Removed custom AWS Batch service role from the metaflow-computation submodule.

Addresses issue outerbounds#101

Author: Angel Pizarro

modules/computation/README.md

@@ -20,6 +20,7 @@ To read more, see [the Metaflow docs](https://docs.metaflow.org/metaflow-on-aws/
 | <a name="input_compute_environment_instance_types"></a> [compute\_environment\_instance\_types](#input\_compute\_environment\_instance\_types) | The instance types for the compute environment as a comma-separated list | `list(string)` | n/a | yes |
 | <a name="input_compute_environment_max_vcpus"></a> [compute\_environment\_max\_vcpus](#input\_compute\_environment\_max\_vcpus) | Maximum VCPUs for Batch Compute Environment [16-96] | `number` | n/a | yes |
 | <a name="input_compute_environment_min_vcpus"></a> [compute\_environment\_min\_vcpus](#input\_compute\_environment\_min\_vcpus) | Minimum VCPUs for Batch Compute Environment [0-16] for EC2 Batch Compute Environment (ignored for Fargate) | `number` | n/a | yes |
+| <a name="input_custom_batch_service_role_arn"></a> [custom\_batch\_service\_role\_arn](#input\_custom\_batch\_service\_role\_arn) | The ARN of a custom service role for AWS Batch managed services to leverage. For more information, refer to https://docs.aws.amazon.com/batch/latest/userguide/using-service-linked-roles.html | `string` | `null` | no |
 | <a name="input_iam_partition"></a> [iam\_partition](#input\_iam\_partition) | IAM Partition (Select aws-us-gov for AWS GovCloud, otherwise leave as is) | `string` | `"aws"` | no |
 | <a name="input_launch_template_http_endpoint"></a> [launch\_template\_http\_endpoint](#input\_launch\_template\_http\_endpoint) | Whether the metadata service is available. Can be 'enabled' or 'disabled' | `string` | `"enabled"` | no |
 | <a name="input_launch_template_http_put_response_hop_limit"></a> [launch\_template\_http\_put\_response\_hop\_limit](#input\_launch\_template\_http\_put\_response\_hop\_limit) | The desired HTTP PUT response hop limit for instance metadata requests. Can be an integer from 1 to 64 | `number` | `2` | no |

modules/computation/batch.tf

@@ -8,17 +8,7 @@ resource "aws_batch_compute_environment" "this" {
   */
   compute_environment_name_prefix = local.compute_env_prefix_name
 
-  # Give permissions so the batch service can make API calls.
-  service_role = aws_iam_role.batch_execution_role.arn
-  type         = "MANAGED"
-
-  # On destroy, this avoids removing these policies below until compute environments are destroyed
-  depends_on = [
-    aws_iam_role_policy.grant_iam_pass_role,
-    aws_iam_role_policy.grant_custom_access_policy,
-    aws_iam_role_policy.grant_iam_custom_policies,
-    aws_iam_role_policy.grant_ec2_custom_policies,
-  ]
+  type = "MANAGED"
 
   compute_resources {
     # Give permissions so the ECS container instances can make API call.
@@ -73,6 +63,15 @@ resource "aws_batch_compute_environment" "this" {
     # To ensure terraform redeploys do not silently overwrite an up to date desired_vcpus that metaflow may modify
     ignore_changes = [compute_resources.0.desired_vcpus]
   }
+
+  /* Define a custom service role for AWS Batch. Usually this is not
+     needed, as AWS Batch will create a Service-Linked Role (SLR)
+     when you create your first compute environment.
+
+     For more information, refer to https://docs.aws.amazon.com/batch/latest/userguide/using-service-linked-roles.html.
+  */
+  service_role = var.custom_batch_service_role_arn
+
 }
 
 resource "aws_batch_job_queue" "this" {

modules/computation/iam-batch-execution.tf

@@ -102,3 +102,10 @@ variable "launch_template_image_id" {
   nullable    = true
   default     = null
 }
+
+variable "custom_batch_service_role_arn" {
+  type        = string
+  description = "The ARN of a custom service role for AWS Batch managed services to leverage. For more information, refer to https://docs.aws.amazon.com/batch/latest/userguide/using-service-linked-roles.html"
+  nullable    = true
+  default     = null
+}