diff --git a/README.md b/README.md
index aa194bd..821ef44 100644
--- a/README.md
+++ b/README.md
@@ -321,6 +321,7 @@ Available targets:
| [mfa\_delete](#input\_mfa\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no |
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `""` | no |
| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
| [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
| [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units | `number` | `5` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 39fc4ba..546f950 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -76,6 +76,7 @@
| [mfa\_delete](#input\_mfa\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no |
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `""` | no |
| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
| [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
| [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units | `number` | `5` | no |
diff --git a/replication.tf b/replication.tf
index da11db2..f154b48 100644
--- a/replication.tf
+++ b/replication.tf
@@ -1,8 +1,9 @@
resource "aws_iam_role" "replication" {
count = local.enabled && var.s3_replication_enabled ? 1 : 0
- name = format("%s-replication", module.this.id)
- assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
+ name = format("%s-replication", module.this.id)
+ assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
+ permissions_boundary = var.permissions_boundary
}
data "aws_iam_policy_document" "replication_sts" {
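Review bot: The new `permissions_boundary = var.permissions_boundary` line forwards the variable's empty-string default verbatim, so a caller who never sets the input sends `""` as the boundary ARN instead of omitting the argument; whether the provider treats `""` as unset or rejects it as an invalid ARN depends on the provider version, so it is safer to normalise it at the call site, `permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null`. The variables.tf hunk has the same root cause: `default = ""` could become `default = null` so that omission semantics come for free and no conditional is needed here. The `data "aws_iam_policy_document" "replication_sts"` block on the last context line continues outside the hunk.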
diff --git a/variables.tf b/variables.tf
index f80d6b8..a82fb17 100644
--- a/variables.tf
+++ b/variables.tf
@@ -194,3 +194,8 @@ variable "dynamodb_table_name" {
default = null
description = "Override the name of the DynamoDB table which defaults to using `module.dynamodb_table_label.id`"
}
+variable "permissions_boundary" {
+ type = string
+ default = ""
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+}
\ No newline at end of file
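Review bot: The description `ARN of the policy that is used to set the permissions boundary for the IAM role` does not say which role, and in this diff the only consumer is `aws_iam_role.replication` in replication.tf, so `description = "ARN of the IAM policy used as the permissions boundary for the S3 replication IAM role"` would tell callers what the input actually governs; whether other roles in the module should also receive it cannot be told from this diff. A `validation` block on the variable that accepts only an empty value or a string starting with `arn:` would surface a mistyped ARN at plan time rather than at apply, since the value is handed straight to the provider. The new block also drops the file's trailing newline, which the `\ No newline at end of file` marker shows.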