Add support for path and permissions_boundary to IAM role (#99)

Gibby · Gibby · cloudpossebot · web-flow · commit 3cfe8694b377 · 2022-06-21T16:22:06.000-04:00
* Add support for path and permissions_boundary to IAM role

* Auto Format

* Also need to support path for IAM policy

* Auto Format

* Update variables.tf

* Auto Format

Co-authored-by: Gibby &lt;git@twoitguys&gt;
Co-authored-by: cloudpossebot &lt;11232728+cloudpossebot@users.noreply.github.com&gt;
Co-authored-by: nitrocode &lt;nitrocode@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -239,6 +239,9 @@ Available targets:
 | <a name="input_git_clone_depth"></a> [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no |
 | <a name="input_github_token"></a> [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no |
 | <a name="input_github_token_type"></a> [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no |
+| <a name="input_iam_permissions_boundary"></a> [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
+| <a name="input_iam_policy_path"></a> [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no |
+| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_image_repo_name"></a> [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no |
 | <a name="input_image_tag"></a> [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -79,6 +79,9 @@
 | <a name="input_git_clone_depth"></a> [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no |
 | <a name="input_github_token"></a> [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no |
 | <a name="input_github_token_type"></a> [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no |
+| <a name="input_iam_permissions_boundary"></a> [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
+| <a name="input_iam_policy_path"></a> [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no |
+| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_image_repo_name"></a> [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no |
 | <a name="input_image_tag"></a> [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no |
diff --git a/main.tf b/main.tf
@@ -99,6 +99,8 @@ resource "aws_iam_role" "default" {
   name                  = module.this.id
   assume_role_policy    = data.aws_iam_policy_document.role.json
   force_detach_policies = true
+  path                  = var.iam_role_path
+  permissions_boundary  = var.iam_permissions_boundary
   tags                  = module.this.tags
 }
 
@@ -122,7 +124,7 @@ data "aws_iam_policy_document" "role" {
 resource "aws_iam_policy" "default" {
   count  = module.this.enabled ? 1 : 0
   name   = module.this.id
-  path   = "/service-role/"
+  path   = var.iam_policy_path
   policy = data.aws_iam_policy_document.combined_permissions.json
   tags   = module.this.tags
 }
@@ -131,7 +133,7 @@ resource "aws_iam_policy" "default_cache_bucket" {
   count = module.this.enabled && local.s3_cache_enabled ? 1 : 0
 
   name   = "${module.this.id}-cache-bucket"
-  path   = "/service-role/"
+  path   = var.iam_policy_path
   policy = join("", data.aws_iam_policy_document.permissions_cache_bucket.*.json)
   tags   = module.this.tags
 }
diff --git a/variables.tf b/variables.tf
@@ -260,6 +260,24 @@ variable "extra_permissions" {
   description = "List of action strings which will be added to IAM service account permissions."
 }
 
+variable "iam_role_path" {
+  type        = string
+  default     = null
+  description = "Path to the role."
+}
+
+variable "iam_policy_path" {
+  type        = string
+  default     = "/service-role/"
+  description = "Path to the policy."
+}
+
+variable "iam_permissions_boundary" {
+  type        = string
+  default     = null
+  description = "ARN of the policy that is used to set the permissions boundary for the role."
+}
+
 variable "encryption_enabled" {
   type        = bool
   default     = false
