terraform.tf

resource "aws_iam_user" "asg_healthreport" {
  name = "${var.stack}-asg_healthreport"
  # can't use create_before_destroy due to fixed name
}

resource "aws_iam_access_key" "asg_healthreport" {
  user = "${aws_iam_user.asg_healthreport.name}"
  # can't use create_before_destroy due to fixed name of user
}

resource "aws_iam_policy" "asg_healthreport" {
  name = "${var.stack}-asg_healthreport_policy"
  # can't use create_before_destroy due to fixed name of user
  policy = <<EOF
{ "Version":"2012-10-17", "Statement": [ {
  "Resource": [ "*" ],
  "Action": [ "autoscaling:SetInstanceHealth" ],
  "Effect": "Allow"
} ] }
EOF
}

resource "aws_iam_policy_attachment" "asg_healthreport" {
  name = "${var.stack}-asg_healthreportAttachment"
  users = ["${aws_iam_user.asg_healthreport.name}"]
  policy_arn = "${aws_iam_policy.asg_healthreport.arn}"
}

userdata.sh

# Set up aws CLI for ASG health reporting
mkdir /root/.aws
printf '[default]\naws_secret_access_key=%s\naws_access_key_id=%s\nregion=%s' \
${aws_iam_access_key.asg_healthreport.secret} ${aws_iam_access_key.asg_healthreport.id} ${var.region} \
> /root/.aws/config
chmod 600 /root/.aws/config

# Report ourselves as unhealthy until fully booted
INSTANCE_ID=`curl -f http://169.254.169.254/latest/meta-data/instance-id`
aws autoscaling set-instance-health --should-respect-grace-period \
  --instance-id $${INSTANCE_ID} \
  --health-status Unhealthy

[...]

# Report ourselves as healthy
aws autoscaling set-instance-health --should-respect-grace-period \
  --instance-id $${INSTANCE_ID} \
  --health-status Healthy
EOF