fix: error IAM role attachement when applying the module the first ti… (#659)

Ensure policies attachment are done with module managed resources in case the role is managed via terraform objects. This to avoid attachments are created before the role is created. Depends on does not support dynamics, sot not an option.

Author: npalm

examples/runner-default/.terraform.lock.hcl

@@ -1,7 +1,7 @@
 resource "aws_iam_role_policy" "instance" {
   count  = var.enable_cloudwatch_logging && var.create_runner_iam_role ? 1 : 0
   name   = "${local.name_iam_objects}-logging"
-  role   = local.aws_iam_role_instance_name
+  role   = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
   policy = templatefile("${path.module}/policies/instance-logging-policy.json", { partition = data.aws_partition.current.partition })
 }
 

logging.tf

@@ -399,14 +399,14 @@ resource "aws_iam_policy" "instance_session_manager_policy" {
 resource "aws_iam_role_policy_attachment" "instance_session_manager_policy" {
   count = var.enable_runner_ssm_access ? 1 : 0
 
-  role       = local.aws_iam_role_instance_name
+  role       = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
   policy_arn = aws_iam_policy.instance_session_manager_policy[0].arn
 }
 
 resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed" {
   count = var.enable_runner_ssm_access ? 1 : 0
 
-  role       = local.aws_iam_role_instance_name
+  role       = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
   policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
@@ -416,7 +416,7 @@ resource "aws_iam_role_policy_attachment" "instance_session_manager_aws_managed"
 resource "aws_iam_role_policy_attachment" "user_defined_policies" {
   count = length(var.runner_iam_policy_arns)
 
-  role       = local.aws_iam_role_instance_name
+  role       = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
   policy_arn = var.runner_iam_policy_arns[count.index]
 }
 
@@ -429,7 +429,7 @@ resource "aws_iam_role_policy_attachment" "docker_machine_cache_instance" {
      use aws_iam_role.docker_machine.name here! See https://docs.gitlab.com/runner/configuration/advanced-configuration.html */
   count = var.runners_executor == "docker+machine" ? (var.cache_bucket["create"] || lookup(var.cache_bucket, "policy", "") != "" ? 1 : 0) : 0
 
-  role       = local.aws_iam_role_instance_name
+  role       = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
   policy_arn = local.bucket_policy
 }
 
@@ -485,7 +485,7 @@ resource "aws_iam_policy" "service_linked_role" {
 resource "aws_iam_role_policy_attachment" "service_linked_role" {
   count = var.allow_iam_service_linked_role_creation ? 1 : 0
 
-  role       = local.aws_iam_role_instance_name
+  role       = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
   policy_arn = aws_iam_policy.service_linked_role[0].arn
 }
 
@@ -509,7 +509,7 @@ resource "aws_iam_policy" "ssm" {
 resource "aws_iam_role_policy_attachment" "ssm" {
   count = var.enable_manage_gitlab_token ? 1 : 0
 
-  role       = local.aws_iam_role_instance_name
+  role       = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
   policy_arn = aws_iam_policy.ssm[0].arn
 }
 
@@ -529,7 +529,7 @@ resource "aws_iam_policy" "eip" {
 resource "aws_iam_role_policy_attachment" "eip" {
   count = var.enable_eip ? 1 : 0
 
-  role       = local.aws_iam_role_instance_name
+  role       = var.create_runner_iam_role ? aws_iam_role.instance[0].name : local.aws_iam_role_instance_name
   policy_arn = aws_iam_policy.eip[0].arn
 }