xpk/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/terraform-aws-modules/terraform-aws-eks.git synced 2025-09-09 19:32:58 +08:00
Code Activity

Add optional permissions_boundary (#265)

Browse Source 
* Add optional permissions_boundary

* Update CHANGELOG
This commit is contained in:
Dylan Hellems
2019-02-07 10:38:16 -05:00
committed by Max Williams
parent a23c43caf2
commit a1a1644f80
5 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+1
View File
@@ -11,6 +11,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
##### Added ##### Added
- Ability to specify a permissions_boundary for IAM roles (by @dylanhellems)
- Ability to configure force_delete for the worker group ASG (by @stefansedich) - Ability to configure force_delete for the worker group ASG (by @stefansedich)
- Ability to configure worker group ASG tags (by @stefansedich) - Ability to configure worker group ASG tags (by @stefansedich)
- Added EBS optimized mapping for the g3s.xlarge instance type (by @stefansedich) - Added EBS optimized mapping for the g3s.xlarge instance type (by @stefansedich)
README.md
+1
View File
@@ -130,6 +130,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
| map\_roles\_count | The count of roles in the map_roles list. | string | `"0"` | no | | map\_roles\_count | The count of roles in the map_roles list. | string | `"0"` | no |
| map\_users | Additional IAM users to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `[]` | no | | map\_users | Additional IAM users to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format. | list | `[]` | no |
| map\_users\_count | The count of roles in the map_users list. | string | `"0"` | no | | map\_users\_count | The count of roles in the map_users list. | string | `"0"` | no |
| permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | string | `""` | no |
| subnets | A list of subnets to place the EKS cluster and workers within. | list | n/a | yes | | subnets | A list of subnets to place the EKS cluster and workers within. | list | n/a | yes |
| tags | A map of tags to add to all resources. | map | `{}` | no | | tags | A map of tags to add to all resources. | map | `{}` | no |
| vpc\_id | VPC where the cluster and workers will be deployed. | string | n/a | yes | | vpc\_id | VPC where the cluster and workers will be deployed. | string | n/a | yes |
cluster.tf
+1
View File
@@ -52,6 +52,7 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" {
resource "aws_iam_role" "cluster" { resource "aws_iam_role" "cluster" {
name_prefix = "${var.cluster_name}" name_prefix = "${var.cluster_name}"
assume_role_policy = "${data.aws_iam_policy_document.cluster_assume_role_policy.json}" assume_role_policy = "${data.aws_iam_policy_document.cluster_assume_role_policy.json}"
permissions_boundary = "${var.permissions_boundary}"
force_detach_policies = true force_detach_policies = true
} }
variables.tf
+5
View File
@@ -216,3 +216,8 @@ variable "worker_create_security_group" {
description = "Whether to create a security group for the workers or attach the workers to `worker_security_group_id`." description = "Whether to create a security group for the workers or attach the workers to `worker_security_group_id`."
default = true default = true
} }
variable "permissions_boundary" {
description = "If provided, all IAM roles will be created with this permissions boundary attached."
default = ""
}
workers.tf
+1
View File
@@ -114,6 +114,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster_https" {
resource "aws_iam_role" "workers" { resource "aws_iam_role" "workers" {
name_prefix = "${aws_eks_cluster.this.name}" name_prefix = "${aws_eks_cluster.this.name}"
assume_role_policy = "${data.aws_iam_policy_document.workers_assume_role_policy.json}" assume_role_policy = "${data.aws_iam_policy_document.workers_assume_role_policy.json}"
permissions_boundary = "${var.permissions_boundary}"
force_detach_policies = true force_detach_policies = true
} }