diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f7f40520..05e799a8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.62.3
+ rev: v1.76.0
hooks:
- id: terraform_fmt
- id: terraform_validate
@@ -23,6 +23,6 @@ repos:
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.1.0
+ rev: v4.3.0
hooks:
- id: check-merge-conflict
diff --git a/README.md b/README.md
index dc8e8528..de73cca4 100644
--- a/README.md
+++ b/README.md
@@ -377,6 +377,7 @@ allow_github_webhooks = true
| [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration (in seconds) for ecs task execution role. Default is 3600. | `number` | `null` | no |
| [mount\_points](#input\_mount\_points) | Container mount points. This is a list of maps, where each map should contain a `containerPath` and `sourceVolume`. The `readOnly` key is optional. | `list(any)` | `[]` | no |
| [name](#input\_name) | Name to use on all resources created (VPC, ALB, etc) | `string` | `"atlantis"` | no |
+| [path](#input\_path) | If provided, all IAM roles will be created with this path. | `string` | `"/"` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
| [policies\_arn](#input\_policies\_arn) | A list of the ARN of the policies you want to apply | `list(string)` | `null` | no |
| [private\_subnet\_ids](#input\_private\_subnet\_ids) | A list of IDs of existing private subnets inside the VPC | `list(string)` | `[]` | no |
diff --git a/examples/github-complete/main.tf b/examples/github-complete/main.tf
index c5c2611f..3fa9f6df 100644
--- a/examples/github-complete/main.tf
+++ b/examples/github-complete/main.tf
@@ -78,6 +78,10 @@ module "atlantis" {
# Trusted roles
trusted_principals = ["ssm.amazonaws.com"]
+ # IAM role options
+ permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/cloud/developer-boundary-policy"
+ path = "/delegatedadmin/developer/"
+
# Atlantis
atlantis_github_user = var.github_user
atlantis_github_user_token = var.github_token
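Review bot: The new `permissions_boundary` and `path` values are organization-specific literals (`policy/cloud/developer-boundary-policy`, `/delegatedadmin/developer/`), so anyone copying this example into another account gets a failed apply unless a managed policy with exactly that name already exists there. Since the example is meant to be reused, it would be clearer to expose both as example variables, or at least mark them, e.g. `# permissions_boundary must be an existing managed policy in the target account; replace with your own boundary (or remove) before applying`. The `data.aws_caller_identity.current` the ARN interpolates is defined outside this hunk, presumably elsewhere in the example. The `module "atlantis"` block starts and ends outside the hunk.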
diff --git a/main.tf b/main.tf
index f414cedb..7b66568c 100644
--- a/main.tf
+++ b/main.tf
@@ -454,7 +454,7 @@ resource "aws_efs_file_system" "this" {
resource "aws_efs_mount_target" "this" {
# we coalescelist in order to specify the resource keys when we create the subnets using the VPC or they're specified for us. This works around the for_each value depends on attributes which can't be determined until apply error
for_each = {
- for k, v in zipmap(coalescelist(var.private_subnets, var.private_subnet_ids), local.private_subnet_ids) : k => v
+ for k, v in zipmap(coalescelist(var.private_subnets, var.private_subnet_ids, [""]), local.private_subnet_ids) : k => v
if var.enable_ephemeral_storage == false
}
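Review bot: The `[""]` sentinel added to `coalescelist` only moves the failure: when both `var.private_subnets` and `var.private_subnet_ids` are empty the key list becomes `[""]`, and unless `local.private_subnet_ids` (defined outside this hunk) is padded the same way, `zipmap` will presumably reject the mismatched key/value lengths before the `if` filter is ever applied. It would help to say why the sentinel is there and what the values side must guarantee, e.g. `# [""] keeps coalescelist from erroring when no subnets are given; local.private_subnet_ids must then produce a matching single entry`. The `aws_efs_mount_target.this` resource continues past the hunk.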
@@ -534,6 +534,7 @@ resource "aws_iam_role" "ecs_task_execution" {
assume_role_policy = data.aws_iam_policy_document.ecs_tasks.json
max_session_duration = var.max_session_duration
permissions_boundary = var.permissions_boundary
+ path = var.path
tags = local.tags
}
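Review bot: Setting `path = var.path` changes the role's ARN (the path is embedded between `role/` and the role name), so any place in the module that refers to this role by a constructed name rather than `aws_iam_role.ecs_task_execution.arn` — trust policies or `iam:PassRole` statements outside this hunk, if there are any — would stop matching as soon as a non-default path is used. The variable description promises that "all IAM roles" get the path, but this hunk applies it to `ecs_task_execution` only; if the module creates other roles, each of them needs the same `path = var.path` line, otherwise a boundary or SCP that scopes `iam:CreateRole` to that path will reject the others. A short comment would make the coupling visible: `# path is part of the role ARN; always reference the role via .arn/.name, never a hand-built string`. The `aws_iam_role.ecs_task_execution` block begins before the hunk.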
diff --git a/variables.tf b/variables.tf
index aa22444c..274b1a3a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -305,6 +305,12 @@ variable "permissions_boundary" {
default = null
}
+variable "path" {
+ description = "If provided, all IAM roles will be created with this path."
+ type = string
+ default = "/"
+}
+
variable "policies_arn" {
description = "A list of the ARN of the policies you want to apply"
type = list(string)