fix: improve IAM custom role naming
The `iam_role_arn` variable was misleading because it actually needs to be the role name instead of the ARN. This has been renamed to `custom_iam_role_name`, and validation has been added to `create_iam_role` to try to ensure that a role is only provided when it is set to `false`, and vice-versa.
MaxymVlasov authored Nov 10, 2023
1 parent 142bb92 commit f7e1931
Showing 4 changed files with 25 additions and 10 deletions.
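--- a/README.md
+++ b/README.md
@@ -111,13 +111,13 @@ $ make docs
 | <a name="input_autoscaler_version"></a> [autoscaler\_version](#input\_autoscaler\_version) | Version of the autoscaler to deploy | `string` | `"v0.2.0"` | no |
 | <a name="input_configuration"></a> [configuration](#input\_configuration) | User configuration. This allows you to decide how you want to pass your token<br> and private key to the environment - be that directly, or using SSM Parameter<br> Store, Vault etc. Ultimately, here you need to export SPACELIFT\_TOKEN and<br> SPACELIFT\_POOL\_PRIVATE\_KEY to the environment. | `string` | n/a | yes |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
+| <a name="input_custom_iam_role_name"></a> [custom\_iam\_role\_name](#input\_custom\_iam\_role\_name) | Name of an existing IAM to use. Used `when create_iam_role` = `false` | `string` | `""` | no |
 | <a name="input_disable_container_credentials"></a> [disable\_container\_credentials](#input\_disable\_container\_credentials) | If true, the run container will not be able to access the instance profile<br> credentials by talking to the EC2 metadata endpoint. This is done by setting<br> the number of hops in IMDSv2 to 1. Since the Docker container goes through an<br> extra NAT step, this still allows the launcher to talk to the endpoint, but<br> prevents the container from doing so. | `bool` | `false` | no |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Top-level domain name to use for pulling the launcher binary | `string` | `"spacelift.io"` | no |
 | <a name="input_ec2_instance_type"></a> [ec2\_instance\_type](#input\_ec2\_instance\_type) | EC2 instance type for the workers. If an arm64-based AMI is used, this must be an arm64-based instance type. | `string` | `"t3.micro"` | no |
 | <a name="input_enable_autoscaling"></a> [enable\_autoscaling](#input\_enable\_autoscaling) | Determines whether to create the Lambda Autoscaler function and dependent resources or not | `bool` | `true` | no |
 | <a name="input_enable_monitoring"></a> [enable\_monitoring](#input\_enable\_monitoring) | Enables/disables detailed monitoring | `bool` | `true` | no |
 | <a name="input_enabled_metrics"></a> [enabled\_metrics](#input\_enabled\_metrics) | List of CloudWatch metrics enabled on the ASG | `list(string)` | <pre>[<br> "GroupDesiredCapacity",<br> "GroupInServiceInstances",<br> "GroupMaxSize",<br> "GroupMinSize",<br> "GroupPendingInstances",<br> "GroupStandbyInstances",<br> "GroupTerminatingInstances",<br> "GroupTotalInstances"<br>]</pre> | no |
-| <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | ARN of an existing IAM to use. Used `when create_iam_role` = `false` | `string` | `null` | no |
 | <a name="input_instance_refresh"></a> [instance\_refresh](#input\_instance\_refresh) | If this block is configured, start an Instance Refresh when this Auto Scaling Group is updated based on instance refresh configration. | `any` | `{}` | no |
 | <a name="input_max_size"></a> [max\_size](#input\_max\_size) | Maximum number of workers to spin up | `number` | `10` | no |
 | <a name="input_min_size"></a> [min\_size](#input\_min\_size) | Minimum numbers of workers to spin up | `number` | `0` | no |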
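--- a/examples/custom-iam-role/main.tf
+++ b/examples/custom-iam-role/main.tf
@@ -61,7 +61,8 @@ module "this" {
 export SPACELIFT_TOKEN="<token-here>"
 export SPACELIFT_POOL_PRIVATE_KEY="<private-key-here>"
 EOT
-iam_role_arn = aws_iam_role.this.arn
+create_iam_role = false
+custom_iam_role_name = aws_iam_role.this.name
 security_groups = [data.aws_security_group.this.id]
 spacelift_api_key_endpoint = var.spacelift_api_key_endpoint
 spacelift_api_key_id = var.spacelift_api_key_id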
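--- a/iam.tf
+++ b/iam.tf
@@ -1,3 +1,17 @@
+locals {
+# Validation hack until https://github.com/hashicorp/terraform/issues/25609 is resolved
+#! IMPORTANT! This check works only for known during 'terraform plan' values of `var.custom_iam_role_name`.
+#! If IAM role name is not known during 'terraform plan', the check will be skipped and
+#! error message will pop up only after `terraform apply ' in the next 'terraform plan'.
+validate_condition = (!var.create_iam_role && length(var.custom_iam_role_name) == 0) || (var.create_iam_role && length(var.custom_iam_role_name) > 0)
+validate_message = "The 'create_iam_role' has been set to '${var.create_iam_role}', when 'custom_iam_role_name' set to '${var.custom_iam_role_name}', which are mutually exclusive. To create a new IAM role inside module, set 'create_iam_role' to 'true' and 'custom_iam_role_name' to ''. To use a custom IAM role, set 'create_iam_role' to 'false' and 'custom_iam_role_name' to the name of the custom IAM role."
+validate_check = regex(
+"^${local.validate_message}$",
+( !local.validate_condition
+? local.validate_message
+: "" ) )
+}
+
 resource "aws_iam_role" "this" {
 count = var.create_iam_role ? 1 : 0
 name = local.namespace
@@ -31,7 +45,7 @@ resource "aws_iam_instance_profile" "this" {
 depends_on = [aws_iam_role_policy_attachment.this]
 
 name = local.namespace
-role = var.create_iam_role ? aws_iam_role.this[0].name : var.iam_role_arn
+role = var.create_iam_role ? aws_iam_role.this[0].name : var.custom_iam_role_name
 }
 
 data "aws_iam_policy_document" "autoscaler" {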
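Review bot: `validate_condition` in the new `locals` block is true for the invalid input combinations, and `validate_check` negates it again before handing it to `regex`, so the double negation makes it easy to misread which way the check fires; a comment such as `# true when the inputs are mutually inconsistent; regex() then fails the plan` on the `validate_condition` line, or a name like `invalid_role_config`, would make the intent explicit. The `#! IMPORTANT!` note correctly states that the hack is skipped when `custom_iam_role_name` is unknown at plan time, and the example in this commit passes `aws_iam_role.this.name`, which may be unknown on a first apply depending on how that role's name is set; if the module's required Terraform version is 1.2 or newer, a `precondition` on `aws_iam_instance_profile.this` (where the name is actually consumed, second hunk) would be evaluated at apply time for unknown values as well and surface `validate_message` as a regular diagnostic instead of a `regex` failure. The third `#!` comment line also has mismatched quotes around `terraform apply`. The `aws_iam_instance_profile` resource starts outside the second hunk.
```hcl
resource "aws_iam_instance_profile" "this" {
  # … unchanged: depends_on, name, role …

  lifecycle {
    precondition {
      # holds exactly when one of create_iam_role / custom_iam_role_name is "set", never both or neither
      condition     = var.create_iam_role != (length(var.custom_iam_role_name) > 0)
      error_message = local.validate_message
    }
  }
}
```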
14 changes: 7 additions & 7 deletions variables.tf
Expand Up @@ -53,16 +53,16 @@ variable "enabled_metrics" {
]
}

variable "custom_iam_role_name" {
description = "Name of an existing IAM to use. Used `when create_iam_role` = `false`"
type = string
default = ""
}

variable "create_iam_role" {
default = true
description = "Determines whether an IAM role is created or to use an existing IAM role"
type = bool
}

variable "iam_role_arn" {
default = null
description = "ARN of an existing IAM to use. Used `when create_iam_role` = `false`"
type = string
default = true
}

variable "min_size" {
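Review bot: The description of the new `custom_iam_role_name` variable reads "Name of an existing IAM to use. Used `when create_iam_role` = `false`" — "IAM" is missing the word "role" and the backticks wrap `when` instead of the identifier; suggest "Name of an existing IAM role to use. Used when `create_iam_role` = `false`". The README row for the same input carries the identical text, so it needs the same correction (or a regeneration, if that table is produced from this file). The removed `iam_role_arn` description had the same wording, so this is inherited rather than introduced, but the rename is the natural moment to fix it. The removed and retained lines of the `iam_role_arn` / `create_iam_role` blocks are interleaved in this rendering, so the exact old/new split of that part of the hunk could not be confirmed from the page.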
