Merge pull request #11 from troydieter/feature/add-permissions_bounda…

…ry-option

Added permissions_boundary variable, input and added to README descri…

README.md

@@ -57,6 +57,7 @@ module "lambda-scheduler" {
   rds_schedule = "true"
   default = "{\"mon\": {\"start\": [7], \"stop\": [19]},\"tue\": {\"start\": [7], \"stop\": [19]},\"wed\": {\"start\": [9, 22], \"stop\": [19]},\"thu\": {\"start\": [7], \"stop\": [2,19]}, \"fri\": {\"start\": [7], \"stop\": [19]}, \"sat\": {\"start\": [22]}, \"sun\": {\"stop\": [7]}}"
   time = "Europe/London"
+  permissions_boundary = "arn:aws:iam::AWSACCTID:policy/optional-permissions-boundary-ARN"
 }
 ```
 ## variables
@@ -99,6 +100,9 @@ Default for default is:
 ### time
 Timezone to use for scheduler. Can be 'local', 'gmt' or an Olson timezone from https://gist.github.com/ykessler/3349954. default is 'gmt'. local time is for the AWS region.
 
+### permissions_boundary
+An optional AWS IAM permissions boundary ARN to be attached to the AWS IAM role. default = "".
+
 ### ec2_schedule
 Whether to do scheduling for EC2 instances. default = "true".
 

main.tf

@@ -16,6 +16,7 @@ resource "aws_cloudwatch_event_target" "check-scheduler-event-lambda-target" {
 # IAM Role for Lambda function
 resource "aws_iam_role" "scheduler_lambda" {
   name               = "${var.resource_name_prefix}scheduler_lambda"
+  permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : ""
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",

variables.tf

@@ -14,6 +14,12 @@ variable "schedule_tag_force" {
   description = "Whether to force the EC2 or RDS instance to have the default schedule tag is no schedule tag exists for the instance."
 }
 
+variable "permissions_boundary" {
+  type 		  = string
+  default 	  = ""
+  description = "AWS IAM Permissions Boundary ARN to be attached to the IAM Role"
+}
+
 variable "exclude" {
   default     = ""
   description = "common separated list of EC2 and RDS instance ids to exclude from scheduling."