Creating and attaching an AWS IAM role with a policy to an EC2 instance using Terraform scripts

Terraform is an infrastructure-as-code tool, comparable to AWS CloudFormation, that lets you create, update, and version Amazon Web Services (AWS) infrastructure from declarative scripts.

Why Terraform?

The motivation behind this post is to illustrate an example of:

  1. creating an AWS IAM role using Terraform.
  2. creating an IAM policy using Terraform.
  3. attaching the policy to the role using Terraform.
  4. creating the IAM instance profile using Terraform.
  5. assigning the IAM role to an EC2 instance on the fly using Terraform.

1. Creating an AWS IAM role using Terraform:

The terraform script:

The resource block above constructs a resource of the stated TYPE (the first parameter, “aws_iam_role”) and NAME (the second parameter, “ec2_s3_access_role”). The combination of type and name must be unique within the configuration. Everything inside the braces ({ }) is the configuration for that resource.

In general, a resource block in Terraform constructs a resource of the given TYPE (first parameter) and NAME (second parameter). As an example, if the script is:

resource "aws_iam_instance_profile" "test_profile" {
  name  = "test_profile"
  roles = ["${aws_iam_role.ec2_s3_access_role.name}"]
}

then aws_iam_instance_profile is the TYPE and test_profile is the NAME, and that combination must be unique.

The assume_role_policy parameter in the above resource block is the role's trust policy: it states which entity is permitted to assume the role (here, the EC2 service).

The assume role policy:
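The following is an added example of step 1, not the post's own gist. It is written in current HCL (Terraform 0.12+ syntax with jsonencode, rather than the ${} interpolation the post uses), and it keeps the post's resource name ec2_s3_access_role. The trust policy limits the principal to ec2.amazonaws.com, so only instances carrying the profile can obtain the role's credentials; no IAM user or foreign account can assume it directly.

```hcl
# Added example (not the post's gist): the IAM role from step 1 with a
# trust policy that lets only the EC2 service assume it.
# Written in current HCL (Terraform 0.12+); tag values are illustrative.

resource "aws_iam_role" "ec2_s3_access_role" {
  name = "ec2_s3_access_role"

  # Trust (assume-role) policy: who may assume this role. Restricting the
  # principal to the EC2 service means a user or another account cannot
  # call sts:AssumeRole on it; only instances with the profile attached
  # receive its temporary credentials.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })

  tags = {
    Name = "ec2_s3_access_role"
  }
}
```

The trust policy and the permissions policy (step 2) are separate documents: the first decides who may become the role, the second decides what the role may do once assumed.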

2. Creating an AWS IAM policy using Terraform:

The terraform script:

The policy parameter in the above block requires an IAM policy document in JSON format. The following policy allows the IAM role to access all S3 buckets and to perform any S3 action (list buckets, put objects, delete objects, and so on) on them.

The IAM policy:
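As an added example for step 2 (not the post's gist), the first resource below grants exactly what the post describes: every S3 action on every bucket. The second is a scoped variant a practitioner would normally prefer, because an instance role with s3:* on Resource "*" can read, overwrite or delete objects in every bucket in the account if the instance is compromised. The bucket name is a placeholder, and the resource names s3_full_access and s3_scoped_access are my own.

```hcl
# Added example (not the post's gist): the managed policy from step 2,
# first as the post describes it, then scoped to one bucket.

# Broad grant: any S3 action on any bucket in the account.
resource "aws_iam_policy" "s3_full_access" {
  name        = "ec2_s3_full_access"
  description = "Allow the EC2 role every S3 action on every bucket"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "s3:*"
      Resource = "*"
    }]
  })
}

# Placeholder for the one bucket the workload actually needs.
variable "app_bucket" {
  description = "Bucket the instance needs access to (placeholder value)"
  default     = "my-app-bucket-PLACEHOLDER"
}

# Least-privilege variant: list one bucket, read and write its objects.
# ListBucket applies to the bucket ARN; object actions apply to objects
# under it, hence the two statements with different Resource values.
resource "aws_iam_policy" "s3_scoped_access" {
  name        = "ec2_s3_scoped_access"
  description = "List one bucket and read/write its objects"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = "arn:aws:s3:::${var.app_bucket}"
      },
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = "arn:aws:s3:::${var.app_bucket}/*"
      }
    ]
  })
}
```

Either policy can be attached in step 3; only the ARN referenced there changes.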

3. Attaching the policy to the role using Terraform:

The terraform script:

The aws_iam_policy_attachment resource in the above block attaches a managed IAM policy to user(s), role(s), and/or group(s); in our case it is a role. The value for the roles parameter is taken from the resource block we created in step 1.

Value of the role = ${aws_iam_role.ec2_s3_access_role.name}

Explanation:

> aws_iam_role is the TYPE of the resource block we created in step 1.

> ec2_s3_access_role is the NAME we gave that resource.

> name is an attribute of that resource.

The same thing applies to the value for policy_arn.

4. Creating the IAM instance profile using terraform:

The terraform script:

The value for the roles parameter is again taken from the role resource created in step 1.

5. Assigning the IAM role, to an EC2 instance on the fly using terraform:

The terraform script:

The tags parameter is a simple map used to identify, or rather differentiate, this EC2 instance from the others. The value of ami is retrieved from predefined variables that live in a separate Terraform script, as shown below:
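The block below is an added example covering steps 3 to 5 together; it is not the post's gists. It assumes the role resource aws_iam_role.ec2_s3_access_role from step 1 and a policy resource named aws_iam_policy.s3_scoped_access from step 2 already exist in the same configuration; the AMI id and instance type are placeholders kept in variables as the post describes. Two things differ from the post's script on purpose: aws_iam_role_policy_attachment is used instead of aws_iam_policy_attachment, because the latter manages the policy's entire attachment set and detaches it from any user, role or group not listed in its block; and the instance profile uses the singular role argument, which is what current AWS provider versions accept in place of the older roles list.

```hcl
# Added example (not the post's gists) for steps 3, 4 and 5.
# Assumes aws_iam_role.ec2_s3_access_role and aws_iam_policy.s3_scoped_access
# are defined elsewhere in the configuration.

# Step 3: attach the managed policy to the role. This resource binds one
# policy to one role and leaves the policy's other attachments alone.
resource "aws_iam_role_policy_attachment" "s3_access" {
  role       = aws_iam_role.ec2_s3_access_role.name
  policy_arn = aws_iam_policy.s3_scoped_access.arn
}

# Step 4: the instance profile is the container EC2 uses to deliver the
# role's temporary credentials to the instance.
resource "aws_iam_instance_profile" "test_profile" {
  name = "test_profile"
  role = aws_iam_role.ec2_s3_access_role.name
}

# Values the post keeps in a separate variables script (placeholders).
variable "ami" {
  description = "AMI id valid in the chosen region (placeholder value)"
  default     = "ami-PLACEHOLDER"
}

variable "instance_type" {
  default = "t2.micro"
}

# Step 5: launch the instance with the profile attached.
resource "aws_instance" "web" {
  ami                  = var.ami
  instance_type        = var.instance_type
  iam_instance_profile = aws_iam_instance_profile.test_profile.name

  # The role's credentials are served to the instance by the metadata
  # service. Requiring IMDSv2 session tokens means a plain GET from a
  # process on the instance cannot fetch them, which limits credential
  # exposure through application-level request-forwarding bugs.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = {
    Name = "terraform-demo-instance"
  }
}
```

After terraform apply, the instance can be verified from the console or CLI: it should show test_profile as its IAM role, and the role should list only the attached policy.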

The following commands should be executed from the terminal, in this order, within the directory where the scripts are saved.

  1. Initialize a new or existing Terraform configuration:

terraform init

  2. Generate and show an execution plan for the resources we are trying to provision:

terraform plan

  3. Validate the Terraform files:

terraform validate

  4. Build or change the infrastructure:

terraform apply

The complete list of commands is available here.

The complete source code is available here:

https://github.com/Kulasangar/terraform-demo

Machine Learning has kept me thriving…https://about.me/kulasangar
