Commit
feat: add permissions boundaries for IAM entities support (#288)
It might be the case that IAM roles can be created with
predefined boundaries. This PR introduces such a capability
by providing the permissions_boundary_arn option.
Currently a single permissions_boundary_arn will be applied
to all iam_roles provisioned by this module.

Signed-off-by: Sergiy Kulanov <[email protected]>

Co-authored-by: nozaq <[email protected]>
SergK and nozaq authored Jun 5, 2022
1 parent f0cdf3e commit 219f003
Showing 11 changed files with 33 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -192,6 +192,7 @@ This module is composed of several submodules and each of which can be used inde
| <a name="input_no_mfa_console_signin_enabled"></a> [no\_mfa\_console\_signin\_enabled](#input\_no\_mfa\_console\_signin\_enabled) | The boolean flag whether the no\_mfa\_console\_signin alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_organizations_changes_enabled"></a> [organizations\_changes\_enabled](#input\_organizations\_changes\_enabled) | The boolean flag whether the organizations\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_password_reuse_prevention"></a> [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | no |
| <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no |
| <a name="input_require_lowercase_characters"></a> [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | no |
| <a name="input_require_numbers"></a> [require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | no |
| <a name="input_require_symbols"></a> [require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords. | `bool` | no |
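Review bot: The description on the new `permissions_boundary_arn` row is inconsistent with its neighbours: the comma in "for all IAM Roles, provisioned by this module" is misplaced and the sentence lacks the trailing period every other description has. This table is generated from `variables.tf`, so fix the `description` string there and regenerate the README rather than editing the table by hand.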
4 changes: 4 additions & 0 deletions config_baselines.tf
@@ -43,6 +43,8 @@ resource "aws_iam_role" "recorder" {
name = var.config_iam_role_name
assume_role_policy = data.aws_iam_policy_document.recorder_assume_role_policy[0].json

permissions_boundary = var.permissions_boundary_arn

tags = var.tags
}

@@ -630,6 +632,8 @@ resource "aws_iam_role" "config_organization" {
name_prefix = var.config_aggregator_name_prefix
assume_role_policy = data.aws_iam_policy_document.config_organization_assume_role_policy[0].json

permissions_boundary = var.permissions_boundary_arn

tags = var.tags
}

2 changes: 2 additions & 0 deletions main.tf
@@ -43,6 +43,7 @@ module "iam_baseline" {

support_iam_role_name = var.support_iam_role_name
support_iam_role_principal_arns = var.support_iam_role_principal_arns
permissions_boundary_arn = var.permissions_boundary_arn
minimum_password_length = var.minimum_password_length
password_reuse_prevention = var.password_reuse_prevention
require_lowercase_characters = var.require_lowercase_characters
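Review bot: Passing the single root `permissions_boundary_arn` straight into `iam_baseline` (and into `cloudtrail_baseline` in the next hunk) means one boundary document must fit roles with very different jobs, the support role and the CloudTrail log-delivery role among them. That is what the commit message says is intended, but the README should state it plainly, because a boundary written for one role can quietly strip permissions from another. The submodule inputs added here already make a per-module override possible later, so no structural change is needed now.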
@@ -75,6 +76,7 @@ module "cloudtrail_baseline" {
cloudwatch_logs_retention_in_days = var.cloudwatch_logs_retention_in_days
iam_role_name = var.cloudtrail_iam_role_name
iam_role_policy_name = var.cloudtrail_iam_role_policy_name
permissions_boundary_arn = var.permissions_boundary_arn
key_deletion_window_in_days = var.cloudtrail_key_deletion_window_in_days
region = var.region
s3_bucket_name = local.audit_log_bucket_id
1 change: 1 addition & 0 deletions modules/cloudtrail-baseline/README.md
@@ -36,6 +36,7 @@ Enable CloudTrail in all regions and deliver events to CloudWatch Logs. CloudTra
| <a name="input_is_organization_trail"></a> [is\_organization\_trail](#input\_is\_organization\_trail) | Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | no |
| <a name="input_key_deletion_window_in_days"></a> [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | no |
| <a name="input_lambda_invocation_logging_lambdas"></a> [lambda\_invocation\_logging\_lambdas](#input\_lambda\_invocation\_logging\_lambdas) | The list of lambda ARNs on which to enable invocation logging. | `list(string)` | no |
| <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no |
| <a name="input_s3_key_prefix"></a> [s3\_key\_prefix](#input\_s3\_key\_prefix) | The prefix for the specified S3 bucket. | `string` | no |
| <a name="input_s3_object_level_logging_buckets"></a> [s3\_object\_level\_logging\_buckets](#input\_s3\_object\_level\_logging\_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list(string)` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no |
2 changes: 2 additions & 0 deletions modules/cloudtrail-baseline/main.tf
@@ -29,6 +29,8 @@ resource "aws_iam_role" "cloudwatch_delivery" {
name = var.iam_role_name
assume_role_policy = data.aws_iam_policy_document.cloudwatch_delivery_assume_policy.json

permissions_boundary = var.permissions_boundary_arn

tags = var.tags
}

6 changes: 6 additions & 0 deletions modules/cloudtrail-baseline/variables.tf
@@ -51,6 +51,12 @@ variable "iam_role_policy_name" {
default = "CloudTrail-CloudWatch-Delivery-Policy"
}

variable "permissions_boundary_arn" {
description = "The permissions boundary ARN for all IAM Roles, provisioned by this module"
type = string
default = ""
}

variable "key_deletion_window_in_days" {
description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days."
type = number
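Review bot: `default = ""` for `permissions_boundary_arn` relies on the provider treating an empty string as "no boundary"; `default = null` expresses that intent directly and is the idiomatic way to leave an optional argument such as `permissions_boundary` unset. A `validation` block would also catch a mistyped ARN at plan time rather than at apply time, for example `condition = var.permissions_boundary_arn == null || can(regex("^arn:", var.permissions_boundary_arn))` with a short `error_message`. The description string should also lose the stray comma and gain a trailing period, since it is what terraform-docs copies into the README.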
1 change: 1 addition & 0 deletions modules/iam-baseline/README.md
@@ -30,6 +30,7 @@
| <a name="input_max_password_age"></a> [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | no |
| <a name="input_minimum_password_length"></a> [minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords. | `number` | no |
| <a name="input_password_reuse_prevention"></a> [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | no |
| <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no |
| <a name="input_require_lowercase_characters"></a> [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | no |
| <a name="input_require_numbers"></a> [require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | no |
| <a name="input_require_symbols"></a> [require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords. | `bool` | no |
2 changes: 2 additions & 0 deletions modules/iam-baseline/main.tf
@@ -35,6 +35,8 @@ resource "aws_iam_role" "support" {
name = var.support_iam_role_name
assume_role_policy = data.aws_iam_policy_document.support_assume_policy.json

permissions_boundary = var.permissions_boundary_arn

tags = var.tags
}

6 changes: 6 additions & 0 deletions modules/iam-baseline/variables.tf
@@ -4,6 +4,12 @@ variable "support_iam_role_name" {
default = "IAM-Support"
}

variable "permissions_boundary_arn" {
description = "The permissions boundary ARN for all IAM Roles, provisioned by this module"
type = string
default = ""
}

variable "support_iam_role_principal_arns" {
type = list(any)
description = "List of ARNs of the IAM principal elements by which the support role could be assumed."
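Review bot: The new variable is inserted between `support_iam_role_name` and `support_iam_role_principal_arns`, splitting the two related support-role inputs; move it below `support_iam_role_principal_arns` (or to the end of the file) so those stay together. The same question about `default = ""` applies here as in the other modules: `null` is the explicit "not set" value for an optional `aws_iam_role` argument, whereas an empty string depends on provider behaviour.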
6 changes: 6 additions & 0 deletions variables.tf
@@ -33,6 +33,12 @@ variable "member_accounts" {
default = []
}

variable "permissions_boundary_arn" {
description = "The permissions boundary ARN for all IAM Roles, provisioned by this module"
type = string
default = ""
}

variable "target_regions" {
description = "A list of regions to set up with this module."
type = list(string)
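Review bot: The root-level description should make clear that a permissions boundary only caps what a role may do and grants nothing by itself, so the boundary policy has to allow every action the roles' attached policies rely on (Config recording, CloudWatch Logs delivery for CloudTrail and VPC Flow Logs, the support role's access). If it omits one of them, `terraform apply` still succeeds and the baseline breaks later at runtime, which is hard to trace back from the plan output. One sentence on this in the README and a pointer in this `description` would spare operators that debugging.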
2 changes: 2 additions & 0 deletions vpc_baselines.tf
@@ -29,6 +29,8 @@ resource "aws_iam_role" "flow_logs_publisher" {
name = var.vpc_iam_role_name
assume_role_policy = data.aws_iam_policy_document.flow_logs_publisher_assume_role_policy[0].json

permissions_boundary = var.permissions_boundary_arn

tags = var.tags
}

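Review bot: Please confirm before merging that no `aws_iam_role` in the repository is left without `permissions_boundary`; the commit message promises the boundary for all roles the module provisions, and this diff covers five (recorder, config_organization, cloudwatch_delivery, support, flow_logs_publisher). A quick `grep -rn 'resource "aws_iam_role"' --include='*.tf' .` compared against the roles touched here will show whether any were missed, since a role left out would be the one with no cap on its permissions.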

0 comments on commit 219f003