
Option to provide instance profile role or role policy #70

Open
ErfanY opened this issue Jan 19, 2019 · 4 comments

Comments

@ErfanY

ErfanY commented Jan 19, 2019

Hello,

Thanks for a great module, like all the other modules you have!

Currently we can specify the ec2_instance_profile_role_name, and the module will create the instance profile role with the default policy that includes read permissions to a few different services.

This is a bit cumbersome, since you would like either to specify other permissions to include in the role policy, or to scope the read permission on Parameter Store to only access parameters for this specific environment.

It would therefore be great either to have the possibility to provide an existing role for the instances, or to provide the policy that should be used.

Thanks!

@NFhbar

NFhbar commented Jan 24, 2019

I second this. Also, it seems that when setting the solution stack to multi container:

solution_stack_name = "64bit Amazon Linux 2018.03 v2.11.7 running Multi-container Docker 18.06.1-ce (Generic)"

The generated role aws-elasticbeanstalk-ec2-role is missing the following policy:

arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
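As an added example (not the module's own code), the following Terraform configuration shows what the two requests above amount to: an instance role whose Parameter Store read permission is scoped to one environment's parameter path rather than to every parameter in the account, plus the AWSElasticBeanstalkMulticontainerDocker managed policy attached only when the solution stack name is a Multi-container Docker stack. It assumes Terraform 0.12+ syntax, placeholder variable defaults for the environment name, the solution stack and the KMS key ARN, and it does not repeat the standard Elastic Beanstalk managed policies the instances also need. The resulting instance profile name is what you would pass to the environment through the `aws:autoscaling:launchconfiguration` / `IamInstanceProfile` setting.

```hcl
# Added example, not part of the terraform-aws-elastic-beanstalk-environment module.
# Placeholder defaults; replace with the values for your environment.
variable "environment_name" {
  default = "my-app-staging"
}

variable "solution_stack_name" {
  default = "64bit Amazon Linux 2018.03 v2.11.7 running Multi-container Docker 18.06.1-ce (Generic)"
}

variable "parameter_kms_key_arn" {
  # Key used to encrypt the environment's SecureString parameters (placeholder).
  default = "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER-KEY-ID"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Least-privilege read access to SSM Parameter Store: only parameters under
# /<environment_name>/ in this account and region, instead of ssm:* on "*".
data "aws_iam_policy_document" "instance" {
  statement {
    sid     = "ReadEnvironmentParameters"
    effect  = "Allow"
    actions = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = [
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment_name}/*",
    ]
  }

  # SecureString parameters are decrypted client-side, so the instance also
  # needs kms:Decrypt on that one key (not on every key in the account).
  statement {
    sid       = "DecryptEnvironmentParameters"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [var.parameter_kms_key_arn]
  }
}

# Trust policy: only the EC2 service may assume this role.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "${var.environment_name}-eb-instance"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_role_policy" "parameter_store" {
  name   = "parameter-store-read"
  role   = aws_iam_role.instance.id
  policy = data.aws_iam_policy_document.instance.json
}

# Multi-container Docker stacks need the managed policy named above; attach it
# only when the chosen solution stack is one of those.
locals {
  multi_container = length(regexall("Multi-container Docker", var.solution_stack_name)) > 0
}

resource "aws_iam_role_policy_attachment" "multicontainer" {
  count      = local.multi_container ? 1 : 0
  role       = aws_iam_role.instance.name
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
}

resource "aws_iam_instance_profile" "instance" {
  name = "${var.environment_name}-eb-instance"
  role = aws_iam_role.instance.name
}

output "instance_profile_name" {
  value = aws_iam_instance_profile.instance.name
}
```

The path-scoped ARN is the part that answers the original request: two environments in the same account can then read only their own `/<environment_name>/...` parameters even though both run the same module. Keeping the KMS statement on a single key ARN matters for the same reason; `kms:Decrypt` on `*` would undo the scoping for any SecureString parameter.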

@aknysh
Member

aknysh commented Feb 1, 2019

@ErfanY @NFhbar thanks for testing and opening the issue.
If you could open a PR for that, we'll review promptly.
Otherwise, we'll be able to get to it sometime next week.

@JBarna

JBarna commented Feb 28, 2020

I was able to get around this issue by creating my own role and instance profile and then specifying the IamInstanceProfile setting, which overrides the default setting that the module creates. The only downside is that it still creates all of the IAM resources and they just go unused, but it gets the job done.

```hcl
# create your own IAM resources
resource "aws_iam_role_policy_attachment" "instance_permissions" {
  role       = "${aws_iam_role.instance_role.name}"
  policy_arn = "${aws_iam_policy.master.arn}" # policy is created elsewhere
}

resource "aws_iam_role" "instance_role" {
  name               = "elb_instance_role"
  # trust policy: only the EC2 service may assume this role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_instance_profile" "ec2" {
  name = "elb_instance_profile"
  role = "${aws_iam_role.instance_role.name}"
}

# Now create the Elastic Beanstalk environment module
module "elastic_beanstalk_environment" {
  source = "git::https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment.git?ref=tags/0.18.0"

  # other variables here ...

  additional_settings = [
    # insert your instance profile here; this overrides the profile the module creates
    {
      namespace = "aws:autoscaling:launchconfiguration"
      name      = "IamInstanceProfile"
      value     = "${aws_iam_instance_profile.ec2.name}"
    }
  ]
}
```

EDIT: This did not work for me. I just opened a PR to avoid creating the other permissions if we specify a role to use: #107

@florian0410
Contributor

Hello guys,

This feature sounds great to me, since it would partly fix issue #172.
I just checked the MR and it seems to be stuck. Any news on this?
