Add support for per-role permission boundaries

README.md

@@ -137,6 +137,7 @@ We recommend you install the following CLI tools:
 | <a name="input_operator_role_prefix"></a> [operator\_role\_prefix](#input\_operator\_role\_prefix) | User-defined prefix for generated AWS operator policies. Use "account-role-prefix" in case no value provided. | `string` | `null` | no |
 | <a name="input_path"></a> [path](#input\_path) | The arn path for the account/operator roles as well as their policies. Must begin and end with '/'. | `string` | `"/"` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | `string` | `""` | no |
+| <a name="input_permissions_boundary_overrides"></a> [permissions\_boundary\_overrides](#input\_permissions\_boundary\_overrides) | Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions\_boundary | `map(string)` | `{}` | no |
 | <a name="input_pod_cidr"></a> [pod\_cidr](#input\_pod\_cidr) | Block of IP addresses from which Pod IP addresses are allocated, for example "10.128.0.0/14". | `string` | `null` | no |
 | <a name="input_private"></a> [private](#input\_private) | Restrict master API endpoint and application routes to direct, private connectivity. (default: false) | `bool` | `false` | no |
 | <a name="input_properties"></a> [properties](#input\_properties) | User defined properties. | `map(string)` | `null` | no |

main.tf

@@ -17,10 +17,11 @@ module "account_iam_resources" {
   source = "./modules/account-iam-resources"
   count  = var.create_account_roles ? 1 : 0
 
-  account_role_prefix  = local.account_role_prefix
-  path                 = local.path
-  permissions_boundary = var.permissions_boundary
-  tags                 = var.tags
+  account_role_prefix            = local.account_role_prefix
+  path                           = local.path
+  permissions_boundary           = var.permissions_boundary
+  permissions_boundary_overrides = var.permissions_boundary_overrides
+  tags                           = var.tags
 }
 
 ############################
@@ -46,11 +47,12 @@ module "operator_roles" {
   source = "./modules/operator-roles"
   count  = var.create_operator_roles ? 1 : 0
 
-  operator_role_prefix = local.operator_role_prefix
-  path                 = local.path
-  oidc_endpoint_url    = var.create_oidc ? module.oidc_config_and_provider[0].oidc_endpoint_url : var.oidc_endpoint_url
-  tags                 = var.tags
-  permissions_boundary = var.permissions_boundary
+  operator_role_prefix           = local.operator_role_prefix
+  path                           = local.path
+  oidc_endpoint_url              = var.create_oidc ? module.oidc_config_and_provider[0].oidc_endpoint_url : var.oidc_endpoint_url
+  tags                           = var.tags
+  permissions_boundary           = var.permissions_boundary
+  permissions_boundary_overrides = var.permissions_boundary_overrides
 }
 
 ############################

modules/account-iam-resources/README.md

@@ -63,6 +63,7 @@ No modules.
 | <a name="input_account_role_prefix"></a> [account\_role\_prefix](#input\_account\_role\_prefix) | Prefix to be used when creating the account roles | `string` | `"tf-acc"` | no |
 | <a name="input_path"></a> [path](#input\_path) | (Optional) The arn path for the account/operator roles as well as their policies. Must begin and end with '/'. | `string` | `"/"` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | `string` | `""` | no |
+| <a name="input_permissions_boundary_overrides"></a> [permissions\_boundary\_overrides](#input\_permissions\_boundary\_overrides) | Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions\_boundary | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of AWS resource tags to apply. | `map(string)` | `null` | no |
 
 ## Outputs

modules/account-iam-resources/main.tf

@@ -9,10 +9,10 @@ locals {
       principal_identifier = "arn:${data.aws_partition.current.partition}:iam::${data.rhcs_info.current.ocm_aws_account_id}:role/RH-Managed-OpenShift-Installer"
     },
     {
-      role_name            = "HCP-ROSA-Support"
-      role_type            = "support"
-      policy_details       = "arn:aws:iam::aws:policy/service-role/ROSASRESupportPolicy"
-      principal_type       = "AWS"
+      role_name      = "HCP-ROSA-Support"
+      role_type      = "support"
+      policy_details = "arn:aws:iam::aws:policy/service-role/ROSASRESupportPolicy"
+      principal_type = "AWS"
       // This is a SRE RH Support role which is used to assume this support role
       principal_identifier = data.rhcs_hcp_policies.all_policies.account_role_policies["sts_support_rh_sre_role"]
     },
@@ -46,11 +46,15 @@ data "aws_iam_policy_document" "custom_trust_policy" {
 }
 
