Merge pull request #25 from opszero/jana/add-instance-role

abhiyerra · web-flow · commit 71e29360b99c · 2023-05-02T14:51:18.000-07:00
Add instance profile for bastion instance
diff --git a/main.tf b/main.tf
@@ -41,6 +41,7 @@ resource "aws_instance" "this" {
   associate_public_ip_address = true
   subnet_id                   = var.subnet_id
   vpc_security_group_ids      = concat(var.security_group_ids, [aws_security_group.this.id])
+  iam_instance_profile = var.instance_profile != null ? aws_iam_instance_profile.this.arn : null
 
   monitoring = true
 
@@ -74,35 +75,36 @@ resource "aws_cloudwatch_metric_alarm" "aws_bastion_cpu_threshold" {
 }
 
 resource "aws_iam_instance_profile" "this" {
-  for_each = var.instance_profiles
-
-  name = each.key
-  role = each.value.role
+  count = var.instance_profile != null ? 1 : 0
+  name  = "${var.instance_profile.role_name}-profile"
+  role  = aws_iam_role.this.name
 
   depends_on = [
     aws_iam_role.this
   ]
 }
 
 resource "aws_iam_role" "this" {
-  for_each = var.instance_profiles
-
-  name = each.value.role
-  path = "/"
-
-  assume_role_policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Action": "sts:AssumeRole",
-            "Principal": {
-               "Service": "${each.value.assume_role_service}"
-            },
-            "Effect": "Allow",
-            "Sid": ""
-        }
-    ]
+  count = var.instance_profile != null ? 1 : 0
+  name  = var.instance_profile.role_name
+  path  = "/"
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [{
+      "Action" : "sts:AssumeRole",
+      "Principal" : {
+        "Service" : var.instance_profile.assume_role_service
+      },
+      "Effect" : "Allow",
+      "Sid" : ""
+    }]
+  })
 }
-EOF
+
+resource "aws_iam_role_policy_attachment" "this" {
+  count = length(var.instance_profile.policy_arns) > 0 ? length(var.instance_profile.policy_arns) : 0
+
+  policy_arn = var.instance_profile.policy_arns[count.index]
+  role       = aws_iam_role.this.name
 }
diff --git a/variables.tf b/variables.tf
@@ -99,15 +99,17 @@ variable "efs_mounts" {
   #}
 }
 
-variable "instance_profiles" {
-  default = {}
-  #"test_profile1" = {
-  #  role                = "test_role1",
-  #  assume_role_service = "ec2.amazonaws.com"
-  #},
-  #"test_profile2" = {
-  #  role                = "test_role2",
-  #  assume_role_service = "s3.amazonaws.com"
-  #}
+variable "instance_profile" {
+  type = object({
+    role_name = string
+    assume_role_service = string
+    policy_arns = list(string)
+  })
+  default = null
+#  default = {
+#    role_name = "test_role1"
+#    assume_role_service = "ec2.amazonaws.com"
+#    policy_arns = ["testarn1", "testarn2"]
+#  }
 }
 
