From b0f51fdbe5d75d87160b3341d1b81edb806f1ebf Mon Sep 17 00:00:00 2001
From: Ryan
Date: Tue, 22 Dec 2020 18:43:08 +0800
Subject: [PATCH] feat: Add permissions boundary to fargate execution IAM role (#1108)
---
 fargate.tf | 1 +
 modules/fargate/README.md | 1 +
 modules/fargate/fargate.tf | 11 ++++++-----
 modules/fargate/variables.tf | 6 ++++++
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/fargate.tf b/fargate.tf
index 6ba03cbd89..413c582a9c 100644
--- a/fargate.tf
+++ b/fargate.tf
@@ -5,6 +5,7 @@ module "fargate" {
   create_fargate_pod_execution_role = var.create_fargate_pod_execution_role
   fargate_pod_execution_role_name = var.fargate_pod_execution_role_name
   fargate_profiles = var.fargate_profiles
+  permissions_boundary = var.permissions_boundary
   iam_path = var.iam_path
   iam_policy_arn_prefix = local.policy_arn_prefix
   subnets = var.subnets
diff --git a/modules/fargate/README.md b/modules/fargate/README.md
index f22dbb0731..592ac2ee9e 100644
--- a/modules/fargate/README.md
+++ b/modules/fargate/README.md
@@ -38,6 +38,7 @@ No requirements.
 | fargate\_profiles | Fargate profiles to create. See `fargate_profile` keys section in README.md for more details | `any` | `{}` | no |
 | iam\_path | IAM roles will be created on this path. | `string` | `"/"` | no |
 | iam\_policy\_arn\_prefix | IAM policy prefix with the correct AWS partition. | `string` | n/a | yes |
+| permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
 | subnets | A list of subnets for the EKS Fargate profiles. | `list(string)` | `[]` | no |
 | tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
diff --git a/modules/fargate/fargate.tf b/modules/fargate/fargate.tf
index f3592ba27f..f618e47cbd 100644
--- a/modules/fargate/fargate.tf
+++ b/modules/fargate/fargate.tf
@@ -1,9 +1,10 @@
 resource "aws_iam_role" "eks_fargate_pod" {
-  count = local.create_eks && var.create_fargate_pod_execution_role ? 1 : 0
-  name_prefix = format("%s-fargate", var.cluster_name)
-  assume_role_policy = data.aws_iam_policy_document.eks_fargate_pod_assume_role[0].json
-  tags = var.tags
-  path = var.iam_path
+  count = local.create_eks && var.create_fargate_pod_execution_role ? 1 : 0
+  name_prefix = format("%s-fargate", var.cluster_name)
+  assume_role_policy = data.aws_iam_policy_document.eks_fargate_pod_assume_role[0].json
+  permissions_boundary = var.permissions_boundary
+  tags = var.tags
+  path = var.iam_path
 }
 
 resource "aws_iam_role_policy_attachment" "eks_fargate_pod" {
diff --git a/modules/fargate/variables.tf b/modules/fargate/variables.tf
index 745f13c462..acfd69bd96 100644
--- a/modules/fargate/variables.tf
+++ b/modules/fargate/variables.tf
@@ -38,6 +38,12 @@ variable "fargate_profiles" {
   default = {}
 }
 
+variable "permissions_boundary" {
+  description = "If provided, all IAM roles will be created with this permissions boundary attached."
+  type = string
+  default = null
+}
+
 variable "subnets" {
   description = "A list of subnets for the EKS Fargate profiles."
   type = list(string)
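Review bot: The new `permissions_boundary = var.permissions_boundary` argument caps the role's effective permissions to the intersection of the boundary and the attached policy, but nothing here checks that the boundary actually allows what the pod execution role needs; a boundary that omits those actions is accepted at plan and apply time and only shows up later as pods failing to pull images or write logs. That is how boundaries work, but it deserves a comment on the argument so operators do not chase it as an EKS fault: `# Boundary caps this role's effective permissions; it must itself allow the actions granted by the attached pod-execution policy, or pods fail at runtime.` The `aws_iam_role_policy_attachment.eks_fargate_pod` resource that attaches that policy starts on the last line of this hunk and continues outside it. Note also that the boundary is only applied to the role this resource creates (`count` is 0 when `create_fargate_pod_execution_role` is false), so a caller-supplied role is not covered by this setting.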
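Review bot: `variable "permissions_boundary"` accepts any string, so a policy name or a partial ARN passed by mistake is only rejected by the IAM API at apply time; if the module already targets Terraform 0.13 or later (I cannot tell from this hunk), a `validation` block catches it at plan time. The description also overstates what the module does: it creates a single role, and only when `create_fargate_pod_execution_role` is true, so I would word it `"ARN of an IAM policy to set as the permissions boundary on the pod execution role this module creates; ignored when the role is supplied by the caller."`. The pattern below keeps the partition open so `aws-cn`/`aws-us-gov` ARNs and AWS-managed policies (`iam::aws:policy/…`) still pass.
```hcl
variable "permissions_boundary" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.permissions_boundary == null || can(regex("^arn:[^:]+:iam::[^:]*:policy/", var.permissions_boundary))
    error_message = "permissions_boundary must be null or a full IAM policy ARN (arn:<partition>:iam::<account>:policy/<name>)."
  }
}
```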