From b87373712671560e774b9733004111795495c377 Mon Sep 17 00:00:00 2001
From: GongYi
Date: Mon, 25 Jul 2022 08:11:46 +0800
Subject: [PATCH] feat(aws-eks-iam-role): add permissions_boundary to eks-iam-role (#29)

Co-authored-by: gongy
Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Co-authored-by: nitrocode <7775707+nitrocode@users.noreply.github.com>
---
 .github/auto-release.yml | 1 -
 .github/renovate.json | 2 +-
 README.md | 1 +
 docs/terraform.md | 1 +
 main.tf | 11 ++++++-----
 variables.tf | 6 ++++++
 6 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/.github/auto-release.yml b/.github/auto-release.yml
index b45efb7..17cd39c 100644
--- a/.github/auto-release.yml
+++ b/.github/auto-release.yml
@@ -17,7 +17,6 @@ version-resolver:
 - 'bugfix'
 - 'bug'
 - 'hotfix'
- - 'no-release'
 default: 'minor'
 
 categories:
diff --git a/.github/renovate.json b/.github/renovate.json
index ae4f0aa..a780298 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -4,9 +4,9 @@
 ":preserveSemverRanges"
 ],
 "labels": ["auto-update"],
+ "dependencyDashboardAutoclose": true,
 "enabledManagers": ["terraform"],
 "terraform": {
 "ignorePaths": ["**/context.tf", "examples/**"]
 }
 }
-
diff --git a/README.md b/README.md
index 0850d4f..cf9d711 100644
--- a/README.md
+++ b/README.md
@@ -216,6 +216,7 @@ Available targets:
 | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no |
 | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
 | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | [service\_account\_name](#input\_service\_account\_name) | Kubernetes ServiceAccount name | `string` | n/a | yes |
 | [service\_account\_namespace](#input\_service\_account\_namespace) | Kubernetes Namespace where service account is deployed | `string` | n/a | yes |
diff --git a/docs/terraform.md b/docs/terraform.md
index 2435420..23ce40d 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -52,6 +52,7 @@
 | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no |
 | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
 | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | [service\_account\_name](#input\_service\_account\_name) | Kubernetes ServiceAccount name | `string` | n/a | yes |
 | [service\_account\_namespace](#input\_service\_account\_namespace) | Kubernetes Namespace where service account is deployed | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index 28c3cc0..e2586a2 100644
--- a/main.tf
+++ b/main.tf
@@ -51,11 +51,12 @@ module "service_account_label" {
 }
 
 resource "aws_iam_role" "service_account" {
- count = local.enabled ? 1 : 0
- name = module.service_account_label.id
- description = format("Role assumed by EKS ServiceAccount %s", local.service_account_id)
- assume_role_policy = data.aws_iam_policy_document.service_account_assume_role[0].json
- tags = module.service_account_label.tags
+ count = local.enabled ? 1 : 0
+ name = module.service_account_label.id
+ description = format("Role assumed by EKS ServiceAccount %s", local.service_account_id)
+ assume_role_policy = data.aws_iam_policy_document.service_account_assume_role[0].json
+ tags = module.service_account_label.tags
+ permissions_boundary = var.permissions_boundary
 }
 
 data "aws_iam_policy_document" "service_account_assume_role" {
diff --git a/variables.tf b/variables.tf
index 82583df..aa4d6cd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -40,3 +40,9 @@ variable "eks_cluster_oidc_issuer_url" {
 error_message = "The eks_cluster_oidc_issuer_url value must have a value."
 }
 }
+
+variable "permissions_boundary" {
+ type = string
+ description = "ARN of the policy that is used to set the permissions boundary for the role."
+ default = null
+}
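Review bot: The added `permissions_boundary = var.permissions_boundary` line in the `aws_iam_role.service_account` resource is a silent no-op whenever the variable keeps its `null` default, so the role is created with no boundary at all and nothing in the resource block says so; in accounts that require a boundary through an `iam:PermissionsBoundary` condition on `iam:CreateRole`, the apply then fails with an AccessDenied from the API instead of a plan-time message. A comment above the line, `# Optional: when null the role is created with no permissions boundary (some accounts require one via an iam:PermissionsBoundary condition on iam:CreateRole)`, would make that consequence visible to callers of the module. The five attribute lines above it appear to differ only in alignment, which this collapsed view cannot show.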
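Review bot: The new `variable "permissions_boundary"` accepts any string, while the neighbouring `eks_cluster_oidc_issuer_url` variable in the same file carries a `validation` block (its `error_message` is visible in the hunk's context), so a mistyped boundary ARN is only reported by the AWS API at apply time and the file's own convention is not followed. A validation that allows `null` but otherwise requires an IAM policy ARN fails fast at plan time; the pattern below accepts customer-managed (12-digit account) and AWS-managed (`aws`) policy ARNs in any `aws*` partition. The variable block starts and ends inside the hunk.
```hcl
variable "permissions_boundary" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.permissions_boundary == null || can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", var.permissions_boundary))
    error_message = "The permissions_boundary value must be null or an IAM policy ARN."
  }
}
```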