diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 19dda01..b3ff80e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.71.0
+ rev: v1.72.1
hooks:
- id: terraform_fmt
- id: terraform_validate
diff --git a/README.md b/README.md
index aae2839..04780e4 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ Terraform module which creates Auto Scaling resources on AWS.
- Autoscaling group utilizing mixed instances policy
- Ability to configure autoscaling groups to set instance refresh configuration and add lifecycle hooks
- Ability to create an autoscaling group that respects `desired_capacity` or one that ignores to allow for scaling without conflicting Terraform diffs
+- IAM role and instance profile creation
## Usage
@@ -65,6 +66,18 @@ module "asg" {
ebs_optimized = true
enable_monitoring = true
+ # IAM role & instand profile
+ create_iam_instance_profile = true
+ iam_role_name = "example-asg"
+ iam_role_path = "/ec2/"
+ iam_role_description = "IAM role example"
+ iam_role_tags = {
+ CustomIamRole = "Yes"
+ }
+ iam_role_policies = {
+ AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+ }
+
block_device_mappings = [
{
# Root volume
@@ -234,8 +247,13 @@ No modules.
| [aws_autoscaling_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
| [aws_autoscaling_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_policy) | resource |
| [aws_autoscaling_schedule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_schedule) | resource |
+| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
| [aws_default_tags.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
@@ -248,6 +266,7 @@ No modules.
| [capacity\_reservation\_specification](#input\_capacity\_reservation\_specification) | Targeting for EC2 capacity reservations | `any` | `{}` | no |
| [cpu\_options](#input\_cpu\_options) | The CPU options for the instance | `map(string)` | `{}` | no |
| [create](#input\_create) | Determines whether to create autoscaling group or not | `bool` | `true` | no |
+| [create\_iam\_instance\_profile](#input\_create\_iam\_instance\_profile) | Determines whether an IAM instance profile is created or to use an existing IAM instance profile | `bool` | `false` | no |
| [create\_launch\_template](#input\_create\_launch\_template) | Determines whether to create launch template or not | `bool` | `true` | no |
| [create\_scaling\_policy](#input\_create\_scaling\_policy) | Determines whether to create target scaling policy schedule or not | `bool` | `true` | no |
| [create\_schedule](#input\_create\_schedule) | Determines whether to create autoscaling group schedule or not | `bool` | `true` | no |
@@ -267,8 +286,15 @@ No modules.
| [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | Time (in seconds) after instance comes into service before checking health | `number` | `null` | no |
| [health\_check\_type](#input\_health\_check\_type) | `EC2` or `ELB`. Controls how health checking is done | `string` | `null` | no |
| [hibernation\_options](#input\_hibernation\_options) | The hibernation options for the instance | `map(string)` | `{}` | no |
-| [iam\_instance\_profile\_arn](#input\_iam\_instance\_profile\_arn) | The IAM Instance Profile ARN to launch the instance with | `string` | `null` | no |
-| [iam\_instance\_profile\_name](#input\_iam\_instance\_profile\_name) | The name attribute of the IAM instance profile to associate with launched instances | `string` | `null` | no |
+| [iam\_instance\_profile\_arn](#input\_iam\_instance\_profile\_arn) | Amazon Resource Name (ARN) of an existing IAM instance profile. Used when `create_iam_instance_profile` = `false` | `string` | `null` | no |
+| [iam\_instance\_profile\_name](#input\_iam\_instance\_profile\_name) | The name of the IAM instance profile to be created (`create_iam_instance_profile` = `true`) or existing (`create_iam_instance_profile` = `false`) | `string` | `null` | no |
+| [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [iam\_role\_policies](#input\_iam\_role\_policies) | IAM policies to attach to the IAM role | `map(string)` | `{}` | no |
+| [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
| [ignore\_desired\_capacity\_changes](#input\_ignore\_desired\_capacity\_changes) | Determines whether the `desired_capacity` value is ignored after initial apply. See README note for more details | `bool` | `false` | no |
| [image\_id](#input\_image\_id) | The AMI from which to launch the instance | `string` | `""` | no |
| [initial\_lifecycle\_hooks](#input\_initial\_lifecycle\_hooks) | One or more Lifecycle Hooks to attach to the Auto Scaling Group before instances are launched. The syntax is exactly the same as the separate `aws_autoscaling_lifecycle_hook` resource, without the `autoscaling_group_name` attribute. Please note that this will only work when creating a new Auto Scaling Group. For all other use-cases, please use `aws_autoscaling_lifecycle_hook` resource | `list(map(string))` | `[]` | no |
@@ -341,6 +367,12 @@ No modules.
| [autoscaling\_group\_vpc\_zone\_identifier](#output\_autoscaling\_group\_vpc\_zone\_identifier) | The VPC zone identifier |
| [autoscaling\_policy\_arns](#output\_autoscaling\_policy\_arns) | ARNs of autoscaling policies |
| [autoscaling\_schedule\_arns](#output\_autoscaling\_schedule\_arns) | ARNs of autoscaling group schedules |
+| [iam\_instance\_profile\_arn](#output\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [iam\_instance\_profile\_id](#output\_iam\_instance\_profile\_id) | Instance profile's ID |
+| [iam\_instance\_profile\_unique](#output\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
+| [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
+| [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template |
| [launch\_template\_default\_version](#output\_launch\_template\_default\_version) | The default version of the launch template |
| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template |
diff --git a/examples/README.md b/examples/README.md
new file mode 100644
index 0000000..f417c0a
--- /dev/null
+++ b/examples/README.md
@@ -0,0 +1,8 @@
+# Examples
+
+Please note - the examples provided serve two primary means:
+
+1. Show users working examples of the various ways in which the module can be configured and features supported
+2. A means of testing/validating module changes
+
+Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc.
diff --git a/examples/complete/README.md b/examples/complete/README.md
index e6bc9e9..e7c14a6 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -92,6 +92,12 @@ No inputs.
| [complete\_autoscaling\_group\_vpc\_zone\_identifier](#output\_complete\_autoscaling\_group\_vpc\_zone\_identifier) | The VPC zone identifier |
| [complete\_autoscaling\_policy\_arns](#output\_complete\_autoscaling\_policy\_arns) | ARNs of autoscaling policies |
| [complete\_autoscaling\_schedule\_arns](#output\_complete\_autoscaling\_schedule\_arns) | ARNs of autoscaling group schedules |
+| [complete\_iam\_instance\_profile\_arn](#output\_complete\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [complete\_iam\_instance\_profile\_id](#output\_complete\_iam\_instance\_profile\_id) | Instance profile's ID |
+| [complete\_iam\_instance\_profile\_unique](#output\_complete\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
+| [complete\_iam\_role\_arn](#output\_complete\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [complete\_iam\_role\_name](#output\_complete\_iam\_role\_name) | The name of the IAM role |
+| [complete\_iam\_role\_unique\_id](#output\_complete\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
| [complete\_launch\_template\_arn](#output\_complete\_launch\_template\_arn) | The ARN of the launch template |
| [complete\_launch\_template\_default\_version](#output\_complete\_launch\_template\_default\_version) | The default version of the launch template |
| [complete\_launch\_template\_id](#output\_complete\_launch\_template\_id) | The ID of the launch template |
@@ -111,6 +117,12 @@ No inputs.
| [default\_autoscaling\_group\_name](#output\_default\_autoscaling\_group\_name) | The autoscaling group name |
| [default\_autoscaling\_group\_target\_group\_arns](#output\_default\_autoscaling\_group\_target\_group\_arns) | List of Target Group ARNs that apply to this AutoScaling Group |
| [default\_autoscaling\_group\_vpc\_zone\_identifier](#output\_default\_autoscaling\_group\_vpc\_zone\_identifier) | The VPC zone identifier |
+| [default\_iam\_instance\_profile\_arn](#output\_default\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [default\_iam\_instance\_profile\_id](#output\_default\_iam\_instance\_profile\_id) | Instance profile's ID |
+| [default\_iam\_instance\_profile\_unique](#output\_default\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
+| [default\_iam\_role\_arn](#output\_default\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [default\_iam\_role\_name](#output\_default\_iam\_role\_name) | The name of the IAM role |
+| [default\_iam\_role\_unique\_id](#output\_default\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
| [default\_launch\_template\_arn](#output\_default\_launch\_template\_arn) | The ARN of the launch template |
| [default\_launch\_template\_default\_version](#output\_default\_launch\_template\_default\_version) | The default version of the launch template |
| [default\_launch\_template\_id](#output\_default\_launch\_template\_id) | The ID of the launch template |
@@ -130,6 +142,12 @@ No inputs.
| [external\_autoscaling\_group\_name](#output\_external\_autoscaling\_group\_name) | The autoscaling group name |
| [external\_autoscaling\_group\_target\_group\_arns](#output\_external\_autoscaling\_group\_target\_group\_arns) | List of Target Group ARNs that apply to this AutoScaling Group |
| [external\_autoscaling\_group\_vpc\_zone\_identifier](#output\_external\_autoscaling\_group\_vpc\_zone\_identifier) | The VPC zone identifier |
+| [external\_iam\_instance\_profile\_arn](#output\_external\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [external\_iam\_instance\_profile\_id](#output\_external\_iam\_instance\_profile\_id) | Instance profile's ID |
+| [external\_iam\_instance\_profile\_unique](#output\_external\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
+| [external\_iam\_role\_arn](#output\_external\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [external\_iam\_role\_name](#output\_external\_iam\_role\_name) | The name of the IAM role |
+| [external\_iam\_role\_unique\_id](#output\_external\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
| [external\_launch\_template\_arn](#output\_external\_launch\_template\_arn) | The ARN of the launch template |
| [external\_launch\_template\_default\_version](#output\_external\_launch\_template\_default\_version) | The default version of the launch template |
| [external\_launch\_template\_id](#output\_external\_launch\_template\_id) | The ID of the launch template |
@@ -154,6 +172,12 @@ No inputs.
| [mixed\_instance\_autoscaling\_group\_name](#output\_mixed\_instance\_autoscaling\_group\_name) | The autoscaling group name |
| [mixed\_instance\_autoscaling\_group\_target\_group\_arns](#output\_mixed\_instance\_autoscaling\_group\_target\_group\_arns) | List of Target Group ARNs that apply to this AutoScaling Group |
| [mixed\_instance\_autoscaling\_group\_vpc\_zone\_identifier](#output\_mixed\_instance\_autoscaling\_group\_vpc\_zone\_identifier) | The VPC zone identifier |
+| [mixed\_instance\_iam\_instance\_profile\_arn](#output\_mixed\_instance\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
+| [mixed\_instance\_iam\_instance\_profile\_id](#output\_mixed\_instance\_iam\_instance\_profile\_id) | Instance profile's ID |
+| [mixed\_instance\_iam\_instance\_profile\_unique](#output\_mixed\_instance\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
+| [mixed\_instance\_iam\_role\_arn](#output\_mixed\_instance\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [mixed\_instance\_iam\_role\_name](#output\_mixed\_instance\_iam\_role\_name) | The name of the IAM role |
+| [mixed\_instance\_iam\_role\_unique\_id](#output\_mixed\_instance\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
| [mixed\_instance\_launch\_template\_arn](#output\_mixed\_instance\_launch\_template\_arn) | The ARN of the launch template |
| [mixed\_instance\_launch\_template\_default\_version](#output\_mixed\_instance\_launch\_template\_default\_version) | The default version of the launch template |
| [mixed\_instance\_launch\_template\_id](#output\_mixed\_instance\_launch\_template\_id) | The ID of the launch template |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 886db29..883150a 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -180,7 +180,17 @@ module "complete" {
ebs_optimized = true
enable_monitoring = true
- iam_instance_profile_arn = aws_iam_instance_profile.ssm.arn
+ create_iam_instance_profile = true
+ iam_role_name = "complete-${local.name}"
+ iam_role_path = "/ec2/"
+ iam_role_description = "Complete IAM role example"
+ iam_role_tags = {
+ CustomIamRole = "Yes"
+ }
+ iam_role_policies = {
+ AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+ }
+
# # Security group is set on the ENIs below
# security_groups = [module.asg_sg.security_group_id]
@@ -338,6 +348,17 @@ module "complete" {
}
}
}
+ request-count-per-target = {
+ policy_type = "TargetTrackingScaling"
+ estimated_instance_warmup = 120
+ target_tracking_configuration = {
+ predefined_metric_specification = {
+ predefined_metric_type = "ALBRequestCountPerTarget"
+ resource_label = "${module.alb.lb_arn_suffix}/${module.alb.target_group_arn_suffixes[0]}"
+ }
+ target_value = 800
+ }
+ }
}
}
@@ -360,6 +381,8 @@ module "mixed_instance" {
instance_type = "t3.micro"
capacity_rebalance = true
+ iam_instance_profile_arn = aws_iam_instance_profile.ssm.arn
+
initial_lifecycle_hooks = [
{
name = "ExampleStartupLifeCycleHook"
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index b5a1850..c584666 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -126,6 +126,36 @@ output "default_autoscaling_group_enabled_metrics" {
value = module.default.autoscaling_group_enabled_metrics
}
+output "default_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.default.iam_role_name
+}
+
+output "default_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.default.iam_role_arn
+}
+
+output "default_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.default.iam_role_unique_id
+}
+
+output "default_iam_instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = module.default.iam_instance_profile_arn
+}
+
+output "default_iam_instance_profile_id" {
+ description = "Instance profile's ID"
+ value = module.default.iam_instance_profile_id
+}
+
+output "default_iam_instance_profile_unique" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = module.default.iam_instance_profile_unique
+}
+
################################################################################
# External
################################################################################
@@ -225,6 +255,36 @@ output "external_autoscaling_group_enabled_metrics" {
value = module.external.autoscaling_group_enabled_metrics
}
+output "external_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.external.iam_role_name
+}
+
+output "external_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.external.iam_role_arn
+}
+
+output "external_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.external.iam_role_unique_id
+}
+
+output "external_iam_instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = module.external.iam_instance_profile_arn
+}
+
+output "external_iam_instance_profile_id" {
+ description = "Instance profile's ID"
+ value = module.external.iam_instance_profile_id
+}
+
+output "external_iam_instance_profile_unique" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = module.external.iam_instance_profile_unique
+}
+
################################################################################
# Complete
################################################################################
@@ -334,6 +394,36 @@ output "complete_autoscaling_group_enabled_metrics" {
value = module.complete.autoscaling_group_enabled_metrics
}
+output "complete_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.complete.iam_role_name
+}
+
+output "complete_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.complete.iam_role_arn
+}
+
+output "complete_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.complete.iam_role_unique_id
+}
+
+output "complete_iam_instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = module.complete.iam_instance_profile_arn
+}
+
+output "complete_iam_instance_profile_id" {
+ description = "Instance profile's ID"
+ value = module.complete.iam_instance_profile_id
+}
+
+output "complete_iam_instance_profile_unique" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = module.complete.iam_instance_profile_unique
+}
+
################################################################################
# Mixed instance policy
################################################################################
@@ -432,3 +522,33 @@ output "mixed_instance_autoscaling_group_enabled_metrics" {
description = "List of metrics enabled for collection"
value = module.mixed_instance.autoscaling_group_enabled_metrics
}
+
+output "mixed_instance_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.mixed_instance.iam_role_name
+}
+
+output "mixed_instance_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.mixed_instance.iam_role_arn
+}
+
+output "mixed_instance_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.mixed_instance.iam_role_unique_id
+}
+
+output "mixed_instance_iam_instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = module.mixed_instance.iam_instance_profile_arn
+}
+
+output "mixed_instance_iam_instance_profile_id" {
+ description = "Instance profile's ID"
+ value = module.mixed_instance.iam_instance_profile_id
+}
+
+output "mixed_instance_iam_instance_profile_unique" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = module.mixed_instance.iam_instance_profile_unique
+}
diff --git a/main.tf b/main.tf
index bbb3bf5..4c82e03 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,4 @@
+data "aws_partition" "current" {}
data "aws_default_tags" "current" {}
locals {
@@ -19,6 +20,11 @@ locals {
# Launch template
################################################################################
+locals {
+ iam_instance_profile_arn = var.create_iam_instance_profile ? aws_iam_instance_profile.this[0].arn : var.iam_instance_profile_arn
+ iam_instance_profile_name = !var.create_iam_instance_profile && var.iam_instance_profile_arn == null ? var.iam_instance_profile_name : null
+}
+
resource "aws_launch_template" "this" {
count = var.create_launch_template ? 1 : 0
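Review bot: `local.iam_instance_profile_arn` indexes `aws_iam_instance_profile.this[0]` whenever `var.create_iam_instance_profile` is true, but that resource's count (later in this diff) is also gated on `local.create`, so with `create = false` and the launch template still enabled the local evaluates to an invalid-index error rather than to a null profile. Guarding the expression the same way the resource is, `iam_instance_profile_arn = local.create && var.create_iam_instance_profile ? aws_iam_instance_profile.this[0].arn : var.iam_instance_profile_arn`, keeps the two in step; `try(aws_iam_instance_profile.this[0].arn, var.iam_instance_profile_arn)` would match the form used by the `iam_instance_profile_arn` output in outputs.tf. Whether `local.create` can actually differ from the launch template's `var.create_launch_template` condition depends on its definition, which is outside this hunk.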
@@ -123,10 +129,10 @@ resource "aws_launch_template" "this" {
}
dynamic "iam_instance_profile" {
- for_each = var.iam_instance_profile_name != null || var.iam_instance_profile_arn != null ? [1] : []
+ for_each = local.iam_instance_profile_name != null || local.iam_instance_profile_arn != null ? [1] : []
content {
- name = var.iam_instance_profile_name
- arn = var.iam_instance_profile_arn
+ name = local.iam_instance_profile_name
+ arn = local.iam_instance_profile_arn
}
}
@@ -695,6 +701,7 @@ resource "aws_autoscaling_policy" "this" {
for_each = try([target_tracking_configuration.value.predefined_metric_specification], [])
content {
predefined_metric_type = predefined_metric_specification.value.predefined_metric_type
+ resource_label = try(predefined_metric_specification.value.resource_label, null)
}
}
@@ -760,3 +767,59 @@ resource "aws_autoscaling_policy" "this" {
}
}
}
+
+################################################################################
+# IAM Role / Instance Profile
+################################################################################
+
+locals {
+ internal_iam_instance_profile_name = try(coalesce(var.iam_instance_profile_name, var.iam_role_name), "")
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+ count = local.create && var.create_iam_instance_profile ? 1 : 0
+
+ statement {
+ sid = "EC2AssumeRole"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.${data.aws_partition.current.dns_suffix}"]
+ }
+ }
+}
+
+resource "aws_iam_role" "this" {
+ count = local.create && var.create_iam_instance_profile ? 1 : 0
+
+ name = var.iam_role_use_name_prefix ? null : local.internal_iam_instance_profile_name
+ name_prefix = var.iam_role_use_name_prefix ? "${local.internal_iam_instance_profile_name}-" : null
+ path = var.iam_role_path
+ description = var.iam_role_description
+
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy[0].json
+ permissions_boundary = var.iam_role_permissions_boundary
+ force_detach_policies = true
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ for_each = { for k, v in var.iam_role_policies : k => v if var.create && var.create_iam_instance_profile }
+
+ policy_arn = each.value
+ role = aws_iam_role.this[0].name
+}
+
+resource "aws_iam_instance_profile" "this" {
+ count = local.create && var.create_iam_instance_profile ? 1 : 0
+
+ role = aws_iam_role.this[0].name
+
+ name = var.iam_role_use_name_prefix ? null : var.iam_role_name
+ name_prefix = var.iam_role_use_name_prefix ? "${var.iam_role_name}-" : null
+ path = var.iam_role_path
+
+ tags = merge(var.tags, var.iam_role_tags)
+}
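Review bot: The role and the instance profile are named from different inputs: `aws_iam_role.this` uses `local.internal_iam_instance_profile_name` (which prefers `var.iam_instance_profile_name`), while `aws_iam_instance_profile.this` at the bottom of the hunk uses `var.iam_role_name` directly, so `iam_instance_profile_name`, documented in variables.tf as the name of the profile to be created, never reaches the profile and the role-name input lands on the profile instead. Using the same local in both places, `name = var.iam_role_use_name_prefix ? null : local.internal_iam_instance_profile_name` and `name_prefix = var.iam_role_use_name_prefix ? "${local.internal_iam_instance_profile_name}-" : null`, lines the two resources up. Separately, `aws_iam_role_policy_attachment.this` gates its `for_each` on `var.create` while every other resource in this hunk uses `local.create`; if those ever differ the attachment would reference a role with count 0, so `if local.create && var.create_iam_instance_profile` is the consistent form. Note also that when both name inputs are null the `try(coalesce(...), "")` fallback in the locals block yields an empty role name or a bare `-` prefix rather than a clear plan-time error; consider whether the `try` wrapper is wanted there.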
diff --git a/outputs.tf b/outputs.tf
index c460eb0..d481a8b 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -118,3 +118,37 @@ output "autoscaling_policy_arns" {
description = "ARNs of autoscaling policies"
value = { for k, v in aws_autoscaling_policy.this : k => v.arn }
}
+
+################################################################################
+# IAM Role / Instance Profile
+################################################################################
+
+output "iam_role_name" {
+ description = "The name of the IAM role"
+ value = try(aws_iam_role.this[0].name, "")
+}
+
+output "iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = try(aws_iam_role.this[0].arn, "")
+}
+
+output "iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = try(aws_iam_role.this[0].unique_id, "")
+}
+
+output "iam_instance_profile_arn" {
+ description = "ARN assigned by AWS to the instance profile"
+ value = try(aws_iam_instance_profile.this[0].arn, var.iam_instance_profile_arn)
+}
+
+output "iam_instance_profile_id" {
+ description = "Instance profile's ID"
+ value = try(aws_iam_instance_profile.this[0].id, "")
+}
+
+output "iam_instance_profile_unique" {
+ description = "Stable and unique string identifying the IAM instance profile"
+ value = try(aws_iam_instance_profile.this[0].unique_id, "")
+}
diff --git a/variables.tf b/variables.tf
index 119fb6c..ff3de54 100644
--- a/variables.tf
+++ b/variables.tf
@@ -229,12 +229,6 @@ variable "ebs_optimized" {
default = null
}
-variable "iam_instance_profile_name" {
- description = "The name attribute of the IAM instance profile to associate with launched instances"
- type = string
- default = null
-}
-
variable "image_id" {
description = "The AMI from which to launch the instance"
type = string
@@ -401,12 +395,6 @@ variable "hibernation_options" {
default = {}
}
-variable "iam_instance_profile_arn" {
- description = "The IAM Instance Profile ARN to launch the instance with"
- type = string
- default = null
-}
-
variable "instance_market_options" {
description = "The market (purchasing) option for the instance"
type = any
@@ -481,6 +469,70 @@ variable "scaling_policies" {
default = {}
}
+################################################################################
+# IAM Role / Instance Profile
+################################################################################
+
+variable "create_iam_instance_profile" {
+ description = "Determines whether an IAM instance profile is created or to use an existing IAM instance profile"
+ type = bool
+ default = false
+}
+
+variable "iam_instance_profile_arn" {
+ description = "Amazon Resource Name (ARN) of an existing IAM instance profile. Used when `create_iam_instance_profile` = `false`"
+ type = string
+ default = null
+}
+
+variable "iam_instance_profile_name" {
+ description = "The name of the IAM instance profile to be created (`create_iam_instance_profile` = `true`) or existing (`create_iam_instance_profile` = `false`)"
+ type = string
+ default = null
+}
+
+variable "iam_role_name" {
+ description = "Name to use on IAM role created"
+ type = string
+ default = null
+}
+
+variable "iam_role_use_name_prefix" {
+ description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
+ type = bool
+ default = true
+}
+
+variable "iam_role_path" {
+ description = "IAM role path"
+ type = string
+ default = null
+}
+
+variable "iam_role_description" {
+ description = "Description of the role"
+ type = string
+ default = null
+}
+
+variable "iam_role_permissions_boundary" {
+ description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+ type = string
+ default = null
+}
+
+variable "iam_role_policies" {
+ description = "IAM policies to attach to the IAM role"
+ type = map(string)
+ default = {}
+}
+
+variable "iam_role_tags" {
+ description = "A map of additional tags to add to the IAM role created"
+ type = map(string)
+ default = {}
+}
+
variable "putin_khuylo" {
description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
type = bool
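Review bot: The descriptions of `iam_role_path` and `iam_role_tags` mention only the role, but in main.tf both values are also applied to `aws_iam_instance_profile.this` (`path = var.iam_role_path`, `tags = merge(var.tags, var.iam_role_tags)`), so a caller reading the variable would expect a role-only effect. Suggested wording: `description = "Path for the IAM role and the IAM instance profile created"` and `description = "A map of additional tags to add to the IAM role and IAM instance profile created"`. Likewise `iam_role_name` is described as the name of the role, yet in main.tf it is the value applied to the instance profile's name while the role prefers `iam_instance_profile_name`; whichever way that is resolved in main.tf, these descriptions should be brought into line with the code.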