From b9715a4c2b78ec90c2370dcecb1c04ff54f3beea Mon Sep 17 00:00:00 2001
From: Chen Weiguang
Date: Tue, 22 Sep 2020 17:58:38 +0800
Subject: [PATCH] Add `permissions_boundary` for created IAM role.

---
 modules/vault-cluster/main.tf | 2 ++
 modules/vault-cluster/variables.tf | 8 +++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
index 55ad08a8..d6c3a567 100644
--- a/modules/vault-cluster/main.tf
+++ b/modules/vault-cluster/main.tf
@@ -246,6 +246,8 @@ resource "aws_iam_role" "instance_role" {
   name_prefix = var.cluster_name
   assume_role_policy = data.aws_iam_policy_document.instance_role.json
 
+  permissions_boundary = var.iam_permissions_boundary
+
   # aws_iam_instance_profile.instance_profile in this module sets create_before_destroy to true, which means
   # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
   # when you try to do a terraform destroy.
diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
index 5d2276d0..df58075c 100644
--- a/modules/vault-cluster/variables.tf
+++ b/modules/vault-cluster/variables.tf
@@ -235,4 +235,10 @@ variable "dynamo_table_region" {
   description = "Table region used for the instance policy. Uses the current region if not supplied. Global tables should use `*` to allow for a cross region deployment to write to their respective table"
   type = string
   default = ""
-}
\ No newline at end of file
+}
+
+variable "iam_permissions_boundary" {
+  description = "If set, restricts the created IAM role to the given permissions boundary"
+  type = string
+  default = null
+}
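Review bot: The new `permissions_boundary` line in `aws_iam_role.instance_role` has no comment explaining what a null value does or that a boundary only caps the role's effective permissions, whereas the neighbouring `create_before_destroy` note is documented at length. The policies this module attaches to the role elsewhere (outside this hunk) are not reduced by the boundary, so an operator reading only this resource may assume the boundary alone grants nothing and constrains everything, which is true, or that it replaces the attached policies, which is not. I would add above the line: `# Optional permissions boundary (policy ARN). When set it only limits what instance_role can effectively do; it grants nothing, and null leaves the role without a boundary.` The resource block continues outside the hunk on both sides.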
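Review bot: The description of the new `iam_permissions_boundary` variable does not say that the value must be the ARN of an IAM policy, nor that the default `null` means no boundary is applied, so a caller could plausibly pass a policy name and only learn the problem at apply time. I would change it to `description = "ARN of an IAM policy to use as the permissions boundary for the IAM role this module creates. Set to null (the default) to create the role without a boundary."`. If the module already requires a Terraform version that supports `validation` blocks (I cannot tell from this hunk), a check that the value is null or starts with `arn:` would catch the mistake at plan time; otherwise the description alone is the fix.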