Export the role policy document (#3)

* Add the iam_policy_document output in case we are already using a role. * append cloudwatch_agent to the name so that those resources do not collide with existing ones * update the readme with a another example and add the new output * fix the example names * Update outputs.tf Co-Authored-By: parabolic <[email protected]> * Update README.md Co-Authored-By: parabolic <[email protected]> * Update README.yaml Co-Authored-By: parabolic <[email protected]> * Update README.yaml Co-Authored-By: parabolic <[email protected]> * Update outputs.tf Co-Authored-By: parabolic <[email protected]> * Fix the output description and add a real data resource for the AMI. * add the `cloudwatch-agent` attribute * fix a typo in the readme * Add the attributes as a list variable with a default value
cloudposse-archives · May 17, 2019 · da1213e · da1213e
1 parent fae0a1d
commit da1213e
Show file tree

Hide file tree

Showing 6 changed files with 256 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -59,7 +59,7 @@ module "cloudwatch_agent" {
 
 resource "aws_launch_configuration" "multipart" {
   name_prefix          = "cloudwatch_agent"
-  image_id             = "${data.aws_ami.ecs-optimized.id}"
+  image_id             = "${data.aws_ami.ecs_optimized.id}"
   iam_instance_profile = "${aws_iam_instance_profile.cloudwatch_agent.name}"
   instance_type        = "t2.micro"
   user_data_base64     = "${module.cloudwatch_agent.user_data}"
@@ -70,6 +70,106 @@ resource "aws_launch_configuration" "multipart" {
     create_before_destroy = true
   }
 }
+
+data "aws_ami" "ecs_optimized" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-ecs-hvm-*-x86_64-*"]
+  }
+
+  owners = [
+    "amazon",
+  ]
+}
+```
+
+### Example with using the iam_policy_document and aws_iam_role:
+
+```hcl
+locals {
+  application {
+    name      = "cloudwatch_agent"
+    stage     = "dev"
+    namespace = "eg"
+  }
+}
+
+module "label" {
+  source      = "git::https://github.com/cloudposse/terraform-null-label.git?ref=master"
+  stage       = "${local.application["stage"]}"
+  name        = "${local.application["name"]}"
+  namespace   = "${local.application["namespace"]}"
+}
+
+module "cloudwatch_agent" {
+  source = "git::https://github.com/cloudposse/terraform-aws-cloudwatch-agent?ref=master"
+
+  name      = "${module.label.name}"
+  stage     = "${module.label.stage}"
+  namespace = "${module.label.namespace}"
+}
+
+resource "aws_launch_configuration" "multipart" {
+  name_prefix          = "${module.label.name}"
+  image_id             = "${data.aws_ami.ecs_optimized.id}"
+  iam_instance_profile = "${aws_iam_instance_profile.cloudwatch_agent.name}"
+  instance_type        = "t2.micro"
+  user_data_base64     = "${module.cloudwatch_agent.user_data}"
+  security_groups      = ["${aws_security_group.ecs.id}"]
+  key_name             = "${var.ssh_key_pair}"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+data "aws_ami" "ecs_optimized" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-ecs-hvm-*-x86_64-*"]
+  }
+
+  owners = [
+    "amazon",
+  ]
+}
+
+data "aws_iam_policy_document" "ec2_cloudwatch" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals = {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "ec2" {
+  name = "${module.label.id}"
+
+  assume_role_policy = "${data.aws_iam_policy_document.ec2_cloudwatch.json}"
+
+  tags = {
+    Name = "${module.label.id}"
+  }
+}
+
+resource "aws_iam_role_policy" "cloudwatch_agent" {
+  name   = "${module.label.id}"
+  policy = "${module.cloudwatch_agent.iam_policy_document}"
+  role   = "${aws_iam_role.ec2.id}"
+}
+
+resource "aws_iam_instance_profile" "cloudwatch_agent" {
+  name_prefix = "${module.label.name}"
+  role        = "${aws_iam_role.ec2.name}"
+}
 ```
 
 ### Example with passing user-data and using the role from the module using advanced metrics configuration:
@@ -92,7 +192,7 @@ data "template_file" "cloud-init" {
 
 resource "aws_launch_configuration" "multipart" {
   name_prefix          = "cloudwatch_agent"
-  image_id             = "${data.aws_ami.ecs-optimized.id}"
+  image_id             = "${data.aws_ami.ecs_optimized.id}"
   iam_instance_profile = "${aws_iam_instance_profile.cloudwatch_agent.name}"
   instance_type        = "t2.micro"
   user_data_base64     = "${module.cloudwatch_agent.user_data}"
@@ -104,6 +204,19 @@ resource "aws_launch_configuration" "multipart" {
   }
 }
 
+data "aws_ami" "ecs_optimized" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-ecs-hvm-*-x86_64-*"]
+  }
+
+  owners = [
+    "amazon",
+  ]
+}
+
 resource "aws_iam_instance_profile" "cloudwatch_agent" {
   name_prefix = "cloudwatch_agent"
