Merge pull request #231 from dsaidgovsg/feat--perms-boundary

Add `permissions_boundary` for created IAM role.
hashicorp · Jan 26, 2021 · a0bc093 · a0bc093
2 parents 372aae4 + b9715a4
commit a0bc093
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
@@ -246,6 +246,8 @@ resource "aws_iam_role" "instance_role" {
   name_prefix        = var.cluster_name
   assume_role_policy = data.aws_iam_policy_document.instance_role.json
 
+  permissions_boundary = var.iam_permissions_boundary
+
   # aws_iam_instance_profile.instance_profile in this module sets create_before_destroy to true, which means
   # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
   # when you try to do a terraform destroy.

diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
@@ -235,4 +235,10 @@ variable "dynamo_table_region" {
   description = "Table region used for the instance policy. Uses the current region if not supplied. Global tables should use `*` to allow for a cross region deployment to write to their respective table"
   type        = string
   default     = ""
-}
+}
+
+variable "iam_permissions_boundary" {
+  description = "If set, restricts the created IAM role to the given permissions boundary"
+  type        = string
+  default     = null
+}