From a1a1644f8039f1b913e59ac4035970c9f505a808 Mon Sep 17 00:00:00 2001
From: Dylan Hellems
Date: Thu, 7 Feb 2019 10:38:16 -0500
Subject: [PATCH] Add optional permissions_boundary (#265)
* Add optional permissions_boundary
* Update CHANGELOG
---
 CHANGELOG.md | 1 +
 README.md | 1 +
 cluster.tf | 1 +
 variables.tf | 5 +++++
 workers.tf | 1 +
 5 files changed, 9 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 23aba08..5e3f651 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 ##### Added
+- Ability to specify a permissions_boundary for IAM roles (by @dylanhellems)
 - Ability to configure force_delete for the worker group ASG (by @stefansedich)
 - Ability to configure worker group ASG tags (by @stefansedich)
 - Added EBS optimized mapping for the g3s.xlarge instance type (by @stefansedich)
diff --git a/README.md b/README.md
index 291ece5..5d33836 100644
--- a/README.md
+++ b/README.md
@@ -130,6 +130,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | map\_roles\_count | The count of roles in the map_roles list. | string | `"0"` | no |
 | map\_users | Additional IAM users to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `[]` | no |
 | map\_users\_count | The count of roles in the map_users list. | string | `"0"` | no |
+| permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | string | `""` | no |
 | subnets | A list of subnets to place the EKS cluster and workers within. | list | n/a | yes |
 | tags | A map of tags to add to all resources. | map | `{}` | no |
 | vpc\_id | VPC where the cluster and workers will be deployed. | string | n/a | yes |
diff --git a/cluster.tf b/cluster.tf
index 9903882..604b004 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -52,6 +52,7 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" {
 resource "aws_iam_role" "cluster" {
 name_prefix = "${var.cluster_name}"
 assume_role_policy = "${data.aws_iam_policy_document.cluster_assume_role_policy.json}"
+ permissions_boundary = "${var.permissions_boundary}"
 force_detach_policies = true
 }
diff --git a/variables.tf b/variables.tf
index bf1bcaf..77d0f0a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -216,3 +216,8 @@ variable "worker_create_security_group" {
 description = "Whether to create a security group for the workers or attach the workers to `worker_security_group_id`."
 default = true
 }
+
+variable "permissions_boundary" {
+ description = "If provided, all IAM roles will be created with this permissions boundary attached."
+ default = ""
+}
diff --git a/workers.tf b/workers.tf
index af3d503..557ca76 100644
--- a/workers.tf
+++ b/workers.tf
@@ -114,6 +114,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster_https" {
 resource "aws_iam_role" "workers" {
 name_prefix = "${aws_eks_cluster.this.name}"
 assume_role_policy = "${data.aws_iam_policy_document.workers_assume_role_policy.json}"
+ permissions_boundary = "${var.permissions_boundary}"
 force_detach_policies = true
 }
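Review bot: `permissions_boundary = "${var.permissions_boundary}"` on the cluster role is set unconditionally from a variable whose default is the empty string, so the argument is always present even when no boundary is intended; it should be confirmed that the AWS provider treats `""` as "not set" for this argument rather than sending an empty policy ARN to the IAM API, and a one-line comment such as `# empty string means no boundary is attached` on the new line would record that assumption for maintainers. The same line is added to the workers role in the workers.tf hunk, so whatever is decided applies to both. The variable description promises that all IAM roles get the boundary, but only these two roles are touched in this patch; if the module creates any other role outside the hunks shown, it would be created without the boundary and the description would overstate the guarantee.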
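Review bot: The new `permissions_boundary` variable declares no `type`, while the README row added in the same commit documents it as `string`; adding `type = "string"` under the description would make the declaration match the documentation and reject non-string input at plan time. The description could also say what the value must be, since a permissions boundary is referenced by policy ARN: `description = "If provided, all IAM roles will be created with this permissions boundary attached. Must be the ARN of an IAM policy; an empty string leaves the roles without a boundary."`.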