Description
Currently, the module allows setting a global `permissions_boundary` ARN that is applied uniformly across all IAM roles created by the `account_iam_resources` and `operator_roles` modules. However, some environments require finer control over permissions boundaries due to organizational or compliance constraints. A single boundary policy that has to cover every role may also exceed the maximum size of an IAM policy document.
We could add a new variable to both modules (and the main module):

```hcl
variable "permissions_boundary_overrides" {
  description = "Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions_boundary"
  type        = map(string)
  default     = {}
}
```
The variable would allow a user to specify custom permission boundary ARNs on a per-role basis. If there is no override for a role, the module falls back to the default `permissions_boundary` using a lookup, for example in `account_iam_resources`:

```hcl
permissions_boundary = lookup(
  var.permissions_boundary_overrides,
  local.account_roles_properties[count.index].role_name,
  var.permissions_boundary
)
```
This stays backwards-compatible: if `permissions_boundary_overrides` is not set, every role falls back to `permissions_boundary`.
Example:

```hcl
module "rosa_deployment" {
  ...
  permissions_boundary = "arn:aws:iam::123456789012:policy/DefaultBoundary"
  permissions_boundary_overrides = {
    "kube-system-control-plane-operator" = "arn:aws:iam::123456789012:policy/ControlPlaneOperatorBoundary",
    "HCP-ROSA-Installer"                 = "arn:aws:iam::123456789012:policy/InstallerBoundary"
  }
}
```
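As an added illustration (not the module's own code), here is the override variable with input validation, the per-role resolution done once in a local, and a `check` block that flags an override key matching no role, since such a key would otherwise silently leave that role on the default boundary. The role names and the `resolved_boundaries` local are constructed for this example.

```hcl
variable "permissions_boundary" {
  description = "Default permissions boundary ARN applied to every role."
  type        = string
  default     = null
}

variable "permissions_boundary_overrides" {
  description = "Map of role name => boundary ARN; overrides the default for that role."
  type        = map(string)
  default     = {}

  # Reject values that are not IAM policy ARNs at plan time.
  validation {
    condition = alltrue([
      for arn in values(var.permissions_boundary_overrides) :
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:policy/", arn))
    ])
    error_message = "Every permissions_boundary_overrides value must be an IAM policy ARN."
  }
}

locals {
  # Constructed sample role names; in the module they come from
  # local.account_roles_properties.
  role_names = ["HCP-ROSA-Installer", "HCP-ROSA-Worker"]

  # Override when present, otherwise the account-wide default.
  resolved_boundaries = {
    for name in local.role_names :
    name => lookup(var.permissions_boundary_overrides, name, var.permissions_boundary)
  }
}

# An override key that matches no role (for example a typo) would silently
# leave that role on the default boundary; surface it at plan time (Terraform >= 1.5).
check "overrides_refer_to_known_roles" {
  assert {
    condition     = length(setsubtract(keys(var.permissions_boundary_overrides), local.role_names)) == 0
    error_message = "permissions_boundary_overrides contains a key that matches no role name."
  }
}

output "resolved_permissions_boundaries" {
  value = local.resolved_boundaries
}
```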