Adding support for permission boundary for IAM Role creation (#31)

Author: gthomson31

README.md

@@ -56,7 +56,7 @@ In order to run all checks at any point run the following command:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.32.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.31.0 |
 
 ## Modules
 
@@ -77,28 +77,29 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_ecs_cluster_arn"></a> [ecs\_cluster\_arn](#input\_ecs\_cluster\_arn) | The ECS Cluster where the scheduled task will run. | `any` | n/a | yes |
-| <a name="input_ecs_execution_task_role_arn"></a> [ecs\_execution\_task\_role\_arn](#input\_ecs\_execution\_task\_role\_arn) | (Required) The task definition execution role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `any` | n/a | yes |
-| <a name="input_ecs_task_role_arn"></a> [ecs\_task\_role\_arn](#input\_ecs\_task\_role\_arn) | (Optional) The task definition role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `any` | `null` | no |
-| <a name="input_event_rule_description"></a> [event\_rule\_description](#input\_event\_rule\_description) | (Optional) The description of the rule. | `any` | `null` | no |
-| <a name="input_event_rule_event_bus_name"></a> [event\_rule\_event\_bus\_name](#input\_event\_rule\_event\_bus\_name) | (Optional) The event bus to associate with this rule. If you omit this, the default event bus is used. | `any` | `null` | no |
-| <a name="input_event_rule_event_pattern"></a> [event\_rule\_event\_pattern](#input\_event\_rule\_event\_pattern) | (Optional) The event pattern described a JSON object. At least one of schedule\_expression or event\_pattern is required. | `any` | `null` | no |
+| <a name="input_ecs_cluster_arn"></a> [ecs\_cluster\_arn](#input\_ecs\_cluster\_arn) | The ECS Cluster where the scheduled task will run. | `string` | n/a | yes |
+| <a name="input_ecs_execution_task_role_arn"></a> [ecs\_execution\_task\_role\_arn](#input\_ecs\_execution\_task\_role\_arn) | (Required) The task definition execution role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `string` | n/a | yes |
+| <a name="input_ecs_task_role_arn"></a> [ecs\_task\_role\_arn](#input\_ecs\_task\_role\_arn) | (Optional) The task definition role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `string` | `null` | no |
+| <a name="input_event_rule_description"></a> [event\_rule\_description](#input\_event\_rule\_description) | (Optional) The description of the rule. | `string` | `null` | no |
+| <a name="input_event_rule_event_bus_name"></a> [event\_rule\_event\_bus\_name](#input\_event\_rule\_event\_bus\_name) | (Optional) The event bus to associate with this rule. If you omit this, the default event bus is used. | `string` | `null` | no |
+| <a name="input_event_rule_event_pattern"></a> [event\_rule\_event\_pattern](#input\_event\_rule\_event\_pattern) | (Optional) The event pattern described a JSON object. At least one of schedule\_expression or event\_pattern is required. | `string` | `null` | no |
 | <a name="input_event_rule_is_enabled"></a> [event\_rule\_is\_enabled](#input\_event\_rule\_is\_enabled) | (Optional) Whether the rule should be enabled (defaults to true). | `bool` | `true` | no |
-| <a name="input_event_rule_name"></a> [event\_rule\_name](#input\_event\_rule\_name) | The name of the rule. | `any` | n/a | yes |
-| <a name="input_event_rule_role_arn"></a> [event\_rule\_role\_arn](#input\_event\_rule\_role\_arn) | (Optional) The Amazon Resource Name (ARN) associated with the role that is used for target invocation. | `any` | `null` | no |
-| <a name="input_event_rule_schedule_expression"></a> [event\_rule\_schedule\_expression](#input\_event\_rule\_schedule\_expression) | (Optional) The scheduling expression. For example, cron(0 20 * * ? *) or rate(5 minutes). At least one of event\_rule\_schedule\_expression or event\_rule\_event\_pattern is required. Can only be used on the default event bus. | `any` | `null` | no |
+| <a name="input_event_rule_name"></a> [event\_rule\_name](#input\_event\_rule\_name) | The name of the rule. | `string` | n/a | yes |
+| <a name="input_event_rule_role_arn"></a> [event\_rule\_role\_arn](#input\_event\_rule\_role\_arn) | (Optional) The Amazon Resource Name (ARN) associated with the role that is used for target invocation. | `string` | `null` | no |
+| <a name="input_event_rule_schedule_expression"></a> [event\_rule\_schedule\_expression](#input\_event\_rule\_schedule\_expression) | (Optional) The scheduling expression. For example, cron(0 20 * * ? *) or rate(5 minutes). At least one of event\_rule\_schedule\_expression or event\_rule\_event\_pattern is required. Can only be used on the default event bus. | `string` | `null` | no |
