feat: Add permissions boundary to ecs task iam role (#176)

Author: ryanoolala

README.md

@@ -245,6 +245,7 @@ allow_github_webhooks        = true
 | internal | Whether the load balancer is internal or external | `bool` | `false` | no |
 | mount\_points | Container mount points. This is a list of maps, where each map should contain a `containerPath` and `sourceVolume`. The `readOnly` key is optional. | `list` | `[]` | no |
 | name | Name to use on all resources created (VPC, ALB, etc) | `string` | `"atlantis"` | no |
+| permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
 | policies\_arn | A list of the ARN of the policies you want to apply | `list(string)` | <pre>[<br>  "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"<br>]</pre> | no |
 | private\_subnet\_ids | A list of IDs of existing private subnets inside the VPC | `list(string)` | `[]` | no |
 | private\_subnets | A list of private subnets inside the VPC | `list(string)` | `[]` | no |

main.tf

@@ -379,8 +379,9 @@ data "aws_iam_policy_document" "ecs_tasks" {
 }
 
 resource "aws_iam_role" "ecs_task_execution" {
-  name               = "${var.name}-ecs_task_execution"
-  assume_role_policy = data.aws_iam_policy_document.ecs_tasks.json
+  name                 = "${var.name}-ecs_task_execution"
+  assume_role_policy   = data.aws_iam_policy_document.ecs_tasks.json
+  permissions_boundary = var.permissions_boundary
 
   tags = local.tags
 }

variables.tf

@@ -233,6 +233,12 @@ variable "ecs_service_assign_public_ip" {
   default     = false
 }
 
+variable "permissions_boundary" {
+  description = "If provided, all IAM roles will be created with this permissions boundary attached."
+  type        = string
+  default     = null
+}
+
 variable "policies_arn" {
   description = "A list of the ARN of the policies you want to apply"
   type        = list(string)