
[Bug]: partial support for role permission boundary #293

@mdemarqu

Description


Welcome to the AWS Observability Accelerator

  • Yes, I've searched similar issues on GitHub and didn't find any.

AWS Observability Accelerator Release version

2.13.0

What is your environment, configuration and the example used?

Example: "existing-cluster-with-base-and-infra"
with enable_managed_prometheus = false and a provided managed_prometheus_workspace_id

Terraform v1.12.2

  • provider registry.terraform.io/alekc/kubectl v2.1.3
  • provider registry.terraform.io/hashicorp/aws v6.2.0
  • provider registry.terraform.io/hashicorp/helm v2.17.0
  • provider registry.terraform.io/hashicorp/kubernetes v2.37.1
  • provider registry.terraform.io/hashicorp/random v3.7.2

What did you do and What did you see instead?

On my AWS account, role creation is allowed only if a specific permission boundary is set.
I set "irsa_iam_permissions_boundary" to the given permission boundary ARN.
However, the permission boundary is not propagated to the "cluster_secretstore_role" resource in "eks-monitoring/add-ons/external-secrets/main.tf": role creation fails.

Workaround
Add the irsa_iam_permissions_boundary input variable to this module call:

```hcl
module "cluster_secretstore_role" {
  source                        = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/irsa?ref=v4.32.1"
  kubernetes_namespace          = local.namespace
  create_kubernetes_namespace   = false
  kubernetes_service_account    = local.cluster_secretstore_sa
  irsa_iam_policies             = [aws_iam_policy.cluster_secretstore.arn]
  eks_cluster_id                = var.addon_context.eks_cluster_id
  eks_oidc_provider_arn         = var.addon_context.eks_oidc_provider_arn
  depends_on                    = [module.external_secrets]
  # Added line: propagate the boundary from the add-on context so the IRSA role is created with it
  irsa_iam_permissions_boundary = var.addon_context.irsa_iam_permissions_boundary
}
```
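A module call that drops the boundary is easy to miss in review and only surfaces as an `AccessDenied` on `iam:CreateRole` at apply time. One way to catch the whole class before `terraform apply` is a plan-time gate over `terraform show -json tfplan` that fails if any `aws_iam_role` being created or updated does not carry the mandated boundary. The script below is an added example and is not code from the AWS Observability Accelerator, EKS Blueprints, or the issue reporter; the boundary ARN, the resource addresses and the plan fragment are constructed for illustration.

```python
"""Gate a Terraform plan on IAM permissions boundaries.

Usage:
    terraform plan -out tfplan
    terraform show -json tfplan | python check_boundary.py

With nothing on stdin the script runs against the constructed SAMPLE_PLAN below.
"""
import json
import sys

# Assumed boundary ARN for illustration; replace with the one your account mandates.
REQUIRED_BOUNDARY = "arn:aws:iam::123456789012:policy/DeveloperBoundary"

# Constructed plan fragment in `terraform show -json` shape (not real Terraform output).
# Unknown-at-plan-time attributes are omitted from "after" and listed in "after_unknown",
# which is how Terraform encodes values that are only computed during apply.
SAMPLE_PLAN = json.loads(r'''{
  "format_version": "1.2",
  "resource_changes": [
    {
      "address": "module.external_secrets_irsa.aws_iam_role.irsa[0]",
      "type": "aws_iam_role",
      "change": {
        "actions": ["create"],
        "after": {
          "name": "external-secrets-sa-irsa",
          "permissions_boundary": "arn:aws:iam::123456789012:policy/DeveloperBoundary"
        }
      }
    },
    {
      "address": "module.cluster_secretstore_role.aws_iam_role.irsa[0]",
      "type": "aws_iam_role",
      "change": {
        "actions": ["create"],
        "after": {"name": "cluster-secretstore-sa-irsa", "permissions_boundary": null}
      }
    },
    {
      "address": "module.late_bound.aws_iam_role.this",
      "type": "aws_iam_role",
      "change": {
        "actions": ["create"],
        "after": {"name": "late-bound"},
        "after_unknown": {"permissions_boundary": true}
      }
    },
    {
      "address": "aws_iam_role.wrong_boundary",
      "type": "aws_iam_role",
      "change": {
        "actions": ["update"],
        "after": {
          "name": "wrong-boundary",
          "permissions_boundary": "arn:aws:iam::123456789012:policy/AdminBoundary"
        }
      }
    },
    {
      "address": "aws_iam_policy.cluster_secretstore",
      "type": "aws_iam_policy",
      "change": {"actions": ["create"], "after": {"name": "cluster-secretstore"}}
    },
    {
      "address": "aws_iam_role.retired",
      "type": "aws_iam_role",
      "change": {"actions": ["delete"], "before": {"name": "retired"}, "after": null}
    }
  ]
}''')


def roles_missing_boundary(plan, required_boundary=REQUIRED_BOUNDARY):
    """Map each aws_iam_role being created or updated without the required
    boundary to a reason string. Deletes and no-ops are ignored because they
    cannot leave a new unbounded role behind."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_iam_role":
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        boundary = after.get("permissions_boundary")
        if boundary == required_boundary:
            continue
        if unknown.get("permissions_boundary"):
            # Computed at apply time: cannot be verified here, so block the gate.
            findings[rc["address"]] = "unknown until apply"
        elif not boundary:
            findings[rc["address"]] = "missing"
        else:
            findings[rc["address"]] = f"wrong boundary: {boundary}"
    return findings


def main():
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    plan = json.loads(raw) if raw.strip() else SAMPLE_PLAN
    findings = roles_missing_boundary(plan)
    for address, reason in sorted(findings.items()):
        print(f"FAIL {address}: {reason}")
    if not findings:
        print("OK: every planned aws_iam_role carries the required permissions boundary")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed plan it reports the cluster_secretstore role as `missing`, the computed one as `unknown until apply` and the AdminBoundary role as `wrong boundary`, and exits non-zero; the pre-existing external-secrets role, the policy and the delete are left alone. Treating an unknown boundary as a failure is deliberate: a gate that cannot prove the boundary at plan time should not let the apply proceed on the assumption that it will resolve correctly.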
