies        = optional(list(string), [])
-    inline_policies = optional(map(string), {})
+    policies             = optional(list(string), [])
+    inline_policies      = optional(map(string), {})
+    permissions_boundary = optional(string)
   })
   default  = {}
   nullable = false

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,8 @@ module "role" {`
`60`	`60`	`var.iam_role.inline_policies,`
`61`	`61`	`)`
`62`	`62`
	`63`	`+ permissions_boundary = var.iam_role.permissions_boundary`
	`64`	`+`
`63`	`65`	`resource_group_enabled = false`
`64`	`66`	`module_tags_enabled = false`
`65`	`67`