expose param to set permissions boundary on roles (#761)

infra/examples-dev/aws-all/main.tf

@@ -126,6 +126,7 @@ module "psoxy" {
   aws_ssm_key_id                       = var.project_aws_kms_key_arn
   use_api_gateway_v2                   = var.use_api_gateway_v2
   aws_lambda_execution_role_policy_arn = var.aws_lambda_execution_role_policy_arn
+  iam_roles_permissions_boundary       = var.iam_roles_permissions_boundary
   secrets_store_implementation         = var.secrets_store_implementation
   bulk_sanitized_expiration_days       = var.bulk_sanitized_expiration_days
   bulk_input_expiration_days           = var.bulk_input_expiration_days

infra/examples-dev/aws-all/variables.tf

@@ -36,6 +36,12 @@ variable "aws_region" {
   default     = "us-east-1"
 }
 
+variable "iam_roles_permissions_boundary" {
+  type        = string
+  description = "*beta* ARN of the permissions boundary to attach to IAM roles created by this module."
+  default     = null
+}
+
 variable "default_tags" {
   type        = map(string)
   description = "Tags to apply to all resources created by this configuration. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags for more info."

infra/modules/aws-host/main.tf

@@ -42,6 +42,7 @@ module "psoxy" {
   api_function_name_prefix       = "${lower(module.env_id.id)}-"
   use_api_gateway_v2             = local.use_api_gateway_v2
   logs_kms_key_arn               = var.logs_kms_key_arn
+  iam_roles_permissions_boundary = var.iam_roles_permissions_boundary
 }
 
 
@@ -138,6 +139,7 @@ module "api_connector" {
   vpc_config                            = var.vpc_config
   api_gateway_v2                        = module.psoxy.api_gateway_v2
   aws_lambda_execution_role_policy_arn  = var.aws_lambda_execution_role_policy_arn
+  iam_roles_permissions_boundary        = var.iam_roles_permissions_boundary
   todos_as_local_files                  = var.todos_as_local_files
   todo_step                             = var.todo_step
 
@@ -198,6 +200,7 @@ module "bulk_connector" {
   vpc_config                           = var.vpc_config
   aws_lambda_execution_role_policy_arn = var.aws_lambda_execution_role_policy_arn
   provision_bucket_public_access_block = var.provision_bucket_public_access_block
+  iam_roles_permissions_boundary       = var.iam_roles_permissions_boundary
   todos_as_local_files                 = var.todos_as_local_files
 
 

infra/modules/aws-host/variables.tf

@@ -61,6 +61,11 @@ variable "aws_lambda_execution_role_policy_arn" {
   default     = null
 }
 
+variable "iam_roles_permissions_boundary" {
+  type        = string
+  description = "*beta* ARN of the permissions boundary to attach to IAM roles created by this module."
+  default     = null
+}
 
 variable "caller_gcp_service_account_ids" {
   type        = list(string)

infra/modules/aws-psoxy-bulk-existing/main.tf

@@ -22,6 +22,8 @@ module "psoxy_lambda" {
   vpc_config                           = var.vpc_config
   secrets_store_implementation         = var.secrets_store_implementation
   aws_lambda_execution_role_policy_arn = var.aws_lambda_execution_role_policy_arn
+  iam_roles_permissions_boundary       = var.iam_roles_permissions_boundary
+
 
   environment_variables = merge(
     var.environment_variables,

infra/modules/aws-psoxy-bulk-existing/variables.tf

@@ -152,6 +152,12 @@ variable "memory_size_mb" {
   default     = 512
 }
 
+variable "iam_roles_permissions_boundary" {
+  type        = string
+  description = "*beta* ARN of the permissions boundary to attach to IAM roles created by this module."
+  default     = null
+}
+
 variable "vpc_config" {
   type = object({
     # ipv6_allowed_for_dual_stack = optional(bool, false)

