Allow instance profiles to be provided (#60)

Co-authored-by: Joe Niland <joe@originalmind.com.au>
Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com>

Author: 3 people

README.md

@@ -189,6 +189,7 @@ Available targets:
 | environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `""` | no |
 | evaluation\_periods | The number of periods over which data is compared to the specified threshold. | `number` | `5` | no |
 | instance\_enabled | Flag to control the instance creation. Set to false if it is necessary to skip instance creation | `bool` | `true` | no |
+| instance\_profile | A pre-defined profile to attach to the instance (default is to build our own) | `string` | `""` | no |
 | instance\_type | The type of the instance | `string` | `"t2.micro"` | no |
 | ipv6\_address\_count | Number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet (-1 to use subnet default) | `number` | `0` | no |
 | ipv6\_addresses | List of IPv6 addresses from the range of the subnet to associate with the primary network interface | `list(string)` | `[]` | no |
@@ -223,6 +224,7 @@ Available targets:
 | alarm | CloudWatch Alarm ID |
 | ebs\_ids | IDs of EBSs |
 | id | Disambiguated ID of the instance |
+| instance\_profile | Name of the instance's profile (either built or supplied) |
 | name | Instance name |
 | primary\_network\_interface\_id | ID of the instance's primary network interface |
 | private\_dns | Private DNS of instance |

docs/terraform.md

@@ -41,6 +41,7 @@
 | environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `""` | no |
 | evaluation\_periods | The number of periods over which data is compared to the specified threshold. | `number` | `5` | no |
 | instance\_enabled | Flag to control the instance creation. Set to false if it is necessary to skip instance creation | `bool` | `true` | no |
+| instance\_profile | A pre-defined profile to attach to the instance (default is to build our own) | `string` | `""` | no |
 | instance\_type | The type of the instance | `string` | `"t2.micro"` | no |
 | ipv6\_address\_count | Number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet (-1 to use subnet default) | `number` | `0` | no |
 | ipv6\_addresses | List of IPv6 addresses from the range of the subnet to associate with the primary network interface | `list(string)` | `[]` | no |
@@ -75,6 +76,7 @@
 | alarm | CloudWatch Alarm ID |
 | ebs\_ids | IDs of EBSs |
 | id | Disambiguated ID of the instance |
+| instance\_profile | Name of the instance's profile (either built or supplied) |
 | name | Instance name |
 | primary\_network\_interface\_id | ID of the instance's primary network interface |
 | private\_dns | Private DNS of instance |

main.tf

@@ -1,14 +1,18 @@
 locals {
-  instance_count       = var.instance_enabled ? 1 : 0
-  security_group_count = var.create_default_security_group ? 1 : 0
-  region               = var.region != "" ? var.region : data.aws_region.default.name
-  root_iops            = var.root_volume_type == "io1" ? var.root_iops : "0"
-  ebs_iops             = var.ebs_volume_type == "io1" ? var.ebs_iops : "0"
-  availability_zone    = var.availability_zone != "" ? var.availability_zone : data.aws_subnet.default.availability_zone
-  ami                  = var.ami != "" ? var.ami : join("", data.aws_ami.default.*.image_id)
-  ami_owner            = var.ami != "" ? var.ami_owner : join("", data.aws_ami.default.*.owner_id)
-  root_volume_type     = var.root_volume_type != "" ? var.root_volume_type : data.aws_ami.info.root_device_type
-  public_dns           = var.associate_public_ip_address && var.assign_eip_address && var.instance_enabled ? data.null_data_source.eip.outputs["public_dns"] : join("", aws_instance.default.*.public_dns)
+  instance_count = var.instance_enabled ? 1 : 0
+  # create an instance profile if the instance is enabled and we aren't given
+  # one to use
+  instance_profile_count = ! var.instance_enabled ? 0 : length(var.instance_profile) > 0 ? 0 : 1
+  instance_profile       = local.instance_profile_count == 0 ? var.instance_profile : join("", aws_iam_instance_profile.default.*.name)
+  security_group_count   = var.create_default_security_group ? 1 : 0
+  region                 = var.region != "" ? var.region : data.aws_region.default.name
+  root_iops              = var.root_volume_type == "io1" ? var.root_iops : "0"
+  ebs_iops               = var.ebs_volume_type == "io1" ? var.ebs_iops : "0"
+  availability_zone      = var.availability_zone != "" ? var.availability_zone : data.aws_subnet.default.availability_zone
+  ami                    = var.ami != "" ? var.ami : join("", data.aws_ami.default.*.image_id)
+  ami_owner              = var.ami != "" ? var.ami_owner : join("", data.aws_ami.default.*.owner_id)
+  root_volume_type       = var.root_volume_type != "" ? var.root_volume_type : data.aws_ami.info.root_device_type
+  public_dns             = var.associate_public_ip_address && var.assign_eip_address && var.instance_enabled ? data.null_data_source.eip.outputs["public_dns"] : join("", aws_instance.default.*.public_dns)
 }
 
 data "aws_caller_identity" "default" {
@@ -67,6 +71,11 @@ data "aws_ami" "info" {
   owners = [local.ami_owner]
 }
 
+data "aws_iam_instance_profile" "given" {
+  count = var.instance_enabled && length(var.instance_profile) > 0 ? 1 : 0
+  name  = var.instance_profile
+}
+
 module "label" {
   source      = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0"
   namespace   = var.namespace
@@ -80,13 +89,13 @@ module "label" {
 }
 
 resource "aws_iam_instance_profile" "default" {
-  count = local.instance_count
+  count = local.instance_profile_count
   name  = module.label.id
   role  = join("", aws_iam_role.default.*.name)
 }
 
 resource "aws_iam_role" "default" {
-  count                = local.instance_count
+  count                = local.instance_profile_count
   name                 = module.label.id
   path                 = "/"
   assume_role_policy   = data.aws_iam_policy_document.default.json
@@ -101,7 +110,7 @@ resource "aws_instance" "default" {
   ebs_optimized               = var.ebs_optimized
   disable_api_termination     = var.disable_api_termination
   user_data                   = var.user_data
-  iam_instance_profile        = join("", aws_iam_instance_profile.default.*.name)
+  iam_instance_profile        = local.instance_profile
   associate_public_ip_address = var.associate_public_ip_address
   key_name                    = var.ssh_key_pair
   subnet_id                   = var.subnet

outputs.tf

@@ -45,7 +45,7 @@ output "security_group_ids" {
 
 output "role" {
   description = "Name of AWS IAM Role associated with the instance"
-  value       = join("", aws_iam_role.default.*.name)
+  value       = local.instance_profile_count > 0 ? join("", aws_iam_role.default.*.name) : join("", data.aws_iam_instance_profile.given.*.role_name)
 }
 
 output "alarm" {
@@ -70,3 +70,8 @@ output "primary_network_interface_id" {
   description = "ID of the instance's primary network interface"
   value       = join("", aws_instance.default.*.primary_network_interface_id)
 }
+
+output "instance_profile" {
+  description = "Name of the instance's profile (either built or supplied)"
+  value       = local.instance_profile
+}

variables.tf

@@ -287,3 +287,9 @@ variable "permissions_boundary_arn" {
   description = "Policy ARN to attach to instance role as a permissions boundary"
   default     = ""
 }
+
+variable "instance_profile" {
+  type        = string
+  description = "A pre-defined profile to attach to the instance (default is to build our own)"
+  default     = ""
+}