From 0df860c4aee0ac9461e3e4fbb1328b0ea4e9dacd Mon Sep 17 00:00:00 2001
From: Veetaha <gersoh3@gmail.com>
Date: Fri, 20 Sep 2024 17:17:13 +0000
Subject: [PATCH 1/2] Remove debugging remnants

---
 elastio-terraform-deployment/README.md        |  2 +-
 elastio-terraform-deployment/module/main.tf   | 30 +++++++++++++++++
 .../module/variables.tf                       | 33 ++++++++++++++++++-
 3 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/elastio-terraform-deployment/README.md b/elastio-terraform-deployment/README.md
index cf19787..8d3b6d9 100644
--- a/elastio-terraform-deployment/README.md
+++ b/elastio-terraform-deployment/README.md
@@ -64,6 +64,6 @@ module "elastio" {
 
   # This input is optional. Here you can specify the version of the NAT provisioning stack.
   # If you don't need it, just omit this input variable.
-  elastio_nat_provision_stack = "v4"
+  elastio_nat_provision_stack = "v5"
 }
 ```
diff --git a/elastio-terraform-deployment/module/main.tf b/elastio-terraform-deployment/module/main.tf
index 7d6d2af..c43277b 100644
--- a/elastio-terraform-deployment/module/main.tf
+++ b/elastio-terraform-deployment/module/main.tf
@@ -36,6 +36,7 @@ locals {
     iamResourceNamesSuffix            = var.iam_resource_names_suffix
     iamResourceNamesStatic            = var.iam_resource_names_static
     disableCustomerManagedIamPolicies = var.disable_customer_managed_iam_policies
+    disableServiceLinkedRolesCreation = var.service_linked_roles == "tf"
     supportRoleExpirationDate         = var.support_role_expiration_date
     tenantRoleArn                     = "arn:aws:iam::176355207749:role/vkryvenko.development.elastio.us"
   }
@@ -73,9 +74,38 @@ locals {
     key => tostring(value)
     if value != null
   }
+
+  service_linked_roles_services = [
+    "ecs.amazonaws.com",
+    "batch.amazonaws.com",
+    "spot.amazonaws.com",
+    "spotfleet.amazonaws.com",
+    "ecs.application-autoscaling.amazonaws.com",
+    "autoscaling.amazonaws.com",
+  ]
+}
+
+resource "terraform_data" "service_linked_roles" {
+  for_each = var.service_linked_roles == "tf" ? local.service_linked_roles_services : toset([])
+
+  input = each.value
+  triggers_replace = each.value
+
+  provisioner "local-exec" {
+    command = <<CMD
+      aws iam create-service-linked-role --aws-service-name $service_name || true
+    CMD
+
+    environment = {
+      service_name = self.input
+    }
+  }
 }
 
+
 resource "aws_cloudformation_stack" "elastio_account_level_stack" {
+  depends_on = [terraform_data.service_linked_roles]
+
   name         = "elastio-account-level-stack"
   template_url = data.http.cloudformation_template.response_body
   tags = {
diff --git a/elastio-terraform-deployment/module/variables.tf b/elastio-terraform-deployment/module/variables.tf
index face0fb..8a1eb6a 100644
--- a/elastio-terraform-deployment/module/variables.tf
+++ b/elastio-terraform-deployment/module/variables.tf
@@ -40,7 +40,7 @@ variable "elastio_cloud_connectors" {
 
 variable "elastio_nat_provision_stack" {
   description = <<DESCR
-    Specifies the version of Elastio NAT provision stack to deploy (e.g. `v4`).
+    Specifies the version of Elastio NAT provision stack to deploy (e.g. `v5`).
 
     This is a Cloudformation stack that automatically provisions NAT Gateways in
     your VPC when Elastio worker instances run to provide them with the outbound
@@ -149,6 +149,37 @@ variable "disable_customer_managed_iam_policies" {
   default = null
 }
 
+variable "service_linked_roles" {
+  description = <<DESCR
+  By default the CFN stack creates the service-linked IAM roles needed by the stack.
+  Since these are global in your account, they can't be defined as regular resources
+  in the CFN, because these roles may already exist in your account and thus
+  the deployment would fail on a name conflict.
+
+  Instead, by default, they are deployed using an AWS::CloudFormation::CustomResource
+  which invokes an AWS Lambda function that creates the service-linked roles only if
+  they don't exist and doesn't fail if they do.
+
+  The default approach of creating the service-linked roles via the CFN requires
+  creating a lambda function in your environment that has IAM write permission of
+  `iam:CreateServiceLinkedRole`. If you can't afford creating such a lambda function
+  then set this parameter to `tf` and this terraform module will create the
+  service-linked roles without the need for a lambda function.
+
+  If you set this to `tf`, then make sure you have the AWS CLI installed and
+  configured with the necessary credentials on the machine where you run terraform.
+  DESCR
+
+  type     = string
+  default  = "cfn"
+  nullable = false
+
+  validation {
+    condition     = contains(["cfn", "tf"], var.service_linked_roles)
+    error_message = "service_linked_roles must be one of 'cfn', 'tf'"
+  }
+}
+
 variable "support_role_expiration_date" {
   description = <<DESCR
     Specifies a date when the ElastioSupport role will be disabled. This role

From b812bb9c8562fce5985449e4da55aa9f09220cb2 Mon Sep 17 00:00:00 2001
From: Veetaha <gersoh3@gmail.com>
Date: Fri, 20 Sep 2024 17:22:11 +0000
Subject: [PATCH 2/2] More comments

---
 elastio-terraform-deployment/module/main.tf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/elastio-terraform-deployment/module/main.tf b/elastio-terraform-deployment/module/main.tf
index c43277b..330bc97 100644
--- a/elastio-terraform-deployment/module/main.tf
+++ b/elastio-terraform-deployment/module/main.tf
@@ -85,6 +85,10 @@ locals {
   ]
 }
 
+# We have to use the `terraform_data` resource for the service-linked roles
+# because their creation needs to be idempotent and terraform shouldn't claim
+# ownership of them. These roles may already exist in the account, and they
+# may be used by other resources not managed by Elastio.
 resource "terraform_data" "service_linked_roles" {
   for_each = var.service_linked_roles == "tf" ? local.service_linked_roles_services : toset([])