feat: add option to attach a permissions boundary

quentin-laplanche · quentin-laplanche · commit 51e23ee9e954 · 2024-08-14T10:41:02.000+02:00
diff --git a/modules/services/cloud-bench/README.md b/modules/services/cloud-bench/README.md
@@ -55,6 +55,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_is_organizational"></a> [is\_organizational](#input\_is\_organizational) | true/false whether secure-for-cloud should be deployed in an organizational setup (all accounts of org) or not (only on default aws provider account) | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the IAM Role that will be created. | `string` | `"sfc-cloudbench"` | no |
+| <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | ARN of a permissions boundary policy to attach to the cloudbench role | `string` | `null` | no |
 | <a name="input_provision_caller_account"></a> [provision\_caller\_account](#input\_provision\_caller\_account) | true/false whether to provision the aws provider account (if is\_organizational=true management account, if is\_organizational=false it will depend on the provider setup on the caller module | `bool` | `true` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default region for resource creation in organization mode | `string` | `"eu-central-1"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | customization of tags to be assigned to all resources. <br/>always include 'product' default tag for resource-group proper functioning.<br/>can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
diff --git a/modules/services/cloud-bench/main.tf b/modules/services/cloud-bench/main.tf
@@ -69,9 +69,10 @@ data "aws_iam_policy_document" "trust_relationship" {
 resource "aws_iam_role" "cloudbench_role" {
   count = var.is_organizational && !var.provision_caller_account ? 0 : 1
 
-  name               = var.name
-  assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
-  tags               = var.tags
+  name                 = var.name
+  assume_role_policy   = data.aws_iam_policy_document.trust_relationship.json
+  tags                 = var.tags
+  permissions_boundary = var.permissions_boundary_arn
 }
 
 
diff --git a/modules/services/cloud-bench/variables.tf b/modules/services/cloud-bench/variables.tf
@@ -34,3 +34,9 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+variable "permissions_boundary_arn" {
+  type        = string
+  description = "ARN of a permissions boundary policy to attach to the cloudbench role"
+  default     = null
+}

Original file line number	Diff line number	Diff line change
`@@ -34,3 +34,9 @@ variable "tags" {`
`34`	`34`	`"product" = "sysdig-secure-for-cloud"`
`35`	`35`	`}`
`36`	`36`	`}`
	`37`	`+`
	`38`	`+variable "permissions_boundary_arn" {`
	`39`	`+ type = string`
	`40`	`+ description = "ARN of a permissions boundary policy to attach to the cloudbench role"`
	`41`	`+ default = null`
	`42`	`+}`