From b6cb4eb24db66635b3cafbbfbcfc74fd406e9bf7 Mon Sep 17 00:00:00 2001
From: Mike Christopher
Date: Tue, 28 Mar 2023 17:03:09 -0700
Subject: [PATCH 1/2] Add support for permission boundries

---
 replication.tf | 5 +++--
 variables.tf | 6 ++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/replication.tf b/replication.tf
index cb0af93c..6f4014b1 100644
--- a/replication.tf
+++ b/replication.tf
@@ -1,8 +1,9 @@
 resource "aws_iam_role" "replication" {
 count = local.replication_enabled ? 1 : 0
- name = format("%s-replication", module.this.id)
- assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
+ name = format("%s-replication", module.this.id)
+ assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
+ permissions_boundary = var.s3_replication_permission_boundry_arn
 }
 data "aws_iam_policy_document" "replication_sts" {
diff --git a/variables.tf b/variables.tf
index 2e73eaf7..c3fd2d9e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -280,6 +280,12 @@ variable "s3_replication_source_roles" {
 description = "Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy)."
 }
+variable "s3_replication_permission_boundry_arn" {
+ type = string
+ default = null
+ description = "Permission boundry of the IAM replication role. Defaults to null."
+}
 variable "bucket_name" {
 type = string
 default = null
From 7210e1fa5c5cc624ba408d185ad71174c25bf265 Mon Sep 17 00:00:00 2001
From: Mike Christopher
Date: Tue, 28 Mar 2023 21:43:50 -0700
Subject: [PATCH 2/2] fix: spelling

---
 replication.tf | 2 +-
 variables.tf | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/replication.tf b/replication.tf
index 6f4014b1..04bcce3d 100644
--- a/replication.tf
+++ b/replication.tf
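Review bot: The new `s3_replication_permission_boundry_arn` variable in the variables.tf hunk (renamed to `s3_replication_permission_boundary_arn` in PATCH 2/2) is an unconstrained `string`, so a mistyped or non-IAM ARN is only rejected at apply time inside `aws_iam_role.replication`, after the plan has already been approved. Because the boundary is the guardrail on what the replication role may do, a plan-time `validation` block that accepts null or an IAM policy ARN (`arn:<partition>:iam::<account-id>:policy/<name>`) surfaces the mistake earlier with a clear message; this assumes the module already pins a Terraform version that supports `validation` blocks, which I can't see from here. The description's "Defaults to null" merely restates the `default` line; telling callers what null means — no boundary is attached, so the role is limited only by its attached policies — is more useful. PATCH 2/2 rewrites the same variable block, so the validation belongs on the renamed variable there.
```hcl
variable "s3_replication_permission_boundary_arn" {
  type        = string
  default     = null
  description = "ARN of the IAM permissions boundary policy to attach to the replication role. When null, no boundary is attached."

  validation {
    # Accept null (no boundary) or an IAM policy ARN in any partition; the region field of an IAM ARN is empty.
    condition     = var.s3_replication_permission_boundary_arn == null || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:policy/.+", var.s3_replication_permission_boundary_arn))
    error_message = "s3_replication_permission_boundary_arn must be null or an IAM policy ARN (arn:<partition>:iam::<account-id>:policy/<name>)."
  }
}
```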
@@ -3,7 +3,7 @@ resource "aws_iam_role" "replication" {
 name = format("%s-replication", module.this.id)
 assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
- permissions_boundary = var.s3_replication_permission_boundry_arn
+ permissions_boundary = var.s3_replication_permission_boundary_arn
 }
 data "aws_iam_policy_document" "replication_sts" {
diff --git a/variables.tf b/variables.tf
index c3fd2d9e..c3ffc9a0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -280,10 +280,10 @@ variable "s3_replication_source_roles" {
 description = "Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy)."
 }
-variable "s3_replication_permission_boundry_arn" {
+variable "s3_replication_permission_boundary_arn" {
 type = string
 default = null
- description = "Permission boundry of the IAM replication role. Defaults to null."
+ description = "Permission boundary ARN of the IAM replication role. Defaults to null."
 }
 variable "bucket_name" {