
Commit 787132e

Browse files
feat: Add support for creating IAM role/instance profile with policies (#302)
1 parent 668ac71 commit 787132e

File tree

10 files changed

+267
-36
lines changed


‎.pre-commit-config.yaml

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
repos:
22
- repo: https://github.com/antonbabenko/pre-commit-terraform
3-
rev: v1.74.1
3+
rev: v1.76.0
44
hooks:
55
- id: terraform_fmt
66
- id: terraform_wrapper_module_for_each

‎README.md

Lines changed: 22 additions & 1 deletion
@@ -184,21 +184,29 @@ No modules.
184184

185185
| Name | Type |
186186
|------|------|
187+
| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
188+
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
189+
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
187190
| [aws_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
188191
| [aws_spot_instance_request.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/spot_instance_request) | resource |
192+
| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
193+
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
194+
| [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
189195

190196
## Inputs
191197

192198
| Name | Description | Type | Default | Required |
193199
|------|-------------|------|---------|:--------:|
194-
| <a name="input_ami"></a> [ami](#input\_ami) | ID of AMI to use for the instance | `string` | `""` | no |
200+
| <a name="input_ami"></a> [ami](#input\_ami) | ID of AMI to use for the instance | `string` | `null` | no |
201+
| <a name="input_ami_ssm_parameter"></a> [ami\_ssm\_parameter](#input\_ami\_ssm\_parameter) | SSM parameter name for the AMI ID. For Amazon Linux AMI SSM parameters see [reference](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-public-parameters-ami.html) | `string` | `"/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"` | no |
195202
| <a name="input_associate_public_ip_address"></a> [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | Whether to associate a public IP address with an instance in a VPC | `bool` | `null` | no |
196203
| <a name="input_availability_zone"></a> [availability\_zone](#input\_availability\_zone) | AZ to start the instance in | `string` | `null` | no |
197204
| <a name="input_capacity_reservation_specification"></a> [capacity\_reservation\_specification](#input\_capacity\_reservation\_specification) | Describes an instance's Capacity Reservation targeting option | `any` | `{}` | no |
198205
| <a name="input_cpu_core_count"></a> [cpu\_core\_count](#input\_cpu\_core\_count) | Sets the number of CPU cores for an instance. | `number` | `null` | no |
199206
| <a name="input_cpu_credits"></a> [cpu\_credits](#input\_cpu\_credits) | The credit option for CPU usage (unlimited or standard) | `string` | `null` | no |
200207
| <a name="input_cpu_threads_per_core"></a> [cpu\_threads\_per\_core](#input\_cpu\_threads\_per\_core) | Sets the number of CPU threads per core for an instance (has no effect unless cpu\_core\_count is also set). | `number` | `null` | no |
201208
| <a name="input_create"></a> [create](#input\_create) | Whether to create an instance | `bool` | `true` | no |
209+
| <a name="input_create_iam_instance_profile"></a> [create\_iam\_instance\_profile](#input\_create\_iam\_instance\_profile) | Determines whether an IAM instance profile is created or to use an existing IAM instance profile | `bool` | `false` | no |
202210
| <a name="input_create_spot_instance"></a> [create\_spot\_instance](#input\_create\_spot\_instance) | Depicts if the instance is a spot instance | `bool` | `false` | no |
203211
| <a name="input_disable_api_stop"></a> [disable\_api\_stop](#input\_disable\_api\_stop) | If true, enables EC2 Instance Stop Protection. | `bool` | `null` | no |
204212
| <a name="input_disable_api_termination"></a> [disable\_api\_termination](#input\_disable\_api\_termination) | If true, enables EC2 Instance Termination Protection | `bool` | `null` | no |
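Review bot: the `ami` default moves from `""` to `null` and the new `ami_ssm_parameter` input gets a default that resolves the AMI through the `aws_ssm_parameter.this` data source added to the resources table above, but neither description states which one wins when both are set. Suggest extending the `ami` description to something like `ID of AMI to use for the instance. If not set, the AMI ID is read from ami_ssm_parameter` so the fallback order is visible to callers. The `create_iam_instance_profile` description (`Determines whether an IAM instance profile is created or to use an existing IAM instance profile`) reads awkwardly; `Whether to create an IAM role and instance profile for the instance; when false, iam_instance_profile names an existing profile` says the same thing more directly.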
@@ -211,6 +219,13 @@ No modules.
211219
| <a name="input_hibernation"></a> [hibernation](#input\_hibernation) | If true, the launched EC2 instance will support hibernation | `bool` | `null` | no |
212220
| <a name="input_host_id"></a> [host\_id](#input\_host\_id) | ID of a dedicated host that the instance will be assigned to. Use when an instance is to be launched on a specific dedicated host | `string` | `null` | no |
213221
| <a name="input_iam_instance_profile"></a> [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM Instance Profile to launch the instance with. Specified as the name of the Instance Profile | `string` | `null` | no |
222+
| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
223+
| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
224+
| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
225+
| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
226+
| <a name="input_iam_role_policies"></a> [iam\_role\_policies](#input\_iam\_role\_policies) | Policies attached to the IAM role | `map(string)` | `{}` | no |
227+
| <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role/profile created | `map(string)` | `{}` | no |
228+
| <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name` or `name`) is used as a prefix | `bool` | `true` | no |
214229
| <a name="input_instance_initiated_shutdown_behavior"></a> [instance\_initiated\_shutdown\_behavior](#input\_instance\_initiated\_shutdown\_behavior) | Shutdown behavior for the instance. Amazon defaults this to stop for EBS-backed instances and terminate for instance-store instances. Cannot be set on instance-store instance | `string` | `null` | no |
215230
| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The type of instance to start | `string` | `"t3.micro"` | no |
216231
| <a name="input_ipv6_address_count"></a> [ipv6\_address\_count](#input\_ipv6\_address\_count) | A number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet | `number` | `null` | no |
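Review bot: `iam_role_policies` is typed `map(string)` with default `{}`, but the description `Policies attached to the IAM role` does not say what the keys and values are; the example in `examples/complete/main.tf` uses a policy name as the key and a policy ARN as the value, so the description should state that (`Map of policy name => policy ARN to attach to the IAM role`). The existing `iam_instance_profile` description should also say whether it is ignored or conflicts when `create_iam_instance_profile = true`, since both inputs now coexist. Worth a sentence in the README that `iam_role_permissions_boundary` is the intended lever for capping what the attached policies can grant in accounts that require boundaries on newly created roles.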
@@ -251,6 +266,12 @@ No modules.
251266
|------|-------------|
252267
| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the instance |
253268
| <a name="output_capacity_reservation_specification"></a> [capacity\_reservation\_specification](#output\_capacity\_reservation\_specification) | Capacity reservation specification of the instance |
269+
| <a name="output_iam_instance_profile_arn"></a> [iam\_instance\_profile\_arn](#output\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
270+
| <a name="output_iam_instance_profile_id"></a> [iam\_instance\_profile\_id](#output\_iam\_instance\_profile\_id) | Instance profile's ID |
271+
| <a name="output_iam_instance_profile_unique"></a> [iam\_instance\_profile\_unique](#output\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
272+
| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
273+
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the IAM role |
274+
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
254275
| <a name="output_id"></a> [id](#output\_id) | The ID of the instance |
255276
| <a name="output_instance_state"></a> [instance\_state](#output\_instance\_state) | The state of the instance. One of: `pending`, `running`, `shutting-down`, `terminated`, `stopping`, `stopped` |
256277
| <a name="output_ipv6_addresses"></a> [ipv6\_addresses](#output\_ipv6\_addresses) | The IPv6 address assigned to the instance, if applicable. |

‎examples/complete/README.md

Lines changed: 6 additions & 0 deletions
@@ -66,6 +66,12 @@ No inputs.
6666
|------|-------------|
6767
| <a name="output_ec2_complete_arn"></a> [ec2\_complete\_arn](#output\_ec2\_complete\_arn) | The ARN of the instance |
6868
| <a name="output_ec2_complete_capacity_reservation_specification"></a> [ec2\_complete\_capacity\_reservation\_specification](#output\_ec2\_complete\_capacity\_reservation\_specification) | Capacity reservation specification of the instance |
69+
| <a name="output_ec2_complete_iam_instance_profile_arn"></a> [ec2\_complete\_iam\_instance\_profile\_arn](#output\_ec2\_complete\_iam\_instance\_profile\_arn) | ARN assigned by AWS to the instance profile |
70+
| <a name="output_ec2_complete_iam_instance_profile_id"></a> [ec2\_complete\_iam\_instance\_profile\_id](#output\_ec2\_complete\_iam\_instance\_profile\_id) | Instance profile's ID |
71+
| <a name="output_ec2_complete_iam_instance_profile_unique"></a> [ec2\_complete\_iam\_instance\_profile\_unique](#output\_ec2\_complete\_iam\_instance\_profile\_unique) | Stable and unique string identifying the IAM instance profile |
72+
| <a name="output_ec2_complete_iam_role_arn"></a> [ec2\_complete\_iam\_role\_arn](#output\_ec2\_complete\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
73+
| <a name="output_ec2_complete_iam_role_name"></a> [ec2\_complete\_iam\_role\_name](#output\_ec2\_complete\_iam\_role\_name) | The name of the IAM role |
74+
| <a name="output_ec2_complete_iam_role_unique_id"></a> [ec2\_complete\_iam\_role\_unique\_id](#output\_ec2\_complete\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
6975
| <a name="output_ec2_complete_id"></a> [ec2\_complete\_id](#output\_ec2\_complete\_id) | The ID of the instance |
7076
| <a name="output_ec2_complete_instance_state"></a> [ec2\_complete\_instance\_state](#output\_ec2\_complete\_instance\_state) | The state of the instance. One of: `pending`, `running`, `shutting-down`, `terminated`, `stopping`, `stopped` |
7177
| <a name="output_ec2_complete_primary_network_interface_id"></a> [ec2\_complete\_primary\_network\_interface\_id](#output\_ec2\_complete\_primary\_network\_interface\_id) | The ID of the instance's primary network interface |

‎examples/complete/main.tf

Lines changed: 23 additions & 26 deletions
@@ -33,14 +33,20 @@ module "ec2_complete" {
3333
name = local.name
3434

3535
ami = data.aws_ami.amazon_linux.id
36-
instance_type = "c5.4xlarge"
36+
instance_type = "c5.xlarge"# used to set core count below
3737
availability_zone = element(module.vpc.azs, 0)
3838
subnet_id = element(module.vpc.private_subnets, 0)
3939
vpc_security_group_ids = [module.security_group.security_group_id]
4040
placement_group = aws_placement_group.web.id
4141
associate_public_ip_address = true
4242
disable_api_stop = false
4343

44+
create_iam_instance_profile = true
45+
iam_role_description = "IAM role for EC2 instance"
46+
iam_role_policies = {
47+
AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
48+
}
49+
4450
# only one of these can be enabled at a time
4551
hibernation = true
4652
# enclave_options_enabled = true
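Review bot: the example attaches `AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"` to the newly created instance role. Examples get copied verbatim, and an instance profile carrying AdministratorAccess exposes full-account credentials to any process on the instance that can read the instance metadata service, which is the opposite of what a least-privilege default should teach. A narrowly scoped managed policy demonstrates the feature just as well, for example `AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"`, and setting `iam_role_permissions_boundary` here would show the new boundary input in use. Minor: `instance_type = "c5.xlarge"# used to set core count below` is missing a space before the `#`.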
@@ -83,9 +89,6 @@ module "ec2_network_interface" {
8389

8490
name = "${local.name}-network-interface"
8591

86-
ami = data.aws_ami.amazon_linux.id
87-
instance_type = "c5.large"
88-
8992
network_interface = [
9093
{
9194
device_index = 0
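Review bot: dropping `ami = data.aws_ami.amazon_linux.id` here (and in the following hunks) makes these examples depend on the module's new `ami_ssm_parameter` default, which resolves the current Amazon Linux 2 AMI from the public SSM parameter at every plan. Because a changed AMI forces instance replacement, a later `terraform apply` can recreate these instances with no change to the example itself; either call that out in the example README or keep an explicit `ami` where replacement is not wanted. `instance_type` is removed from this module block as well, so it now falls back to the `t3.micro` default documented in the README.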
@@ -102,8 +105,6 @@ module "ec2_metadata_options" {
102105

103106
name = "${local.name}-metadata-options"
104107

105-
ami = data.aws_ami.amazon_linux.id
106-
instance_type = "c5.4xlarge"
107108
subnet_id = element(module.vpc.private_subnets, 0)
108109
vpc_security_group_ids = [module.security_group.security_group_id]
109110

@@ -122,7 +123,6 @@ module "ec2_t2_unlimited" {
122123

123124
name = "${local.name}-t2-unlimited"
124125

125-
ami = data.aws_ami.amazon_linux.id
126126
instance_type = "t2.micro"
127127
cpu_credits = "unlimited"
128128
subnet_id = element(module.vpc.private_subnets, 0)
@@ -137,7 +137,6 @@ module "ec2_t3_unlimited" {
137137

138138
name = "${local.name}-t3-unlimited"
139139

140-
ami = data.aws_ami.amazon_linux.id
141140
instance_type = "t3.micro"
142141
cpu_credits = "unlimited"
143142
subnet_id = element(module.vpc.private_subnets, 0)
@@ -196,7 +195,6 @@ module "ec2_multiple" {
196195

197196
name = "${local.name}-multi-${each.key}"
198197

199-
ami = data.aws_ami.amazon_linux.id
200198
instance_type = each.value.instance_type
201199
availability_zone = each.value.availability_zone
202200
subnet_id = each.value.subnet_id
@@ -218,7 +216,6 @@ module "ec2_spot_instance" {
218216
name = "${local.name}-spot-instance"
219217
create_spot_instance = true
220218

221-
ami = data.aws_ami.amazon_linux.id
222219
availability_zone = element(module.vpc.azs, 0)
223220
subnet_id = element(module.vpc.private_subnets, 0)
224221
vpc_security_group_ids = [module.security_group.security_group_id]
@@ -308,6 +305,22 @@ module "ec2_targeted_capacity_reservation" {
308305
tags = local.tags
309306
}
310307

308+
resource "aws_ec2_capacity_reservation" "open" {
309+
instance_type = "t3.micro"
310+
instance_platform = "Linux/UNIX"
311+
availability_zone = "${local.region}a"
312+
instance_count = 1
313+
instance_match_criteria = "open"
314+
}
315+
316+
resource "aws_ec2_capacity_reservation" "targeted" {
317+
instance_type = "t3.micro"
318+
instance_platform = "Linux/UNIX"
319+
availability_zone = "${local.region}a"
320+
instance_count = 1
321+
instance_match_criteria = "targeted"
322+
}
323+
311324
################################################################################
312325
# Supporting Resources
313326
################################################################################
@@ -363,19 +376,3 @@ resource "aws_kms_key" "this" {
363376
resource "aws_network_interface" "this" {
364377
subnet_id = element(module.vpc.private_subnets, 0)
365378
}
366-
367-
resource "aws_ec2_capacity_reservation" "open" {
368-
instance_type = "t3.micro"
369-
instance_platform = "Linux/UNIX"
370-
availability_zone = "${local.region}a"
371-
instance_count = 1
372-
instance_match_criteria = "open"
373-
}
374-
375-
resource "aws_ec2_capacity_reservation" "targeted" {
376-
instance_type = "t3.micro"
377-
instance_platform = "Linux/UNIX"
378-
availability_zone = "${local.region}a"
379-
instance_count = 1
380-
instance_match_criteria = "targeted"
381-
}

‎examples/complete/outputs.tf

Lines changed: 30 additions & 0 deletions
@@ -44,6 +44,36 @@ output "ec2_complete_tags_all" {
4444
value = module.ec2_complete.tags_all
4545
}
4646

47+
output "ec2_complete_iam_role_name" {
48+
description = "The name of the IAM role"
49+
value = module.ec2_complete.iam_role_name
50+
}
51+
52+
output "ec2_complete_iam_role_arn" {
53+
description = "The Amazon Resource Name (ARN) specifying the IAM role"
54+
value = module.ec2_complete.iam_role_arn
55+
}
56+
57+
output "ec2_complete_iam_role_unique_id" {
58+
description = "Stable and unique string identifying the IAM role"
59+
value = module.ec2_complete.iam_role_unique_id
60+
}
61+
62+
output "ec2_complete_iam_instance_profile_arn" {
63+
description = "ARN assigned by AWS to the instance profile"
64+
value = module.ec2_complete.iam_instance_profile_arn
65+
}
66+
67+
output "ec2_complete_iam_instance_profile_id" {
68+
description = "Instance profile's ID"
69+
value = module.ec2_complete.iam_instance_profile_id
70+
}
71+
72+
output "ec2_complete_iam_instance_profile_unique" {
73+
description = "Stable and unique string identifying the IAM instance profile"
74+
value = module.ec2_complete.iam_instance_profile_unique
75+
}
76+
4777
# EC2 T2 Unlimited
4878
output "ec2_t2_unlimited_id" {
4979
description = "The ID of the instance"
