feat: changing the boundary parameter to a name rather than full arn

gambol99 · gambol99 · commit 97e843562d32 · 2024-03-29T12:40:33.000Z
diff --git a/examples/role/main.tf b/examples/role/main.tf
@@ -13,7 +13,7 @@ module "common_provider_example" {
   repository = "appvia/something"
 
   // Set the permission boundary for both the read-only and read-write role
-  permission_boundary_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+  permission_boundary = "AdministratorAccess"
 
   // List of policy ARNs to attach to the read-only role
   read_only_policy_arns = [
diff --git a/modules/role/data.tf b/modules/role/data.tf
@@ -1,2 +1,5 @@
+
+## Retrieve the current AWS account identity 
 data "aws_caller_identity" "current" {}
+## Retrieve the current AWS region
 data "aws_region" "current" {}
diff --git a/modules/role/locals.tf b/modules/role/locals.tf
@@ -24,6 +24,8 @@ locals {
       subject_tag_mapping    = "project_path:{repo}:ref_type:{type}:ref:{ref}"
     }
   }
+  # The full ARN of the permission boundary to attach to the role
+  permission_boundary_arn = format("arn:aws:iam::%s:policy/%s", data.aws_caller_identity.current.account_id, var.permission_boundary)
 }
 
 locals {
diff --git a/modules/role/main.tf b/modules/role/main.tf
@@ -44,7 +44,7 @@ resource "aws_iam_role" "ro" {
 
   force_detach_policies = var.force_detach_policies
   max_session_duration  = var.read_only_max_session_duration
-  permissions_boundary  = var.permission_boundary_arn
+  permissions_boundary  = local.permission_boundary_arn
 
   dynamic "inline_policy" {
     for_each = var.read_only_inline_policies
@@ -119,7 +119,7 @@ resource "aws_iam_role" "rw" {
 
   force_detach_policies = var.force_detach_policies
   max_session_duration  = var.read_write_max_session_duration
-  permissions_boundary  = var.permission_boundary_arn
+  permissions_boundary  = local.permission_boundary_arn
 
   dynamic "inline_policy" {
     for_each = var.read_write_inline_policies
diff --git a/modules/role/variables.tf b/modules/role/variables.tf
@@ -104,14 +104,12 @@ variable "force_detach_policies" {
   description = "Flag to force detachment of policies attached to the IAM role."
 }
 
-variable "permission_boundary_arn" {
+variable "permission_boundary" {
   type        = string
-  default     = null
-  description = "The ARN of the policy that is used to set the permissions boundary for the IAM role"
+  description = "The name of the policy that is used to set the permissions boundary for the IAM role"
 }
 
 variable "tags" {
   type        = map(string)
-  default     = {}
   description = "Tags to apply resoures created by this module"
 }

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ locals {`
`24`	`24`	`subject_tag_mapping = "project_path:{repo}:ref_type:{type}:ref:{ref}"`
`25`	`25`	`}`
`26`	`26`	`}`
	`27`	`+ # The full ARN of the permission boundary to attach to the role`
	`28`	`+ permission_boundary_arn = format("arn:aws:iam::%s:policy/%s", data.aws_caller_identity.current.account_id, var.permission_boundary)`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`locals {`
Original file line number	Diff line number	Diff line change
`@@ -104,14 +104,12 @@ variable "force_detach_policies" {`
`104`	`104`	`description = "Flag to force detachment of policies attached to the IAM role."`
`105`	`105`	`}`
`106`	`106`
`107`		`-variable "permission_boundary_arn" {`
	`107`	`+variable "permission_boundary" {`
`108`	`108`	`type = string`
`109`		`- default = null`
`110`		`- description = "The ARN of the policy that is used to set the permissions boundary for the IAM role"`
	`109`	`+ description = "The name of the policy that is used to set the permissions boundary for the IAM role"`
`111`	`110`	`}`
`112`	`111`
`113`	`112`	`variable "tags" {`
`114`	`113`	`type = map(string)`
`115`		`- default = {}`
`116`	`114`	`description = "Tags to apply resoures created by this module"`
`117`	`115`	`}`