diff --git a/README.md b/README.md
index c21e8bf..af4641f 100644
--- a/README.md
+++ b/README.md
@@ -310,6 +310,7 @@ Available targets:
 | [mixed\_instances\_policy](#input\_mixed\_instances\_policy) | policy to used mixed group of on demand/spot of differing types. Launch template is automatically generated. https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html#mixed_instances_policy-1 |
object({
instances_distribution = object({
on_demand_allocation_strategy = string
on_demand_base_capacity = number
on_demand_percentage_above_base_capacity = number
spot_allocation_strategy = string
spot_instance_pools = number
spot_max_price = string
})
override = list(object({
instance_type = string
weighted_capacity = number
}))
})
| `null` | no |
 | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [permissions\_boundary](#input\_permissions\_boundary) | Provide an existing permissions boundary to attach to the default role | `string` | `null` | no |
 | [placement](#input\_placement) | The placement specifications of the instances |
object({
affinity = string
availability_zone = string
group_name = string
host_id = string
tenancy = string
})
| `null` | no |
 | [placement\_group](#input\_placement\_group) | The name of the placement group into which you'll launch your instances, if any | `string` | `""` | no |
 | [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Allows setting instance protection. The autoscaling group will not select instances with this setting for terminination during scale in events | `bool` | `false` | no |
@@ -461,7 +462,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
 ## Copyright
-Copyright © 2017-2021 [Cloud Posse, LLC](https://cpco.io/copyright)
+Copyright © 2017-2022 [Cloud Posse, LLC](https://cpco.io/copyright)
diff --git a/docs/terraform.md b/docs/terraform.md
index b08c9ea..aff1fdf 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -102,6 +102,7 @@
 | [mixed\_instances\_policy](#input\_mixed\_instances\_policy) | policy to used mixed group of on demand/spot of differing types. Launch template is automatically generated. https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html#mixed_instances_policy-1 |
object({
instances_distribution = object({
on_demand_allocation_strategy = string
on_demand_base_capacity = number
on_demand_percentage_above_base_capacity = number
spot_allocation_strategy = string
spot_instance_pools = number
spot_max_price = string
})
override = list(object({
instance_type = string
weighted_capacity = number
}))
})
| `null` | no |
 | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [permissions\_boundary](#input\_permissions\_boundary) | Provide an existing permissions boundary to attach to the default role | `string` | `null` | no |
 | [placement](#input\_placement) | The placement specifications of the instances |
object({
affinity = string
availability_zone = string
group_name = string
host_id = string
tenancy = string
})
| `null` | no |
 | [placement\_group](#input\_placement\_group) | The name of the placement group into which you'll launch your instances, if any | `string` | `""` | no |
 | [protect\_from\_scale\_in](#input\_protect\_from\_scale\_in) | Allows setting instance protection. The autoscaling group will not select instances with this setting for terminination during scale in events | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index e350034..ce6c09d 100644
--- a/main.tf
+++ b/main.tf
@@ -34,10 +34,11 @@ data "aws_iam_policy_document" "assume_role" {
 }
 resource "aws_iam_role" "default" {
- count = local.enabled && var.use_existing_aws_iam_instance_profile == false ? 1 : 0
- name = module.label.id
- assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
- tags = module.label.tags
+ count = local.enabled && var.use_existing_aws_iam_instance_profile == false ? 1 : 0
+ name = module.label.id
+ assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
+ tags = module.label.tags
+ permissions_boundary = var.permissions_boundary
 }
 resource "aws_iam_role_policy_attachment" "amazon_eks_worker_node_policy" {
diff --git a/variables.tf b/variables.tf
index 19accb1..089629e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -413,6 +413,12 @@ variable "use_existing_aws_iam_instance_profile" {
 default = false
 }
+variable "permissions_boundary" {
+ type = string
+ description = "Provide an existing permissions boundary to attach to the default role"
+ default = null
+}
+
 variable "workers_role_policy_arns" {
 type = list(string)
 default = []
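Review bot: `permissions_boundary = var.permissions_boundary` is only ever applied to `aws_iam_role.default`, whose `count` is 0 whenever `use_existing_aws_iam_instance_profile` is true, so a caller that sets both gets no boundary and no warning; a comment on the new line such as `# Only constrains the role created here; has no effect when use_existing_aws_iam_instance_profile is true` would make that explicit, and the `permissions_boundary` variable description in the variables.tf hunk should say the same. A boundary also caps the effective permissions of whatever managed policies are attached to this role further down (`aws_iam_role_policy_attachment.amazon_eks_worker_node_policy` and any other attachments), so a boundary that does not cover what those policies grant will presumably surface as nodes failing to join the cluster rather than as a plan-time error, which is worth a sentence in the README. The `resource "aws_iam_role" "default"` block lies fully within the hunk; the attachment resource that follows continues outside it.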
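Review bot: The new `permissions_boundary` variable is typed as a bare `string` and its description does not say what value is expected; the `aws_iam_role` argument takes a policy ARN, so `description = "ARN of an existing IAM policy to use as the permissions boundary for the role this module creates; ignored when use_existing_aws_iam_instance_profile is true"` would stop callers from passing a policy name and document the interaction with the existing-profile switch. If the module's required Terraform version allows `validation` blocks, a `condition` of `var.permissions_boundary == null || can(regex("^arn:", var.permissions_boundary))` would turn a malformed value into a plan-time error instead of an apply-time IAM error. The same description text is repeated in the README.md and docs/terraform.md tables above, which appear to be generated and would need regenerating after the wording change.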