   role        = "${module.cloudwatch_agent.role_name}"
@@ -130,6 +243,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | aggregation_dimensions | Specifies the dimensions that collected metrics are to be aggregated on. | list | `<list>` | no |
+| attributes | Add a suffix to the resource names. | list | `<list>` | no |
 | cpu_resources | Specifies that per-cpu metrics are to be collected. The only allowed value is *. If you include this field and value, per-cpu metrics are collected. | string | `"resources": ["*"],` | no |
 | disk_resources | Specifies an array of disk mount points. This field limits CloudWatch to collect metrics from only the listed mount points. You can specify * as the value to collect metrics from all mount points. Defaults to the root / mountpount. | list | `<list>` | no |
 | metrics_collection_interval | Specifies how often to collect the cpu metrics, overriding the global metrics_collection_interval specified in the agent section of the configuration file. If you set this value below 60 seconds, each metric is collected as a high-resolution metric. | string | `60` | no |
@@ -145,7 +259,8 @@ Available targets:
 
 | Name | Description |
 |------|-------------|
-| role_name | The role name that should be attached to the role policy |
+| iam_policy_document | The IAM policy document that can be attached to a role policy |
+| role_name | The name of the created IAM role that can be assumed by the instance |
 | user_data | The user_data with the cloudwatch_agent configuration in base64 and gzipped |
 
 

diff --git a/README.yaml b/README.yaml
@@ -113,7 +113,7 @@ usage: |-
 
   resource "aws_launch_configuration" "multipart" {
     name_prefix          = "cloudwatch_agent"
-    image_id             = "${data.aws_ami.ecs-optimized.id}"
+    image_id             = "${data.aws_ami.ecs_optimized.id}"
     iam_instance_profile = "${aws_iam_instance_profile.cloudwatch_agent.name}"
     instance_type        = "t2.micro"
     user_data_base64     = "${module.cloudwatch_agent.user_data}"
@@ -124,6 +124,106 @@ usage: |-
       create_before_destroy = true
     }
   }
+
+  data "aws_ami" "ecs_optimized" {
+    most_recent = true
+
+    filter {
+      name   = "name"
+      values = ["amzn2-ami-ecs-hvm-*-x86_64-*"]
+    }
+
+    owners = [
+      "amazon",
+    ]
+  }
+  ```
+
+  ### Example with using the iam_policy_document and aws_iam_role:
+
+  ```hcl
+  locals {
+    application {
+      name      = "cloudwatch_agent"
+      stage     = "dev"
+      namespace = "eg"
+    }
+  }
+
+  module "label" {
+    source      = "git::https://github.com/cloudposse/terraform-null-label.git?ref=master"
+    stage       = "${local.application["stage"]}"
+    name        = "${local.application["name"]}"
+    namespace   = "${local.application["namespace"]}"
+  }
+
+  module "cloudwatch_agent" {
+    source = "git::https://github.com/cloudposse/terraform-aws-cloudwatch-agent?ref=master"
+
+    name      = "${module.label.name}"
+    stage     = "${module.label.stage}"
+    namespace = "${module.label.namespace}"
+  }
+
+  resource "aws_launch_configuration" "multipart" {
+    name_prefix          = "${module.label.name}"
+    image_id             = "${data.aws_ami.ecs_optimized.id}"
+    iam_instance_profile = "${aws_iam_instance_profile.cloudwatch_agent.name}"
+    instance_type        = "t2.micro"
+    user_data_base64     = "${module.cloudwatch_agent.user_data}"
+    security_groups      = ["${aws_security_group.ecs.id}"]
+    key_name             = "${var.ssh_key_pair}"
+
+    lifecycle {
+      create_before_destroy = true
+    }
+  }
+
+  data "aws_ami" "ecs_optimized" {
+    most_recent = true
+
+    filter {
+      name   = "name"
+      values = ["amzn2-ami-ecs-hvm-*-x86_64-*"]
+    }
+
+    owners = [
+      "amazon",
+    ]
+  }
+
+  data "aws_iam_policy_document" "ec2_cloudwatch" {
+    statement {
+      effect  = "Allow"
+      actions = ["sts:AssumeRole"]
+
+      principals = {
+        type        = "Service"
+        identifiers = ["ec2.amazonaws.com"]
+      }
+    }
+  }
+
+  resource "aws_iam_role" "ec2" {
+    name = "${module.label.id}"
+
+    assume_role_policy = "${data.aws_iam_policy_document.ec2_cloudwatch.json}"
+
+    tags = {
+      Name = "${module.label.id}"
+    }
+  }
+
+  resource "aws_iam_role_policy" "cloudwatch_agent" {
+    name   = "${module.label.id}"
+    policy = "${module.cloudwatch_agent.iam_policy_document}"
+    role   = "${aws_iam_role.ec2.id}"
+  }
+
+  resource "aws_iam_instance_profile" "cloudwatch_agent" {
+    name_prefix = "${module.label.name}"
+    role        = "${aws_iam_role.ec2.name}"
+  }
   ```
 
