adding required changes

2019-10-22 21:40:18 +11:00 · 2019-10-22 21:40:18 +11:00 · ec1d70dc44
parent 65d1447b64
commit ec1d70dc44
3 changed files with 46 additions and 0 deletions
--- a/builder/amazon/common/step_run_spot_instance_test.go
+++ b/builder/amazon/common/step_run_spot_instance_test.go
@ -2,6 +2,7 @@ package common

 import (
 	"bytes"
+	"fmt"
 	"testing"
 	"time"

@ -125,6 +126,10 @@ func TestCreateTemplateData(t *testing.T) {
 		t.Fatalf("Template should have contained a networkInterface object: recieved %#v", template.NetworkInterfaces)
 	}

+	if *template.IamInstanceProfile.Name != state.Get("iamInstanceProfile") {
+		t.Fatalf("Template should have contained a InstanceProfile name: recieved %#v", template.IamInstanceProfile.Name)
+	}
+
 	// Rerun, this time testing that we set security group IDs
 	state.Put("subnet_id", "")
 	template = stepRunSpotInstance.CreateTemplateData(aws.String("userdata"), "az", state,
@ -132,4 +137,13 @@ func TestCreateTemplateData(t *testing.T) {
 	if template.NetworkInterfaces != nil {
 		t.Fatalf("Template shouldn't contain network interfaces object if subnet_id is unset.")
 	}
+
+	// Rerun, this time testing that instance doesn't have instance profile is iamInstanceProfile is unset
+	state.Put("iamInstanceProfile", "")
+	template = stepRunSpotInstance.CreateTemplateData(aws.String("userdata"), "az", state,
+		&ec2.LaunchTemplateInstanceMarketOptionsRequest{})
+	fmt.Println(template.IamInstanceProfile)
+	if *template.IamInstanceProfile.Name != "" {
+		t.Fatalf("Template shouldn't contain instance profile if iamInstanceProfile is unset.")
+	}
 }
--- a/builder/amazon/ebssurrogate/builder.go
+++ b/builder/amazon/ebssurrogate/builder.go
@ -8,6 +8,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/aws/aws-sdk-go/service/iam"

 	"github.com/aws/aws-sdk-go/service/ec2"
 	awscommon "github.com/hashicorp/packer/builder/amazon/common"
@ -164,7 +165,9 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 	if err != nil {
 		return nil, err
 	}
+
 	ec2conn := ec2.New(session)
+	iam := iam.New(session)

 	// Setup the state bag and initial state for the steps
 	state := new(multistep.BasicStateBag)
@ -172,6 +175,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 	state.Put("access_config", &b.config.AccessConfig)
 	state.Put("ami_config", &b.config.AMIConfig)
 	state.Put("ec2", ec2conn)
+	state.Put("iam", iam)
 	state.Put("awsSession", session)
 	state.Put("hook", hook)
 	state.Put("ui", ui)
@ -256,6 +260,10 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 			CommConfig:             &b.config.RunConfig.Comm,
 			TemporarySGSourceCidrs: b.config.TemporarySGSourceCidrs,
 		},
+		&awscommon.StepIamInstanceProfile{
+			IamInstanceProfile:                        b.config.IamInstanceProfile,
+			TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument,
+		},
 		&awscommon.StepCleanupVolumes{
 			LaunchMappings: b.config.LaunchMappings.Common(),
 		},
--- a/website/source/docs/builders/amazon.html.md
+++ b/website/source/docs/builders/amazon.html.md
@ -209,6 +209,30 @@ work, but specifics will depend on your use-case.
 }
 ```

+In case when you're creating a temporary instance profile you will require to have following
+IAM policies.
+
+``` json
+{
+    "Sid": "PackerIAMCreateRole",
+    "Effect": "Allow",
+    "Action": [
+        "iam:PassRole",
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:GetRole",
+        "iam:GetInstanceProfile",
+        "iam:DeleteRolePolicy",
+        "iam:RemoveRoleFromInstanceProfile",
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:PutRolePolicy",
+        "iam:AddRoleToInstanceProfile"
+    ],
+    "Resource": "*"
+}
+```
+
 ### Checking that system time is current

 Amazon uses the current time as part of the [request signing