From 8041529083876ba214c8910b1c428dc652bfe308 Mon Sep 17 00:00:00 2001 From: Gibby Date: Fri, 12 Nov 2021 13:24:31 -0500 Subject: [PATCH 1/6] Add support for path and permissions_boundary to IAM role --- main.tf | 2 ++ variables.tf | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/main.tf b/main.tf index 3020b03..3336b68 100644 --- a/main.tf +++ b/main.tf @@ -100,6 +100,8 @@ resource "aws_iam_role" "default" { name = module.this.id assume_role_policy = data.aws_iam_policy_document.role.json force_detach_policies = true + path = var.iam_role_path + permissions_boundary = var.iam_permissions_boundary tags = module.this.tags } diff --git a/variables.tf b/variables.tf index e71790b..be1d0dc 100644 --- a/variables.tf +++ b/variables.tf @@ -246,6 +246,18 @@ variable "extra_permissions" { description = "List of action strings which will be added to IAM service account permissions." } +variable "iam_role_path" { + type = string + default = null + description = "Path to the role." +} + +variable "iam_permissions_boundary" { + type = string + default = null + description = "ARN of the policy that is used to set the permissions boundary for the role." +} + variable "encryption_enabled" { type = bool default = false From 178a33ed1d4488c3efd046bdda288c07e0882037 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Fri, 12 Nov 2021 18:26:21 +0000 Subject: [PATCH 2/6] Auto Format --- README.md | 2 ++ docs/terraform.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 611f35c..29f27c6 100644 --- a/README.md +++ b/README.md 
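Review bot: With `iam_role_path` defaulting to `null`, the role in the `main.tf` hunk lands on IAM's default `/` path while the module's own policies are created under `/service-role/` (the hard-coded values that PATCH 3/6 later replaces), so the default deployment puts the role and its policies on different paths. Keeping `null` looks like the right backward-compatible choice, since I believe the provider treats `path` on `aws_iam_role` as a replacement-forcing attribute and a non-null default would recreate every existing role; that reasoning deserves a line next to the attribute, e.g. `# null keeps the default path; changing path replaces the role`. It is also worth stating in the module docs that no permissions boundary is applied unless `iam_permissions_boundary` is set, because the boundary is the guardrail that lets a delegated administrator create this role safely. The opening of the `aws_iam_role "default"` block appears to precede the hunk.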
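Review bot: Neither new variable in the `variables.tf` hunk carries a `validation` block or a description that explains its format, so a path without the required leading and trailing slashes, or a boundary value that is not an ARN, only fails at apply time. I would expand the descriptions to `"Path of the IAM role; must begin and end with a forward slash. null keeps the IAM default path /."` and `"ARN of the IAM policy to use as the role's permissions boundary. null creates the role without a boundary."`, which also makes the generated README rows self-explanatory. If the module's required Terraform version supports variable `validation` blocks, a `can(regex("^/.*/$", ...))` condition on the path and an `arn:` prefix check on the boundary would move those failures to plan time; the condition must also accept `null`, since that is the default for both.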
@@ -230,6 +230,8 @@ Available targets: | [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no | | [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | | [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | +| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | +| [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | | [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 2701d90..05d6a9d 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -74,6 +74,8 @@ | [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no | | [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | | [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | +| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | +| [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | | [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no | From 8a4044a680d712414ff96c60d68ec0d0bbc481fb Mon Sep 17 00:00:00 2001 From: Gibby Date: Fri, 12 Nov 2021 14:14:00 -0500 Subject: [PATCH 3/6] Also need to support path for IAM policy --- main.tf | 4 ++-- variables.tf | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 3336b68..0fd0470 100644 --- a/main.tf +++ b/main.tf @@ -125,7 +125,7 @@ data "aws_iam_policy_document" "role" { resource "aws_iam_policy" "default" { count = module.this.enabled ? 1 : 0 name = module.this.id - path = "/service-role/" + path = var.iam_policy_path policy = data.aws_iam_policy_document.combined_permissions.json } @@ -134,7 +134,7 @@ resource "aws_iam_policy" "default_cache_bucket" { name = "${module.this.id}-cache-bucket" - path = "/service-role/" + path = var.iam_policy_path policy = join("", data.aws_iam_policy_document.permissions_cache_bucket.*.json) } diff --git a/variables.tf b/variables.tf index be1d0dc..3135e09 100644 --- a/variables.tf +++ b/variables.tf @@ -252,6 +252,12 @@ variable "iam_role_path" { description = "Path to the role." } +variable "iam_policy_path" { + type = string + default = "/service-role/" + description = "Path to the role." +} + variable "iam_permissions_boundary" { type = string default = null From 052d56b31f110ba537c7aeba51c968b8f0f7db0f Mon Sep 17 00:00:00 2001 
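Review bot: Both `main.tf` hunks in PATCH 3/6 swap the literal `/service-role/` for `var.iam_policy_path`, but nothing tells the operator that changing this value later recreates both policies — I believe the provider treats `path` on `aws_iam_policy` as replacement-forcing, and any attachment referencing the old policy ARN would have to be re-created as well. The `/service-role/` default keeps existing state unchanged, which is good; the trade-off belongs in the variable's description in the `variables.tf` hunk of the same patch, e.g. `description = "Path of the IAM policies; must begin and end with a forward slash. Changing it replaces the policies."`. Since `iam_policy_path` and `iam_role_path` are set independently, a short comment on one of these `path` lines noting that the role's path comes from `var.iam_role_path` would keep a reader from assuming they move together. The opening of the `default_cache_bucket` resource is outside the second hunk.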
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Fri, 12 Nov 2021 19:14:37 +0000 Subject: [PATCH 4/6] Auto Format --- README.md | 1 + docs/terraform.md | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index 29f27c6..d8983ea 100644 --- a/README.md +++ b/README.md @@ -231,6 +231,7 @@ Available targets: | [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | | [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | | [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | +| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the role. | `string` | `"/service-role/"` | no | | [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 05d6a9d..3265dac 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -75,6 +75,7 @@ | [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | | [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | | [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | +| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the role. | `string` | `"/service-role/"` | no | | [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | From 831b1a177ded1715bc35e65cfb35aa84712adef2 Mon Sep 17 00:00:00 2001 From: nitrocode Date: Wed, 17 Nov 2021 20:44:53 -0600 Subject: [PATCH 5/6] Update variables.tf --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 3135e09..bde07b3 100644 --- a/variables.tf +++ b/variables.tf @@ -255,7 +255,7 @@ variable "iam_role_path" { variable "iam_policy_path" { type = string default = "/service-role/" - description = "Path to the role." + description = "Path to the policy." } variable "iam_permissions_boundary" { From 4d944d701e8fa8755eb8f50c73379bb8cd9d94a8 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Thu, 18 Nov 2021 02:45:22 +0000 Subject: [PATCH 6/6] Auto Format --- README.md | 2 +- docs/terraform.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d8983ea..8a9425d 100644 --- a/README.md +++ b/README.md 
@@ -231,7 +231,7 @@ Available targets: | [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | | [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | | [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | -| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the role. | `string` | `"/service-role/"` | no | +| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no | | [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 3265dac..4b164f5 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -75,7 +75,7 @@ | [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | | [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | | [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | -| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the role. | `string` | `"/service-role/"` | no | +| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no | | [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no |