feat: Add support for permissions boundary on enhanced monitoring role (

#483)

README.md

@@ -290,6 +290,7 @@ Users have the ability to:
 | <a name="input_monitoring_role_arn"></a> [monitoring\_role\_arn](#input\_monitoring\_role\_arn) | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring\_interval is non-zero | `string` | `null` | no |
 | <a name="input_monitoring_role_description"></a> [monitoring\_role\_description](#input\_monitoring\_role\_description) | Description of the monitoring IAM role | `string` | `null` | no |
 | <a name="input_monitoring_role_name"></a> [monitoring\_role\_name](#input\_monitoring\_role\_name) | Name of the IAM role which will be created when create\_monitoring\_role is enabled | `string` | `"rds-monitoring-role"` | no |
+| <a name="input_monitoring_role_permissions_boundary"></a> [monitoring\_role\_permissions\_boundary](#input\_monitoring\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the monitoring IAM role | `string` | `null` | no |
 | <a name="input_monitoring_role_use_name_prefix"></a> [monitoring\_role\_use\_name\_prefix](#input\_monitoring\_role\_use\_name\_prefix) | Determines whether to use `monitoring_role_name` as is or create a unique identifier beginning with `monitoring_role_name` as the specified prefix | `bool` | `false` | no |
 | <a name="input_multi_az"></a> [multi\_az](#input\_multi\_az) | Specifies if the RDS instance is multi-AZ | `bool` | `false` | no |
 | <a name="input_network_type"></a> [network\_type](#input\_network\_type) | The type of network stack to use | `string` | `null` | no |

main.tf

@@ -119,17 +119,18 @@ module "db_instance" {
   performance_insights_retention_period = var.performance_insights_retention_period
   performance_insights_kms_key_id       = var.performance_insights_enabled ? var.performance_insights_kms_key_id : null
 
-  replicate_source_db             = var.replicate_source_db
-  replica_mode                    = var.replica_mode
-  backup_retention_period         = var.backup_retention_period
-  backup_window                   = var.backup_window
-  max_allocated_storage           = var.max_allocated_storage
-  monitoring_interval             = var.monitoring_interval
-  monitoring_role_arn             = var.monitoring_role_arn
-  monitoring_role_name            = var.monitoring_role_name
-  monitoring_role_use_name_prefix = var.monitoring_role_use_name_prefix
-  monitoring_role_description     = var.monitoring_role_description
-  create_monitoring_role          = var.create_monitoring_role
+  replicate_source_db                  = var.replicate_source_db
+  replica_mode                         = var.replica_mode
+  backup_retention_period              = var.backup_retention_period
+  backup_window                        = var.backup_window
+  max_allocated_storage                = var.max_allocated_storage
+  monitoring_interval                  = var.monitoring_interval
+  monitoring_role_arn                  = var.monitoring_role_arn
+  monitoring_role_name                 = var.monitoring_role_name
+  monitoring_role_use_name_prefix      = var.monitoring_role_use_name_prefix
+  monitoring_role_description          = var.monitoring_role_description
+  create_monitoring_role               = var.create_monitoring_role
+  monitoring_role_permissions_boundary = var.monitoring_role_permissions_boundary
 
   character_set_name = var.character_set_name
   timezone           = var.timezone

variables.tf

@@ -217,6 +217,12 @@ variable "create_monitoring_role" {
   default     = false
 }
 
+variable "monitoring_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the monitoring IAM role"
+  type        = string
+  default     = null
+}
+
 variable "allow_major_version_upgrade" {
   description = "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible"
   type        = bool