diff --git a/main.tf b/main.tf
index 230a709..512be4d 100644
--- a/main.tf
+++ b/main.tf
@@ -72,3 +72,37 @@ resource "aws_cloudwatch_metric_alarm" "aws_bastion_cpu_threshold" {
     InstanceId = aws_instance.this.id
   }
 }
+
+resource "aws_iam_instance_profile" "this" {
+  for_each = var.instance_profiles
+
+  name = each.key
+  role = each.value.role
+
+  depends_on = [
+    aws_iam_role.this
+  ]
+}
+
+resource "aws_iam_role" "this" {
+  for_each = var.instance_profiles
+
+  name = each.value.role
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "${each.value.assume_role_service}"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+}
diff --git a/variables.tf b/variables.tf
index 4b80317..4b98ae1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -98,3 +98,16 @@ variable "efs_mounts" {
   #}
   #}
 }
+
+variable "instance_profiles" {
+  default = {}
+  #"test_profile1" = {
+  #  role                = "test_role1",
+  #  assume_role_service = "ec2.amazonaws.com"
+  #},
+  #"test_profile2" = {
+  #  role                = "test_role2",
+  #  assume_role_service = "s3.amazonaws.com"
+  #}
+}
+