 | <a name="input_event_target_ecs_target_assign_public_ip"></a> [event\_target\_ecs\_target\_assign\_public\_ip](#input\_event\_target\_ecs\_target\_assign\_public\_ip) | (Optional) Assign a public IP address to the ENI. Default false. | `bool` | `false` | no |
-| <a name="input_event_target_ecs_target_group"></a> [event\_target\_ecs\_target\_group](#input\_event\_target\_ecs\_target\_group) | (Optional) Specifies an ECS task group for the task. The maximum length is 255 characters. | `any` | `null` | no |
+| <a name="input_event_target_ecs_target_group"></a> [event\_target\_ecs\_target\_group](#input\_event\_target\_ecs\_target\_group) | (Optional) Specifies an ECS task group for the task. The maximum length is 255 characters. | `string` | `null` | no |
 | <a name="input_event_target_ecs_target_platform_version"></a> [event\_target\_ecs\_target\_platform\_version](#input\_event\_target\_ecs\_target\_platform\_version) | (Optional) Specifies the platform version for the task. Specify only the numeric portion of the platform version, such as 1.1.0. For more information about valid platform versions, see AWS Fargate Platform Versions. Default to LATEST. | `string` | `"LATEST"` | no |
 | <a name="input_event_target_ecs_target_propagate_tags"></a> [event\_target\_ecs\_target\_propagate\_tags](#input\_event\_target\_ecs\_target\_propagate\_tags) | (Optional) Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags are not propagated. Tags can only be propagated to the task during task creation. Valid values: `TASK_DEFINITION` or leave empty to avoid propagation. | `string` | `""` | no |
 | <a name="input_event_target_ecs_target_security_groups"></a> [event\_target\_ecs\_target\_security\_groups](#input\_event\_target\_ecs\_target\_security\_groups) | (Optional) The security groups associated with the task or service. If you do not specify a security group, the default security group for the VPC is used. | `list(any)` | `null` | no |
 | <a name="input_event_target_ecs_target_subnets"></a> [event\_target\_ecs\_target\_subnets](#input\_event\_target\_ecs\_target\_subnets) | The subnets associated with the task or service. | `list(any)` | n/a | yes |
 | <a name="input_event_target_ecs_target_task_count"></a> [event\_target\_ecs\_target\_task\_count](#input\_event\_target\_ecs\_target\_task\_count) | (Optional) The number of tasks to create based on the TaskDefinition. The default is 1. | `number` | `1` | no |
-| <a name="input_event_target_ecs_target_task_definition_arn"></a> [event\_target\_ecs\_target\_task\_definition\_arn](#input\_event\_target\_ecs\_target\_task\_definition\_arn) | (Required) The ARN of the task definition to use if the event target is an Amazon ECS cluster. | `any` | n/a | yes |
-| <a name="input_event_target_input"></a> [event\_target\_input](#input\_event\_target\_input) | (Optional) Valid JSON text passed to the target. Conflicts with event\_target\_input\_path. | `any` | `null` | no |
-| <a name="input_event_target_input_path"></a> [event\_target\_input\_path](#input\_event\_target\_input\_path) | (Optional) The value of the JSONPath that is used for extracting part of the matched event when passing it to the target. Conflicts with event\_target\_input. | `any` | `null` | no |
-| <a name="input_event_target_target_id"></a> [event\_target\_target\_id](#input\_event\_target\_target\_id) | (Optional) The unique target assignment ID. If missing, will generate a random, unique id. | `any` | `null` | no |
-| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS. | `any` | n/a | yes |
+| <a name="input_event_target_ecs_target_task_definition_arn"></a> [event\_target\_ecs\_target\_task\_definition\_arn](#input\_event\_target\_ecs\_target\_task\_definition\_arn) | (Required) The ARN of the task definition to use if the event target is an Amazon ECS cluster. | `string` | n/a | yes |
+| <a name="input_event_target_input"></a> [event\_target\_input](#input\_event\_target\_input) | (Optional) Valid JSON text passed to the target. Conflicts with event\_target\_input\_path. | `string` | `null` | no |
+| <a name="input_event_target_input_path"></a> [event\_target\_input\_path](#input\_event\_target\_input\_path) | (Optional) The value of the JSONPath that is used for extracting part of the matched event when passing it to the target. Conflicts with event\_target\_input. | `string` | `null` | no |
+| <a name="input_event_target_target_id"></a> [event\_target\_target\_id](#input\_event\_target\_target\_id) | (Optional) The unique target assignment ID. If missing, will generate a random, unique id. | `string` | `null` | no |
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS. | `string` | n/a | yes |
+| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
 
