Add optional permissions_boundary (#265)

dylanhellems · max-rocket-internet · commit a1a1644f8039 · 2019-02-07T16:38:16.000+01:00
* Add optional permissions_boundary

* Update CHANGELOG
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 
 ##### Added
 
+- Ability to specify a permissions_boundary for IAM roles (by @dylanhellems)
 - Ability to configure force_delete for the worker group ASG (by @stefansedich)
 - Ability to configure worker group ASG tags (by @stefansedich)
 - Added EBS optimized mapping for the g3s.xlarge instance type (by @stefansedich)
diff --git a/README.md b/README.md
@@ -130,6 +130,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | map\_roles\_count | The count of roles in the map_roles list. | string | `"0"` | no |
 | map\_users | Additional IAM users to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `[]` | no |
 | map\_users\_count | The count of roles in the map_users list. | string | `"0"` | no |
+| permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | string | `""` | no |
 | subnets | A list of subnets to place the EKS cluster and workers within. | list | n/a | yes |
 | tags | A map of tags to add to all resources. | map | `{}` | no |
 | vpc\_id | VPC where the cluster and workers will be deployed. | string | n/a | yes |
diff --git a/cluster.tf b/cluster.tf
@@ -52,6 +52,7 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" {
 resource "aws_iam_role" "cluster" {
   name_prefix           = "${var.cluster_name}"
   assume_role_policy    = "${data.aws_iam_policy_document.cluster_assume_role_policy.json}"
+  permissions_boundary  = "${var.permissions_boundary}"
   force_detach_policies = true
 }
 
diff --git a/variables.tf b/variables.tf
@@ -216,3 +216,8 @@ variable "worker_create_security_group" {
   description = "Whether to create a security group for the workers or attach the workers to `worker_security_group_id`."
   default     = true
 }
+
+variable "permissions_boundary" {
+  description = "If provided, all IAM roles will be created with this permissions boundary attached."
+  default     = ""
+}
diff --git a/workers.tf b/workers.tf
@@ -114,6 +114,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster_https" {
 resource "aws_iam_role" "workers" {
   name_prefix           = "${aws_eks_cluster.this.name}"
   assume_role_policy    = "${data.aws_iam_policy_document.workers_assume_role_policy.json}"
+  permissions_boundary  = "${var.permissions_boundary}"
   force_detach_policies = true
 }
 

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" {`
`52`	`52`	`resource "aws_iam_role" "cluster" {`
`53`	`53`	`name_prefix = "${var.cluster_name}"`
`54`	`54`	`assume_role_policy = "${data.aws_iam_policy_document.cluster_assume_role_policy.json}"`
	`55`	`+ permissions_boundary = "${var.permissions_boundary}"`
`55`	`56`	`force_detach_policies = true`
`56`	`57`	`}`
`57`	`58`
Original file line number	Diff line number	Diff line change
`@@ -216,3 +216,8 @@ variable "worker_create_security_group" {`
`216`	`216`	description = "Whether to create a security group for the workers or attach the workers to `worker_security_group_id`."
`217`	`217`	`default = true`
`218`	`218`	`}`
	`219`	`+`
	`220`	`+variable "permissions_boundary" {`
	`221`	`+ description = "If provided, all IAM roles will be created with this permissions boundary attached."`
	`222`	`+ default = ""`
	`223`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster_https" {`
`114`	`114`	`resource "aws_iam_role" "workers" {`
`115`	`115`	`name_prefix = "${aws_eks_cluster.this.name}"`
`116`	`116`	`assume_role_policy = "${data.aws_iam_policy_document.workers_assume_role_policy.json}"`
	`117`	`+ permissions_boundary = "${var.permissions_boundary}"`
`117`	`118`	`force_detach_policies = true`
`118`	`119`	`}`
`119`	`120`