tecton-ai · titilambert · Sep 12, 2025 · Sep 11, 2025 · Sep 12, 2025
diff --git a/deployment/roles.tf b/deployment/roles.tf
@@ -40,6 +40,7 @@ resource "aws_iam_role" "cross_account_role" {
       ]
     })
   }
+  permissions_boundary = var.deployment_role_permissions_boundary_arn
 }
 
 data "aws_iam_policy_document" "cross_account_role_assume_role_metadata" {

diff --git a/deployment/variables.tf b/deployment/variables.tf
@@ -130,4 +130,10 @@ variable "include_crossaccount_bucket_access" {
   type        = bool
   description = "Whether to grant direct cross-account bucket access"
   default     = true
-}
+}
+
+variable "deployment_role_permissions_boundary_arn" {
+  type        = string
+  description = "ARN of the policy that is used to set the permissions boundary for the deployment role"
+  default     = null
+}
diff --git a/modules/dataplane_rift/infrastructure.tf b/modules/dataplane_rift/infrastructure.tf
@@ -25,6 +25,7 @@ module "tecton" {
   kms_key_id                         = var.kms_key_id
   controlplane_access_only           = var.controlplane_access_only
   include_crossaccount_bucket_access = var.include_crossaccount_bucket_access
+  deployment_role_permissions_boundary_arn = var.deployment_role_permissions_boundary_arn
 }
 
 
@@ -58,6 +59,8 @@ module "rift" {
   use_network_firewall = var.use_network_firewall
   # Domains can be extended as needed:
   additional_allowed_egress_domains = var.additional_allowed_egress_domains
+
+  rift_role_permissions_boundary_arn = var.rift_role_permissions_boundary_arn
 }
 
 # S3 module to store outputs
@@ -89,4 +92,4 @@ module "tecton_outputs" {
     nat_gateway_public_ips         = module.rift.nat_gateway_public_ips
     rift_compute_security_group_id = module.rift.rift_compute_security_group_id
   }
-}
+}
diff --git a/modules/dataplane_rift/variables.tf b/modules/dataplane_rift/variables.tf
@@ -132,3 +132,15 @@ variable "outputs_location_config" {
     type = "tecton_hosted_presigned"
   }
 }
+
+variable "deployment_role_permissions_boundary_arn" {
+  type        = string
+  description = "ARN of the policy that is used to set the permissions boundary for the deployment role"
+  default     = null
+}
+
+variable "rift_role_permissions_boundary_arn" {
+  type        = string
+  description = "ARN of the policy that is used to set the permissions boundary for the rift compute roles"
+  default     = null
+}
diff --git a/rift_compute/iam.tf b/rift_compute/iam.tf
@@ -17,6 +17,7 @@ resource "aws_iam_role" "rift_compute_manager" {
       }
     ]
   })
+  permissions_boundary = var.rift_role_permissions_boundary_arn
 }
 
 resource "aws_iam_policy" "manage_rift_compute" {
@@ -57,6 +58,7 @@ resource "aws_iam_role" "rift_compute" {
       }
     ]
   })
+  permissions_boundary = var.rift_role_permissions_boundary_arn
 }
 
 resource "aws_iam_instance_profile" "rift_compute" {

diff --git a/rift_compute/variables.tf b/rift_compute/variables.tf
@@ -149,3 +149,9 @@ variable "additional_s3_read_access_buckets" {
   description = "List of additional S3 bucket names in the dataplane account that the rift compute role should have read access to. The role will be granted GetObject, ListBucket, HeadObject, and HeadBucket permissions for these buckets."
   default     = []
 }
+
+variable "rift_role_permissions_boundary_arn" {
+  type        = string
+  description = "ARN of the policy that is used to set the permissions boundary for the rift compute roles"
+  default     = null
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -40,6 +40,7 @@ resource "aws_iam_role" "cross_account_role" { @@
           ]
         })
       }
+      permissions_boundary = var.deployment_role_permissions_boundary_arn
     }
     data "aws_iam_policy_document" "cross_account_role_assume_role_metadata" {
@@ Expand Down @@