Add support for instance_role_arn in GameLift Fleet

aws/resource_aws_gamelift_fleet.go

@@ -45,6 +45,12 @@ func resourceAwsGameliftFleet() *schema.Resource {
 				Required:     true,
 				ValidateFunc: validation.StringLenBetween(1, 1024),
 			},
+			"instance_role_arn": {
+				Type:         schema.TypeString,
+				ForceNew:     true,
+				ValidateFunc: validateArn,
+				Optional:     true,
+			},
 			"description": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -190,6 +196,11 @@ func resourceAwsGameliftFleetCreate(d *schema.ResourceData, meta interface{}) er
 	if v, ok := d.GetOk("ec2_inbound_permission"); ok {
 		input.EC2InboundPermissions = expandGameliftIpPermissions(v.([]interface{}))
 	}
+
+	if v, ok := d.GetOk("instance_role_arn"); ok {
+		input.InstanceRoleArn = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("metric_groups"); ok {
 		input.MetricGroups = expandStringList(v.([]interface{}))
 	}
@@ -204,7 +215,18 @@ func resourceAwsGameliftFleetCreate(d *schema.ResourceData, meta interface{}) er
 	}
 
 	log.Printf("[INFO] Creating Gamelift Fleet: %s", input)
-	out, err := conn.CreateFleet(&input)
+	var out *gamelift.CreateFleetOutput
+	err := resource.Retry(3*time.Minute, func() *resource.RetryError {
+		var err error
+		out, err = conn.CreateFleet(&input)
+		if isAWSErr(err, gamelift.ErrCodeInvalidRequestException, "GameLift is not authorized to perform") {
+			return resource.RetryableError(err)
+		}
+		if err != nil {
+			return resource.NonRetryableError(err)
+		}
+		return nil
+	})
 	if err != nil {
 		return err
 	}
@@ -286,6 +308,7 @@ func resourceAwsGameliftFleetRead(d *schema.ResourceData, meta interface{}) erro
 	d.Set("log_paths", aws.StringValueSlice(fleet.LogPaths))
 	d.Set("metric_groups", flattenStringList(fleet.MetricGroups))
 	d.Set("name", fleet.Name)
+	d.Set("instance_role_arn", fleet.InstanceRoleArn)
 	d.Set("new_game_session_protection_policy", fleet.NewGameSessionProtectionPolicy)
 	d.Set("operating_system", fleet.OperatingSystem)
 	d.Set("resource_creation_limit_policy", flattenGameliftResourceCreationLimitPolicy(fleet.ResourceCreationLimitPolicy))

aws/resource_aws_gamelift_fleet_test.go

@@ -555,6 +555,7 @@ resource "aws_gamelift_fleet" "test" {
   ec2_instance_type = "c4.large"
   name              = "%s"
   description       = "%s"
+  instance_role_arn = "${aws_iam_role.test.arn}"
 
   ec2_inbound_permission {
     from_port = 8080
@@ -599,8 +600,10 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
+%s
+
 `, fleetName, desc, launchPath, params,
-		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
+		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn), testAccAWSGameLiftFleetIAMRole(buildName))
 }
 
 func testAccAWSGameliftFleetAllFieldsUpdatedConfig(fleetName, desc, launchPath string, params string, buildName, bucketName, key, roleArn string) string {
@@ -610,6 +613,7 @@ resource "aws_gamelift_fleet" "test" {
   ec2_instance_type = "c4.large"
   name              = "%s"
   description       = "%s"
+  instance_role_arn = "${aws_iam_role.test.arn}"
 
   ec2_inbound_permission {
     from_port = 8888
@@ -654,8 +658,10 @@ resource "aws_gamelift_fleet" "test" {
 
 %s
 
+%s
+
 `, fleetName, desc, launchPath, params,
-		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn))
+		testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn), testAccAWSGameLiftFleetIAMRole(buildName))
 }
 
 func testAccAWSGameliftFleetBasicTemplate(buildName, bucketName, key, roleArn string) string {
@@ -672,3 +678,57 @@ resource "aws_gamelift_build" "test" {
 }
 `, buildName, bucketName, key, roleArn)
 }
+
+func testAccAWSGameLiftFleetIAMRole(rName string) string {
+	return fmt.Sprintf(`
+	resource "aws_iam_role" "test" {
+		name = "test-role-%[1]s"
+
+		assume_role_policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+	{
+		"Sid": "",
+		"Effect": "Allow",
+		"Principal": {
+			"Service": [
+			"gamelift.amazonaws.com"
+			]
+		},
+		"Action": [
+			"sts:AssumeRole"
+			]
+		}
+	]
+}
+EOF
+	  }
+
+	  resource "aws_iam_policy" "test" {
+		name        = "test-policy-%[1]s"
+		path        = "/"
+		description = "GameLift Fleet PassRole Policy"
+
+		policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [{
+	"Effect": "Allow",
+	"Action": [
+		"iam:PassRole",
+		"sts:AssumeRole"
+		],
+	"Resource": ["*"]
+}]
+}
+EOF
+	  }
+
+	  resource "aws_iam_policy_attachment" "test-attach" {
+		name       = "test-attachment-%[1]s"
+		roles      = ["${aws_iam_role.test.name}"]
+		policy_arn = "${aws_iam_policy.test.arn}"
+	  }
+`, rName)
+}

aws/resource_aws_gamelift_test.go

@@ -28,7 +28,6 @@ func testAccAWSGameliftSampleGame(region string) (*testAccGameliftGame, error) {
 	bucket := fmt.Sprintf("gamelift-sample-builds-prod-%s", region)
 	key := fmt.Sprintf("%s/server/sample_build_%s", version, version)
 	roleArn := fmt.Sprintf("arn:aws:iam::%s:role/sample-build-upload-role-%s", accId, region)
-
 	launchPath := `C:\game\Bin64.Release.Dedicated\MultiplayerProjectLauncher_Server.exe`
 
 	gg := &testAccGameliftGame{

website/docs/r/gamelift_fleet.html.markdown

@@ -32,11 +32,12 @@ resource "aws_gamelift_fleet" "example" {
 The following arguments are supported:
 
 * `build_id` - (Required) ID of the Gamelift Build to be deployed on the fleet.
-* `ec2_instance_type` - (Required) Name of an EC2 instance type. e.g. `t2.micro`
-* `name` - (Required) The name of the fleet.
 * `description` - (Optional) Human-readable description of the fleet.
 * `ec2_inbound_permission` - (Optional) Range of IP addresses and port settings that permit inbound traffic to access server processes running on the fleet. See below.
+* `ec2_instance_type` - (Required) Name of an EC2 instance type. e.g. `t2.micro`
+* `instance_role_arn` - (Optional) ARN of an IAM role that instances in the fleet can assume.
 * `metric_groups` - (Optional) List of names of metric groups to add this fleet to. A metric group tracks metrics across all fleets in the group. Defaults to `default`.
+* `name` - (Required) The name of the fleet.
 * `new_game_session_protection_policy` - (Optional) Game session protection policy to apply to all instances in this fleet. e.g. `FullProtection`. Defaults to `NoProtection`.
 * `resource_creation_limit_policy` - (Optional) Policy that limits the number of game sessions an individual player can create over a span of time for this fleet. See below.
 * `runtime_configuration` - (Optional) Instructions for launching server processes on each instance in the fleet. See below.