cein/feature/add-iam-permissions-boundary-input (#120)

* Add new `iam_role_permissions_boundary` variable Add new `iam_role_permissions_boundary` variable with a default of empty string and place it in `aws_iam_role.elasticsearch_user.permissions_boundary` * Add `iam_role_permissions_boundary` input to `README.md` * Auto Format * Update `docs/terraform.md` to reflect new `iam_role_permissions_boundary` input Update `README.md` `iam_role_permissions_boundary` to reflect generated input from `docs/terraform.md` * Update `iam_role_permissions_boundary` default value from `string` to `null` * Update `README.md` to reflect `iam_role_permissions_boundary` Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
cloudposse · Dec 13, 2021 · 3c8645e · 3c8645e
1 parent 25652f2
commit 3c8645e
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -248,6 +248,7 @@ Available targets:
 | <a name="input_iam_authorizing_role_arns"></a> [iam\_authorizing\_role\_arns](#input\_iam\_authorizing\_role\_arns) | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no |
 | <a name="input_iam_role_arns"></a> [iam\_role\_arns](#input\_iam\_role\_arns) | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
 | <a name="input_iam_role_max_session_duration"></a> [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no |
+| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_ingress_port_range_end"></a> [ingress\_port\_range\_end](#input\_ingress\_port\_range\_end) | End number for allowed port range. (e.g. `443`) | `number` | `65535` | no |
 | <a name="input_ingress_port_range_start"></a> [ingress\_port\_range\_start](#input\_ingress\_port\_range\_start) | Start number for allowed port range. (e.g. `443`) | `number` | `0` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -85,6 +85,7 @@
 | <a name="input_iam_authorizing_role_arns"></a> [iam\_authorizing\_role\_arns](#input\_iam\_authorizing\_role\_arns) | List of IAM role ARNs to permit to assume the Elasticsearch user role | `list(string)` | `[]` | no |
 | <a name="input_iam_role_arns"></a> [iam\_role\_arns](#input\_iam\_role\_arns) | List of IAM role ARNs to permit access to the Elasticsearch domain | `list(string)` | `[]` | no |
 | <a name="input_iam_role_max_session_duration"></a> [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | `number` | `3600` | no |
+| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_ingress_port_range_end"></a> [ingress\_port\_range\_end](#input\_ingress\_port\_range\_end) | End number for allowed port range. (e.g. `443`) | `number` | `65535` | no |
 | <a name="input_ingress_port_range_start"></a> [ingress\_port\_range\_start](#input\_ingress\_port\_range\_start) | Start number for allowed port range. (e.g. `443`) | `number` | `0` | no |

diff --git a/main.tf b/main.tf
@@ -73,6 +73,8 @@ resource "aws_iam_role" "elasticsearch_user" {
   tags               = module.user_label.tags
 
   max_session_duration = var.iam_role_max_session_duration
+
+  permissions_boundary = var.iam_role_permissions_boundary
 }
 
 data "aws_iam_policy_document" "assume_role" {

diff --git a/variables.tf b/variables.tf
@@ -88,6 +88,12 @@ variable "iam_role_arns" {
   description = "List of IAM role ARNs to permit access to the Elasticsearch domain"
 }
 
+variable "iam_role_permissions_boundary" {
+  type        = string
+  default     = null
+  description = "The ARN of the permissions boundary policy which will be attached to the Elasticsearch user role"
+}
+
 variable "iam_authorizing_role_arns" {
   type        = list(string)
   default     = []