feat: add option to attach a permissions boundary

quentin-laplanche · quentin-laplanche · commit 92a76c2e8a51 · 2024-08-14T10:27:57.000+02:00
It is now possible to attach a permissions boundary to
the cloudbench role.
diff --git a/modules/services/cloud-bench/main.tf b/modules/services/cloud-bench/main.tf
@@ -69,9 +69,10 @@ data "aws_iam_policy_document" "trust_relationship" {
 resource "aws_iam_role" "cloudbench_role" {
   count = var.is_organizational && !var.provision_caller_account ? 0 : 1
 
-  name               = var.name
-  assume_role_policy = data.aws_iam_policy_document.trust_relationship.json
-  tags               = var.tags
+  name                 = var.name
+  assume_role_policy   = data.aws_iam_policy_document.trust_relationship.json
+  tags                 = var.tags
+  permissions_boundary = var.permissions_boundary_arn
 }
 
 
diff --git a/modules/services/cloud-bench/variables.tf b/modules/services/cloud-bench/variables.tf
@@ -34,3 +34,9 @@ variable "tags" {
     "product" = "sysdig-secure-for-cloud"
   }
 }
+
+variable "permissions_boundary_arn" {
+  type        = string
+  description = "ARN of a permissions boundary policy to attach to the cloudbench role"
+  default     = null
+}

Original file line number	Diff line number	Diff line change
`@@ -34,3 +34,9 @@ variable "tags" {`
`34`	`34`	`"product" = "sysdig-secure-for-cloud"`
`35`	`35`	`}`
`36`	`36`	`}`
	`37`	`+`
	`38`	`+variable "permissions_boundary_arn" {`
	`39`	`+ type = string`
	`40`	`+ description = "ARN of a permissions boundary policy to attach to the cloudbench role"`
	`41`	`+ default = null`
	`42`	`+}`