Merge pull request #207 from dsaidgovsg/feat--perms-boundary

Add `permissions_boundary` for created IAM role.
hashicorp · Jan 26, 2021 · ae88203 · ae88203
2 parents ab06327 + 4ab7068
commit ae88203
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/modules/consul-cluster/main.tf b/modules/consul-cluster/main.tf
@@ -216,6 +216,8 @@ resource "aws_iam_role" "instance_role" {
   name_prefix        = var.cluster_name
   assume_role_policy = data.aws_iam_policy_document.instance_role.json
 
+  permissions_boundary = var.iam_permissions_boundary
+
   # aws_iam_instance_profile.instance_profile in this module sets create_before_destroy to true, which means
   # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
   # when you try to do a terraform destroy.

diff --git a/modules/consul-cluster/variables.tf b/modules/consul-cluster/variables.tf
@@ -278,6 +278,12 @@ variable "iam_instance_profile_name" {
   default     = null
 }
 
+variable "iam_permissions_boundary" {
+  description = "If set, restricts the created IAM role to the given permissions boundary"
+  type        = string
+  default     = null
+}
+
 variable "protect_from_scale_in" {
   description = "(Optional) Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events."
   type        = bool