
Support IAM permission boundaries #5174

Closed
copumpkin opened this issue Jul 12, 2018 · 9 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service.
Comments

copumpkin commented Jul 12, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS just released IAM permission boundaries, a very cool new feature that allows us to let IAM principals do stuff with IAM without granting them effective admin powers.

Read more here.

New or Affected Resource(s)

  • aws_iam_user
  • aws_iam_role

Potential Terraform Configuration

It would likely just be another optional attribute on each of those resources to specify a managed policy ARN representing the permissions boundary.

References

bflad (Contributor) commented Jul 13, 2018

Pull requests submitted:

copumpkin (Author) commented

Beautiful, thanks!

copumpkin (Author) commented

Looks like all the PRs are merged, and I think will all be in by 1.30. Thanks again for all the work 😄

@bflad bflad added this to the v1.30.0 milestone Jul 30, 2018
bflad (Contributor) commented Jul 30, 2018

Indeed! All support will be in version 1.30.0 of the AWS provider, releasing middle of this week. 👍

bflad (Contributor) commented Aug 2, 2018

These have all been released in version 1.30.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
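As an added example (not code from this issue or from the provider repository), the pattern copumpkin describes, written in Terraform 0.12+ syntax against AWS provider 1.30.0 or later: a boundary policy that caps what any capped principal can ever do, an IAM-delegation policy that only lets the holder create or attach to principals that carry that same boundary and never remove or rewrite it, and a role that is itself capped via the `permissions_boundary` attribute this issue asked for. All resource names and the account id are made up.

```hcl
# Ceiling: no principal created under this boundary can exceed these actions.
resource "aws_iam_policy" "boundary" {
  name = "developer-boundary"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = ["s3:*", "lambda:*", "logs:*"], Resource = "*" }]
  })
}

# Delegated IAM rights, capped: any principal the holder creates or attaches to must carry
# the same boundary (iam:PermissionsBoundary condition key), and the boundary can neither
# be detached from a principal nor rewritten by publishing a new policy version.
resource "aws_iam_policy" "delegated_iam" {
  name = "developer-delegated-iam"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = ["iam:CreateRole", "iam:CreateUser", "iam:AttachRolePolicy",
                     "iam:AttachUserPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy"]
        Resource  = "*"
        Condition = { StringEquals = { "iam:PermissionsBoundary" = aws_iam_policy.boundary.arn } }
      },
      { Effect = "Deny", Resource = "*",
        Action = ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"] },
      { Effect = "Deny", Resource = aws_iam_policy.boundary.arn,
        Action = ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:SetDefaultPolicyVersion"] },
    ]
  })
}

# The role itself is capped by the boundary, so holding delegated_iam is not IAM admin:
# it cannot mint a principal that is broader than the boundary. Account id is a placeholder.
resource "aws_iam_role" "developer" {
  name                 = "developer"
  permissions_boundary = aws_iam_policy.boundary.arn
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
      Principal = { AWS = "arn:aws:iam::123456789012:root" } }]
  })
}

resource "aws_iam_role_policy_attachment" "developer_iam" {
  role       = aws_iam_role.developer.name
  policy_arn = aws_iam_policy.delegated_iam.arn
}
```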

nusnewob commented Sep 6, 2018

Doesn't seem to support multiple permission boundary policies, any plan to support it?

lorengordon (Contributor) commented

@nusnewob Can you explain more what you mean? Looks to me like the AWS implementation supports a single policy as the permission boundary, and you can only attach one permission boundary on a role or user.

ramphort commented Nov 21, 2019

@lorengordon I think he means writing stuff like this

```hcl
resource "aws_iam_policy_attachment" "test" {
  name                = "test"
  users               = ["${var.profile_username}"]
  policy_arn          = "${aws_iam_policy.policy.arn}"
  boundary_policy_arn = "${aws_iam_policy.policy_boundary.arn}"
}
```

But we cannot add a boundary_policy_arn field yet.

UPDATE

My bad, we can do this only on creation

```hcl
# The boundary is set on the user resource itself at creation time,
# not on the policy attachment.
resource "aws_iam_user" "lb" {
  name                 = "lb"
  permissions_boundary = "${aws_iam_policy.policy.arn}"
}
```

ghost commented Nov 21, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 21, 2019