How to attach policy to the instance profile?

[Eslamanwar]

• Just a question , how to attach policy to the instance profile?
  as a requirement to for example pull image from ECR

[npalm]

Not supported yet, but we are open for PR's. The request needs change to the Lambda that creates the instance. ` https://github.com/philips-labs/terraform-aws-github-runner/blob/80104c3f3fae344844f75bdb090a9c8ca179c9e7/modules/runners/lambdas/runners/src/scale-runners/runners.ts#L69

[jpalomaki]

@npalm @Eslamanwar Perhaps allowing a user to pass in an inline IAM policy document and/or a list of managed policy ARNs via variables.tf would make sense:

module "github-runner" {
  source  = "philips-labs/github-runner/aws"
  version = "X.Y.Z"
  ...
  runner_iam_role_inline_policy= <<-EOF
    {
      "Version": "2012-10-17",
      "Statement": {
        "Sid": "AllowExample",
        "Effect": "Allow",
        ...
      }
    }
  EOF
  runner_iam_role_managed_policies = [
    "arn:aws:iam::aws:policy/ExampleAwsManagedPolicy"
  ]
}

These could then be attached to the runner IAM role in policies-runner.tf?

[npalm]

I see two more logical options to me

• Let the runner export the iam role, which made it easy for the user of the module to attache any profile of their need.
• Let the runner module accepted an optional list of managed (no inline) policies that are attached to the runner.

The first one is a simple option to add and brings the required flexibility.

[jpalomaki]

@npalm As to option 1, by export, do you mean a module output?

[npalm]

@npalm As to option 1, by export, do you mean a module output?

yep

[rlove]

Could we pass the preconfigured role to the terraform as an ARN? Then store than in a variable for scale-up lambda to use

[jpalomaki]

@npalm @rlove @Eslamanwar See #361 for a potential solution.

[npalm]

@Eslamanwar @rlove @jpalomaki converted the issue ot a discussion