 ## Outputs
 

main.tf

@@ -33,6 +33,8 @@ resource "aws_iam_role" "scheduled_task_cw_event_role" {
   count              = var.event_rule_role_arn == null ? 1 : 0
   name               = "${var.name_prefix}-st-cw-role"
   assume_role_policy = data.aws_iam_policy_document.scheduled_task_cw_event_role_assume_role_policy.json
+
+  permissions_boundary = var.permissions_boundary == null ? null : var.permissions_boundary
 }
 
 resource "aws_iam_role_policy" "scheduled_task_cw_event_role_cloudwatch_policy" {

variables.tf

@@ -3,44 +3,51 @@
 #------------------------------------------------------------------------------
 variable "name_prefix" {
   description = "Name prefix for resources on AWS."
+  type        = string
 }
 
 #------------------------------------------------------------------------------
 # CLOUDWATCH EVENT RULE
 #------------------------------------------------------------------------------
 variable "event_rule_name" {
   description = "The name of the rule."
+  type        = string
 }
 
 variable "event_rule_schedule_expression" {
   description = "(Optional) The scheduling expression. For example, cron(0 20 * * ? *) or rate(5 minutes). At least one of event_rule_schedule_expression or event_rule_event_pattern is required. Can only be used on the default event bus."
   default     = null
+  type        = string
 }
 
 variable "event_rule_event_bus_name" {
   description = "(Optional) The event bus to associate with this rule. If you omit this, the default event bus is used."
   default     = null
+  type        = string
 }
 
 variable "event_rule_event_pattern" {
   description = "(Optional) The event pattern described a JSON object. At least one of schedule_expression or event_pattern is required."
   default     = null
+  type        = string
 }
 
 variable "event_rule_description" {
   description = "(Optional) The description of the rule."
   default     = null
+  type        = string
 }
 
 variable "event_rule_role_arn" {
   description = "(Optional) The Amazon Resource Name (ARN) associated with the role that is used for target invocation."
   default     = null
+  type        = string
 }
 
 variable "event_rule_is_enabled" {
   description = "(Optional) Whether the rule should be enabled (defaults to true)."
-  type        = bool
   default     = true
+  type        = bool
 }
 
 #------------------------------------------------------------------------------
@@ -49,49 +56,58 @@ variable "event_rule_is_enabled" {
 variable "event_target_target_id" {
   description = "(Optional) The unique target assignment ID. If missing, will generate a random, unique id."
   default     = null
+  type        = string
 }
 
 variable "ecs_cluster_arn" {
   description = "The ECS Cluster where the scheduled task will run."
+  type        = string
 }
 
 variable "event_target_input" {
   description = "(Optional) Valid JSON text passed to the target. Conflicts with event_target_input_path."
   default     = null
+  type        = string
 }
 
 variable "event_target_input_path" {
   description = " (Optional) The value of the JSONPath that is used for extracting part of the matched event when passing it to the target. Conflicts with event_target_input."
   default     = null
+  type        = string
 }
 
 variable "ecs_execution_task_role_arn" {
   description = "(Required) The task definition execution role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered."
+  type        = string
 }
 
 variable "ecs_task_role_arn" {
   description = "(Optional) The task definition role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered."
   default     = null
+  type        = string
 }
 
 variable "event_target_ecs_target_group" {
   description = "(Optional) Specifies an ECS task group for the task. The maximum length is 255 characters."
   default     = null
+  type        = string
 }
 
 variable "event_target_ecs_target_platform_version" {
   description = "(Optional) Specifies the platform version for the task. Specify only the numeric portion of the platform version, such as 1.1.0. For more information about valid platform versions, see AWS Fargate Platform Versions. Default to LATEST."
   default     = "LATEST"
+  type        = string
 }
 
 variable "event_target_ecs_target_task_count" {
   description = "(Optional) The number of tasks to create based on the TaskDefinition. The default is 1."
-  type        = number
   default     = 1
+  type        = number
 }
 
 variable "event_target_ecs_target_task_definition_arn" {
   description = "(Required) The ARN of the task definition to use if the event target is an Amazon ECS cluster."
+  type        = string
 }
 
 variable "event_target_ecs_target_subnets" {
@@ -101,18 +117,25 @@ variable "event_target_ecs_target_subnets" {
 
 variable "event_target_ecs_target_security_groups" {
   description = "(Optional) The security groups associated with the task or service. If you do not specify a security group, the default security group for the VPC is used."
-  type        = list(any)
   default     = null
+  type        = list(any)
 }
 
 variable "event_target_ecs_target_assign_public_ip" {
   description = "(Optional) Assign a public IP address to the ENI. Default false."
-  type        = bool
   default     = false
+  type        = bool
+
 }
 
 variable "event_target_ecs_target_propagate_tags" {
   description = "(Optional) Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags are not propagated. Tags can only be propagated to the task during task creation. Valid values: `TASK_DEFINITION` or leave empty to avoid propagation."
-  type        = string
   default     = ""
+  type        = string
 }
+
+variable "permissions_boundary" {
+  description = "(Optional) The ARN of the policy that is used to set the permissions boundary for the role."
+  default     = null
+  type        = string
+}