New: module iam-instance-profile

Abstract a usage pattern for IAM instance profile. The instance level should setup this module and pass the role name to modules that attach the policy. Refer to single-node-asg and persistent-ebs for usage. Simply export profile id for attaching to instance, and role name for ataching policies.
fpco · Jul 24, 2019 · d9d11fa · d9d11fa
1 parent ae28905
commit d9d11fa
Show file tree

Hide file tree

Showing 11 changed files with 98 additions and 88 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,8 @@
 
 ### Modules
 
+* `iam-instance-profile`: Abstract the usage pattern of IAM instance profile.
+
 
 ### Examples
 
@@ -25,7 +27,6 @@
 
 * `load-asg`: updated to use new `autoscaling-policy-metric-alarm-pair` module
 
-
 # v0.9.0
 
 ### Summary

diff --git a/examples/nexus-asg/nexus.tf b/examples/nexus-asg/nexus.tf
@@ -16,16 +16,17 @@
 
 variable "region" {
   description = "The region to put resources in"
-  default     = "us-east-1"
+  default     = "us-east-2"
 }
 
 variable "az" {
   description = "The availability zone to put resources in"
-  default     = "us-east-1a"
+  default     = "us-east-2b"
 }
 
 variable "key_name" {
   description = "The keypair used to ssh into the asg intances"
+  default     = "shida-east-2"
 }
 
 module "vpc" {

diff --git a/modules/iam-instance-profile/README.md b/modules/iam-instance-profile/README.md
@@ -0,0 +1,21 @@
+# IAM Instance Profile
+
+This module abstracts the useage pattern of IAM instance profile. The caller provides role/policy, and gets profile id to assign to instance.
+
+Sample usgae:
+
+```
+module "iam_instance_profile" {
+  source             = "../iam-instance-profile"
+  assume_role_policy = "${data.aws_iam_policy_document.attach_ebs.json}"
+  policy             = "${data.aws_iam_policy_document.attach_ebs_policy.json}"
+  name_prefix        = "persistent-ebs"
+}
+
+module "server" {
+  source             = "../asg"
+  iam_profile = "${module.iam_instance_profile.iam_profile_id}"
+
+  # other things here is ignored
+}
+```
diff --git a/modules/iam-instance-profile/main.tf b/modules/iam-instance-profile/main.tf
@@ -0,0 +1,38 @@
+variable "name_prefix" {
+  description = "Creates a unique name beginning with the specified prefix."
+}
+
+resource "aws_iam_instance_profile" "profile" {
+  name_prefix = var.name_prefix
+  role        = aws_iam_role.role.name
+}
+
+resource "aws_iam_role" "role" {
+  name               = var.name_prefix
+  path               = "/"
+  assume_role_policy = <<-EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": "sts:AssumeRole",
+          "Principal": {
+            "Service": "ec2.amazonaws.com"
+          },
+          "Effect": "Allow",
+          "Sid": ""
+        }
+      ]
+    }
+EOF
+
+}
+
+output "iam_role_name" {
+  value = aws_iam_role.role.name
+}
+
+output "iam_profile_id" {
+  value = aws_iam_instance_profile.profile.id
+}
+
diff --git a/modules/iam-instance-profile/versions.tf b/modules/iam-instance-profile/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/modules/persistent-ebs/data.tf b/modules/persistent-ebs/data.tf
@@ -4,21 +4,7 @@ data "aws_caller_identity" "current" {
 data "aws_partition" "current" {
 }
 
-data "aws_iam_policy_document" "attach_ebs" {
-  statement {
-    sid    = ""
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["ec2.amazonaws.com"]
-    }
-
-    actions = ["sts:AssumeRole"]
-  }
-}
-
-data "aws_iam_policy_document" "attach_ebs_policy" {
+data "aws_iam_policy_document" "attach_ebs_policy_doc" {
   statement {
     sid    = ""
     effect = "Allow"
@@ -35,3 +21,8 @@ data "aws_iam_policy_document" "attach_ebs_policy" {
   }
 }
 
