Option to provide instance profile role or role policy #70
Comments
I second this. Also, it seems that when setting the solution stack to multi container:
The generated role
|
I was able to get around this issue by creating my own role and instance profile and then specify the

```hcl
# create your own IAM resources
resource "aws_iam_role_policy_attachment" "instance_permissions" {
  role       = "${aws_iam_role.instance_role.id}"
  policy_arn = "${aws_iam_policy.master.arn}" # policy is created elsewhere
}

resource "aws_iam_role" "instance_role" {
  name = "elb_instance_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_instance_profile" "ec2" {
  name = "elb_instance_profile"
  role = "${aws_iam_role.instance_role.name}"
}

# Now create the elastic bean environment module
module "elastic_beanstalk_environment" {
  source = "git::https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment.git?ref=tags/0.18.0"

  # other variables here ...

  additional_settings = [
    # insert your instance profile here
    {
      namespace = "aws:autoscaling:launchconfiguration"
      name      = "IamInstanceProfile"
      value     = "${aws_iam_instance_profile.ec2.name}"
    }
  ]
}
```

EDIT: This did not work for me, just opened a PR to avoid creating the other permissions if we specify a role to use #107 |
Hello guys, this feature sounds great to me since it would partly fix issue #172. |
Hello,
Thanks for a great module, like all the other modules you have!
Currently we can specify the `ec2_instance_profile_role_name`, and the module will create the instance profile role with the default policy that includes read permissions to a few different services. This is a bit cumbersome since you would like to either specify other permissions to include the role policy or you would like to scope the read permission on parameter store to only access parameters for this specific environment.
It would be therefore great to either have the possibility to provide an existing role for the instances or provide the policy that should be used.
Thanks!
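An added example (not part of the original issue and not the module's own code) of the scoping the request describes: a read-only Parameter Store policy limited to one environment's path, attached to a self-managed instance role. The variable names and the `/myapp/staging` prefix are assumptions made for illustration.

```hcl
# Hypothetical inputs: the role is assumed to already exist, and the
# prefix is a constructed sample value for one environment's parameters.
variable "instance_role_name" {
  description = "Name of the self-managed EC2 instance role"
}

variable "parameter_prefix" {
  description = "Parameter Store path prefix owned by this environment"
  default     = "/myapp/staging"
}

data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "env_parameters" {
  statement {
    sid    = "ReadOwnEnvironmentParameters"
    effect = "Allow"

    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
    ]

    # Parameter ARNs append the parameter name (which already starts with
    # "/") directly after "parameter". The bare prefix is listed as well so
    # that a GetParametersByPath call on the prefix itself is covered.
    resources = [
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${var.parameter_prefix}",
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${var.parameter_prefix}/*",
    ]
  }
}

# Inline policy on the instance role, in place of a broad read-only policy.
resource "aws_iam_role_policy" "env_parameters" {
  name   = "read-env-parameters"
  role   = "${var.instance_role_name}"
  policy = "${data.aws_iam_policy_document.env_parameters.json}"
}
```

If the parameters are `SecureString` values encrypted with a customer-managed KMS key, the role also needs `kms:Decrypt` on that key.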