 resource "aws_iam_role" "account_role" {
-  count                = local.account_roles_count
-  name                 = substr("${local.account_role_prefix_valid}-${local.account_roles_properties[count.index].role_name}-Role", 0, 64)
-  permissions_boundary = var.permissions_boundary
-  path                 = local.path
-  assume_role_policy   = data.aws_iam_policy_document.custom_trust_policy[count.index].json
+  count = local.account_roles_count
+  name  = substr("${local.account_role_prefix_valid}-${local.account_roles_properties[count.index].role_name}-Role", 0, 64)
+  permissions_boundary = lookup(
+    var.permissions_boundary_overrides,
+    local.account_roles_properties[count.index].role_name,
+    var.permissions_boundary
+  )
+  path               = local.path
+  assume_role_policy = data.aws_iam_policy_document.custom_trust_policy[count.index].json
 
   tags = merge(var.tags, {
     red-hat-managed       = true
@@ -85,9 +89,9 @@ resource "time_sleep" "account_iam_resources_wait" {
   destroy_duration = "10s"
   create_duration  = "10s"
   triggers = {
-    account_iam_role_name = jsonencode([ for value in aws_iam_role.account_role : value.name])
+    account_iam_role_name = jsonencode([for value in aws_iam_role.account_role : value.name])
     account_roles_arn     = jsonencode({ for idx, value in aws_iam_role.account_role : local.account_roles_properties[idx].role_name => value.arn })
-    account_policy_arns   = jsonencode([ for value in aws_iam_role_policy_attachment.account_role_policy_attachment : value.policy_arn])
+    account_policy_arns   = jsonencode([for value in aws_iam_role_policy_attachment.account_role_policy_attachment : value.policy_arn])
     account_role_prefix   = local.account_role_prefix_valid
     path                  = local.path
   }

modules/account-iam-resources/variables.tf

@@ -1,7 +1,7 @@
 variable "account_role_prefix" {
-  type    = string
+  type        = string
   description = "Prefix to be used when creating the account roles"
-  default = "tf-acc"
+  default     = "tf-acc"
 }
 
 variable "path" {
@@ -16,6 +16,12 @@ variable "permissions_boundary" {
   default     = ""
 }
 
+variable "permissions_boundary_overrides" {
+  description = "Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions_boundary"
+  type        = map(string)
+  default     = {}
+}
+
 variable "tags" {
   description = "List of AWS resource tags to apply."
   type        = map(string)

modules/operator-roles/README.md

@@ -67,6 +67,7 @@ No modules.
 | <a name="input_operator_role_prefix"></a> [operator\_role\_prefix](#input\_operator\_role\_prefix) | Prefix to be used when creating the operator roles | `string` | n/a | yes |
 | <a name="input_path"></a> [path](#input\_path) | (Optional) The arn path for the account/operator roles as well as their policies. Must begin and end with '/'. | `string` | `"/"` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters. | `string` | `""` | no |
+| <a name="input_permissions_boundary_overrides"></a> [permissions\_boundary\_overrides](#input\_permissions\_boundary\_overrides) | Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions\_boundary | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of AWS resource tags to apply. | `map(string)` | `null` | no |
 
 ## Outputs

modules/operator-roles/variables.tf

@@ -1,5 +1,5 @@
 variable "operator_role_prefix" {
-  type = string
+  type        = string
   description = "Prefix to be used when creating the operator roles"
 }
 
@@ -15,6 +15,12 @@ variable "permissions_boundary" {
   default     = ""
 }
 
+variable "permissions_boundary_overrides" {
+  description = "Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions_boundary"
+  type        = map(string)
+  default     = {}
+}
+
 variable "tags" {
   description = "List of AWS resource tags to apply."
   type        = map(string)

variables.tf

@@ -267,6 +267,12 @@ variable "permissions_boundary" {
   description = "The ARN of the policy that is used to set the permissions boundary for the IAM roles in STS clusters."
 }
 
+variable "permissions_boundary_overrides" {
+  description = "Map of AWS role names to custom permission boundary ARNs. If not set for a role, uses the default permissions_boundary"
+  type        = map(string)
+  default     = {}
+}
+
 ##############################################################
 # Account Roles
 ##############################################################
@@ -322,7 +328,7 @@ variable "oidc_endpoint_url" {
 }
 
 variable "machine_pools" {
-  type = map(any)
+  type        = map(any)
   default     = {}
   description = "Provides a generic approach to add multiple machine pools after the creation of the cluster. This variable allows users to specify configurations for multiple machine pools in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [machine-pool sub-module](./modules/machine-pool). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string."
 }
@@ -336,7 +342,7 @@ variable "identity_providers" {
 variable "kubelet_configs" {
   type        = map(any)
   default     = {}
-  description = "Provides a generic approach to add multiple kubelet configs after the creation of the cluster. This variable allows users to specify configurations for multiple kubelet configs in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/kubelet-configs). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string." 
+  description = "Provides a generic approach to add multiple kubelet configs after the creation of the cluster. This variable allows users to specify configurations for multiple kubelet configs in a flexible and customizable manner, facilitating the management of resources post-cluster deployment. For additional details regarding the variables utilized, refer to the [idp sub-module](./modules/kubelet-configs). For non-primitive variables (such as maps, lists, and objects), supply the JSON-encoded string."
 }
 
 variable "ignore_machine_pools_deletion_error" {