From b195f3e678f9237369fff3e80a01f76604975642 Mon Sep 17 00:00:00 2001
From: PePe Amengual <jose.amengual@gmail.com>
Date: Fri, 8 Apr 2022 14:42:33 -0700
Subject: [PATCH 1/4] adding policy boundary to roles and optional tags

---
 modules/account-settings/main.tf      |  4 +++-
 modules/account-settings/variables.tf | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/modules/account-settings/main.tf b/modules/account-settings/main.tf
index 8a94a8e..b64d840 100644
--- a/modules/account-settings/main.tf
+++ b/modules/account-settings/main.tf
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "api_gateway_permissions" {
 
 module "role" {
   source  = "cloudposse/iam-role/aws"
-  version = "0.14.0"
+  version = "0.16.0"
 
   enabled = local.create_iam_role
   #name         = module.iam_role_label.id
@@ -46,6 +46,8 @@ module "role" {
   policy_document_count = 1
   policy_description    = "Allow API Gateway to send logs to CloudWatch IAM policy"
   role_description      = "Allow API Gateway to send logs to CloudWatch"
+  permission_boundary   = var.permission_boundary
+  role_tags_enabled     = var.role_tags_enabled
 
   context = module.this.context
 }
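Review bot: `var.permission_boundary` on the added line does not match the variable this same patch declares in `variables.tf` (`permissions_boundary`), so this commit does not pass `terraform validate` on its own; 3/4 ("fixing typo") corrects the name, and `role_tags_enabled` is renamed again to `tags_enabled` in 4/4. Consider squashing 1/4 with 3/4 (and the rename from 4/4) so that every commit in the series validates, which keeps `git bisect` usable. The `module "role"` block opens before this hunk.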
diff --git a/modules/account-settings/variables.tf b/modules/account-settings/variables.tf
index ff489ed..06e56d4 100644
--- a/modules/account-settings/variables.tf
+++ b/modules/account-settings/variables.tf
@@ -3,3 +3,15 @@ variable "iam_role_arn" {
   description = "ARN of the IAM role for API Gateway to use. If not specified, a new role will be created."
   default     = null
 }
+
+variable "role_tags_enabled" {
+  type        = string
+  description = "Enable/disable tags on IAM roles"
+  default     = true
+}
+
+variable "permissions_boundary" {
+  type        = string
+  default     = ""
+  description = "ARN of the policy that is used to set the permissions boundary for the role"
+}
\ No newline at end of file
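Review bot: `role_tags_enabled` is declared `type = string` with `default = true`, but it is a boolean switch; Terraform converts the default to `"true"`, yet any other string (`"yes"`, `"on"`) passes this variable's own type check and only fails later, with a less direct error, if the downstream module converts it to a `bool` input (the hunk does not show that input's type). Declare it as `type = bool` so the check happens at the module boundary the caller sees. The same mismatch is introduced for `iam_tags_enabled` in 4/4 (root `variables.tf`, and the `string` column the generated README/docs tables show for it). Independently, the file is left without a trailing newline.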

From 92d3bfc9d4c8b1fa68795200bdf9ad228007b3d0 Mon Sep 17 00:00:00 2001
From: PePe Amengual <jose.amengual@gmail.com>
Date: Fri, 8 Apr 2022 14:55:27 -0700
Subject: [PATCH 2/4] Adding permission boundary

---
 main.tf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 86c38a6..8623613 100644
--- a/main.tf
+++ b/main.tf
@@ -26,8 +26,10 @@ resource "aws_api_gateway_rest_api_policy" "this" {
 }
 
 module "cloudwatch_log_group" {
-  source  = "cloudposse/cloudwatch-logs/aws"
-  version = "0.6.2"
+  # source  = "cloudposse/cloudwatch-logs/aws"
+  # version = "0.6.2"
+  source = "git::https://github.com/cloudposse/terraform-aws-cloudwatch-logs.git?ref=add_policy_boundary"
+  
 
   enabled = local.create_log_group
   context = module.this.context
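Review bot: The new `source` pins the module to a mutable branch (`?ref=add_policy_boundary`) rather than a release or commit, so what `terraform init` fetches can change between runs and the registry version constraint is lost; 4/4 restores the registry source at `0.6.5`, so this intermediate state should not remain in history — squash it into 4/4. If a git source is ever needed before a release exists, pin `ref=` to a full commit SHA instead of a branch name. The hunk also leaves two commented-out `source`/`version` lines and a whitespace-only line. The `module "cloudwatch_log_group"` block closes after this hunk.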

From 7bd4816f4fb321e991cd8b43ff6270a7d6ae287e Mon Sep 17 00:00:00 2001
From: PePe Amengual <jose.amengual@gmail.com>
Date: Fri, 8 Apr 2022 15:07:25 -0700
Subject: [PATCH 3/4] fixing typo

---
 modules/account-settings/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/account-settings/main.tf b/modules/account-settings/main.tf
index b64d840..3258ec4 100644
--- a/modules/account-settings/main.tf
+++ b/modules/account-settings/main.tf
@@ -46,7 +46,7 @@ module "role" {
   policy_document_count = 1
   policy_description    = "Allow API Gateway to send logs to CloudWatch IAM policy"
   role_description      = "Allow API Gateway to send logs to CloudWatch"
-  permission_boundary   = var.permission_boundary
+  permissions_boundary   = var.permissions_boundary
   role_tags_enabled     = var.role_tags_enabled
 
   context = module.this.context

From 28acf68cfc5f7e98b4f1079d94ae0c0fe7d48b0e Mon Sep 17 00:00:00 2001
From: PePe Amengual <jose.amengual@gmail.com>
Date: Wed, 13 Apr 2022 20:14:29 -0700
Subject: [PATCH 4/4] Update cloudwatch-log module and add permission boundary
 and iam_tags var

---
 README.md                             |  4 +++-
 docs/terraform.md                     |  4 +++-
 main.tf                               | 11 ++++++-----
 modules/account-settings/main.tf      |  6 +++---
 modules/account-settings/variables.tf |  2 +-
 variables.tf                          | 12 ++++++++++++
 6 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index c936563..ddc6722 100644
--- a/README.md
+++ b/README.md
@@ -155,7 +155,7 @@ Available targets:
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | cloudposse/cloudwatch-logs/aws | 0.6.2 |
+| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | cloudposse/cloudwatch-logs/aws | 0.6.5 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -182,6 +182,7 @@ Available targets:
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of the endpoint. One of - PUBLIC, PRIVATE, REGIONAL | `string` | `"REGIONAL"` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| <a name="input_iam_tags_enabled"></a> [iam\_tags\_enabled](#input\_iam\_tags\_enabled) | Enable/disable tags on IAM roles and policies | `string` | `true` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
@@ -192,6 +193,7 @@ Available targets:
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_openapi_config"></a> [openapi\_config](#input\_openapi\_config) | The OpenAPI specification for the API | `any` | `{}` | no |
+| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `""` | no |
 | <a name="input_private_link_target_arns"></a> [private\_link\_target\_arns](#input\_private\_link\_target\_arns) | A list of target ARNs for VPC Private Link | `list(string)` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_rest_api_policy"></a> [rest\_api\_policy](#input\_rest\_api\_policy) | The IAM policy document for the API. | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 2171d9b..4a3e8ba 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -16,7 +16,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | cloudposse/cloudwatch-logs/aws | 0.6.2 |
+| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | cloudposse/cloudwatch-logs/aws | 0.6.5 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -43,6 +43,7 @@
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | The type of the endpoint. One of - PUBLIC, PRIVATE, REGIONAL | `string` | `"REGIONAL"` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| <a name="input_iam_tags_enabled"></a> [iam\_tags\_enabled](#input\_iam\_tags\_enabled) | Enable/disable tags on IAM roles and policies | `string` | `true` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
@@ -53,6 +54,7 @@
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_openapi_config"></a> [openapi\_config](#input\_openapi\_config) | The OpenAPI specification for the API | `any` | `{}` | no |
+| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `""` | no |
 | <a name="input_private_link_target_arns"></a> [private\_link\_target\_arns](#input\_private\_link\_target\_arns) | A list of target ARNs for VPC Private Link | `list(string)` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_rest_api_policy"></a> [rest\_api\_policy](#input\_rest\_api\_policy) | The IAM policy document for the API. | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 8623613..e9acd1c 100644
--- a/main.tf
+++ b/main.tf
@@ -26,12 +26,13 @@ resource "aws_api_gateway_rest_api_policy" "this" {
 }
 
 module "cloudwatch_log_group" {
-  # source  = "cloudposse/cloudwatch-logs/aws"
-  # version = "0.6.2"
-  source = "git::https://github.com/cloudposse/terraform-aws-cloudwatch-logs.git?ref=add_policy_boundary"
-  
+  source  = "cloudposse/cloudwatch-logs/aws"
+  version = "0.6.5"
+
+  enabled              = local.create_log_group
+  iam_tags_enabled     = var.iam_tags_enabled
+  permissions_boundary = var.permissions_boundary
 
-  enabled = local.create_log_group
   context = module.this.context
 }
 
diff --git a/modules/account-settings/main.tf b/modules/account-settings/main.tf
index 3258ec4..af39802 100644
--- a/modules/account-settings/main.tf
+++ b/modules/account-settings/main.tf
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "api_gateway_permissions" {
 
 module "role" {
   source  = "cloudposse/iam-role/aws"
-  version = "0.16.0"
+  version = "0.16.1"
 
   enabled = local.create_iam_role
   #name         = module.iam_role_label.id
@@ -46,8 +46,8 @@ module "role" {
   policy_document_count = 1
   policy_description    = "Allow API Gateway to send logs to CloudWatch IAM policy"
   role_description      = "Allow API Gateway to send logs to CloudWatch"
-  permissions_boundary   = var.permissions_boundary
-  role_tags_enabled     = var.role_tags_enabled
+  permissions_boundary  = var.permissions_boundary
+  tags_enabled          = var.iam_tags_enabled
 
   context = module.this.context
 }
diff --git a/modules/account-settings/variables.tf b/modules/account-settings/variables.tf
index 06e56d4..b17ea3f 100644
--- a/modules/account-settings/variables.tf
+++ b/modules/account-settings/variables.tf
@@ -4,7 +4,7 @@ variable "iam_role_arn" {
   default     = null
 }
 
-variable "role_tags_enabled" {
+variable "iam_tags_enabled" {
   type        = string
   description = "Enable/disable tags on IAM roles"
   default     = true
diff --git a/variables.tf b/variables.tf
index 75f95c5..805298a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -109,3 +109,15 @@ variable "private_link_target_arns" {
   description = "A list of target ARNs for VPC Private Link"
   default     = []
 }
+
+variable "iam_tags_enabled" {
+  type        = string
+  description = "Enable/disable tags on IAM roles and policies"
+  default     = true
+}
+
+variable "permissions_boundary" {
+  type        = string
+  default     = ""
+  description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+}
\ No newline at end of file
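Review bot: The `permissions_boundary` description should state what the empty default means — no boundary is attached — and that the boundary only limits roles this module itself creates (the `main.tf` hunk in this patch wires it into `cloudwatch_log_group`), not any externally supplied role. Because a value that is not an IAM policy ARN is only rejected by AWS at apply time, a `validation` block that accepts the empty string or an IAM policy ARN fails fast at plan time; that needs Terraform 0.13 or later, which I cannot confirm from this hunk — check the version constraint in the repo. The file is also left without a trailing newline.
```hcl
# … unchanged: iam_tags_enabled variable …

variable "permissions_boundary" {
  type        = string
  default     = ""
  description = "ARN of the IAM policy to use as the permissions boundary for IAM roles created by this module. Empty string (the default) attaches no boundary."

  validation {
    condition     = var.permissions_boundary == "" || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:policy/", var.permissions_boundary))
    error_message = "The permissions_boundary value must be empty or an IAM policy ARN."
  }
}
```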