From 3cfe8694b377d915b5eda294793883e73a7a4455 Mon Sep 17 00:00:00 2001
From: Gibby <503761+Gibby@users.noreply.github.com>
Date: Tue, 21 Jun 2022 16:22:06 -0400
Subject: [PATCH] Add support for path and permissions_boundary to IAM role (#99)
* Add support for path and permissions_boundary to IAM role
* Auto Format
* Also need to support path for IAM policy
* Auto Format
* Update variables.tf
* Auto Format
Co-authored-by: Gibby
Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Co-authored-by: nitrocode
---
 README.md | 3 +++
 docs/terraform.md | 3 +++
 main.tf | 6 ++++--
 variables.tf | 18 ++++++++++++++++++
 4 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index fac794c..a759957 100644
--- a/README.md
+++ b/README.md
@@ -239,6 +239,9 @@ Available targets:
 | [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no |
 | [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no |
 | [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no |
+| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
+| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no |
 | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
 | [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no |
 | [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index c71c18d..6360ee3 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -79,6 +79,9 @@
 | [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no |
 | [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no |
 | [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no |
+| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
+| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no |
 | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
 | [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no |
 | [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no |
diff --git a/main.tf b/main.tf
index 4b80ee1..6001028 100644
--- a/main.tf
+++ b/main.tf
@@ -99,6 +99,8 @@ resource "aws_iam_role" "default" {
 name = module.this.id
 assume_role_policy = data.aws_iam_policy_document.role.json
 force_detach_policies = true
+ path = var.iam_role_path
+ permissions_boundary = var.iam_permissions_boundary
 tags = module.this.tags
 }
@@ -122,7 +124,7 @@ data "aws_iam_policy_document" "role" {
 resource "aws_iam_policy" "default" {
 count = module.this.enabled ? 1 : 0
 name = module.this.id
- path = "/service-role/"
+ path = var.iam_policy_path
 policy = data.aws_iam_policy_document.combined_permissions.json
 tags = module.this.tags
 }
@@ -131,7 +133,7 @@ resource "aws_iam_policy" "default_cache_bucket" {
 count = module.this.enabled && local.s3_cache_enabled ? 1 : 0
 name = "${module.this.id}-cache-bucket"
- path = "/service-role/"
+ path = var.iam_policy_path
 policy = join("", data.aws_iam_policy_document.permissions_cache_bucket.*.json)
 tags = module.this.tags
 }
diff --git a/variables.tf b/variables.tf
index e8bbb77..57c9bf2 100644
--- a/variables.tf
+++ b/variables.tf
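Review bot: `path = var.iam_role_path` in the `aws_iam_role.default` hunk changes the role's ARN (the path is embedded in `arn:…:role<path><name>`), and as far as I can tell the AWS provider treats `path` as a replace-on-change argument, so setting `iam_role_path` on an existing deployment recreates the role under a new ARN and breaks any trust, bucket or KMS policy that pinned the old one. That consequence deserves a comment next to the line, e.g. `# path is part of the role ARN and changing it replaces the role; consumers must reference this resource's arn attribute, never a hand-built ARN`. On `permissions_boundary`, the value only caps what the attached policies grant and is ignored when null, so a comment such as `# Optional boundary capping this role's effective permissions (presumably including anything granted via extra_permissions); null leaves the role unbounded` makes the opt-in nature explicit to anyone auditing the module. The `aws_iam_role.default` block starts before the hunk, so whether it is guarded by the same `count` as the policies is not visible here.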
@@ -260,6 +260,24 @@ variable "extra_permissions" {
 description = "List of action strings which will be added to IAM service account permissions."
 }
+variable "iam_role_path" {
+ type = string
+ default = null
+ description = "Path to the role."
+}
+
+variable "iam_policy_path" {
+ type = string
+ default = "/service-role/"
+ description = "Path to the policy."
+}
+
+variable "iam_permissions_boundary" {
+ type = string
+ default = null
+ description = "ARN of the policy that is used to set the permissions boundary for the role."
+}
+
 variable "encryption_enabled" {
 type = bool
 default = false
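Review bot: The three new variables accept any string, so a path that does not begin and end with `/` or a boundary value that is not a policy ARN is rejected only by the IAM API at apply time, after the plan has been accepted. Terraform `validation` blocks (available since 0.13; confirm against the module's `required_version`) fail fast instead, and the boundary pattern must admit AWS-managed policies, whose account field is the literal `aws`, as well as non-`aws` partitions. The descriptions are also thin: `Path to the role.` could read `IAM path for the role; must begin and end with '/'. null leaves the AWS default '/'.`, and the boundary description should state that null leaves the role unbounded. The proposed checks follow (the path pattern mirrors the one documented for the IAM `Path` parameter, and `can()` turns the `regex` error on a null value into `false`); `variable "extra_permissions"` begins before the hunk.
```hcl
variable "iam_role_path" {
  # … unchanged: type, default, description …
  validation {
    condition     = var.iam_role_path == null || can(regex("^/([!-~]+/)?$", var.iam_role_path))
    error_message = "iam_role_path must begin and end with '/'."
  }
}

variable "iam_policy_path" {
  # … unchanged: type, default, description …
  validation {
    condition     = can(regex("^/([!-~]+/)?$", var.iam_policy_path))
    error_message = "iam_policy_path must begin and end with '/'."
  }
}

variable "iam_permissions_boundary" {
  # … unchanged: type, default, description …
  validation {
    condition     = var.iam_permissions_boundary == null || can(regex("^arn:[a-z-]+:iam::(aws|[0-9]{12}):policy/", var.iam_permissions_boundary))
    error_message = "iam_permissions_boundary must be an IAM policy ARN (customer-managed or AWS-managed)."
  }
}
```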