From 46851852d4b8b3c504ba351dbcf4edddcf536d8b Mon Sep 17 00:00:00 2001
From: Chen Weiguang
Date: Tue, 22 Sep 2020 17:56:35 +0800
Subject: [PATCH] Add `permissions_boundary` for created IAM role.

---
 modules/nomad-cluster/main.tf      | 2 ++
 modules/nomad-cluster/variables.tf | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/modules/nomad-cluster/main.tf b/modules/nomad-cluster/main.tf
index b7074df..3bbfd75 100644
--- a/modules/nomad-cluster/main.tf
+++ b/modules/nomad-cluster/main.tf
@@ -193,6 +193,8 @@ resource "aws_iam_role" "instance_role" {
   name_prefix = var.cluster_name
   assume_role_policy = data.aws_iam_policy_document.instance_role.json
 
+  permissions_boundary = var.iam_permissions_boundary
+
   # aws_iam_instance_profile.instance_profile in this module sets create_before_destroy to true, which means
   # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
   # when you try to do a terraform destroy.
diff --git a/modules/nomad-cluster/variables.tf b/modules/nomad-cluster/variables.tf
index 2f23225..75c78af 100644
--- a/modules/nomad-cluster/variables.tf
+++ b/modules/nomad-cluster/variables.tf
@@ -228,3 +228,8 @@ variable "protect_from_scale_in" {
   default = false
 }
 
+variable "iam_permissions_boundary" {
+  description = "If set, restricts the created IAM role to the given permissions boundary"
+  type = string
+  default = null
+}
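Review bot: The new `permissions_boundary = var.iam_permissions_boundary` line passes the caller's string straight through, but the provider attribute expects the ARN of a managed policy, so a policy name or a typo is only rejected at apply time; a short comment on the line would make the contract visible to readers of main.tf, e.g. `# ARN of the managed policy that caps this role's effective permissions; null leaves the role unbounded`. It is also worth stating near the line that a boundary limits what the role can do but does not change who may assume it — the trust policy from `data.aws_iam_policy_document.instance_role` on the preceding line is unaffected, so this is not a substitute for a tight assume-role policy. The `aws_iam_role.instance_role` block continues outside the hunk.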
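Review bot: The description of `iam_permissions_boundary` does not say that the value must be a policy ARN, and `type = string` accepts any text, so the one input format the provider actually accepts is undocumented; suggest `description = "ARN of a managed policy to use as the permissions boundary for the created IAM role. If null (the default), no boundary is applied."`. If the module already requires Terraform 0.13 or later, a `validation` block checking the value with `var.iam_permissions_boundary == null || can(regex("^arn:", var.iam_permissions_boundary))` would surface a bad value at plan time; on 0.12, where `default = null` and unquoted `type = string` already work, the `validation` block is not available, so the description is the only guard.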