Create IAM Instance Profile Role policy to allow Vault AWS Auth full …

…functionality, and enable by variable.

modules/vault-cluster/main.tf

@@ -212,3 +212,27 @@ data "aws_iam_policy_document" "vault_s3" {
     ]
   }
 }
+
+resource "aws_iam_role_policy" "vault_aws_EC2_IAM_Auth" {
+  count   = "${var.enable_EC2_IAM_Auth ? 1 : 0}"
+  name    = "vault_aws_EC2_IAM_Auth"
+  role    = "${aws_iam_role.instance_role.id}"
+  policy  = "${element(concat(data.aws_iam_policy_document.vault_aws_EC2_IAM_Auth.*.json, list("")), 0)}"
+}
+
+data "aws_iam_policy_document" "vault_aws_EC2_IAM_Auth" {
+  count   = "${var.enable_EC2_IAM_Auth ? 1 : 0}"
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "ec2:DescribeInstances",
+      "iam:GetInstanceProfile",
+      "iam:GetUser",
+      "iam:GetRole"
+    ]
+
+    resources = ["*"]
+  }
+}
+

modules/vault-cluster/variables.tf

@@ -175,3 +175,7 @@ variable "force_destroy_s3_bucket" {
   description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true."
   default     = false
 }
+
+variable "enable_EC2_IAM_Auth" {
+  description = "Configure IAM Instance Profile on Vault cluster members to permit the user to enable AWS Auth backend. Note that this does NOT actually enable the backend, but merely sets policys that will permit it to function as expected."
+}