+resource "aws_iam_policy" "attach_ebs_policy" {
+  name = "attach_ebs"
+
+  policy = data.aws_iam_policy_document.attach_ebs_policy_doc.json
+}
diff --git a/modules/persistent-ebs/iam.tf b/modules/persistent-ebs/iam.tf
diff --git a/modules/persistent-ebs/main.tf b/modules/persistent-ebs/main.tf
@@ -25,29 +25,9 @@ resource "aws_ebs_volume" "main" {
   )
 }
 
-output "iam_profile_id" {
-  value       = aws_iam_instance_profile.attach_ebs.id
-  description = "`id` exported from the `aws_iam_instance_profile`"
-}
-
-output "iam_profile_arn" {
-  value       = aws_iam_instance_profile.attach_ebs.arn
-  description = "`arn` exported from the `aws_iam_instance_profile`"
-}
-
-output "iam_profile_policy_document" {
-  value       = aws_iam_role_policy.attach_ebs.policy
-  description = "`policy` exported from the `aws_iam_role_policy`"
-}
-
-output "iam_role_arn" {
-  value       = aws_iam_role.attach_ebs.arn
-  description = "`arn` exported from the `aws_iam_role`"
-}
-
-output "iam_role_name" {
-  value       = aws_iam_role.attach_ebs.name
-  description = "`name` exported from the `aws_iam_role`"
+resource "aws_iam_role_policy_attachment" "attach_ebs" {
+  role       = var.iam_instance_profile_role_name
+  policy_arn = aws_iam_policy.attach_ebs_policy.arn
 }
 
 output "volume_id" {

diff --git a/modules/persistent-ebs/variables.tf b/modules/persistent-ebs/variables.tf
@@ -56,3 +56,7 @@ variable "extra_tags" {
   type        = map(string)
 }
 
+variable "iam_instance_profile_role_name" {
+  description = "The role to attach policy needed by this module."
+  type        = string
+}
diff --git a/modules/single-node-asg/main.tf b/modules/single-node-asg/main.tf
@@ -12,16 +12,22 @@
  */
 
 module "service-data" {
-  source      = "../persistent-ebs"
-  name_prefix = "${var.name_prefix}-${var.name_suffix}-data"
-  region      = var.region
-  az          = data.aws_subnet.server-subnet.availability_zone
-  size        = var.data_volume_size
-  iops        = var.data_volume_iops
-  volume_type = var.data_volume_type
-  encrypted   = var.data_volume_encrypted
-  kms_key_id  = var.data_volume_kms_key_id
-  snapshot_id = var.data_volume_snapshot_id
+  source                         = "../persistent-ebs"
+  name_prefix                    = "${var.name_prefix}-${var.name_suffix}-data"
+  region                         = var.region
+  az                             = data.aws_subnet.server-subnet.availability_zone
+  size                           = var.data_volume_size
+  iops                           = var.data_volume_iops
+  volume_type                    = var.data_volume_type
+  encrypted                      = var.data_volume_encrypted
+  kms_key_id                     = var.data_volume_kms_key_id
+  snapshot_id                    = var.data_volume_snapshot_id
+  iam_instance_profile_role_name = module.instance_profile.iam_role_name
+}
+
+module "instance_profile" {
+  source      = "../iam-instance-profile"
+  name_prefix = "${var.name_prefix}-${var.name_suffix}"
 }
 
 module "server" {
@@ -44,8 +50,7 @@ module "server" {
   root_volume_type = var.root_volume_type
   root_volume_size = var.root_volume_size
 
-  #
-  iam_profile = module.service-data.iam_profile_id
+  iam_profile = module.instance_profile.iam_profile_id
 
   user_data = <<END_INIT
 #!/bin/bash

diff --git a/modules/single-node-asg/outputs.tf b/modules/single-node-asg/outputs.tf
@@ -2,19 +2,3 @@ output "asg_name" {
   value       = module.server.name
   description = "`name` exported from the Server `aws_autoscaling_group`"
 }
-
-output "asg_iam_profile_arn" {
-  value       = module.service-data.iam_profile_arn
-  description = "`arn` exported from the Service Data `aws_iam_profile`"
-}
-
-output "asg_iam_role_arn" {
-  value       = module.service-data.iam_role_arn
-  description = "`arn` exported from the Service Data `aws_iam_role`"
-}
-
-output "asg_iam_role_name" {
-  value       = module.service-data.iam_role_name
-  description = "`name` exported from the Service Data `aws_iam_role`"
-}
-