From b000339a314aa5b880685965af4a874a5a7fe201 Mon Sep 17 00:00:00 2001
From: Julien Vey
Date: Tue, 3 Apr 2018 17:39:39 +0200
Subject: [PATCH] ec2_instace: fix instance_role argument (#37465)

---
 .../modules/cloud/amazon/ec2_instance.py | 7 +--
 .../files/assume-role-policy.json | 13 ++++
 .../ec2_instance/tasks/iam_instance_role.yml | 62 +++++++++++++++++++
 .../targets/ec2_instance/tasks/main.yml | 1 +
 4 files changed, 79 insertions(+), 4 deletions(-)
 create mode 100644 test/integration/targets/ec2_instance/files/assume-role-policy.json
 create mode 100644 test/integration/targets/ec2_instance/tasks/iam_instance_role.yml

diff --git a/lib/ansible/modules/cloud/amazon/ec2_instance.py b/lib/ansible/modules/cloud/amazon/ec2_instance.py
index 5f34ab51831..33e196a4223 100644
--- a/lib/ansible/modules/cloud/amazon/ec2_instance.py
+++ b/lib/ansible/modules/cloud/amazon/ec2_instance.py
@@ -994,7 +994,7 @@ def build_run_instance_spec(params, ec2=None):
 
     # IAM profile
     if params.get('instance_role'):
-        spec['IamInstanceProfile'] = dict(Arn=determine_iam_role(params.get('iam_profile')))
+        spec['IamInstanceProfile'] = dict(Arn=determine_iam_role(params.get('instance_role')))
 
     spec['InstanceType'] = params['instance_type']
     return spec
@@ -1267,11 +1267,10 @@ def pretty_instance(i):
     return instance
 
 
-def determine_iam_role(name_or_arn, iam):
+def determine_iam_role(name_or_arn):
     if re.match(r'^arn:aws:iam::\d+:instance-profile/[\w+=/,.@-]+$', name_or_arn):
         return name_or_arn
-    if iam is None:
-        iam = module.client('iam')
+    iam = module.client('iam')
     try:
         role = iam.get_instance_profile(InstanceProfileName=name_or_arn)
         return role['InstanceProfile']['Arn']
diff --git a/test/integration/targets/ec2_instance/files/assume-role-policy.json b/test/integration/targets/ec2_instance/files/assume-role-policy.json
new file mode 100644
index 00000000000..72413abdd38
--- /dev/null
+++ b/test/integration/targets/ec2_instance/files/assume-role-policy.json
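Review bot: The corrected call path resolves a bare profile name through `module.client('iam')` inside determine_iam_role, so the credentials running the module need `iam:GetInstanceProfile` on top of whatever RunInstances itself requires (in practice `iam:PassRole` on the role behind the profile), and nothing near this line says so; a user who passes the full ARN never hits the extra IAM call. A one-line comment above `if params.get('instance_role'):` would save the next person a permissions hunt: `# a bare name is resolved via iam:GetInstanceProfile; passing the full instance-profile ARN avoids the extra IAM call`. build_run_instance_spec starts before this hunk.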
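Review bot: The ARN regex on the first line of the rewritten function only accepts the `aws` partition, so an instance-profile ARN from GovCloud or China (`arn:aws-us-gov:iam::…`, `arn:aws-cn:iam::…`) falls through to `get_instance_profile(InstanceProfileName=<full ARN>)`, which cannot succeed. Widening the partition, `r'^arn:aws(-[a-z]+)?:iam::\d+:instance-profile/[\w+=/,.@-]+$'`, keeps the fast path for those regions, and `\Z` in place of `$` would stop a value with a trailing newline from matching. Dropping the `iam` parameter is a signature change: any caller outside this hunk that still passes a client would now raise TypeError, so it is worth a grep before merging. The function's except clause continues past the end of the hunk.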
@@ -0,0 +1,13 @@
+{
+  "Version": "2008-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
diff --git a/test/integration/targets/ec2_instance/tasks/iam_instance_role.yml b/test/integration/targets/ec2_instance/tasks/iam_instance_role.yml
new file mode 100644
index 00000000000..a20a9e0dc73
--- /dev/null
+++ b/test/integration/targets/ec2_instance/tasks/iam_instance_role.yml
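Review bot: The trust policy declares `"Version": "2008-10-17"`, the legacy policy-language version; AWS recommends `"2012-10-17"` for all new policies, and that is the version that supports policy variables and the newer condition operators should this fixture ever grow a `Condition` block. Switching the line to `"Version": "2012-10-17"` costs nothing here. The empty `"Sid": ""` is harmless but can simply be dropped.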
@@ -0,0 +1,62 @@
+- name: set connection information for all tasks
+  set_fact:
+    aws_connection_info: &aws_connection_info
+      aws_access_key: "{{ aws_access_key }}"
+      aws_secret_key: "{{ aws_secret_key }}"
+      security_token: "{{ security_token }}"
+      region: "{{ aws_region }}"
+  no_log: true
+
+- block:
+  - name: Create IAM role for test
+    iam_role:
+      name: "{{ resource_prefix }}-test-policy"
+      assume_role_policy_document: "{{ lookup('file','assume-role-policy.json') }}"
+      state: present
+      create_instance_profile: yes
+      managed_policy:
+        - AmazonEC2ContainerServiceRole
+      <<: *aws_connection_info
+    register: iam_role
+
+  - name: Wait for IAM role to be available, otherwise the next step will fail (Invalid IAM Instance Profile name)
+    command: sleep 10
+
+  - name: Make instance with an instance_role
+    ec2_instance:
+      name: "{{ resource_prefix }}-test-default-vpc"
+      image_id: "{{ ec2_ami_image[aws_region] }}"
+      security_groups: "{{ sg.group_id }}"
+      instance_type: t2.micro
+      instance_role: "{{ resource_prefix }}-test-policy"
+      <<: *aws_connection_info
+    register: instance_with_role
+
+  - assert:
+      that:
+        - 'instance_with_role.instances[0].iam_instance_profile.arn == iam_role.arn.replace(":role/", ":instance-profile/")'
+
+  always:
+  - name: Terminate instance
+    ec2:
+      instance_ids: "{{ instance_with_role.instance_ids }}"
+      state: absent
+      <<: *aws_connection_info
+    register: removed
+    until: removed is not failed
+    ignore_errors: yes
+    retries: 10
+
+  - name: Delete IAM role for test
+    iam_role:
+      name: "{{ resource_prefix }}-test-policy"
+      assume_role_policy_document: "{{ lookup('file','assume-role-policy.json') }}"
+      state: absent
+      create_instance_profile: yes
+      managed_policy:
+        - AmazonEC2ContainerServiceRole
+      <<: *aws_connection_info
+    register: removed
+    until: removed is not failed
+    ignore_errors: yes
+    retries: 10
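Review bot: The test role is created with `managed_policy: - AmazonEC2ContainerServiceRole`, but nothing in these tasks exercises that permission set — the only assertion compares the instance-profile ARN — so the fixture hands a live instance a broad AWS-managed policy it never needs. A least-privilege fixture would attach no managed policy (or an empty list, depending on what `iam_role` does when the key is absent — worth confirming against the module), which also drops a dependency on an AWS-managed policy name that can be renamed or deprecated. The `command: sleep 10` wait for IAM propagation is a fixed guess; putting `retries`/`until` on the `ec2_instance` task itself, keyed on the profile error, is the usual way to keep this from flaking. The cleanup task repeats the same `managed_policy` list, so whatever is chosen should be mirrored there.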
diff --git a/test/integration/targets/ec2_instance/tasks/main.yml b/test/integration/targets/ec2_instance/tasks/main.yml
index 4ccee173c5d..82f9f11d405 100644
--- a/test/integration/targets/ec2_instance/tasks/main.yml
+++ b/test/integration/targets/ec2_instance/tasks/main.yml
@@ -94,6 +94,7 @@
     - include_tasks: tasks/external_resource_attach.yml
     - include_tasks: tasks/block_devices.yml
     - include_tasks: tasks/default_vpc_tests.yml
+    - include_tasks: tasks/iam_instance_role.yml
 
 # ============================================================