Details
- Type: Task
- Status: Closed
- Priority: Major
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: None
- Labels: None
- Story Points: 0.5
- Epic Link:
- Sprint: Spring 9 : 25 May to 8 Jun
Description
In order to give our appstore ec2 the ability to store digital assets (e.g., app jar files and screen shots) in its designated S3 bucket, we create an IAM managed policy and IAM role specifically for that S3 bucket.
When we create the ec2, we provide the name of the role using the parameter "instance_profile_name".
This of course only runs once when the ec2 is created. Later in the same playbook, we include a task "Grant testappstore access to s3 bucket" which tries again to add the role to the ec2. This ensures that if we change the s3 bucket for some reason, the ec2 will get modified with the correct role.
However, this task fails with an error message reading:
"TASK [ec2 : Grant testappstore access to s3 bucket] **************************************************************************
fatal: [localhost]: FAILED! => changed=false
attempts: 3
msg: You must include an image_id or image.id parameter to create an instance, or use a launch_template."
For this task, re-write the task "Add EC2 private IP to RDS host security group" and make it properly idempotent such that if the ec2 does not already have the given role, it is added.
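The idempotent role attachment the description asks for, as an added example that is not part of the ticket's playbook or the ec2 module: describe the instance's current instance profile association, attach the wanted profile if there is none, replace it if a different one is attached, and do nothing (so the task reports changed=false) if it already matches. An instance carries at most one instance profile association at a time, which is why the console appeared to swap roles rather than add a second one. The three client methods called are the boto3 EC2 calls of the same name; the `plan_instance_profile`/`ensure_instance_profile` function names, the `FakeEC2` stand-in, the instance id, the association id and the profile names are constructed for this example so it runs offline. In production you would pass `boto3.client("ec2")` instead of the fake.

```python
"""Idempotently ensure an EC2 instance carries a given IAM instance profile.

Added example, not the ticket's playbook code. The caller passes an EC2 client
exposing the three boto3 methods used below; a constructed fake is used at the
bottom so the block runs offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Plan:
    """What has to happen to reach the desired state."""
    action: str                           # "none" | "associate" | "replace"
    association_id: Optional[str] = None  # needed for a replace
    current_profile: Optional[str] = None


def profile_name_from_arn(arn: str) -> str:
    # arn:aws:iam::123456789012:instance-profile/name  ->  name
    return arn.rsplit("/", 1)[-1]


def plan_instance_profile(associations: list, wanted_profile: str) -> Plan:
    """Decide the action from a describe_iam_instance_profile_associations result.

    Only 'associating'/'associated' records count; a stale 'disassociated'
    record must not block a fresh attach.
    """
    live = [a for a in associations if a.get("State") in ("associating", "associated")]
    if not live:
        return Plan("associate")
    current = live[0]  # an instance has at most one live association
    current_name = profile_name_from_arn(current["IamInstanceProfile"]["Arn"])
    if current_name == wanted_profile:
        return Plan("none", current["AssociationId"], current_name)
    return Plan("replace", current["AssociationId"], current_name)


def ensure_instance_profile(ec2, instance_id: str, wanted_profile: str) -> bool:
    """Apply the plan. Returns True if anything changed (Ansible's 'changed')."""
    resp = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}]
    )
    plan = plan_instance_profile(resp.get("IamInstanceProfileAssociations", []), wanted_profile)
    if plan.action == "associate":
        ec2.associate_iam_instance_profile(
            IamInstanceProfile={"Name": wanted_profile}, InstanceId=instance_id)
        return True
    if plan.action == "replace":
        ec2.replace_iam_instance_profile_association(
            IamInstanceProfile={"Name": wanted_profile}, AssociationId=plan.association_id)
        return True
    return False  # already in the desired state: nothing to do


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') that records the calls made."""
    def __init__(self, associations):
        self.associations = associations
        self.calls = []

    def describe_iam_instance_profile_associations(self, Filters):
        return {"IamInstanceProfileAssociations": self.associations}

    def associate_iam_instance_profile(self, IamInstanceProfile, InstanceId):
        self.calls.append(("associate", IamInstanceProfile["Name"]))
        return {}

    def replace_iam_instance_profile_association(self, IamInstanceProfile, AssociationId):
        self.calls.append(("replace", IamInstanceProfile["Name"], AssociationId))
        return {}


# Constructed sample: the instance already carries a differently named profile.
SAMPLE_ASSOCIATIONS = [{
    "AssociationId": "iip-assoc-0123456789abcdef0",
    "InstanceId": "i-0abc1234567890def",
    "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/old-appstore-profile",
        "Id": "AIPAEXAMPLEID",
    },
    "State": "associated",
}]


def demo():
    """First run replaces the wrong profile; second run is a no-op."""
    fake = FakeEC2(SAMPLE_ASSOCIATIONS)
    first = ensure_instance_profile(fake, "i-0abc1234567890def", "testappstore-s3-profile")
    fake.associations = [dict(SAMPLE_ASSOCIATIONS[0], IamInstanceProfile={
        "Arn": "arn:aws:iam::123456789012:instance-profile/testappstore-s3-profile",
        "Id": "AIPAEXAMPLEID2"})]
    second = ensure_instance_profile(fake, "i-0abc1234567890def", "testappstore-s3-profile")
    return first, second, fake.calls


if __name__ == "__main__":
    print(demo())
```

The same three calls exist as aws CLI subcommands (`describe-iam-instance-profile-associations`, `associate-iam-instance-profile`, `replace-iam-instance-profile-association`), so a playbook task built on `command` with a `changed_when` based on the describe result follows the same plan/apply split; the describe step is what makes a second run report no change.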
Activity
Field | Original Value | New Value |
---|---|---|
Epic Link | IGBF-2323 [ 18477 ] |
Rank | Ranked higher |
Assignee | Chester Dias [ cdias1 ] |
Assignee | Chester Dias [ cdias1 ] | Ann Loraine [ aloraine ] |
Status | To-Do [ 10305 ] | In Progress [ 3 ] |
Status | In Progress [ 3 ] | Needs 1st Level Review [ 10005 ] |
Status | Needs 1st Level Review [ 10005 ] | First Level Review in Progress [ 10301 ] |
Status | First Level Review in Progress [ 10301 ] | Ready for Pull Request [ 10304 ] |
Status | Ready for Pull Request [ 10304 ] | Pull Request Submitted [ 10101 ] |
Status | Pull Request Submitted [ 10101 ] | Reviewing Pull Request [ 10303 ] |
Status | Reviewing Pull Request [ 10303 ] | Merged Needs Testing [ 10002 ] |
Status | Merged Needs Testing [ 10002 ] | Post-merge Testing In Progress [ 10003 ] |
Resolution | Done [ 10000 ] | |
Status | Post-merge Testing In Progress [ 10003 ] | Closed [ 6 ] |
See:
When I used the AWS console to modify an existing ec2's IAM role, the UI replaced the existing role with the new one. It seems like you can only attach one IAM role to an EC2.
I don't think the ec2 or ec2_instance modules have a way to re-assign or assign IAM roles to existing EC2 instances.
To modify the IAM role, we need to use the aws command line with shell, as described in the above reddit post.
According to the AWS documentation, you can create an IAM role and designate the IAM role as being intended for use with EC2 instances. If you do that, then probably when you create the ec2 and use the same name for the instance_policy_name, the correct role gets assigned.