refactor!: create autoscaling group iam instance profile policy attachments dynamically from vars

Author: saumitra-dev

main.tf

@@ -1,7 +1,4 @@
 locals {
-  # IAM Instance Profile
-  iam_role_ec2_container_service_role_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
-
   # ACM
   acm_certificates_arns = var.create_acm ? merge(
     try(module.acm[0].amazon_issued_acm_certificates_arns, {}),
@@ -303,13 +300,13 @@ module "asg" {
   launch_template        = try(var.autoscaling_group.launch_template, {})
 
   # IAM Instance Profile
-  create_iam_role                         = try(var.autoscaling_group.create_iam_role, true)
-  iam_role_name                           = try(var.autoscaling_group.iam_role_name, null)
-  iam_role_tags                           = try(var.autoscaling_group.iam_role_tags, {})
-  iam_role_ec2_container_service_role_arn = try(var.autoscaling_group.iam_role_ec2_container_service_role_arn, local.iam_role_ec2_container_service_role_arn)
-  create_iam_instance_profile             = try(var.autoscaling_group.create_iam_instance_profile, true)
-  iam_instance_profile_name               = try(var.autoscaling_group.iam_instance_profile_name, null)
-  iam_instance_profile_tags               = try(var.autoscaling_group.iam_instance_profile_tags, {})
+  create_iam_role             = try(var.autoscaling_group.create_iam_role, true)
+  iam_role_name               = try(var.autoscaling_group.iam_role_name, null)
+  iam_role_policy_attachments = try(var.autoscaling_group.iam_role_policy_attachments, [])
+  iam_role_tags               = try(var.autoscaling_group.iam_role_tags, {})
+  create_iam_instance_profile = try(var.autoscaling_group.create_iam_instance_profile, true)
+  iam_instance_profile_name   = try(var.autoscaling_group.iam_instance_profile_name, null)
+  iam_instance_profile_tags   = try(var.autoscaling_group.iam_instance_profile_tags, {})
 
   instances_tags = try(var.autoscaling_group.instances_tags, {})
   tags           = try(var.autoscaling_group.tags, {})

modules/asg/README.md

@@ -38,8 +38,8 @@ No modules.
 | <a name="input_desired_capacity"></a> [desired\_capacity](#input\_desired\_capacity) | Desired capacity for the Autoscaling group | `number` | n/a | yes |
 | <a name="input_iam_instance_profile_name"></a> [iam\_instance\_profile\_name](#input\_iam\_instance\_profile\_name) | Name of the IAM Instance Profile | `string` | `null` | no |
 | <a name="input_iam_instance_profile_tags"></a> [iam\_instance\_profile\_tags](#input\_iam\_instance\_profile\_tags) | Resource Tags for the IAM Instance Profile | `map(any)` | `{}` | no |
-| <a name="input_iam_role_ec2_container_service_role_arn"></a> [iam\_role\_ec2\_container\_service\_role\_arn](#input\_iam\_role\_ec2\_container\_service\_role\_arn) | ARN of the EC2 Container Service Role for EC2 | `string` | n/a | yes |
 | <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name for the IAM Role | `string` | `null` | no |
+| <a name="input_iam_role_policy_attachments"></a> [iam\_role\_policy\_attachments](#input\_iam\_role\_policy\_attachments) | Policy ARNs to attach to the IAM Role | `list(string)` | `[]` | no |
 | <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | Resource Tags for IAM Role | `map(any)` | `{}` | no |
 | <a name="input_instances_tags"></a> [instances\_tags](#input\_instances\_tags) | Resources Tags to propagate to the Instances | `map(any)` | `{}` | no |
 | <a name="input_launch_template"></a> [launch\_template](#input\_launch\_template) | Launch Template to use with the Autoscaling group | <pre>object({<br>    name                   = optional(string, "")<br>    image_id               = optional(string, "")<br>    instance_type          = optional(string, "")<br>    vpc_security_group_ids = optional(list(string), [])<br>    key_name               = optional(string, "")<br>    user_data              = optional(string, "")<br>    tags                   = optional(map(any), {})<br>  })</pre> | `{}` | no |

modules/asg/main.tf

@@ -89,10 +89,10 @@ resource "aws_iam_role" "this" {
 }
 
 resource "aws_iam_role_policy_attachment" "this" {
-  count = var.create_iam_role ? 1 : 0
+  count = var.create_iam_role ? length(var.iam_role_policy_attachments) : 0
 
   role       = aws_iam_role.this[0].name
-  policy_arn = var.iam_role_ec2_container_service_role_arn
+  policy_arn = element(var.iam_role_policy_attachments, count.index)
 }
 
 resource "aws_iam_instance_profile" "this" {

modules/asg/variables.tf

@@ -112,17 +112,18 @@ variable "iam_role_name" {
   default     = null
 }
 
+variable "iam_role_policy_attachments" {
+  description = "Policy ARNs to attach to the IAM Role"
+  type        = list(string)
+  default     = []
+}
+
 variable "iam_role_tags" {
   description = "Resource Tags for IAM Role"
   type        = map(any)
   default     = {}
 }
 
-variable "iam_role_ec2_container_service_role_arn" {
-  description = "ARN of the EC2 Container Service Role for EC2"
-  type        = string
-}
-
 ################################################################################
 # IAM Instance Profile
 ################################################################################