From 0632869de1b21951bd9eda70e3f4c2568dfae8d2 Mon Sep 17 00:00:00 2001
From: Lachlan Donald
Date: Fri, 5 Oct 2018 16:00:24 +1000
Subject: [PATCH] Split roles for lifecycle hook and ec2 instance

---
 terraform/modules/example/main.tf | 71 +++++++++++++++++++------------
 1 file changed, 43 insertions(+), 28 deletions(-)

diff --git a/terraform/modules/example/main.tf b/terraform/modules/example/main.tf
index b26d56b..8b23789 100644
--- a/terraform/modules/example/main.tf
+++ b/terraform/modules/example/main.tf
@@ -41,7 +41,7 @@ resource "aws_launch_configuration" "main" {
   image_id = "${var.instance_ami}"
   instance_type = "${var.instance_type}"
   key_name = "${var.instance_key}"
-  iam_instance_profile = "${aws_iam_instance_profile.lifecycle.name}"
+  iam_instance_profile = "${aws_iam_instance_profile.ec2.name}"
   security_groups = ["${aws_security_group.main.id}"]
   user_data = "${data.template_file.main.rendered}"
 
@@ -63,6 +63,15 @@ resource "aws_autoscaling_group" "main" {
   lifecycle {
     create_before_destroy = true
   }
+
+  initial_lifecycle_hook {
+    name = "${var.name_prefix}-lifecycle"
+    default_result = "CONTINUE"
+    heartbeat_timeout = 60
+    lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING"
+    notification_target_arn = "${aws_sns_topic.main.arn}"
+    role_arn = "${aws_iam_role.lifecycle_hook.arn}"
+  }
 }
 
 resource "aws_security_group" "main" {
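Review bot: `initial_lifecycle_hook` on `aws_autoscaling_group.main` is only applied when the group is created, so for an ASG that already exists this commit deletes the standalone `aws_autoscaling_lifecycle_hook` and nothing re-attaches the hook unless the group is replaced in the same apply; whether that replacement happens is not visible from this hunk, and the enclosing resource block starts outside it. If the group is not being replaced, keeping the separate hook resource (or tainting the group once) is what preserves the EC2_INSTANCE_TERMINATING notification, and any consumer of the SNS topic would otherwise see instances disappear without warning. The combination of `default_result = "CONTINUE"` and `heartbeat_timeout = 60` also deserves a comment, since termination proceeds after 60 s whether or not the consumer has finished unless it records heartbeats: `# 60 s to drain; CONTINUE means termination goes ahead even if no CompleteLifecycleAction is received`.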
@@ -169,53 +178,59 @@ data "aws_iam_policy_document" "permissions" {
   }
 }
 
-# SNS topic for the lifecycle hook
-resource "aws_sns_topic" "main" {
-  name = "${var.name_prefix}-lifecycle"
+resource "aws_iam_instance_profile" "ec2" {
+  name = "${var.name_prefix}-ec2-instance-profile"
+  role = "${aws_iam_role.ec2.name}"
+}
+
+resource "aws_iam_role" "ec2" {
+  name = "${var.name_prefix}-ec2-role"
+  assume_role_policy = "${data.aws_iam_policy_document.ec2_assume.json}"
+}
+
+resource "aws_iam_role_policy" "ec2" {
+  name = "${var.name_prefix}-ec2-permissions"
+  role = "${aws_iam_role.ec2.id}"
+  policy = "${data.aws_iam_policy_document.permissions.json}"
 }
 
-# Lifecycle hook
-resource "aws_autoscaling_lifecycle_hook" "main" {
-  name = "${var.name_prefix}-lifecycle"
-  autoscaling_group_name = "${aws_autoscaling_group.main.id}"
-  lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING"
-  default_result = "CONTINUE"
-  heartbeat_timeout = "60"
-  notification_target_arn = "${aws_sns_topic.main.arn}"
-  role_arn = "${aws_iam_role.lifecycle.arn}"
+data "aws_iam_policy_document" "ec2_assume" {
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
 }
 
-resource "aws_iam_instance_profile" "lifecycle" {
-  name = "${var.name_prefix}-lifecycle-instance-profile"
-  role = "${aws_iam_role.lifecycle.name}"
+# SNS topic for the lifecycle hook
+resource "aws_sns_topic" "main" {
+  name = "${var.name_prefix}-lifecycle"
 }
 
 # Execution role and policies for the lifecycle hook
-resource "aws_iam_role" "lifecycle" {
+resource "aws_iam_role" "lifecycle_hook" {
   name = "${var.name_prefix}-lifecycle-role"
-  assume_role_policy = "${data.aws_iam_policy_document.assume.json}"
+  assume_role_policy = "${data.aws_iam_policy_document.asg_assume.json}"
 }
 
-resource "aws_iam_role_policy" "lifecycle-asg" {
+resource "aws_iam_role_policy" "lifecycle_hook" {
   name = "${var.name_prefix}-lifecycle-asg-permissions"
-  role = "${aws_iam_role.lifecycle.id}"
+  role = "${aws_iam_role.lifecycle_hook.id}"
   policy = "${data.aws_iam_policy_document.asg_permissions.json}"
 }
 
-resource "aws_iam_role_policy" "lifecycle" {
-  name = "${var.name_prefix}-lifecycle-permissions"
-  role = "${aws_iam_role.lifecycle.id}"
-  policy = "${data.aws_iam_policy_document.permissions.json}"
-}
-
-data "aws_iam_policy_document" "assume" {
+data "aws_iam_policy_document" "asg_assume" {
   statement {
     effect = "Allow"
     actions = ["sts:AssumeRole"]
 
     principals {
       type = "Service"
-      identifiers = ["ec2.amazonaws.com", "autoscaling.amazonaws.com"]
+      identifiers = ["autoscaling.amazonaws.com"]
     }
   }
 }