Expose EC2 worker IAM role as output of module.astronomer-enterprise

We need to attach extra IAM policies to the EC2 worker nodes so that they can access our AWS resources.

I currently have a hardcoded variable with the EC2 worker role name that I grabbed from terraform show, and I used an explicit dependency to make our custom aws_iam_role_policy_attachment happen after module.astronomer-enterprise has deployed its changes.

It would be awesome if we could get module.astronomer-enterprise.module.aws.module.eks.aws_iam_role.workers as an output of module.astronomer-enterprise. That would allow me to grab the value directly, instead of creating a workaround (and buggy) depends_on on the custom aws_iam_role_policy_attachment.

Here is a sample of the way I’m applying our custom IAM policy attachments to the worker role:

variable "astronomer_iam_role" {
  # TODO: Get this value from the astronomer module
  # module.astronomer-enterprise.module.aws.module.eks.aws_iam_role.workers[0].name
  default = "astronomer-XXXXXXXX20191205155549771100000007"
}

resource "aws_iam_role_policy_attachment" "eks-worker-policies" {
  # The dependency ensures this resource is provisioned
  # AFTER the astronomer changes
  depends_on = [
    module.astronomer-enterprise.windows_debug_box_hostname,
  ]
  count      = "${length(var.extra_policies)}"
  role       = "${var.astronomer_iam_role}"
  policy_arn = "${var.extra_policies[count.index]}"
}

From terraform show:

# module.astronomer-enterprise.module.aws.module.eks.aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy[0]:
resource "aws_iam_role_policy_attachment" "workers_AmazonEKSWorkerNodePolicy" {
    id         = "astronomer-XXXXXXXX20191205155549771100000007-2019120515555080820000000b"
    policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
    role       = "astronomer-XXXXXXXX20191205155549771100000007"
}
# module.astronomer-enterprise.module.aws.module.eks.aws_iam_role.workers[0]:
resource "aws_iam_role" "workers" {
    arn                   = "arn:aws:iam::XXXXXXXX:role/astronomer-XXXXXXXX20191205155549771100000007"
    create_date           = "2019-12-05T15:55:50Z"
    force_detach_policies = true
    id                    = "astronomer-XXXXXXXX20191205155549771100000007"
    max_session_duration  = 3600
    name                  = "astronomer-XXXXXXXX20191205155549771100000007"
    name_prefix           = "astronomer-XXXXXXXX"
    path                  = "/"
    tags                  = {}
    unique_id             = "XXXXXXXXXXXXXXXXXXXXX"
    assume_role_policy    = jsonencode( ... )
}
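
The requested output and the attachment that would consume it, as an added example (not the issue author's code and not the Astronomer module's own). The output name worker_iam_role_name at every level is an assumption, as is the nested eks module already exporting it; var.extra_policies is declared here only so the fragment is complete.

```hcl
# Added example; output names are assumptions, not the module's published interface.

# 1) Inside the astronomer-enterprise module's "aws" submodule (outputs.tf).
#    Assumes the nested "eks" module already exports worker_iam_role_name.
output "worker_iam_role_name" {
  description = "Name of the IAM role attached to the EKS worker nodes"
  value       = module.eks.worker_iam_role_name
}

# 2) Inside the astronomer-enterprise module itself (outputs.tf): pass it up.
output "worker_iam_role_name" {
  description = "Name of the IAM role attached to the EKS worker nodes"
  value       = module.aws.worker_iam_role_name
}

# 3) In the root configuration that calls module.astronomer-enterprise.
variable "extra_policies" {
  description = "ARNs of additional IAM policies for the worker role"
  type        = list(string)
  default     = []
}

resource "aws_iam_role_policy_attachment" "eks-worker-policies" {
  # Referencing the module output gives Terraform an implicit dependency,
  # so neither depends_on nor a hardcoded role name is needed.
  count      = length(var.extra_policies)
  role       = module.astronomer-enterprise.worker_iam_role_name
  policy_arn = var.extra_policies[count.index]
}
```

Policies attached to the worker role are usable by every workload that can obtain the node's instance credentials, so keep the extra_policies list scoped to what the nodes themselves need.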