infra/modules/aws-psoxy-bulk/main.tf

@@ -46,6 +46,7 @@ module "psoxy_lambda" {
   log_retention_in_days                = var.log_retention_days
   vpc_config                           = var.vpc_config
   aws_lambda_execution_role_policy_arn = var.aws_lambda_execution_role_policy_arn
+  iam_roles_permissions_boundary       = var.iam_roles_permissions_boundary
 
   environment_variables = merge(
     var.environment_variables,

infra/modules/aws-psoxy-bulk/variables.tf

@@ -83,6 +83,12 @@ variable "aws_lambda_execution_role_policy_arn" {
   default     = null
 }
 
+variable "iam_roles_permissions_boundary" {
+  type        = string
+  description = "*beta* ARN of the permissions boundary to attach to IAM roles created by this module."
+  default     = null
+}
+
 variable "log_retention_days" {
   type        = number
   description = "number of days to retain logs in CloudWatch for this psoxy instance"

infra/modules/aws-psoxy-lambda/main.tf

@@ -119,6 +119,8 @@ resource "aws_iam_role" "iam_for_lambda" {
     ]
   })
 
+  permissions_boundary = var.iam_roles_permissions_boundary
+
   lifecycle {
     ignore_changes = [
       tags

infra/modules/aws-psoxy-lambda/variables.tf

@@ -141,6 +141,11 @@ variable "global_secrets_manager_secret_arns" {
   default     = {}
 }
 
+variable "iam_roles_permissions_boundary" {
+  type        = string
+  description = "*beta* ARN of the permissions boundary to attach to IAM roles created by this module."
+  default     = null
+}
 
 # TODO: remove after v0.4.x
 variable "function_parameters" {

infra/modules/aws-psoxy-rest/main.tf

@@ -56,6 +56,8 @@ module "psoxy_lambda" {
   vpc_config                           = var.vpc_config
   secrets_store_implementation         = var.secrets_store_implementation
   aws_lambda_execution_role_policy_arn = var.aws_lambda_execution_role_policy_arn
+  iam_roles_permissions_boundary       = var.iam_roles_permissions_boundary
+
 
   environment_variables = merge(
     var.environment_variables,

infra/modules/aws-psoxy-rest/variables.tf

@@ -63,6 +63,12 @@ variable "ssm_kms_key_ids" {
   default     = {}
 }
 
+variable "iam_roles_permissions_boundary" {
+  type        = string
+  description = "*beta* ARN of the permissions boundary to attach to IAM roles created by this module."
+  default     = null
+}
+
 variable "log_retention_days" {
   type        = number
   description = "number of days to retain logs in CloudWatch for this psoxy instance"

infra/modules/aws/main.tf

@@ -45,8 +45,9 @@ data "aws_region" "current" {}
 
 # role that Worklytics user will use to call the API
 resource "aws_iam_role" "api-caller" {
-  name        = "${var.deployment_id}Caller"
-  description = "role for AWS principals that may invoke the psoxy instance or read an instance's output"
+  name                 = "${var.deployment_id}Caller"
+  description          = "role for AWS principals that may invoke the psoxy instance or read an instance's output"
+  permissions_boundary = var.iam_roles_permissions_boundary
 
   # who can assume this role
   assume_role_policy = jsonencode({
@@ -67,6 +68,8 @@ resource "aws_iam_role" "api-caller" {
     )
   })
 
+
+
   lifecycle {
     ignore_changes = [
       tags

infra/modules/aws/variables.tf

@@ -111,3 +111,9 @@ variable "logs_kms_key_arn" {
   description = "AWS KMS key ARN to use to encrypt lambdas' logs. NOTE: ensure CloudWatch is setup to use this key (cloudwatch principal has perms, log group in same region as key, etc) - see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html ."
   default     = null
 }
+
+variable "iam_roles_permissions_boundary" {
+  type        = string
+  description = "*beta* ARN of the permissions boundary to attach to IAM roles created by this module."
+  default     = null
+}