Handle the creation of an "IAM instance profile", an "IAM role" and a list of "IAM role policy attachment" resources when a list of "IAM policy" ARNs is provided.
Example:

I give a new parameter `iam_instance_policy_arns` in the EC2 module arguments:

```hcl
iam_instance_policy_arns = flatten([
  local.gitlab_s3_policy_create ? [aws_iam_policy.gitlab_s3_policy[0].arn] : [],
  local.gitlab_s3_backups_policy_create ? [aws_iam_policy.gitlab_s3_backups_policy[0].arn] : [],
  local.gitlab_s3_registry_policy_create ? [aws_iam_policy.gitlab_s3_registry_policy[0].arn] : [],
  local.gitlab_s3_kms_policy_create ? [aws_iam_policy.gitlab_s3_kms_policy[0].arn] : [],
  var.default_iam_instance_policy_arns,
  var.gitlab_rails_iam_instance_policy_arns
])
```
and it would create for me (if necessary):

```hcl
resource "aws_iam_instance_profile" "gitlab" {
  count = var.node_count > 0 && length(var.iam_instance_policy_arns) > 0 ? 1 : 0
  name  = "${var.prefix}-${var.node_type}-profile"
  role  = aws_iam_role.gitlab[0].name
}

resource "aws_iam_role" "gitlab" {
  count = var.node_count > 0 && length(var.iam_instance_policy_arns) > 0 ? 1 : 0
  name  = "${var.prefix}-${var.node_type}-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

resource "aws_iam_role_policy_attachment" "gitlab" {
  count      = var.node_count > 0 ? length(var.iam_instance_policy_arns) : 0
  role       = aws_iam_role.gitlab[0].name
  policy_arn = var.iam_instance_policy_arns[count.index]
}
```
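To show how the proposed input would be declared and consumed inside the EC2 module, here is an added example (it is not code from the issue author, from this module or from the gitlab-environment-toolkit). The variable name `iam_instance_policy_arns` and the resource names are taken from the proposal above; `var.prefix`, `var.node_type`, `var.node_count`, `var.ami_id`, `var.instance_type`, `var.subnet_id`, the `local.create_instance_iam` switch, the `aws_instance.gitlab` resource and the `iam_role_arn` output are assumptions for the purpose of the example.

```hcl
# Added example, not part of the original issue or the module's own code.
# Shows the module side of the proposal: the input variable, one shared creation
# switch, the IAM resources, and how the instance picks up the profile.
# Assumed names: var.prefix, var.node_type, var.node_count, var.ami_id,
# var.instance_type, var.subnet_id, local.create_instance_iam, aws_instance.gitlab.

variable "iam_instance_policy_arns" {
  description = "IAM policy ARNs to attach to the instance role. With an empty list no role, profile or attachment is created."
  type        = list(string)
  default     = []
}

variable "ami_id" { type = string }
variable "instance_type" { type = string }
variable "subnet_id" { type = string }

locals {
  # One switch reused by every IAM resource so they are always created and destroyed together.
  create_instance_iam = var.node_count > 0 && length(var.iam_instance_policy_arns) > 0
}

# Trust policy: only the EC2 service may assume this role.
data "aws_iam_policy_document" "assume_role" {
  count = local.create_instance_iam ? 1 : 0

  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "gitlab" {
  count              = local.create_instance_iam ? 1 : 0
  name               = "${var.prefix}-${var.node_type}-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
}

resource "aws_iam_instance_profile" "gitlab" {
  count = local.create_instance_iam ? 1 : 0
  name  = "${var.prefix}-${var.node_type}-profile"
  role  = aws_iam_role.gitlab[0].name
}

# One attachment per ARN; count (not for_each) because policy ARNs produced by
# aws_iam_policy resources in the same plan are not known until apply.
resource "aws_iam_role_policy_attachment" "gitlab" {
  count      = local.create_instance_iam ? length(var.iam_instance_policy_arns) : 0
  role       = aws_iam_role.gitlab[0].name
  policy_arn = var.iam_instance_policy_arns[count.index]
}

resource "aws_instance" "gitlab" {
  count         = var.node_count
  ami           = var.ami_id
  instance_type = var.instance_type
  subnet_id     = var.subnet_id

  # Instances receive the profile only when one was created; otherwise they run without an IAM role.
  iam_instance_profile = local.create_instance_iam ? aws_iam_instance_profile.gitlab[0].name : null

  tags = {
    Name = "${var.prefix}-${var.node_type}-${count.index + 1}"
  }
}

output "iam_role_arn" {
  description = "ARN of the instance role, or null when no policy ARNs were given."
  value       = local.create_instance_iam ? aws_iam_role.gitlab[0].arn : null
}
```

Because the attachments are indexed with `count.index`, the position of each ARN in `iam_instance_policy_arns` is part of the resource address: reordering the list makes Terraform detach and re-attach policies on the next apply, so callers should keep the list order stable (the `flatten([...])` construction in the proposal does that as long as the conditional entries stay in the same place).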
The idea is taken from this module, https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/tree/main/terraform/modules/gitlab_aws_instance, which creates multiple instances of similar EC2 resources and is used multiple times in https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/tree/main/terraform/modules/gitlab_ref_arch_aws.