From 194c91a023fc79690ee2fe050f78bb52db6a1ae3 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 21 Jun 2021 11:20:41 -0400 Subject: [PATCH] v1.2.0: add instance_profile capability --- CHANGELOG.md | 3 +++ README.md | 6 ++++++ main.tf | 10 ++++++++++ variables.tf | 12 ++++++++++++ version.tf | 2 +- 5 files changed, 32 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9eff466..6ab1a8e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,3 +16,6 @@ * v1.1.0 -- 20210617 - add inline_policies + +* v1.2.0 -- 20210621 + - add enable_instance_profile diff --git a/README.md b/README.md index beb7077..1faab4d 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,9 @@ module "myrole2" { role_name = "my-role2" attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ] + + # optional + enable_instance_profile = false } ``` @@ -116,6 +119,7 @@ No modules. | Name | Type | |------|------| +| [aws_iam_instance_profile.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | | [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [ldap_object.role](https://registry.terraform.io/providers/hashicorp/ldap/latest/docs/resources/object) | resource | @@ -136,8 +140,10 @@ No modules. | [assume\_policy\_document](#input\_assume\_policy\_document) | JSON policy document for role to assume (i.e., the SAML assume document) | `string` | `""` | no | | [attached\_policies](#input\_attached\_policies) | List of IAM Policy ARNs to attach to this role | `list(string)` | `[]` | no | | [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` |
{
"policy": {},
"role": {}
}
| no | +| [enable\_instance\_profile ](#input\_enable\_instance\_profile ) | Flag to enable/disable instance profile on role | `bool` | `false` | no | | [enable\_ldap\_creation](#input\_enable\_ldap\_creation) | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no | | [inline\_policies](#input\_inline\_policies) | List of IAM Policy Document objects to include in this role. Format is {name=name,policy=policy-json} | `list(object({ name = string, policy = string }))` | `[]` | no | +| [instance\_profile\_path](#input\_instance\_profile\_path) | Instance profile path | `string` | `"/"` | no | | [ldap\_host](#input\_ldap\_host) | LDAP Hostname (default is for eBOCAS) | `string` | `"ldap.e.tco.census.gov"` | no | | [ldap\_password](#input\_ldap\_password) | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no | | [ldap\_port](#input\_ldap\_port) | LDAP port (default is 389 but also using STARTTLS) | `number` | `389` | no | diff --git a/main.tf b/main.tf index c05be64..787dacd 100644 --- a/main.tf +++ b/main.tf @@ -69,6 +69,9 @@ * * role_name = "my-role2" * attached_policies = [ data.aws_iam_policy.aws-managed-readonlyaccess.arn ] +* +* # optional +* enable_instance_profile = false * } * ``` * @@ -159,6 +162,13 @@ resource "aws_iam_role_policy_attachment" "role" { policy_arn = each.value } +resource "aws_iam_instance_profile" "role" { + count = var.enable_instance_profile ? 1 : 0 + name = aws_iam_role.role.name + role = aws_iam_role.role.name + path = var.instance_profile_path +} + data "template_file" "role" { count = local.enable_ldap ? 1 : 0 template = file("${path.module}/templates/iam-role-ldif.${local.account_environment}.tpl") diff --git a/variables.tf b/variables.tf index 5cca66a..b3bb526 100644 --- a/variables.tf +++ b/variables.tf 
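Review bot: The new `aws_iam_instance_profile.role` resource in the second main.tf hunk (`@@ -159,6 +162,13 @@`) is only usable if the role's trust policy lets ec2.amazonaws.com assume the role, and nothing in this change ties `enable_instance_profile` to that: with an `assume_policy_document` of the SAML kind this module documents, the profile would presumably be created but unusable, while a trust policy that does include EC2 makes the role attachable to instances by any principal holding iam:PassRole on it. Add a comment on the resource, e.g. `# Requires assume_policy_document to trust ec2.amazonaws.com; enabling this lets the role be passed to EC2 instances.`, and say the same in the `enable_instance_profile` description. The diffstat lists no outputs file, so callers apparently have no way to reference the profile's name or ARN; consider exposing `aws_iam_instance_profile.role[*].arn` as an output.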
@@ -21,6 +21,12 @@ variable "enable_ldap_creation" {
   default = false
 }
 
+variable "enable_instance_profile " {
+  description = "Flag to enable/disable instance profile on role"
+  type = bool
+  default = false
+}
+
 variable "assume_policy_document" {
   description = "JSON policy document for role to assume (i.e., the SAML assume document)"
   type = string
@@ -39,6 +45,12 @@ variable "inline_policies" {
   default = []
 }
 
+variable "instance_profile_path" {
+  description = "Instance profile path"
+  type = string
+  default = "/"
+}
+
 #---
 # ldap
 #---
diff --git a/version.tf b/version.tf
index 9c489cd..1ee6619 100644
--- a/version.tf
+++ b/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.1.0"
+  _module_version = "1.2.0"
 }
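Review bot: The first variables.tf hunk declares the variable as `variable "enable_instance_profile " {` with a trailing space inside the quotes, while main.tf reads `var.enable_instance_profile`; Terraform should reject the space as an invalid variable name, and even if it did not, the reference would not resolve, so the feature cannot be enabled as committed. Change the line to `variable "enable_instance_profile" {`. The README row added in this commit carries the same trailing space in `[enable\_instance\_profile ](#input\_enable\_instance\_profile )`, which suggests the table was generated from the broken name and should be regenerated after the fix.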
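Review bot: The description on `instance_profile_path` in the second variables.tf hunk, `"Instance profile path"`, restates the name without saying when the value is used or what form it takes; suggest `description = "IAM path for the instance profile (only used when enable_instance_profile is true)"`. The README input table inherits this text, so the clarification propagates there once the docs are regenerated.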