Adding support for permission boundary for IAM Role creation #31

Merged
33 changes: 17 additions & 16 deletions README.md
Expand Up @@ -56,7 +56,7 @@ In order to run all checks at any point run the following command:

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.32.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.31.0 |

## Modules

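Review bot: the aws provider bump from 4.32.0 to 5.31.0 is a major-version change that the PR title ("permission boundary") does not mention. This table is terraform-docs output, so it only reflects whichever provider was resolved locally; confirm that the real constraint (`required_providers` in versions.tf) and the dependency lock file were raised in the same change, and check the provider's v5 upgrade guide against the resources this module uses before a jump of this size rides along with a feature PR.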
Expand All @@ -77,28 +77,29 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_ecs_cluster_arn"></a> [ecs\_cluster\_arn](#input\_ecs\_cluster\_arn) | The ECS Cluster where the scheduled task will run. | `any` | n/a | yes |
| <a name="input_ecs_execution_task_role_arn"></a> [ecs\_execution\_task\_role\_arn](#input\_ecs\_execution\_task\_role\_arn) | (Required) The task definition execution role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `any` | n/a | yes |
| <a name="input_ecs_task_role_arn"></a> [ecs\_task\_role\_arn](#input\_ecs\_task\_role\_arn) | (Optional) The task definition role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `any` | `null` | no |
| <a name="input_event_rule_description"></a> [event\_rule\_description](#input\_event\_rule\_description) | (Optional) The description of the rule. | `any` | `null` | no |
| <a name="input_event_rule_event_bus_name"></a> [event\_rule\_event\_bus\_name](#input\_event\_rule\_event\_bus\_name) | (Optional) The event bus to associate with this rule. If you omit this, the default event bus is used. | `any` | `null` | no |
| <a name="input_event_rule_event_pattern"></a> [event\_rule\_event\_pattern](#input\_event\_rule\_event\_pattern) | (Optional) The event pattern described a JSON object. At least one of schedule\_expression or event\_pattern is required. | `any` | `null` | no |
| <a name="input_ecs_cluster_arn"></a> [ecs\_cluster\_arn](#input\_ecs\_cluster\_arn) | The ECS Cluster where the scheduled task will run. | `string` | n/a | yes |
| <a name="input_ecs_execution_task_role_arn"></a> [ecs\_execution\_task\_role\_arn](#input\_ecs\_execution\_task\_role\_arn) | (Required) The task definition execution role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `string` | n/a | yes |
| <a name="input_ecs_task_role_arn"></a> [ecs\_task\_role\_arn](#input\_ecs\_task\_role\_arn) | (Optional) The task definition role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. | `string` | `null` | no |
| <a name="input_event_rule_description"></a> [event\_rule\_description](#input\_event\_rule\_description) | (Optional) The description of the rule. | `string` | `null` | no |
| <a name="input_event_rule_event_bus_name"></a> [event\_rule\_event\_bus\_name](#input\_event\_rule\_event\_bus\_name) | (Optional) The event bus to associate with this rule. If you omit this, the default event bus is used. | `string` | `null` | no |
| <a name="input_event_rule_event_pattern"></a> [event\_rule\_event\_pattern](#input\_event\_rule\_event\_pattern) | (Optional) The event pattern described a JSON object. At least one of schedule\_expression or event\_pattern is required. | `string` | `null` | no |
| <a name="input_event_rule_is_enabled"></a> [event\_rule\_is\_enabled](#input\_event\_rule\_is\_enabled) | (Optional) Whether the rule should be enabled (defaults to true). | `bool` | `true` | no |
| <a name="input_event_rule_name"></a> [event\_rule\_name](#input\_event\_rule\_name) | The name of the rule. | `any` | n/a | yes |
| <a name="input_event_rule_role_arn"></a> [event\_rule\_role\_arn](#input\_event\_rule\_role\_arn) | (Optional) The Amazon Resource Name (ARN) associated with the role that is used for target invocation. | `any` | `null` | no |
| <a name="input_event_rule_schedule_expression"></a> [event\_rule\_schedule\_expression](#input\_event\_rule\_schedule\_expression) | (Optional) The scheduling expression. For example, cron(0 20 * * ? *) or rate(5 minutes). At least one of event\_rule\_schedule\_expression or event\_rule\_event\_pattern is required. Can only be used on the default event bus. | `any` | `null` | no |
| <a name="input_event_rule_name"></a> [event\_rule\_name](#input\_event\_rule\_name) | The name of the rule. | `string` | n/a | yes |
| <a name="input_event_rule_role_arn"></a> [event\_rule\_role\_arn](#input\_event\_rule\_role\_arn) | (Optional) The Amazon Resource Name (ARN) associated with the role that is used for target invocation. | `string` | `null` | no |
| <a name="input_event_rule_schedule_expression"></a> [event\_rule\_schedule\_expression](#input\_event\_rule\_schedule\_expression) | (Optional) The scheduling expression. For example, cron(0 20 * * ? *) or rate(5 minutes). At least one of event\_rule\_schedule\_expression or event\_rule\_event\_pattern is required. Can only be used on the default event bus. | `string` | `null` | no |
| <a name="input_event_target_ecs_target_assign_public_ip"></a> [event\_target\_ecs\_target\_assign\_public\_ip](#input\_event\_target\_ecs\_target\_assign\_public\_ip) | (Optional) Assign a public IP address to the ENI. Default false. | `bool` | `false` | no |
| <a name="input_event_target_ecs_target_group"></a> [event\_target\_ecs\_target\_group](#input\_event\_target\_ecs\_target\_group) | (Optional) Specifies an ECS task group for the task. The maximum length is 255 characters. | `any` | `null` | no |
| <a name="input_event_target_ecs_target_group"></a> [event\_target\_ecs\_target\_group](#input\_event\_target\_ecs\_target\_group) | (Optional) Specifies an ECS task group for the task. The maximum length is 255 characters. | `string` | `null` | no |
| <a name="input_event_target_ecs_target_platform_version"></a> [event\_target\_ecs\_target\_platform\_version](#input\_event\_target\_ecs\_target\_platform\_version) | (Optional) Specifies the platform version for the task. Specify only the numeric portion of the platform version, such as 1.1.0. For more information about valid platform versions, see AWS Fargate Platform Versions. Default to LATEST. | `string` | `"LATEST"` | no |
| <a name="input_event_target_ecs_target_propagate_tags"></a> [event\_target\_ecs\_target\_propagate\_tags](#input\_event\_target\_ecs\_target\_propagate\_tags) | (Optional) Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags are not propagated. Tags can only be propagated to the task during task creation. Valid values: `TASK_DEFINITION` or leave empty to avoid propagation. | `string` | `""` | no |
| <a name="input_event_target_ecs_target_security_groups"></a> [event\_target\_ecs\_target\_security\_groups](#input\_event\_target\_ecs\_target\_security\_groups) | (Optional) The security groups associated with the task or service. If you do not specify a security group, the default security group for the VPC is used. | `list(any)` | `null` | no |
| <a name="input_event_target_ecs_target_subnets"></a> [event\_target\_ecs\_target\_subnets](#input\_event\_target\_ecs\_target\_subnets) | The subnets associated with the task or service. | `list(any)` | n/a | yes |
| <a name="input_event_target_ecs_target_task_count"></a> [event\_target\_ecs\_target\_task\_count](#input\_event\_target\_ecs\_target\_task\_count) | (Optional) The number of tasks to create based on the TaskDefinition. The default is 1. | `number` | `1` | no |
| <a name="input_event_target_ecs_target_task_definition_arn"></a> [event\_target\_ecs\_target\_task\_definition\_arn](#input\_event\_target\_ecs\_target\_task\_definition\_arn) | (Required) The ARN of the task definition to use if the event target is an Amazon ECS cluster. | `any` | n/a | yes |
| <a name="input_event_target_input"></a> [event\_target\_input](#input\_event\_target\_input) | (Optional) Valid JSON text passed to the target. Conflicts with event\_target\_input\_path. | `any` | `null` | no |
| <a name="input_event_target_input_path"></a> [event\_target\_input\_path](#input\_event\_target\_input\_path) | (Optional) The value of the JSONPath that is used for extracting part of the matched event when passing it to the target. Conflicts with event\_target\_input. | `any` | `null` | no |
| <a name="input_event_target_target_id"></a> [event\_target\_target\_id](#input\_event\_target\_target\_id) | (Optional) The unique target assignment ID. If missing, will generate a random, unique id. | `any` | `null` | no |
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS. | `any` | n/a | yes |
| <a name="input_event_target_ecs_target_task_definition_arn"></a> [event\_target\_ecs\_target\_task\_definition\_arn](#input\_event\_target\_ecs\_target\_task\_definition\_arn) | (Required) The ARN of the task definition to use if the event target is an Amazon ECS cluster. | `string` | n/a | yes |
| <a name="input_event_target_input"></a> [event\_target\_input](#input\_event\_target\_input) | (Optional) Valid JSON text passed to the target. Conflicts with event\_target\_input\_path. | `string` | `null` | no |
| <a name="input_event_target_input_path"></a> [event\_target\_input\_path](#input\_event\_target\_input\_path) | (Optional) The value of the JSONPath that is used for extracting part of the matched event when passing it to the target. Conflicts with event\_target\_input. | `string` | `null` | no |
| <a name="input_event_target_target_id"></a> [event\_target\_target\_id](#input\_event\_target\_target\_id) | (Optional) The unique target assignment ID. If missing, will generate a random, unique id. | `string` | `null` | no |
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS. | `string` | n/a | yes |
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |

## Outputs

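Review bot: the `permissions_boundary` description (last row) should state which role it applies to. In this module the boundary is attached only to the `${var.name_prefix}-st-cw-role` role that is created when `event_rule_role_arn` is left null; a caller who supplies `event_rule_role_arn` gets no boundary from this variable and has to attach one to their own role. Suggested wording: "(Optional) ARN of the policy used as the permissions boundary for the EventBridge role this module creates when `event_rule_role_arn` is not set." The same text belongs in variables.tf. Separately, `event_target_ecs_target_security_groups` and `event_target_ecs_target_subnets` still show `list(any)` while every other input was tightened to `string`; `list(string)` would finish the job.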
2 changes: 2 additions & 0 deletions main.tf
Expand Up @@ -33,6 +33,8 @@ resource "aws_iam_role" "scheduled_task_cw_event_role" {
count = var.event_rule_role_arn == null ? 1 : 0
name = "${var.name_prefix}-st-cw-role"
assume_role_policy = data.aws_iam_policy_document.scheduled_task_cw_event_role_assume_role_policy.json

permissions_boundary = var.permissions_boundary == null ? null : var.permissions_boundary
}

resource "aws_iam_role_policy" "scheduled_task_cw_event_role_cloudwatch_policy" {
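Review bot: `permissions_boundary = var.permissions_boundary == null ? null : var.permissions_boundary` is a tautology; both branches evaluate to the variable itself, so `permissions_boundary = var.permissions_boundary` is equivalent (the argument is optional and a null value leaves the boundary unset). Note also that this line is only reached when `count = var.event_rule_role_arn == null ? 1 : 0` creates the role, which is the right scope for the boundary but should be spelled out in the variable description so callers bringing their own role know it is not covered. The extra blank line inserted above the new argument can go.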
33 changes: 28 additions & 5 deletions variables.tf
Expand Up @@ -3,44 +3,51 @@
#------------------------------------------------------------------------------
variable "name_prefix" {
description = "Name prefix for resources on AWS."
type = string
}

#------------------------------------------------------------------------------
# CLOUDWATCH EVENT RULE
#------------------------------------------------------------------------------
variable "event_rule_name" {
description = "The name of the rule."
type = string
}

variable "event_rule_schedule_expression" {
description = "(Optional) The scheduling expression. For example, cron(0 20 * * ? *) or rate(5 minutes). At least one of event_rule_schedule_expression or event_rule_event_pattern is required. Can only be used on the default event bus."
default = null
type = string
}

variable "event_rule_event_bus_name" {
description = "(Optional) The event bus to associate with this rule. If you omit this, the default event bus is used."
default = null
type = string
}

variable "event_rule_event_pattern" {
description = "(Optional) The event pattern described a JSON object. At least one of schedule_expression or event_pattern is required."
default = null
type = string
}

variable "event_rule_description" {
description = "(Optional) The description of the rule."
default = null
type = string
}

variable "event_rule_role_arn" {
description = "(Optional) The Amazon Resource Name (ARN) associated with the role that is used for target invocation."
default = null
type = string
}

variable "event_rule_is_enabled" {
description = "(Optional) Whether the rule should be enabled (defaults to true)."
type = bool
default = true
type = bool
}

#------------------------------------------------------------------------------
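Review bot: moving the pre-existing `type = bool` line below `default` in `event_rule_is_enabled` is cosmetic churn unrelated to the permissions boundary and it inflates the diff (the same reorder recurs further down for `type = number` and other existing variables). If the goal is a consistent attribute order, a separate formatting commit keeps the reviewed change small. The `type = string` constraints added to the previously untyped inputs in this hunk are correct for the values they take.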
Expand All @@ -49,49 +56,58 @@ variable "event_rule_is_enabled" {
variable "event_target_target_id" {
description = "(Optional) The unique target assignment ID. If missing, will generate a random, unique id."
default = null
type = string
}

variable "ecs_cluster_arn" {
description = "The ECS Cluster where the scheduled task will run."
type = string
}

variable "event_target_input" {
description = "(Optional) Valid JSON text passed to the target. Conflicts with event_target_input_path."
default = null
type = string
}

variable "event_target_input_path" {
description = " (Optional) The value of the JSONPath that is used for extracting part of the matched event when passing it to the target. Conflicts with event_target_input."
default = null
type = string
}

variable "ecs_execution_task_role_arn" {
description = "(Required) The task definition execution role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered."
type = string
}

variable "ecs_task_role_arn" {
description = "(Optional) The task definition role. The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered."
default = null
type = string
}

variable "event_target_ecs_target_group" {
description = "(Optional) Specifies an ECS task group for the task. The maximum length is 255 characters."
default = null
type = string
}

variable "event_target_ecs_target_platform_version" {
description = "(Optional) Specifies the platform version for the task. Specify only the numeric portion of the platform version, such as 1.1.0. For more information about valid platform versions, see AWS Fargate Platform Versions. Default to LATEST."
default = "LATEST"
type = string
}

variable "event_target_ecs_target_task_count" {
description = "(Optional) The number of tasks to create based on the TaskDefinition. The default is 1."
type = number
default = 1
type = number
}

variable "event_target_ecs_target_task_definition_arn" {
description = "(Required) The ARN of the task definition to use if the event target is an Amazon ECS cluster."
type = string
}

variable "event_target_ecs_target_subnets" {
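Review bot: the description of `event_target_input_path` begins with a stray leading space (`" (Optional) The value of the JSONPath ..."`), which terraform-docs carries into the README table; trim it while this block is being touched. The new `type = string` constraints in this hunk are otherwise consistent with the README changes.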
Expand All @@ -101,18 +117,25 @@ variable "event_target_ecs_target_subnets" {

variable "event_target_ecs_target_security_groups" {
description = "(Optional) The security groups associated with the task or service. If you do not specify a security group, the default security group for the VPC is used."
type = list(any)
default = null
type = list(any)
}

variable "event_target_ecs_target_assign_public_ip" {
description = "(Optional) Assign a public IP address to the ENI. Default false."
type = bool
default = false
type = bool

}

variable "event_target_ecs_target_propagate_tags" {
description = "(Optional) Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags are not propagated. Tags can only be propagated to the task during task creation. Valid values: `TASK_DEFINITION` or leave empty to avoid propagation."
type = string
default = ""
type = string
}

variable "permissions_boundary" {
description = "(Optional) The ARN of the policy that is used to set the permissions boundary for the role."
default = null
type = string
}
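Review bot: `permissions_boundary` accepts any string, so a malformed ARN is only rejected by IAM at apply time. A `validation` block catches it at plan time while still permitting the null default (regex errors on null are absorbed by `can`), for example:
  condition     = var.permissions_boundary == null || can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", var.permissions_boundary))
  error_message = "permissions_boundary must be an IAM policy ARN (customer managed or AWS managed)."
One more item in this hunk: `event_target_ecs_target_security_groups` keeps `type = list(any)` while the rest of the PR tightens types; `list(string)` is what the argument actually takes.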