Merge pull request #4 from terraform-modules/add-instance-profile

v1.2.0: add instance_profile capability
terraform-modules · Jun 21, 2021 · 6eedc96 · 6eedc96
2 parents 4f1c62d + 194c91a
commit 6eedc96
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,3 +16,6 @@
 
 * v1.1.0 -- 20210617
   - add inline_policies
+
+* v1.2.0 -- 20210621
+  - add enable_instance_profile
diff --git a/README.md b/README.md
@@ -68,6 +68,9 @@ module "myrole2" {
 
   role_name                  = "my-role2"
   attached_policies          = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
+
+  # optional
+  enable_instance_profile    = false
 }
 ```
 
@@ -116,6 +119,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_instance_profile.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [ldap_object.role](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | resource |
@@ -136,8 +140,10 @@ No modules.
 | <a name="input_assume_policy_document"></a> [assume\_policy\_document](#input\_assume\_policy\_document) | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no |
 | <a name="input_attached_policies"></a> [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` | <pre>{<br>  "policy": {},<br>  "role": {}<br>}</pre> | no |
+| <a name="input_enable_instance_profile "></a> [enable\_instance\_profile ](#input\_enable\_instance\_profile ) | Flag to enable/disable instance profile on role | `bool` | `false` | no |
 | <a name="input_enable_ldap_creation"></a> [enable\_ldap\_creation](#input\_enable\_ldap\_creation) | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no |
 | <a name="input_inline_policies"></a> [inline\_policies](#input\_inline\_policies) | List of IAM Policy Document objects to include in this role. Format is {name=name,policy=policy-json} | `list(object({ name = string, policy = string }))` | `[]` | no |
+| <a name="input_instance_profile_path"></a> [instance\_profile\_path](#input\_instance\_profile\_path) | Instance profile path | `string` | `"/"` | no |
 | <a name="input_ldap_host"></a> [ldap\_host](#input\_ldap\_host) | LDAP Hostname (default is for eBOCAS) | `string` | `"ldap.e.tco.census.gov"` | no |
 | <a name="input_ldap_password"></a> [ldap\_password](#input\_ldap\_password) | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no |
 | <a name="input_ldap_port"></a> [ldap\_port](#input\_ldap\_port) | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no |

diff --git a/main.tf b/main.tf
@@ -69,6 +69,9 @@
 * 
 *   role_name                  = "my-role2"
 *   attached_policies          = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ]
+* 
+*   # optional
+*   enable_instance_profile    = false
 * }
 * ```
 *
@@ -159,6 +162,13 @@ resource "aws_iam_role_policy_attachment" "role" {
   policy_arn = each.value
 }
 
+resource "aws_iam_instance_profile" "role" {
+  count = var.enable_instance_profile ? 1 : 0
+  name  = aws_iam_role.role.name
+  role  = aws_iam_role.role.name
+  path  = var.instance_profile_path
+}
+
 data "template_file" "role" {
   count    = local.enable_ldap ? 1 : 0
   template = file("${path.module}/templates/iam-role-ldif.${local.account_environment}.tpl")

diff --git a/variables.tf b/variables.tf
@@ -21,6 +21,12 @@ variable "enable_ldap_creation" {
   default     = false
 }
 
+variable "enable_instance_profile " {
+  description = "Flag to enable/disable instance profile on role"
+  type        = bool
+  default     = false
+}
+
 variable "assume_policy_document" {
   description = "JSON policy document for role to assume (i.e., the SAML assume document)"
   type        = string
@@ -39,6 +45,12 @@ variable "inline_policies" {
   default     = []
 }
 
+variable "instance_profile_path" {
+  description = "Instance profile path"
+  type        = string
+  default     = "/"
+}
+
 #---
 # ldap 
 #---

diff --git a/version.tf b/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.1.0"
+  _module_version = "1.2.0"
 }