iam instance profile (#425)

ManagedKube · Apr 20, 2023 · 0d8850b · 0d8850b
1 parent 7c14989
commit 0d8850b
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 1 deletion.
diff --git a/terraform-modules/aws/iam/generic/README.md b/terraform-modules/aws/iam/generic/README.md
@@ -16,12 +16,14 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_create_iam_instance_profile"></a> [create\_iam\_instance\_profile](#input\_create\_iam\_instance\_profile) | Whether to create the IAM instance profile | `bool` | `false` | no |
 | <a name="input_iam_assume_role_policy"></a> [iam\_assume\_role\_policy](#input\_iam\_assume\_role\_policy) | Json to create assume\_role\_policy in line | `string` | `"{}"` | no |
 | <a name="input_iam_description"></a> [iam\_description](#input\_iam\_description) | (Optional) Description of the role. | `string` | `"New Role created from ManagedKube Module"` | no |
 | <a name="input_iam_force_detach_policies"></a> [iam\_force\_detach\_policies](#input\_iam\_force\_detach\_policies) | (Optional) Whether to force detaching any policies the role has before destroying it | `bool` | `false` | no |
@@ -36,7 +38,7 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_iam_arn"></a> [iam\_arn](#output\_iam\_arn) | Amazon Resource Name (ARN) specifying the role. |
-
+| <a name="output_iam_instance_profile_arn"></a> [iam\_instance\_profile\_arn](#output\_iam\_instance\_profile\_arn) | Amazon Resource Name (ARN) specifying instance profiel the role. |
 
 ## Example Usage
 Here are some examples of how we can consume the module through the inputs variables.
@@ -122,3 +124,28 @@ for the IAM role. We’ll refer to this policy simply as the ‘trust policy’.
     iam_assume_role_policy    = templatefile("assume_role_policy.json", { account_id = local.account_id, external_id = local.iam_external_id})
     tags                      = local.tags
     ```
+
+# IAM Instances Profile
+An IAM Instance Profile is an AWS Identity and Access Management (IAM) entity that you can use to pass role information to an Amazon EC2 instance 
+when the instance starts. It is a container for an IAM role that you can use to pass permissions to the EC2 instance, allowing it to access other 
+AWS resources according to the policies attached to the role.
+
+## Where We Can use this?
+An example of usage could be in the EMR EC2 role. If you only create a simple IAM, it won't work. You must specify an Instance Profile ARN: 
+https://github.com/cloudposse/terraform-aws-emr-cluster/blob/e5cf195da0b55a426517b9a0cc410d46109d2419/main.tf#L451
+
+## How Can We Activate this?
+The create_iam_instance_profile variable is a boolean flag that, when set to true, enables the creation of an IAM instance profile and associates 
+it with the specified IAM role. This is particularly useful when deploying services like Amazon EMR that require an IAM instance profile for proper 
+operation.
+
+Example usage:
+```
+module "example_emr" {
+  source                  = "path/to/your/module"
+  create_iam_instance_profile = true
+  # other variables and configuration
+}
+```
+When create_iam_instance_profile is set to false, the module will not create an IAM instance profile, and you will have to provide an existing instance 
+profile for the service if needed.
diff --git a/terraform-modules/aws/iam/generic/main.tf b/terraform-modules/aws/iam/generic/main.tf
@@ -13,4 +13,12 @@ resource "aws_iam_role" "this" {
   managed_policy_arns   = var.iam_managed_policy_arns
   assume_role_policy    = var.iam_assume_role_policy
   tags                  = var.tags
+}
+
+resource "aws_iam_instance_profile" "this" {
+  count = var.create_iam_instance_profile ? 1 : 0
+
+  name = var.iam_name
+  role = var.iam_name
+  tags = var.tags
 }
diff --git a/terraform-modules/aws/iam/generic/outputs.tf b/terraform-modules/aws/iam/generic/outputs.tf
@@ -1,4 +1,9 @@
 output "iam_arn" {
   description = "Amazon Resource Name (ARN) specifying the role."
   value       = aws_iam_role.this.arn
+}
+
+output "iam_instance_profile_arn" {
+  description = "Amazon Resource Name (ARN) specifying instance profiel the role."
+  value       = aws_iam_instance_profile.this[0].arn
 }
diff --git a/terraform-modules/aws/iam/generic/variables.tf b/terraform-modules/aws/iam/generic/variables.tf
@@ -46,6 +46,12 @@ variable iam_assume_role_policy {
 }
 #End Trust relationship section-----------------------------
 
+variable "create_iam_instance_profile" {
+  description = "Whether to create the IAM instance profile"
+  type        = bool
+  default     = false
+}
+
 
 variable tags {
   type = map(any)