   ### Example with passing user-data and using the role from the module using advanced metrics configuration:
@@ -146,7 +246,7 @@ usage: |-
 
   resource "aws_launch_configuration" "multipart" {
     name_prefix          = "cloudwatch_agent"
-    image_id             = "${data.aws_ami.ecs-optimized.id}"
+    image_id             = "${data.aws_ami.ecs_optimized.id}"
     iam_instance_profile = "${aws_iam_instance_profile.cloudwatch_agent.name}"
     instance_type        = "t2.micro"
     user_data_base64     = "${module.cloudwatch_agent.user_data}"
@@ -158,6 +258,19 @@ usage: |-
     }
   }
 
+  data "aws_ami" "ecs_optimized" {
+    most_recent = true
+
+    filter {
+      name   = "name"
+      values = ["amzn2-ami-ecs-hvm-*-x86_64-*"]
+    }
+
+    owners = [
+      "amazon",
+    ]
+  }
+
   resource "aws_iam_instance_profile" "cloudwatch_agent" {
     name_prefix = "cloudwatch_agent"
     role        = "${module.cloudwatch_agent.role_name}"

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -3,6 +3,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | aggregation_dimensions | Specifies the dimensions that collected metrics are to be aggregated on. | list | `<list>` | no |
+| attributes | Add a suffix to the resource names. | list | `<list>` | no |
 | cpu_resources | Specifies that per-cpu metrics are to be collected. The only allowed value is *. If you include this field and value, per-cpu metrics are collected. | string | `"resources": ["*"],` | no |
 | disk_resources | Specifies an array of disk mount points. This field limits CloudWatch to collect metrics from only the listed mount points. You can specify * as the value to collect metrics from all mount points. Defaults to the root / mountpount. | list | `<list>` | no |
 | metrics_collection_interval | Specifies how often to collect the cpu metrics, overriding the global metrics_collection_interval specified in the agent section of the configuration file. If you set this value below 60 seconds, each metric is collected as a high-resolution metric. | string | `60` | no |
@@ -18,6 +19,7 @@
 
 | Name | Description |
 |------|-------------|
-| role_name | The role name that should be attached to the role policy |
+| iam_policy_document | The IAM policy document that can be attached to a role policy |
+| role_name | The name of the created IAM role that can be assumed by the instance |
 | user_data | The user_data with the cloudwatch_agent configuration in base64 and gzipped |
 
diff --git a/main.tf b/main.tf
@@ -1,8 +1,9 @@
 module "label" {
-  source    = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.7.0"
-  stage     = "${var.stage}"
-  name      = "${var.name}"
-  namespace = "${var.namespace}"
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.7.0"
+  stage      = "${var.stage}"
+  name       = "${var.name}"
+  namespace  = "${var.namespace}"
+  attributes = "${var.attributes}"
 }
 
 data "template_file" "cloud_init_cloudwatch_agent" {

diff --git a/outputs.tf b/outputs.tf
@@ -4,6 +4,11 @@ output "user_data" {
 }
 
 output "role_name" {
-  description = "The role name that should be attached to the role policy"
+  description = "The name of the created IAM role that can be assumed by the instance"
   value       = "${aws_iam_role.ec2_cloudwatch.name}"
 }
+
+output "iam_policy_document" {
+  description = "The IAM policy document that can be attached to a role policy"
+  value       = "${data.aws_iam_policy_document.wildcard_cloudwatch_agent.json}"
+}
diff --git a/variables.tf b/variables.tf
@@ -72,3 +72,12 @@ EOF
   type    = "string"
   default = 60
 }
+
+variable "attributes" {
+  description = "Add a suffix to the resource names."
+  type        = "list"
+
+  default = [
+    "cloudwatch-agent",
+  ]
+}