From ec1d70dc44ca8ac6b12fa9ef8aa1a43df1653b22 Mon Sep 17 00:00:00 2001
From: Bernard Baltrusaitis
Date: Tue, 22 Oct 2019 21:40:18 +1100
Subject: [PATCH] adding required changes
---
 .../common/step_run_spot_instance_test.go | 14 +++++++++++
 builder/amazon/ebssurrogate/builder.go | 8 +++++++
 website/source/docs/builders/amazon.html.md | 24 +++++++++++++++++++
 3 files changed, 46 insertions(+)
diff --git a/builder/amazon/common/step_run_spot_instance_test.go b/builder/amazon/common/step_run_spot_instance_test.go
index 1d0f28460..e39e05db9 100644
--- a/builder/amazon/common/step_run_spot_instance_test.go
+++ b/builder/amazon/common/step_run_spot_instance_test.go
@@ -2,6 +2,7 @@ package common
 import (
 "bytes"
+ "fmt"
 "testing"
 "time"
@@ -125,6 +126,10 @@ func TestCreateTemplateData(t *testing.T) {
 t.Fatalf("Template should have contained a networkInterface object: recieved %#v", template.NetworkInterfaces)
 }
+ if *template.IamInstanceProfile.Name != state.Get("iamInstanceProfile") {
+ t.Fatalf("Template should have contained a InstanceProfile name: recieved %#v", template.IamInstanceProfile.Name)
+ }
+
 // Rerun, this time testing that we set security group IDs
 state.Put("subnet_id", "")
 template = stepRunSpotInstance.CreateTemplateData(aws.String("userdata"), "az", state,
@@ -132,4 +137,13 @@ func TestCreateTemplateData(t *testing.T) {
 if template.NetworkInterfaces != nil {
 t.Fatalf("Template shouldn't contain network interfaces object if subnet_id is unset.")
 }
+
+ // Rerun, this time testing that instance doesn't have instance profile is iamInstanceProfile is unset
+ state.Put("iamInstanceProfile", "")
+ template = stepRunSpotInstance.CreateTemplateData(aws.String("userdata"), "az", state,
+ &ec2.LaunchTemplateInstanceMarketOptionsRequest{})
+ fmt.Println(template.IamInstanceProfile)
+ if *template.IamInstanceProfile.Name != "" {
+ t.Fatalf("Template shouldn't contain instance profile if iamInstanceProfile is unset.")
+ }
 }
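Review bot: The new assertion in the second hunk dereferences `*template.IamInstanceProfile.Name` without checking that `template.IamInstanceProfile` or its `Name` is non-nil, so a template built without a profile panics the test run instead of failing with a message; the last hunk of this file repeats the same dereference. Add a guard ahead of it, e.g. `if template.IamInstanceProfile == nil || template.IamInstanceProfile.Name == nil { t.Fatalf("Template should have contained an instance profile") }`. The right-hand side `state.Get("iamInstanceProfile")` looks like an interface value, so a type assertion to string would make the comparison explicit. TestCreateTemplateData begins before this hunk and continues after it.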
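Review bot: `fmt.Println(template.IamInstanceProfile)` in the last hunk is a leftover debug print, and it is the only use of the `fmt` import added in the first hunk; remove both, or switch to `t.Logf("%v", template.IamInstanceProfile)` if the value is useful in test output. The comment above it says the instance should have no profile when `iamInstanceProfile` is unset, yet the check passes only when a non-nil specification with an empty name is present. If omitting the profile is the intent, assert `template.IamInstanceProfile == nil` instead; CreateTemplateData is outside this diff, so its behaviour for an empty name needs confirming there.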
diff --git a/builder/amazon/ebssurrogate/builder.go b/builder/amazon/ebssurrogate/builder.go
index 7c7ce4b48..ce31e0d1d 100644
--- a/builder/amazon/ebssurrogate/builder.go
+++ b/builder/amazon/ebssurrogate/builder.go
@@ -8,6 +8,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "github.com/aws/aws-sdk-go/service/iam"
 "github.com/aws/aws-sdk-go/service/ec2"
 awscommon "github.com/hashicorp/packer/builder/amazon/common"
@@ -164,7 +165,9 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 if err != nil {
 return nil, err
 }
+
 ec2conn := ec2.New(session)
+ iam := iam.New(session)
 // Setup the state bag and initial state for the steps
 state := new(multistep.BasicStateBag)
@@ -172,6 +175,7 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 state.Put("access_config", &b.config.AccessConfig)
 state.Put("ami_config", &b.config.AMIConfig)
 state.Put("ec2", ec2conn)
+ state.Put("iam", iam)
 state.Put("awsSession", session)
 state.Put("hook", hook)
 state.Put("ui", ui)
@@ -256,6 +260,10 @@ func (b *Builder) Run(ctx context.Context, ui packer.Ui, hook packer.Hook) (pack
 CommConfig: &b.config.RunConfig.Comm,
 TemporarySGSourceCidrs: b.config.TemporarySGSourceCidrs,
 },
+ &awscommon.StepIamInstanceProfile{
+ IamInstanceProfile: b.config.IamInstanceProfile,
+ TemporaryIamInstanceProfilePolicyDocument: b.config.TemporaryIamInstanceProfilePolicyDocument,
+ },
 &awscommon.StepCleanupVolumes{
 LaunchMappings: b.config.LaunchMappings.Common(),
 },
diff --git a/website/source/docs/builders/amazon.html.md b/website/source/docs/builders/amazon.html.md
index 0cfa0d98b..e29b0be0e 100644
--- a/website/source/docs/builders/amazon.html.md
+++ b/website/source/docs/builders/amazon.html.md
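Review bot: `iam := iam.New(session)` in the second builder.go hunk shadows the imported `iam` package for the rest of Run, so any later `iam.` reference in this function resolves to the client rather than the package. Name it like its neighbour, `iamconn := iam.New(session)`, and store it with `state.Put("iam", iamconn)` in the following hunk. The import added in the first hunk also appears to sit in the standard-library group; goimports would place it next to the other aws-sdk-go import. Run starts and ends outside these hunks.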
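Review bot: StepIamInstanceProfile is added to the step list in the last builder.go hunk with no comment on what it creates or on its cleanup, and `TemporaryIamInstanceProfilePolicyDocument` comes straight from config. Judging by the permissions documented in this same patch, the step creates a role and instance profile and writes an inline policy, so I would add above it `// Creates a temporary IAM role and instance profile when none is configured; Cleanup must delete both, including after a failed or cancelled build.` The documented policy grants `iam:PassRole`, `iam:CreateRole` and `iam:PutRolePolicy` on `"Resource": "*"`, which lets the build credentials attach any policy to a role and hand it to an instance; the docs should tell users to restrict `Resource` to the role and instance-profile names or path the step generates (not visible here). The step list in Run starts and ends outside this hunk.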
@@ -209,6 +209,30 @@ work, but specifics will depend on your use-case.
 }
 ```
+In case when you're creating a temporary instance profile you will require to have following
+IAM policies.
+
+``` json
+{
+ "Sid": "PackerIAMCreateRole",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole",
+ "iam:CreateInstanceProfile",
+ "iam:DeleteInstanceProfile",
+ "iam:GetRole",
+ "iam:GetInstanceProfile",
+ "iam:DeleteRolePolicy",
+ "iam:RemoveRoleFromInstanceProfile",
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:PutRolePolicy",
+ "iam:AddRoleToInstanceProfile"
+ ],
+ "Resource": "*"
+}
+```
+
 ### Checking that system time is current
 Amazon uses the current time as part of the [request signing