From bd02f390ed94c52c558e17bf5fd2f86569b4440a Mon Sep 17 00:00:00 2001
From: Andrew Achkar
Date: Wed, 20 Jan 2021 13:37:11 -0500
Subject: [PATCH] Allow setting IAM role by name (#25)
---
 README.md | 33 ++++++++++++++++++++++++++++++++-
 action.yml | 5 +++++
 src/aws.js | 1 +
 src/config.js | 1 +
 4 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9aae5c01..d7b5bd43 100644
--- a/README.md
+++ b/README.md
@@ -83,7 +83,36 @@ Use the following steps to prepare your workflow for running on your EC2 self-ho
 }
 ```
- The policy can be limited even more by specifying the resources you use.
+ If you plan to attach an IAM role to the EC2 agent with the iam-role-name parameter, you will need to allow additional actions.
+
+ ```
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:TerminateInstances",
+ "ec2:RunInstances",
+ "ec2:ReplaceIamInstanceProfileAssociation",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInstanceStatus",
+ "ec2:AssociateIamInstanceProfile"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": "*"
+ }
+ ]
+ }
+ ```
+ This example policy is provided as a guide. It can and most likely should be limited even more by specifying the resources you use.
+
 2. Add the keys to GitHub secrets.
 3. Use the [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) action to set up the keys as environment variables.
@@ -143,6 +172,7 @@ Now you're ready to go!
 | `security-group-id` | Required if you use the `start` mode. | EC2 Security Group Id.

The security group should belong to the same VPC as the specified subnet.

Only the outbound traffic for port 443 should be allowed. No inbound traffic is required. |
 | `label` | Required if you use the `stop` mode. | Name of the unique label assigned to the runner.

The label is provided by the output of the action in the `start` mode.

The label is used to remove the runner from GitHub when the runner is not needed anymore. |
 | `ec2-instance-id` | Required if you use the `stop` mode. | EC2 Instance Id of the created runner.

The id is provided by the output of the action in the `start` mode.

The id is used to terminate the EC2 instance when the runner is not needed anymore. |
+| `iam-role-name` | Optional. | IAM role name to attach to the created runner.

This allows the runner to have permissions to run additional actions within the aws account, without having to manage additional github secrets and aws users. |
 ### Environment variables
@@ -193,6 +223,7 @@ jobs:
 ec2-instance-type: t3.nano
 subnet-id: subnet-123
 security-group-id: sg-123
+ iam-role-name: my-role-name # optional, requires additional permissions
 do-the-job:
 name: Do the job on the runner
 runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
diff --git a/action.yml b/action.yml
index d0047390..2790c659 100644
--- a/action.yml
+++ b/action.yml
@@ -49,6 +49,11 @@ inputs:
 The id is used to terminate the EC2 instance when the runner is not needed anymore.
 This input is required if you use the 'stop' mode.
 required: false
+ iam-role-name:
+ description: >-
+ IAM Role Name to attach to the created runner.
+ This requires additional permissions on the AWS role used to launch instances.
+ required: false
 outputs:
 label:
 description: >-
diff --git a/src/aws.js b/src/aws.js
index 3ccd42d2..359a7e9e 100644
--- a/src/aws.js
+++ b/src/aws.js
@@ -25,6 +25,7 @@ async function startEc2Instance(label, githubRegistrationToken) {
 UserData: Buffer.from(userData.join('\n')).toString('base64'),
 SubnetId: config.input.subnetId,
 SecurityGroupIds: [config.input.securityGroupId],
+ IamInstanceProfile: {Name: config.input.iamRoleName},
 };
 try {
diff --git a/src/config.js b/src/config.js
index faf08821..29e3bcbd 100644
--- a/src/config.js
+++ b/src/config.js
@@ -12,6 +12,7 @@ class Config {
 securityGroupId: core.getInput('security-group-id'),
 label: core.getInput('label'),
 ec2InstanceId: core.getInput('ec2-instance-id'),
+ iamRoleName: core.getInput('iam-role-name'),
 };
 // the values of github.context.repo.owner and github.context.repo.repo are taken from
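Review bot: The added `iam-role-name` description does not say what the value is actually used as: the src/aws.js hunk passes it to RunInstances as `IamInstanceProfile.Name`, which is the instance profile name, and that usually matches the role name only when the instance profile was created with the same name as the role. The description also says "additional permissions" without naming them, while the README hunk already lists them. Suggest `IAM role name to attach to the created runner. The value is used as the EC2 instance profile name, so the role's instance profile must carry the same name. The credentials used to launch the instance additionally need ec2:AssociateIamInstanceProfile and iam:PassRole on that role.`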
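Review bot: `IamInstanceProfile: {Name: config.input.iamRoleName}` is added unconditionally, but the input is optional and the src/config.js hunk reads it with `core.getInput`, which yields `''` when unset, so every run that does not set `iam-role-name` now sends an instance profile with an empty name, which RunInstances is likely to reject rather than ignore. Only add the key when a name was supplied: `...(config.input.iamRoleName ? { IamInstanceProfile: { Name: config.input.iamRoleName } } : {}),`. startEc2Instance begins and ends outside the hunk, so the surrounding error handling could not be checked. Since an attached profile hands that role's credentials to every step of the job running on the runner, the README example's `iam:PassRole` on `"Resource": "*"` is worth narrowing to the specific role ARN so the launching credentials cannot attach an arbitrary role.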