Open kmcquade opened 6 years ago
+1
I am currently working on a version that would do this but am still testing:
https://github.com/thenom/terraform-aws-consul/tree/switchable-iam
Any updates on this? This is a huge gap for my use case.
I need special permissions to allow my instance to grab certificates at boot, which, as it stands, cannot be modified with the current architecture.
Ideally, at least please let me specify additional policy rules, or override the module used.
By the way:
The IAM Role ARN is exported as an output variable if you need to add additional permissions
This is not a solution, since if it needs special permissions AT LAUNCH, terraform apply will change the desired instances and the instances will start launching BEFORE I have a chance to modify the permissions.
Right now, if you run the terraform-aws-vault role as a user who does not have permissions to create a role (but can assign them), then this build will not be successful due to the need to create a role that just grants describe-instances, describe-groups, and describe-tags. I'd like to be able to supply the iam_role_id, but that's not possible.
https://github.com/hashicorp/terraform-aws-consul/blob/master/modules/consul-iam-policies/main.tf
I will submit a PR later to implement this. Figured I would create the issue and reference it after.
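One way a module could accept a pre-created role, as requested in this issue (an added sketch, not code from the linked repository or from any PR). The variable names, resource labels and policy name are hypothetical, and the three IAM actions are an assumed mapping of the describe-instances, describe-groups and describe-tags permissions mentioned above.

```hcl
# Hypothetical input: an empty string means "create the role in this module".
variable "iam_role_id" {
  description = "Name of an existing IAM role to use instead of creating one"
  type        = string
  default     = ""
}

variable "cluster_name" {
  type = string
}

locals {
  create_role = var.iam_role_id == ""
  role_id     = local.create_role ? aws_iam_role.instance[0].id : var.iam_role_id
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Created only when no role is supplied, so a user who can pass roles but
# lacks iam:CreateRole can still apply the module.
resource "aws_iam_role" "instance" {
  count              = local.create_role ? 1 : 0
  name_prefix        = var.cluster_name
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Read-only discovery permissions (assumed action names), attached only to
# the module-created role. A supplied role must already carry everything the
# instances need at boot, before any instance launches.
resource "aws_iam_role_policy" "discovery" {
  count = local.create_role ? 1 : 0
  name  = "auto-discover-cluster"
  role  = aws_iam_role.instance[0].id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:DescribeInstances", "ec2:DescribeTags", "autoscaling:DescribeAutoScalingGroups"]
      Resource = "*"
    }]
  })
}

resource "aws_iam_instance_profile" "instance" {
  name_prefix = var.cluster_name
  role        = local.role_id
}
```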