Commit d62678bc authored by Piotr Pieprzycki's avatar Piotr Pieprzycki Committed by Anton Babenko

Permission boundary (#16)

parent 8b04e3e3
......@@ -13,6 +13,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| admin_role_name | IAM role with admin access | string | `admin` | no |
| admin_role_path | Path of admin IAM role | string | `/` | no |
| admin_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/AdministratorAccess` | no |
| admin_role_permissions_boundary_arn | Policy ARN to use for admin permission boundary | string | `` | no |
| admin_role_requires_mfa | Whether admin role requires MFA | string | `true` | no |
| create_admin_role | Whether to create admin role | string | `false` | no |
| create_poweruser_role | Whether to create poweruser role | string | `false` | no |
......@@ -21,11 +22,13 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| mfa_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `86400` | no |
| poweruser_role_name | IAM role with poweruser access | string | `poweruser` | no |
| poweruser_role_path | Path of poweruser IAM role | string | `/` | no |
| poweruser_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/PowerUserAccess` | no |
| poweruser_role_policy_arn | Policy ARN to use for poweruser role | string | `arn:aws:iam::aws:policy/PowerUserAccess` | no |
| poweruser_role_permissions_boundary_arn | Policy ARN to use for poweruser permission boundary | string | `` | no |
| poweruser_role_requires_mfa | Whether poweruser role requires MFA | string | `true` | no |
| readonly_role_name | IAM role with readonly access | string | `readonly` | no |
| readonly_role_path | Path of readonly IAM role | string | `/` | no |
| readonly_role_policy_arn | Policy ARN to use for readonly role | string | `arn:aws:iam::aws:policy/ReadOnlyAccess` | no |
| readonly_role_permissions_boundary_arn | Policy ARN to use for readonly permission boundary | string | `` | no |
| readonly_role_requires_mfa | Whether readonly role requires MFA | string | `true` | no |
| trusted_role_arns | ARNs of AWS entities who can assume these roles | string | `<list>` | no |
......
......@@ -44,6 +44,8 @@ resource "aws_iam_role" "admin" {
path = "${var.admin_role_path}"
max_session_duration = "${var.max_session_duration}"
permissions_boundary = "${var.admin_role_permissions_boundary_arn}"
assume_role_policy = "${var.admin_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
}
......@@ -69,6 +71,8 @@ resource "aws_iam_role" "poweruser" {
path = "${var.poweruser_role_path}"
max_session_duration = "${var.max_session_duration}"
permissions_boundary = "${var.poweruser_role_permissions_boundary_arn}"
assume_role_policy = "${var.poweruser_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
}
......@@ -87,5 +91,7 @@ resource "aws_iam_role" "readonly" {
path = "${var.readonly_role_path}"
max_session_duration = "${var.max_session_duration}"
permissions_boundary = "${var.readonly_role_permissions_boundary_arn}"
assume_role_policy = "${var.readonly_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
}
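Review bot: The boundary added to `aws_iam_role.admin` only holds if the role's own policy cannot undo it, and `admin_role_policy_arn` defaults to `AdministratorAccess` (visible in the README hunk), which includes `iam:DeleteRolePermissionsBoundary` and `iam:PutRolePermissionsBoundary` — so a session of that role can strip or swap its own boundary unless the boundary policy itself, or an SCP, explicitly denies those actions on the role. That caveat belongs next to the new line in each role block, e.g. `# A boundary only caps this role; to be a real cap it must deny iam:*RolePermissionsBoundary on this role (or an SCP must), otherwise a session can remove it.` The poweruser role is presumably less exposed since `PowerUserAccess` denies most `iam:*` actions, but that is inferred from the default ARN, not shown here. Each `resource "aws_iam_role"` block begins above its hunk.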
......@@ -34,6 +34,11 @@ variable "admin_role_policy_arn" {
default = "arn:aws:iam::aws:policy/AdministratorAccess"
}
variable "admin_role_permissions_boundary_arn" {
description = "Permissions boundary ARN to use for admin role"
default = ""
}
# Poweruser
variable "create_poweruser_role" {
description = "Whether to create poweruser role"
......@@ -60,6 +65,11 @@ variable "poweruser_role_policy_arn" {
default = "arn:aws:iam::aws:policy/PowerUserAccess"
}
variable "poweruser_role_permissions_boundary_arn" {
description = "Permissions boundary ARN to use for admin role"
default = ""
}
# Readonly
variable "create_readonly_role" {
description = "Whether to create readonly role"
......@@ -86,6 +96,11 @@ variable "readonly_role_policy_arn" {
default = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
variable "readonly_role_permissions_boundary_arn" {
description = "Permissions boundary ARN to use for admin role"
default = ""
}
variable "max_session_duration" {
description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
default = 3600
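Review bot: The descriptions on `poweruser_role_permissions_boundary_arn` and `readonly_role_permissions_boundary_arn` both read "Permissions boundary ARN to use for admin role", a copy-paste from the admin variable, while the README rows in the same commit correctly say poweruser and readonly. Change them to `description = "Permissions boundary ARN to use for poweruser role"` and `description = "Permissions boundary ARN to use for readonly role"`. If the README table is generated from these descriptions, the mismatch would otherwise resurface on the next regeneration.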
......
......@@ -32,6 +32,7 @@ This module outputs commands and PGP messages which can be decrypted either usin
| password_length | The length of the generated password | string | `20` | no |
| password_reset_required | Whether the user should be forced to reset the generated password on first login. | string | `true` | no |
| path | Desired path for the IAM user | string | `/` | no |
| permissions_boundary | The policy that is used to set the permissions boundary for the user | string | `` | no |
| pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `` | no |
| ssh_key_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `SSH` | no |
| ssh_public_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `` | no |
......
......@@ -4,6 +4,7 @@ resource "aws_iam_user" "this" {
name = "${var.name}"
path = "${var.path}"
force_destroy = "${var.force_destroy}"
permissions_boundary = "${var.permissions_boundary}"
}
resource "aws_iam_user_login_profile" "this" {
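Review bot: A boundary on the user caps only the user's own permissions, not the sessions of any role the user goes on to assume — once `sts:AssumeRole` is permitted, the assumed role's effective permissions come from that role's policies and its own boundary. Callers who pass `permissions_boundary` as a hard cap should be told that on the new line, e.g. `# Caps this user's own permissions only; roles it assumes are bounded by their own boundary, not this one.` The `aws_iam_user` block's opening line is the hunk's header context, so its start is outside the hunk.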
......
......@@ -56,3 +56,8 @@ variable "ssh_public_key" {
description = "The SSH public key. The public key must be encoded in ssh-rsa format or PEM format"
default = ""
}
variable "permissions_boundary" {
description = "The ARN of the policy that is used to set the permissions boundary for the user."
default = ""
}
\ No newline at end of file
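Review bot: The file now ends without a trailing newline (the `\ No newline at end of file` marker sits on the closing `}` of the new `permissions_boundary` variable); add one so `terraform fmt` and later diffs stay clean. The description here, "The ARN of the policy that is used to set the permissions boundary for the user.", is the accurate wording since the value is interpolated directly into `permissions_boundary`, which takes an ARN; the README row added in the same commit drops "ARN of" and should be aligned with it. Minor style point: this is the only variable in the hunk whose description ends with a period, `ssh_public_key` just above does not.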