
feat: Add permissions boundary for IAM role #104

Conversation

edersonbrilhante
Contributor

@edersonbrilhante edersonbrilhante commented Feb 10, 2020

Description
This PR will close issue #115, allowing the "aws_iam_role" "rds_enhanced_monitoring" resource to be created when AWS is set to require a permissions boundary on IAM role creation.

Motivation and Context
In my case, in my AWS account I am using a permissions boundary to avoid creating a new role with bigger permissions, so any new role must set this boundary.
To create the resource aws_iam_role.rds_enhanced_monitoring, it is necessary to set the permissions boundary.

Breaking Changes
None

@edersonbrilhante
Contributor Author

Hey team.
Can you check if this PR makes sense?
I updated it with the latest changes from master.

@bobbydeveaux

Awesome @edersonbrilhante - using this now!!

@zephinzer

zephinzer commented Jun 2, 2020

Bump, having the same use case! Btw I think it would be better if the purpose of the permission_boundary was better indicated for the consumer, eg. iam_enhanced_monitoring_permission_boundary.

@edersonbrilhante
Contributor Author

@zephinzer I think it is a good idea. I can change, but I would like more feedback before changing.

@david-wells-1

@edersonbrilhante personally I would keep the code as is - but you could add more detail or a link in the Readme if you want to better explain the purpose of the permission boundary. The permission boundary isn't actually for enhanced_monitoring.

@zephinzer

zephinzer commented Jun 10, 2020

@david-wells-1 it seems it's for the iam user created for the enhanced_monitoring (we're currently maintaining our own fork for this feature, would be good to have this in the main module because it seems like enterprises that are on AWS tend to impose a permissions boundary as a form of control over subaccounts)

```hcl
variable "permissions_boundary" {
  description = "The ARN of the policy that is used to set the permissions boundary for the role."
  type        = string
  default     = null
}
```
Member

I believe the default value should be null for people who don't want to enforce any permissions_boundary. I have updated it.
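The following is an added example, not code from the module or from anyone in this thread. It ties together the two halves of the discussion: the account-side guardrail the PR author describes (role creation is denied unless a specific boundary is attached) and the module-side variable with a null default that the reviewer settled on. The account id and policy name in local.boundary_arn are constructed placeholders, and the resource names are hypothetical; only the `permissions_boundary` argument, the `iam:PermissionsBoundary` condition key, the `monitoring.rds.amazonaws.com` principal and the AmazonRDSEnhancedMonitoringRole managed policy are real AWS identifiers.

```hcl
# Added example, not the module's own code. The account id and policy name
# below are constructed placeholders; replace them with a real boundary policy.
locals {
  boundary_arn = "arn:aws:iam::123456789012:policy/example-permissions-boundary"
}

# 1. Account-side guardrail, the situation the PR author describes: deny
#    creating a role unless it is created with the expected boundary, and
#    deny stripping the boundary afterwards. Attach this policy to the
#    principal that Terraform runs as. Because StringNotEquals is a negated
#    operator, it also matches when the request carries no boundary at all,
#    so a plain iam:CreateRole without a boundary is denied.
data "aws_iam_policy_document" "require_boundary" {
  statement {
    sid       = "DenyCreateRoleWithoutBoundary"
    effect    = "Deny"
    actions   = ["iam:CreateRole", "iam:PutRolePermissionsBoundary"]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "iam:PermissionsBoundary"
      values   = [local.boundary_arn]
    }
  }
  statement {
    sid       = "DenyBoundaryRemoval"
    effect    = "Deny"
    actions   = ["iam:DeleteRolePermissionsBoundary"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "require_boundary" {
  name   = "require-permissions-boundary"
  policy = data.aws_iam_policy_document.require_boundary.json
}

# 2. Module-side wiring, what the merged change adds: an optional variable
#    that defaults to null. Terraform treats a null argument as omitted, so
#    callers in accounts without a boundary requirement get a role with no
#    boundary attached and nothing else changes for them.
variable "permissions_boundary" {
  description = "The ARN of the policy that is used to set the permissions boundary for the role."
  type        = string
  default     = null
}

data "aws_iam_policy_document" "monitoring_rds_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "rds_enhanced_monitoring" {
  name_prefix          = "rds-enhanced-monitoring-"
  assume_role_policy   = data.aws_iam_policy_document.monitoring_rds_assume_role.json
  permissions_boundary = var.permissions_boundary
}

resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
  role       = aws_iam_role.rds_enhanced_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}
```

In an account where the guardrail policy is attached to the Terraform principal, `terraform apply` without `-var "permissions_boundary=<boundary ARN>"` fails on `iam:CreateRole` with an AccessDenied error, which is exactly the symptom that motivated the PR; passing the boundary ARN makes the role creation succeed while the boundary still caps what the role can ever be granted.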

@antonbabenko antonbabenko changed the title Add permissions boundary aws iam role feat: Add permissions boundary for IAM role Jun 10, 2020
@antonbabenko antonbabenko merged commit 2363d43 into terraform-aws-modules:master Jun 10, 2020
@antonbabenko
Member

Thanks, everyone!

v2.18.0 has been released.

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 15, 2023