From aa969fc7c0597b5f02eb922141574e75e069e3f2 Mon Sep 17 00:00:00 2001 From: Dave Grizzanti Date: Mon, 22 Jul 2019 08:16:24 -0400 Subject: [PATCH 1/3] Add path and permissions_boundary to iam instance role --- examples/couchbase-ami/README.md | 4 ++-- modules/couchbase-cluster/main.tf | 6 ++++-- modules/couchbase-cluster/variables.tf | 6 ++++++ 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/examples/couchbase-ami/README.md b/examples/couchbase-ami/README.md index fb26db1..61f438a 100644 --- a/examples/couchbase-ami/README.md +++ b/examples/couchbase-ami/README.md @@ -23,7 +23,7 @@ To build the Couchbase AMI: 1. Configure your AWS credentials using one of the [options supported by the AWS SDK](http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html). Usually, the easiest option is to set the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables. -1. Update the `variables` section of the `couchbase.json` Packer template to specify the AWS region and Couchbase +1. Update the `variables` section of the `couchbase.json` to specify the AWS region and Couchbase version you wish to use. 1. To build an Ubuntu AMI for Couchbase Enterprise: `packer build -only=ubuntu-ami -var edition=enterprise couchbase.json`. 1. To build an Ubuntu AMI for Couchbase Community: `packer build -only=ubuntu-ami -var edition=community couchbase.json`. @@ -93,4 +93,4 @@ The Packer template in this example folder can build not only AMIs, but also Doc convenient for testing out the various scripts in the `modules` folder without having to wait for an AMI to build and a bunch of EC2 Instances to boot up. See the [local-mocks folder](https://github.com/gruntwork-io/terraform-aws-couchbase/tree/master/modules/install-couchbase-server) for -instructions. \ No newline at end of file +instructions. diff --git a/modules/couchbase-cluster/main.tf b/modules/couchbase-cluster/main.tf index 72456a7..460e375 100644 --- a/modules/couchbase-cluster/main.tf 
+++ b/modules/couchbase-cluster/main.tf
@@ -165,8 +165,10 @@ resource "aws_iam_instance_profile" "instance_profile" {
 }
 resource "aws_iam_role" "instance_role" {
- name_prefix = var.cluster_name
- assume_role_policy = data.aws_iam_policy_document.instance_role.json
+ name_prefix = var.cluster_name
+ assume_role_policy = data.aws_iam_policy_document.instance_role.json
+ path = var.instance_profile_path
+ permissions_boundary = var.instance_permissions_boundary
 # aws_iam_instance_profile.instance_profile in this module sets create_before_destroy to true, which means
 # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
diff --git a/modules/couchbase-cluster/variables.tf b/modules/couchbase-cluster/variables.tf
index ddd4af6..b4f0a3c 100644
--- a/modules/couchbase-cluster/variables.tf
+++ b/modules/couchbase-cluster/variables.tf
@@ -164,6 +164,12 @@ variable "instance_profile_path" {
 default = "/"
 }
+variable "instance_permissions_boundary" {
+ description = "The ARN of the policy that is used to set the permissions boundary for the instance profile role"
+ type = string
+ default = null
+}
+
 variable "ssh_port" {
 description = "The port used for SSH connections"
 type = number
From 764c09c336d2f354c0d85b42e76f868775e5aa26 Mon Sep 17 00:00:00 2001
From: Dave Grizzanti
Date: Mon, 22 Jul 2019 08:23:34 -0400
Subject: [PATCH 2/3] Use a separate variable for instance role path
---
 modules/couchbase-cluster/main.tf | 2 +-
 modules/couchbase-cluster/variables.tf | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/couchbase-cluster/main.tf b/modules/couchbase-cluster/main.tf
index 460e375..bfc5304 100644
--- a/modules/couchbase-cluster/main.tf
+++ b/modules/couchbase-cluster/main.tf
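Review bot: The two added arguments are wired correctly, but nothing next to them says that `permissions_boundary` only caps the role's effective permissions (the intersection of the boundary with whatever policies the module attaches) and grants nothing, so a caller who passes a boundary that omits actions the module's own instance policies rely on will get a cluster whose AWS calls fail at runtime rather than a plan-time error. I would add above the new lines: `# permissions_boundary only limits this role (boundary ∩ attached policies); it grants nothing, so the boundary must allow whatever the instance policies below need.` Separately, `path` is, as far as I recall the provider schema, a force-new attribute on `aws_iam_role`, so setting a non-default path on an existing cluster replaces the role; the create_before_destroy note that follows already orders the replacement, but that consequence deserves a sentence in the variable description. The `aws_iam_role` block continues past the end of this hunk.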
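Review bot: The description of `instance_permissions_boundary` does not say what the `null` default means or that the boundary is a ceiling rather than a grant, which is the first thing an operator setting it under an org-mandated boundary policy needs to know. I would tighten it to: `description = "ARN of an IAM policy to use as the permissions boundary for the instance role. A boundary only limits the role's effective permissions (it grants nothing), so it must allow the actions the module's instance policies need. Leave as null (the default) to set no boundary."` The variable block is complete within the hunk, so this is a one-line change.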
@@ -167,7 +167,7 @@ resource "aws_iam_instance_profile" "instance_profile" {
 resource "aws_iam_role" "instance_role" {
 name_prefix = var.cluster_name
 assume_role_policy = data.aws_iam_policy_document.instance_role.json
- path = var.instance_profile_path
+ path = var.instance_role_path
 permissions_boundary = var.instance_permissions_boundary
 # aws_iam_instance_profile.instance_profile in this module sets create_before_destroy to true, which means
diff --git a/modules/couchbase-cluster/variables.tf b/modules/couchbase-cluster/variables.tf
index b4f0a3c..188c238 100644
--- a/modules/couchbase-cluster/variables.tf
+++ b/modules/couchbase-cluster/variables.tf
@@ -164,6 +164,12 @@ variable "instance_profile_path" {
 default = "/"
 }
+variable "instance_role_path" {
+ description = "Path in which to create the IAM instance role."
+ type = string
+ default = "/"
+}
+
 variable "instance_permissions_boundary" {
 description = "The ARN of the policy that is used to set the permissions boundary for the instance profile role"
 type = string
From 429023c9b3b40b66ee7852582b95f1e336676273 Mon Sep 17 00:00:00 2001
From: Dave Grizzanti
Date: Mon, 22 Jul 2019 13:16:53 -0400
Subject: [PATCH 3/3] Revert back the README change
---
 examples/couchbase-ami/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/couchbase-ami/README.md b/examples/couchbase-ami/README.md
index 61f438a..db19908 100644
--- a/examples/couchbase-ami/README.md
+++ b/examples/couchbase-ami/README.md
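Review bot: The description of `instance_role_path` omits the format IAM requires and the reason a caller would set it, and since role paths are exactly what boundary and SCP conditions on `iam:CreateRole`/`iam:PassRole` tend to key on, a bad value fails late at apply time with a provider error. I would change it to: `description = "IAM path in which to create the instance role, e.g. /service-role/. Must begin and end with a slash; defaults to /. Changing it on an existing cluster replaces the role."` The replacement claim is my recollection of the provider's schema for `aws_iam_role.path` and should be confirmed before it goes into the docs.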
@@ -23,7 +23,7 @@ To build the Couchbase AMI: 1. Configure your AWS credentials using one of the [options supported by the AWS SDK](http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html). Usually, the easiest option is to set the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables. -1. Update the `variables` section of the `couchbase.json` to specify the AWS region and Couchbase +1. Update the `variables` section of the `couchbase.json` Packer template to specify the AWS region and Couchbase version you wish to use. 1. To build an Ubuntu AMI for Couchbase Enterprise: `packer build -only=ubuntu-ami -var edition=enterprise couchbase.json`. 1. To build an Ubuntu AMI for Couchbase Community: `packer build -only=ubuntu-ami -var edition=community couchbase.json`.