Commit

Update default_instance_profile for instance
posquit0 committed May 9, 2024
1 parent df4994d commit 13af5b2
Showing 5 changed files with 60 additions and 39 deletions.
14 changes: 7 additions & 7 deletions modules/instance/README.md
@@ -16,22 +16,22 @@ This module creates following resources.

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.61 |
| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >= 2.2 |
| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >= 2.3 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
| <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | 2.3.2 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.48.0 |
| <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | 2.3.4 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_instance_profile"></a> [instance\_profile](#module\_instance\_profile) | tedilabs/account/aws//modules/iam-role | ~> 0.22.0 |
| <a name="module_instance_profile"></a> [instance\_profile](#module\_instance\_profile) | tedilabs/account/aws//modules/iam-role | ~> 0.29.0 |
| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |

## Resources
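Review bot: the module row bumping `instance_profile` from `~> 0.22.0` to `~> 0.29.0` is the change that drives everything else in this commit (the iam.tf hunk switches from `trusted_services` / `instance_profile_enabled` to the `trusted_service_policies` / `instance_profile` block interface), yet the commit message only mentions the variable rename; state the upstream module upgrade and its interface change there so the README diff is explainable without reading iam.tf. The provider rows (aws 5.48.0, cloudinit 2.3.4) are terraform-docs snapshots and are fine as-is.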
@@ -59,14 +59,14 @@ This module creates following resources.
| <a name="input_availability_zone"></a> [availability\_zone](#input\_availability\_zone) | (Optional) AZ (Availability Zone) to create the instance in. | `string` | `null` | no |
| <a name="input_cpu_credit_specification"></a> [cpu\_credit\_specification](#input\_cpu\_credit\_specification) | (Optional) The specification for CPU credit. A credit specification is only available for T2, T3, and T3a instances. Valid values are `STANDARD` or `UNLIMITED`. T3 instances are launched as `UNLIMITED` by default. T2 instances are launched as `STANDARD` by default. | `string` | `null` | no |
| <a name="input_cpu_options"></a> [cpu\_options](#input\_cpu\_options) | (Optional) The configuration of the CPU options to optimize the instance for specific workloads or business needs. You can specify these CPU options during instance launch. There is no additional or reduced charge for specifying CPU options. `cpu_options` block as defined below.<br> (Optional) `core_count` - Sets the number of CPU cores for an instance. This option is only supported on creation of instance type that support CPU Options CPU Cores and Threads Per CPU Core Per Instance Type - specifying this option for unsupported instance types will return an error from the EC2 API.<br> (Optional) `threads_per_core` - Set the number of CPU threads per core for the instance. If set to to 1, hyperthreading is disabled on the launched instance. | <pre>object({<br> core_count = number<br> threads_per_core = number<br> })</pre> | `null` | no |
| <a name="input_custom_instance_profile"></a> [custom\_instance\_profile](#input\_custom\_instance\_profile) | (Optional) The IAM Instance Profile to replace the default instance profile which is managed by this module. Specified as the name of the Instance Profile. Ensure your credentials have the correct permission to assign the instance profile according to the EC2 documentation, notably `iam:PassRole`. | `string` | `null` | no |
| <a name="input_default_instance_profile"></a> [default\_instance\_profile](#input\_default\_instance\_profile) | (Optional) A configuration for the default instance profile of the instance. Use `instance_profile` if `default_instance_profile.enabled` is `false`. `default_instance_profile` block as defined below.<br> (Optional) `enabled` - Whether to create the default instance profile. Defaults to `true`.<br> (Optional) `name` - The name for the default instance profile. Defaults to `ec2-${var.name}`.<br> (Optional) `path` - The path for the default instance profile.<br> (Optional) `description` - The description of the default instance profile.<br> (Optional) `policies` - A list of IAM policy ARNs to attach to the default instance profile.<br> (Optional) `inline_policies` - A map of inline IAM policies to attach to the default instance profile. (`name` => `policy`). | <pre>object({<br> enabled = optional(bool, true)<br> name = optional(string)<br> path = optional(string, "/")<br> description = optional(string, "Managed by Terraform.")<br><br> policies = optional(list(string), [])<br> inline_policies = optional(map(string), {})<br> })</pre> | `{}` | no |
| <a name="input_dns_resource_name_ipv4_enabled"></a> [dns\_resource\_name\_ipv4\_enabled](#input\_dns\_resource\_name\_ipv4\_enabled) | (Optional) Whether to resolve the IPv4 address of the EC2 instance for requests to your resource-name based domain. | `bool` | `null` | no |
| <a name="input_dns_resource_name_ipv6_enabled"></a> [dns\_resource\_name\_ipv6\_enabled](#input\_dns\_resource\_name\_ipv6\_enabled) | (Optional) Whether to resolve the IPv6 address of the EC2 instance for requests to your resource-name based domain. | `bool` | `null` | no |
| <a name="input_ebs_optimized"></a> [ebs\_optimized](#input\_ebs\_optimized) | (Optional) Whether to enable additional, dedicated throughput between Amazon EC2 and Amazon EBS. The launched EC2 instance will be EBS-optimized if true. Note that if this is not set on an instance type that is optimized by default then this will show as disabled but if the instance type is optimized by default then there is no need to set this and there is no effect to disabling it. | `bool` | `null` | no |
| <a name="input_eip_associations"></a> [eip\_associations](#input\_eip\_associations) | (Optional) A list of configurations to associate Elastic IPs to the network interfaces of the instance. Each `eip_associations` block as defined below.<br> (Required) `eip` - The allocation ID of Elastic IP to associate.<br> (Optional) `private_ip` - The primary or secondary private IP address to associate with the Elastic IP address. If no private IP address is specified, the Elastic IP address is associated with the primary private IP address. | `list(map(string))` | `[]` | no |
| <a name="input_host_id"></a> [host\_id](#input\_host\_id) | (Optional) The ID of a dedicated host that the instance will be assigned to. Use when an instance is to be launched on a specific dedicated host. | `string` | `null` | no |
| <a name="input_hostname_type"></a> [hostname\_type](#input\_hostname\_type) | (Optional) The type of hostname for the EC2 instances. For IPv4 only subnets, an instance DNS name must be based on the instance IPv4 address. For IPv6 native subnets, an instance DNS name must be based on the instance ID. For dual-stack subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values are `IP_V4` and `RESOURCE_NAME`. | `string` | `null` | no |
| <a name="input_instance_profile"></a> [instance\_profile](#input\_instance\_profile) | (Optional) The configuration for the default instance profile of the instance. `instance_profile` block as defined below.<br> (Optional) `enabled` - Whether to trigger a destroy and recreate when user data is changed. Defaults to `false`.<br> (Optional) `name` - The name for the IAM role.<br> (Optional) `path` - The path for the IAM role.<br> (Optional) `description` - The description of the role.<br> (Optional) `assumable_roles` - List of IAM roles ARNs which can be assumed by the role.<br> (Optional) `policies` - List of IAM policies ARNs to attach to IAM role.<br> (Optional) `inline_policies` - Map of inline IAM policies to attach to IAM role. (`name` => `policy`). | `any` | `null` | no |
| <a name="input_instance_profile"></a> [instance\_profile](#input\_instance\_profile) | (Optional) A name of the IAM Instance Profile to replace the default instance profile which is managed by this module. | `string` | `null` | no |
| <a name="input_instance_store_volumes"></a> [instance\_store\_volumes](#input\_instance\_store\_volumes) | (Optional) The configuration for instance store volumes (also known as ephemeral volumes) of the instance. This is only required non-NVME instance store volumes (for old generation EC2 instance types). Each item of `instance_store_volumes` as defined below.<br> (Required) `device_name` - The device name of the instance store to mount on the instance. For example, `/dev/sdh` or `xvdh`.<br> (Optional) `virtual_name` - The virtual device name (ephemeral N). Instance store volumes are numbered starting from 0. An instance type with 2 available instance store volumes can specify mappings for ephemeral0 and ephemeral1. The number of available instance store volumes depends on the instance type. After you connect to the instance, you must mount the volume.<br> (Optional) `no_device` - Whether to suppress the specified device included in the AMI's block device mapping. Defaults to `false`. | `any` | `[]` | no |
| <a name="input_launch_template"></a> [launch\_template](#input\_launch\_template) | (Optional) The configuration for launch template of the instance. Launch Template parameters will be used only once during instance creation. If you want to update existing instance you need to change parameters directly. Updating Launch Template specification will force a new instance. Any other instance parameters that you specify will override the same parameters in the launch template. `launch_template` block as defined below.<br> (Optional) `id` - The ID of the launch template. Conflicts with `name`.<br> (Optional) `name` - The name of the launch template. Conflicts with `id`.<br> (Optional) `version` - The version of launch template. Valid value is a specific version number, `$Latest` or `$Default`. Defaults to `$Default`. | `map(string)` | `null` | no |
| <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | (Optional) The configuration for metadata of the instance. `metadata_options` block as defined below.<br> (Optional) `http_enabled` - Whether the metadata service is available. You can turn off access to your instance metadata by disabling the HTTP endpoint of the instance metadata service. Defaults to `true`.<br> (Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `false`.<br> (Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `1`.<br> (Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `false`. | `any` | `null` | no |
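Review bot: the new `input_instance_profile` row drops the `iam:PassRole` sentence that the removed `custom_instance_profile` row carried ("Ensure your credentials have the correct permission to assign the instance profile according to the EC2 documentation, notably `iam:PassRole`"); keep it, since a caller attaching an externally managed profile still needs `iam:PassRole` on that profile's role and this row is the only place the module tells them. This hunk is also a breaking interface change: `instance_profile` goes from an `any` object describing the default profile to a `string` naming a replacement, and `custom_instance_profile` disappears, so existing callers need a migration note (old `instance_profile = {...}` values now fail type checking, old `custom_instance_profile` values become unknown variables).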
38 changes: 25 additions & 13 deletions modules/instance/iam.tf
@@ -3,23 +3,35 @@
###################################################

module "instance_profile" {
source = "tedilabs/account/aws//modules/iam-role"
version = "~> 0.22.0"

count = try(var.instance_profile.enabled, true) ? 1 : 0

name = try(var.instance_profile.name, "ec2-${local.metadata.name}")
path = try(var.instance_profile.path, "/")
description = try(var.instance_profile.description, "Instance Profile for EC2 Instance (${local.metadata.name}).")
count = var.default_instance_profile.enabled ? 1 : 0

trusted_services = ["ec2.amazonaws.com"]
source = "tedilabs/account/aws//modules/iam-role"
version = "~> 0.29.0"

assumable_roles = try(var.instance_profile.assumable_roles, [])
policies = try(var.instance_profile.policies, [])
inline_policies = try(var.instance_profile.inline_policies, {})
name = coalesce(
var.default_instance_profile.name,
"ec2-${local.metadata.name}"
)
path = var.default_instance_profile.path
description = var.default_instance_profile.description

trusted_service_policies = [
{
services = ["ec2.amazonaws.com"]
}
]

policies = concat(
[],
var.default_instance_profile.policies,
)
inline_policies = var.default_instance_profile.inline_policies

instance_profile_enabled = true
instance_profile = {
enabled = true
}

force_detach_policies = true
resource_group_enabled = false
module_tags_enabled = false

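Review bot: `policies = concat([], var.default_instance_profile.policies)` is a no-op wrapper around the list; pass `var.default_instance_profile.policies` directly unless a module-managed baseline policy is meant to go in that empty first list, in which case a comment saying so would help. Separately, `assumable_roles` is dropped without replacement: with the old `any` type a caller could let the instance role assume other roles, and the new `object` type now rejects that key at plan time, so either call this out as an intentional removal or thread it through if the 0.29 iam-role module still supports it. `force_detach_policies = true` staying in place is right for a role whose inline policies are caller-supplied.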
8 changes: 4 additions & 4 deletions modules/instance/main.tf
@@ -52,9 +52,9 @@ resource "aws_instance" "this" {
instance_type = var.type
ami = var.ami
key_name = var.ssh_key
iam_instance_profile = (try(var.instance_profile.enabled, true)
iam_instance_profile = (var.default_instance_profile.enabled
? module.instance_profile[0].name
: var.custom_instance_profile
: var.instance_profile
)

dynamic "launch_template" {
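Review bot: the `iam_instance_profile` conditional is now duplicated verbatim between `aws_instance` here and `aws_spot_instance_request` in the next hunk; hoist it into one local (e.g. `local.instance_profile_name = var.default_instance_profile.enabled ? module.instance_profile[0].name : var.instance_profile`) so the two cannot drift. Also note the silent precedence: when `default_instance_profile.enabled` is `true` a non-null `var.instance_profile` is ignored without any diagnostic. A `lifecycle { precondition { condition = !(var.default_instance_profile.enabled && var.instance_profile != null) ... } }` on the resource would turn that into a plan-time error instead of a profile the caller did not expect.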
@@ -214,9 +214,9 @@ resource "aws_spot_instance_request" "this" {
instance_type = var.type
ami = var.ami
key_name = var.ssh_key
iam_instance_profile = (try(var.instance_profile.enabled, true)
iam_instance_profile = (var.default_instance_profile.enabled
? module.instance_profile[0].name
: var.custom_instance_profile
: var.instance_profile
)

dynamic "launch_template" {
35 changes: 22 additions & 13 deletions modules/instance/variables.tf
@@ -34,25 +34,34 @@ variable "ssh_key" {
default = null
}

variable "instance_profile" {
variable "default_instance_profile" {
description = <<EOF
(Optional) The configuration for the default instance profile of the instance. `instance_profile` block as defined below.
(Optional) `enabled` - Whether to trigger a destroy and recreate when user data is changed. Defaults to `false`.
(Optional) `name` - The name for the IAM role.
(Optional) `path` - The path for the IAM role.
(Optional) `description` - The description of the role.
(Optional) `assumable_roles` - List of IAM roles ARNs which can be assumed by the role.
(Optional) `policies` - List of IAM policies ARNs to attach to IAM role.
(Optional) `inline_policies` - Map of inline IAM policies to attach to IAM role. (`name` => `policy`).
(Optional) A configuration for the default instance profile of the instance. Use `instance_profile` if `default_instance_profile.enabled` is `false`. `default_instance_profile` block as defined below.
(Optional) `enabled` - Whether to create the default instance profile. Defaults to `true`.
(Optional) `name` - The name for the default instance profile. Defaults to `ec2-$${var.name}`.
(Optional) `path` - The path for the default instance profile.
(Optional) `description` - The description of the default instance profile.
(Optional) `policies` - A list of IAM policy ARNs to attach to the default instance profile.
(Optional) `inline_policies` - A map of inline IAM policies to attach to the default instance profile. (`name` => `policy`).
EOF
type = any
default = null
type = object({
enabled = optional(bool, true)
name = optional(string)
path = optional(string, "/")
description = optional(string, "Managed by Terraform.")

policies = optional(list(string), [])
inline_policies = optional(map(string), {})
})
default = {}
nullable = false
}

variable "custom_instance_profile" {
description = "(Optional) The IAM Instance Profile to replace the default instance profile which is managed by this module. Specified as the name of the Instance Profile. Ensure your credentials have the correct permission to assign the instance profile according to the EC2 documentation, notably `iam:PassRole`."
variable "instance_profile" {
description = "(Optional) A name of the IAM Instance Profile to replace the default instance profile which is managed by this module."
type = string
default = null
nullable = true
}

variable "availability_zone" {
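Review bot: the heredoc correctly escapes the documented default as `ec2-$${var.name}` so terraform-docs renders `ec2-${var.name}`, but iam.tf derives the actual name from `local.metadata.name`, not `var.name`; if those two are not always identical (for example when metadata adds a prefix), the documented default is wrong, so describe the value the code actually uses. The `description` default `"Managed by Terraform."` also replaces the previous per-instance text `"Instance Profile for EC2 Instance (...)"`; consider keeping the informative default by applying `coalesce` in iam.tf the way `name` already does. `nullable = true` on the string `instance_profile` variable is the default and can be omitted, though it is harmless.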
4 changes: 2 additions & 2 deletions modules/instance/versions.tf
@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.5"
required_version = ">= 1.6"

required_providers {
aws = {
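Review bot: nothing in this diff needs Terraform 1.6; the `object` type with `optional()` defaults and `nullable = false` in variables.tf require only 1.3. If the `~> 0.29.0` iam-role module is what demands 1.6, say so in the commit message; otherwise the tighter floor excludes callers on 1.3 to 1.5 for no visible reason.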
@@ -8,7 +8,7 @@ terraform {
}
cloudinit = {
source = "hashicorp/cloudinit"
version = ">= 2.2"
version = ">= 2.3"
}
}
}
