diff --git a/README.md b/README.md
index bdd00aa..ac685e4 100644
--- a/README.md
+++ b/README.md
@@ -137,6 +137,7 @@ We recommend you install the following CLI tools:
| [operator\_role\_prefix](#input\_operator\_role\_prefix) | User-defined prefix for generated AWS operator policies. Use "account-role-prefix" in case no value provided. | `string` | `null` | no |
| [path](#input\_path) | The arn path for the account/operator roles as well as their policies. Must begin and end with '/'. | `string` | `"/"` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | `string` | `""` | no |
+| [permissions\_boundary\_overrides](#input\_permissions\_boundary\_overrides) | Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions\_boundary | `map(string)` | `{}` | no |
| [pod\_cidr](#input\_pod\_cidr) | Block of IP addresses from which Pod IP addresses are allocated, for example "10.128.0.0/14". | `string` | `null` | no |
| [private](#input\_private) | Restrict master API endpoint and application routes to direct, private connectivity. (default: false) | `bool` | `false` | no |
| [properties](#input\_properties) | User defined properties. | `map(string)` | `null` | no |
diff --git a/main.tf b/main.tf
index 8e9b822..24fea70 100644
--- a/main.tf
+++ b/main.tf
@@ -17,10 +17,11 @@ module "account_iam_resources" {
source = "./modules/account-iam-resources"
count = var.create_account_roles ? 1 : 0
- account_role_prefix = local.account_role_prefix
- path = local.path
- permissions_boundary = var.permissions_boundary
- tags = var.tags
+ account_role_prefix = local.account_role_prefix
+ path = local.path
+ permissions_boundary = var.permissions_boundary
+ permissions_boundary_overrides = var.permissions_boundary_overrides
+ tags = var.tags
}
############################
@@ -46,11 +47,12 @@ module "operator_roles" {
source = "./modules/operator-roles"
count = var.create_operator_roles ? 1 : 0
- operator_role_prefix = local.operator_role_prefix
- path = local.path
- oidc_endpoint_url = var.create_oidc ? module.oidc_config_and_provider[0].oidc_endpoint_url : var.oidc_endpoint_url
- tags = var.tags
- permissions_boundary = var.permissions_boundary
+ operator_role_prefix = local.operator_role_prefix
+ path = local.path
+ oidc_endpoint_url = var.create_oidc ? module.oidc_config_and_provider[0].oidc_endpoint_url : var.oidc_endpoint_url
+ tags = var.tags
+ permissions_boundary = var.permissions_boundary
+ permissions_boundary_overrides = var.permissions_boundary_overrides
}
############################
diff --git a/modules/account-iam-resources/README.md b/modules/account-iam-resources/README.md
index c1d749c..2492537 100644
--- a/modules/account-iam-resources/README.md
+++ b/modules/account-iam-resources/README.md
@@ -63,6 +63,7 @@ No modules.
| [account\_role\_prefix](#input\_account\_role\_prefix) | Prefix to be used when creating the account roles | `string` | `"tf-acc"` | no |
| [path](#input\_path) | (Optional) The arn path for the account/operator roles as well as their policies. Must begin and end with '/'. | `string` | `"/"` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | `string` | `""` | no |
+| [permissions\_boundary\_overrides](#input\_permissions\_boundary\_overrides) | Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions\_boundary | `map(string)` | `{}` | no |
| [tags](#input\_tags) | List of AWS resource tags to apply. | `map(string)` | `null` | no |
## Outputs
diff --git a/modules/account-iam-resources/main.tf b/modules/account-iam-resources/main.tf
index 17716a7..ee52be2 100644
--- a/modules/account-iam-resources/main.tf
+++ b/modules/account-iam-resources/main.tf
@@ -9,10 +9,10 @@ locals {
principal_identifier = "arn:${data.aws_partition.current.partition}:iam::${data.rhcs_info.current.ocm_aws_account_id}:role/RH-Managed-OpenShift-Installer"
},
{
- role_name = "HCP-ROSA-Support"
- role_type = "support"
- policy_details = "arn:aws:iam::aws:policy/service-role/ROSASRESupportPolicy"
- principal_type = "AWS"
+ role_name = "HCP-ROSA-Support"
+ role_type = "support"
+ policy_details = "arn:aws:iam::aws:policy/service-role/ROSASRESupportPolicy"
+ principal_type = "AWS"
// This is a SRE RH Support role which is used to assume this support role
principal_identifier = data.rhcs_hcp_policies.all_policies.account_role_policies["sts_support_rh_sre_role"]
},
@@ -46,11 +46,15 @@ data "aws_iam_policy_document" "custom_trust_policy" {
}
resource "aws_iam_role" "account_role" {
- count = local.account_roles_count
- name = substr("${local.account_role_prefix_valid}-${local.account_roles_properties[count.index].role_name}-Role", 0, 64)
- permissions_boundary = var.permissions_boundary
- path = local.path
- assume_role_policy = data.aws_iam_policy_document.custom_trust_policy[count.index].json
+ count = local.account_roles_count
+ name = substr("${local.account_role_prefix_valid}-${local.account_roles_properties[count.index].role_name}-Role", 0, 64)
+ permissions_boundary = lookup(
+ var.permissions_boundary_overrides,
+ local.account_roles_properties[count.index].role_name,
+ var.permissions_boundary
+ )
+ path = local.path
+ assume_role_policy = data.aws_iam_policy_document.custom_trust_policy[count.index].json
tags = merge(var.tags, {
red-hat-managed = true
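Review bot: A key in `permissions_boundary_overrides` that does not exactly match one of the `role_name` values (e.g. `HCP-ROSA-Support`, not the generated `<prefix>-HCP-ROSA-Support-Role` IAM name) is silently ignored by the new `lookup()` on `permissions_boundary`, and the role falls back to `var.permissions_boundary`, whose module default is an empty string — i.e. no boundary at all. Since an override exists to constrain a specific role, a mistyped key should fail the plan rather than degrade quietly. If the module's required Terraform version allows `lifecycle` preconditions, one on this resource can reject keys that match no known role name; see the excerpt below. The resource's `tags` argument and closing brace continue past the end of this hunk.
```hcl
  permissions_boundary = lookup(
    var.permissions_boundary_overrides,
    local.account_roles_properties[count.index].role_name,
    var.permissions_boundary
  )
  // … unchanged: path, assume_role_policy, tags …
  lifecycle {
    precondition {
      condition     = alltrue([for k in keys(var.permissions_boundary_overrides) : contains(local.account_roles_properties[*].role_name, k)])
      error_message = "Every key in permissions_boundary_overrides must be one of the role_name values defined in account_roles_properties (e.g. HCP-ROSA-Support)."
    }
  }
```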
@@ -85,9 +89,9 @@ resource "time_sleep" "account_iam_resources_wait" {
destroy_duration = "10s"
create_duration = "10s"
triggers = {
- account_iam_role_name = jsonencode([ for value in aws_iam_role.account_role : value.name])
+ account_iam_role_name = jsonencode([for value in aws_iam_role.account_role : value.name])
account_roles_arn = jsonencode({ for idx, value in aws_iam_role.account_role : local.account_roles_properties[idx].role_name => value.arn })
- account_policy_arns = jsonencode([ for value in aws_iam_role_policy_attachment.account_role_policy_attachment : value.policy_arn])
+ account_policy_arns = jsonencode([for value in aws_iam_role_policy_attachment.account_role_policy_attachment : value.policy_arn])
account_role_prefix = local.account_role_prefix_valid
path = local.path
}
diff --git a/modules/account-iam-resources/variables.tf b/modules/account-iam-resources/variables.tf
index 9397f5c..b055215 100644
--- a/modules/account-iam-resources/variables.tf
+++ b/modules/account-iam-resources/variables.tf
@@ -1,7 +1,7 @@
variable "account_role_prefix" {
- type = string
+ type = string
description = "Prefix to be used when creating the account roles"
- default = "tf-acc"
+ default = "tf-acc"
}
variable "path" {
@@ -16,6 +16,12 @@ variable "permissions_boundary" {
default = ""
}
+variable "permissions_boundary_overrides" {
+ description = "Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions_boundary"
+ type = map(string)
+ default = {}
+}
+
variable "tags" {
description = "List of AWS resource tags to apply."
type = map(string)
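Review bot: The description `Map of AWS role names to custom permission boundary ARNs` leaves ambiguous which name is the key: the internal `role_name` from the module's role properties (such as `HCP-ROSA-Support`) or the final IAM role name, which is prefixed, suffixed with `-Role` and truncated to 64 characters. Because the lookup in `modules/account-iam-resources/main.tf` matches on the internal `role_name`, a caller who supplies the full IAM name gets the default boundary with no warning. I would make the description explicit, e.g. `description = "Map of role names (the role_name values used by this module, e.g. \"HCP-ROSA-Support\") to permissions boundary policy ARNs. Roles absent from the map fall back to var.permissions_boundary."`. The same wording is introduced in `modules/operator-roles/variables.tf` and in the root `variables.tf`, where a single map is passed to both sub-modules, so those descriptions should say the same and note that keys for account roles and operator roles share one map.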
diff --git a/modules/operator-roles/README.md b/modules/operator-roles/README.md
index 8794167..8fa985a 100644
--- a/modules/operator-roles/README.md
+++ b/modules/operator-roles/README.md
@@ -67,6 +67,7 @@ No modules.
| [operator\_role\_prefix](#input\_operator\_role\_prefix) | Prefix to be used when creating the operator roles | `string` | n/a | yes |
| [path](#input\_path) | (Optional) The arn path for the account/operator roles as well as their policies. Must begin and end with '/'. | `string` | `"/"` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | `string` | `""` | no |
+| [permissions\_boundary\_overrides](#input\_permissions\_boundary\_overrides) | Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions\_boundary | `map(string)` | `{}` | no |
| [tags](#input\_tags) | List of AWS resource tags to apply. | `map(string)` | `null` | no |
## Outputs
diff --git a/modules/operator-roles/variables.tf b/modules/operator-roles/variables.tf
index e16cd09..3e19ee0 100644
--- a/modules/operator-roles/variables.tf
+++ b/modules/operator-roles/variables.tf
@@ -1,5 +1,5 @@
variable "operator_role_prefix" {
- type = string
+ type = string
description = "Prefix to be used when creating the operator roles"
}
@@ -15,6 +15,12 @@ variable "permissions_boundary" {
default = ""
}
+variable "permissions_boundary_overrides" {
+ description = "Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions_boundary"
+ type = map(string)
+ default = {}
+}
+
variable "tags" {
description = "List of AWS resource tags to apply."
type = map(string)
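Review bot: `permissions_boundary_overrides` is declared here and wired from the root `main.tf` into the `operator_roles` module, but this diff contains no change to `modules/operator-roles/main.tf` that reads `var.permissions_boundary_overrides`; unless that file already consumes it outside this change, the input is accepted and ignored and operator roles keep only the default `permissions_boundary`. Either add the matching `lookup()` on the operator `aws_iam_role` resource, mirroring the account-roles module, or leave the variable out of this module until it is used, so a caller cannot believe an override is in effect when it is not.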
diff --git a/variables.tf b/variables.tf
index a164692..c8c42d0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -267,6 +267,12 @@ variable "permissions_boundary" {
description = "The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters."
}
+variable "permissions_boundary_overrides" {
+ description = "Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions_boundary"
+ type = map(string)
+ default = {}
+}
+
##############################################################
# Account Roles
##############################################################
@@ -322,7 +328,7 @@ variable "oidc_endpoint_url" {
}
variable "machine_pools" {
- type = map(any)
+ type = map(any)
default = {}
description = "Provides a generic approach to add multiple machine pools after the creation of the cluster. This variable allows users to specify configurations for multiple machine pools in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [machine-pool sub-module](./modules/machine-pool). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string."
}
@@ -336,7 +342,7 @@ variable "identity_providers" {
variable "kubelet_configs" {
type = map(any)
default = {}
- description = "Provides a generic approach to add multiple kubelet configs after the creation of the cluster. This variable allows users to specify configurations for multiple kubelet configs in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/kubelet-configs). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string."
+ description = "Provides a generic approach to add multiple kubelet configs after the creation of the cluster. This variable allows users to specify configurations for multiple kubelet configs in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/kubelet-configs). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string."
}
variable "ignore_machine_pools_deletion_error" {