Merge branch '20284-username-conflict-fix' refs #20284
[arvados.git] / tools / salt-install / terraform / aws / data-storage / main.tf
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: CC-BY-SA-3.0
4
5 terraform {
6   required_version = "~> 1.3.0"
7   required_providers {
8     aws = {
9       source = "hashicorp/aws"
10       version = "~> 4.38.0"
11     }
12   }
13 }
14
15 provider "aws" {
16   region = local.region_name
17   default_tags {
18     tags = merge(local.custom_tags, {
19       Arvados = local.cluster_name
20       Terraform = true
21     })
22   }
23 }
24
25 # S3 bucket and access resources for Keep blocks
26 resource "aws_s3_bucket" "keep_volume" {
27   bucket = "${local.cluster_name}-nyw5e-000000000000000-volume"
28 }
29
30 resource "aws_iam_role" "keepstore_iam_role" {
31   name = "${local.cluster_name}-keepstore-00-iam-role"
32   assume_role_policy = "${file("../assumerolepolicy.json")}"
33 }
34
35 resource "aws_iam_role" "compute_node_iam_role" {
36   name = "${local.cluster_name}-compute-node-00-iam-role"
37   assume_role_policy = "${file("../assumerolepolicy.json")}"
38 }
39
40 resource "aws_iam_policy" "s3_full_access" {
41   name = "${local.cluster_name}_s3_full_access"
42   policy = jsonencode({
43     Version: "2012-10-17",
44     Id: "arvados-keepstore policy",
45     Statement: [{
46       Effect: "Allow",
47       Action: [
48         "s3:*",
49       ],
50       Resource: [
51         "arn:aws:s3:::${local.cluster_name}-nyw5e-000000000000000-volume",
52         "arn:aws:s3:::${local.cluster_name}-nyw5e-000000000000000-volume/*"
53       ]
54     }]
55   })
56 }
57
58 resource "aws_iam_policy_attachment" "s3_full_access_policy_attachment" {
59   name = "${local.cluster_name}_s3_full_access_attachment"
60   roles = [
61     aws_iam_role.keepstore_iam_role.name,
62     aws_iam_role.compute_node_iam_role.name,
63   ]
64   policy_arn = aws_iam_policy.s3_full_access.arn
65 }
66