Support custom IAM roles for cluster and workers (#338)

* allow specifying custom worker IAM instance profiles

* allow specifying custom cluster IAM role

* add doc

* update changelog

* use data.aws_iam_instance_profile.name
Touch Ungboriboonpisal
2019-05-07 05:46:06 -07:00
committed by Max Williams
parent 613fb1ca96
commit 959e5330e3
10 changed files with 62 additions and 14 deletions


@@ -38,7 +38,7 @@ resource "aws_launch_configuration" "workers" {
name_prefix = "${aws_eks_cluster.this.name}-${lookup(var.worker_groups[count.index], "name", count.index)}"
associate_public_ip_address = "${lookup(var.worker_groups[count.index], "public_ip", local.workers_group_defaults["public_ip"])}"
security_groups = ["${local.worker_security_group_id}", "${var.worker_additional_security_group_ids}", "${compact(split(",",lookup(var.worker_groups[count.index],"additional_security_group_ids", local.workers_group_defaults["additional_security_group_ids"])))}"]
iam_instance_profile = "${element(aws_iam_instance_profile.workers.*.id, count.index)}"
iam_instance_profile = "${element(coalescelist(aws_iam_instance_profile.workers.*.id, data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.name), count.index)}"
image_id = "${lookup(var.worker_groups[count.index], "ami_id", local.workers_group_defaults["ami_id"])}"
instance_type = "${lookup(var.worker_groups[count.index], "instance_type", local.workers_group_defaults["instance_type"])}"
key_name = "${lookup(var.worker_groups[count.index], "key_name", local.workers_group_defaults["key_name"])}"
@@ -131,32 +131,36 @@ resource "aws_iam_role" "workers" {
permissions_boundary = "${var.permissions_boundary}"
path = "${var.iam_path}"
force_detach_policies = true
count = "${var.manage_worker_iam_resources ? 1 : 0}"
}
resource "aws_iam_instance_profile" "workers" {
name_prefix = "${aws_eks_cluster.this.name}"
role = "${lookup(var.worker_groups[count.index], "iam_role_id", lookup(local.workers_group_defaults, "iam_role_id"))}"
count = "${var.worker_group_count}"
count = "${var.manage_worker_iam_resources ? var.worker_group_count : 0}"
path = "${var.iam_path}"
}
resource "aws_iam_role_policy_attachment" "workers_AmazonEKSWorkerNodePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = "${aws_iam_role.workers.name}"
count = "${var.manage_worker_iam_resources ? 1 : 0}"
}
resource "aws_iam_role_policy_attachment" "workers_AmazonEKS_CNI_Policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = "${aws_iam_role.workers.name}"
count = "${var.manage_worker_iam_resources ? 1 : 0}"
}
resource "aws_iam_role_policy_attachment" "workers_AmazonEC2ContainerRegistryReadOnly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = "${aws_iam_role.workers.name}"
count = "${var.manage_worker_iam_resources ? 1 : 0}"
}
resource "aws_iam_role_policy_attachment" "workers_additional_policies" {
count = "${var.workers_additional_policies_count}"
count = "${var.manage_worker_iam_resources ? var.workers_additional_policies_count : 0}"
role = "${aws_iam_role.workers.name}"
policy_arn = "${var.workers_additional_policies[count.index]}"
}
@@ -174,6 +178,7 @@ resource "null_resource" "tags_as_list_of_maps" {
resource "aws_iam_role_policy_attachment" "workers_autoscaling" {
policy_arn = "${aws_iam_policy.worker_autoscaling.arn}"
role = "${aws_iam_role.workers.name}"
count = "${var.manage_worker_iam_resources ? 1 : 0}"
}
resource "aws_iam_policy" "worker_autoscaling" {
@@ -181,6 +186,7 @@ resource "aws_iam_policy" "worker_autoscaling" {
description = "EKS worker node autoscaling policy for cluster ${aws_eks_cluster.this.name}"
policy = "${data.aws_iam_policy_document.worker_autoscaling.json}"
path = "${var.iam_path}"
count = "${var.manage_worker_iam_resources ? 1 : 0}"
}
data "aws_iam_policy_document" "worker_autoscaling" {
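Review bot: Gating every policy attachment and the `permissions_boundary` behind `manage_worker_iam_resources` (the `count` lines added on aws_iam_role.workers through workers_autoscaling and worker_autoscaling) means a caller-supplied instance profile is taken entirely on trust: the module no longer ensures the role behind it carries AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly, the cluster-autoscaler policy, or `var.permissions_boundary`, and the 0.11-style interpolation used here offers no way to validate that. The contract should at least be stated where the gate is introduced, e.g. above the new `count` on aws_iam_role.workers: `# When manage_worker_iam_resources is false, no worker role, policy attachment or permissions boundary is created here; the instance profiles named in var.worker_groups must already carry the EKS worker, CNI and ECR-read policies plus any boundary your account requires.`. The launch-configuration change picks `aws_iam_instance_profile.workers.*.id` in one branch and `data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.name` in the other; both resolve to the profile name, but reading `.name` on both sides would make that explicit and survive a future change to what `id` holds. Presumably the aws-auth ConfigMap elsewhere in the module maps the worker role ARN from `aws_iam_role.workers`; if it still does, nodes using a custom profile would not be able to join, and the data source's role ARN would need to be used there instead — this cannot be confirmed from the file shown.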