add permissions_boundary var to rift role

titilambert · titilambert · commit fc2b21656660 · 2025-09-11T13:48:35.000-04:00
diff --git a/rift_compute/iam.tf b/rift_compute/iam.tf
@@ -17,6 +17,7 @@ resource "aws_iam_role" "rift_compute_manager" {
       }
     ]
   })
+  permissions_boundary = var.rift_role_permissions_boundary_arn
 }
 
 resource "aws_iam_policy" "manage_rift_compute" {
diff --git a/rift_compute/variables.tf b/rift_compute/variables.tf
@@ -149,3 +149,9 @@ variable "additional_s3_read_access_buckets" {
   description = "List of additional S3 bucket names in the dataplane account that the rift compute role should have read access to. The role will be granted GetObject, ListBucket, HeadObject, and HeadBucket permissions for these buckets."
   default     = []
 }
+
+variable "rift_role_permissions_boundary_arn" {
+  type        = string
+  description = "ARN of the policy that is used to set the permissions boundary for the rift compute role"
+  default     = null
+}

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ resource "aws_iam_role" "rift_compute_manager" {`
`17`	`17`	`}`
`18`	`18`	`]`
`19`	`19`	`})`
	`20`	`+ permissions_boundary = var.rift_role_permissions_boundary_arn`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`resource "aws_iam_policy" "manage_rift_compute" {`