From 0fa3f251714127179307b9efd81d1cdf0caade99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20Morej=C3=B3n?=
Date: Wed, 15 Sep 2021 13:55:26 +0200
Subject: [PATCH] Add permissions_boundary as a variable (#23)
* Add permissions_boundary as a variable
Signed-off-by: Manuel Morejon
* Auto Format
Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
---
README.md | 5 +++--
docs/terraform.md | 5 +++--
iam.tf | 4 +++-
variables.tf | 8 +++++++-
4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 12f32d5..9bcb3ae 100644
--- a/README.md
+++ b/README.md
@@ -140,7 +140,7 @@ Available targets:
 | Name | Source | Version |
 |------|--------|---------|
-| [role](#module\_role) | cloudposse/iam-role/aws | 0.11.0 |
+| [role](#module\_role) | cloudposse/iam-role/aws | 0.13.0 |
 | [this](#module\_this) | cloudposse/label/null | 0.24.1 |
 ## Resources
@@ -169,7 +169,8 @@ Available targets:
 | [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [principals](#input\_principals) | Map of service name as key and a list of ARNs to allow assuming the role as value. (e.g. map(`AWS`, list(`arn:aws:iam:::role/admin`))) | `map` |
{
"Service": [
"ec2.amazonaws.com"
]
}
| no | +| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role | `string` | `""` | no | +| [principals](#input\_principals) | Map of service name as key and a list of ARNs to allow assuming the role as value. (e.g. map(`AWS`, list(`arn:aws:iam:::role/admin`))) | `map(any)` |
{
"Service": [
"ec2.amazonaws.com"
]
}
| no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | [retention\_in\_days](#input\_retention\_in\_days) | Number of days you want to retain log events in the log group | `string` | `"30"` | no |
 | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 57efe6d..97eec2f 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -16,7 +16,7 @@
 | Name | Source | Version |
 |------|--------|---------|
-| [role](#module\_role) | cloudposse/iam-role/aws | 0.11.0 |
+| [role](#module\_role) | cloudposse/iam-role/aws | 0.13.0 |
 | [this](#module\_this) | cloudposse/label/null | 0.24.1 |
 ## Resources
@@ -45,7 +45,8 @@
 | [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [principals](#input\_principals) | Map of service name as key and a list of ARNs to allow assuming the role as value. (e.g. map(`AWS`, list(`arn:aws:iam:::role/admin`))) | `map` |
{
"Service": [
"ec2.amazonaws.com"
]
}
| no | +| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role | `string` | `""` | no | +| [principals](#input\_principals) | Map of service name as key and a list of ARNs to allow assuming the role as value. (e.g. map(`AWS`, list(`arn:aws:iam:::role/admin`))) | `map(any)` |
{
"Service": [
"ec2.amazonaws.com"
]
}
| no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | [retention\_in\_days](#input\_retention\_in\_days) | Number of days you want to retain log events in the log group | `string` | `"30"` | no |
 | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
diff --git a/iam.tf b/iam.tf
index 47b674c..cbd2bee 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,6 +1,6 @@
 module "role" {
 source = "cloudposse/iam-role/aws"
- version = "0.11.0"
+ version = "0.13.0"
 attributes = compact(concat(module.this.attributes, ["log", "group"]))
@@ -13,6 +13,8 @@ module "role" {
 data.aws_iam_policy_document.log_agent.json,
 ]
+ permissions_boundary = var.permissions_boundary
+
 context = module.this.context
 }
diff --git a/variables.tf b/variables.tf
index 8d75e07..658577f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -15,7 +15,7 @@ variable "stream_names" {
 }
 variable "principals" {
- type = map
+ type = map(any)
 description = "Map of service name as key and a list of ARNs to allow assuming the role as value. (e.g. map(`AWS`, list(`arn:aws:iam:::role/admin`)))"
 default = {
@@ -32,3 +32,9 @@ variable "additional_permissions" {
 type = list(string)
 description = "Additional permissions granted to assumed role"
 }
+
+variable "permissions_boundary" {
+ type = string
+ default = ""
+ description = "ARN of the policy that is used to set the permissions boundary for the role"
+}
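Review bot: `permissions_boundary = var.permissions_boundary` forwards the `""` default unchanged into `cloudposse/iam-role/aws` 0.13.0, so whether an unset boundary means "no boundary" or an empty ARN reaching `aws_iam_role` depends entirely on how that pinned module treats an empty string; that is worth confirming against 0.13.0 rather than assuming, since the version pin is the only thing holding the behaviour fixed. A boundary is also easy to misread as a grant, so a why-comment on the new line would help the next reader: `# Boundary caps, but never grants, what additional_permissions and the log_agent policy allow; "" (default) presumably means no boundary — confirm against the pinned module.` The `module "role"` block starts at line 1 of iam.tf, outside this hunk.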
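Review bot: The new `permissions_boundary` variable accepts any string, so a mistyped or non-policy ARN is only rejected at apply time by IAM, and the description does not tell a caller what the empty default means for whether the role is guarded at all. Because this input is what bounds everything the role receives through `additional_permissions` and the log-agent policy, I would spell out the empty-string semantics in the description and add a `validation` block that accepts either `""` or an IAM policy ARN (customer-managed or AWS-managed, any partition). `validation` blocks need Terraform 0.13+, which I assume the module already requires given the registry-style `source` in iam.tf — confirm against versions.tf, which is not in this patch.
```hcl
variable "permissions_boundary" {
  type        = string
  default     = ""
  description = "ARN of the IAM policy used as the permissions boundary for the role. An empty string (the default) requests no boundary. A boundary limits, but does not grant, the permissions in the role's attached policies."

  validation {
    condition     = var.permissions_boundary == "" || can(regex("^arn:aws[a-zA-Z-]*:iam::(aws|[0-9]{12}):policy/", var.permissions_boundary))
    error_message = "The permissions_boundary value must be an IAM policy ARN or an empty string."
  }
}
```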