
feat: allow passing in a permissions boundary #115

Open
wants to merge 2 commits into base: main

Conversation

joelmccoy

what

Allows a permissions_boundary to be passed in to this module.

why

The cloudwatch logs module being referenced in this module creates an IAM role. Currently there is no way to set a permissions boundary for this role (which makes it impossible to use this module in an environment that requires permission boundaries). This PR allows a boundary to be set and then passed into the sub module that contains IAM resources.

references

@joelmccoy joelmccoy requested review from a team as code owners November 1, 2024 20:22
@mergify mergify bot added the triage Needs triage label Nov 1, 2024
variables.tf Outdated

variable "permissions_boundary" {
type = string
default = ""
Member


Can this default to null instead?

Suggested change
default = ""
default = null

Author


done

Member


Please regenerate the docs

I believe you can run

make init
# one of the below should work
make docker/readme
make readme

Author


done

main.tf Outdated
@@ -137,6 +137,8 @@ module "cloudwatch_log" {

retention_in_days = var.retention_in_days

permissions_boundary = var.permissions_boundary
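Review bot: `var.permissions_boundary` is forwarded to the cloudwatch_log submodule unchanged, so with the `default = ""` shown in the variables.tf hunk a caller who sets nothing sends an empty string to the submodule instead of no boundary; Terraform treats only `null` as an omitted argument, so once the default is `null` (as already suggested) this pass-through needs no conditional and the submodule's role simply gets no boundary when none is configured.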
Member


What do you think of prefixing the input with logging_ so it's clear the perm boundary is for the cloudwatch logging module's resources?

Suggested change
permissions_boundary = var.permissions_boundary
permissions_boundary = var.logging_permissions_boundary

Author


good call. made this change

variables.tf Outdated
@@ -200,3 +200,9 @@ variable "transport_protocol" {
error_message = "Invalid protocol type must be one of: udp, tcp."
}
}

variable "permissions_boundary" {
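Review bot: the new `variable "permissions_boundary"` block opens without a `description`, and unlike the neighbouring `transport_protocol` variable it carries no `validation` block; since the value is an IAM policy ARN that ends up on the submodule's role, a `validation` whose `condition` accepts `null` or an `arn:aws...:iam::...:policy/...` string, with an `error_message` in the same style as the one above it, would reject a malformed boundary at plan time rather than at the IAM API.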
Member


Related to https://github.com/cloudposse/terraform-aws-ec2-client-vpn/pull/115/files#r1853814788

Suggested change
variable "permissions_boundary" {
variable "logging_permissions_boundary" {

Author


done
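The shape the input takes once the review points above (null default, `logging_` prefix) are folded in, as an added illustration rather than code from the terraform-aws-ec2-client-vpn module; the `description`, the `validation` block and its ARN pattern are assumptions not present in the PR.

```hcl
# Added example, not the module's own code. The null default (not "")
# means a caller who sets nothing passes an omitted argument down to
# the logging submodule's role. The validation is null-guarded: regex()
# errors on a null string, and can() turns that error into false, so
# the "== null" branch is what lets an unset value pass.
variable "logging_permissions_boundary" {
  type        = string
  default     = null
  description = "ARN of the IAM permissions boundary policy to attach to the role created by the cloudwatch logging submodule. Leave null to attach no boundary."

  validation {
    condition = (
      var.logging_permissions_boundary == null ||
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:policy/.+$", var.logging_permissions_boundary))
    )
    error_message = "logging_permissions_boundary must be null or an IAM policy ARN (arn:<partition>:iam::<account>:policy/<name>)."
  }
}

# Pass-through inside the existing module "cloudwatch_log" block; only
# the two arguments visible in the PR hunk are shown here.
#   retention_in_days    = var.retention_in_days
#   permissions_boundary = var.logging_permissions_boundary
```

A caller then sets `logging_permissions_boundary = "arn:aws:iam::123456789012:policy/ExampleBoundary"` (constructed account id and policy name); a value such as `"ExampleBoundary"` fails at `terraform plan` with the error_message above instead of at the IAM API.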
