1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: CC-BY-SA-3.0
# Terraform and AWS provider configuration. The enclosing terraform {} and
# provider "aws" {} blocks are only partly shown in these lines.
# Pessimistic constraint: any 1.3.x release, but not 1.4.
6 required_version = "~> 1.3.0"
# Provider source only; the provider version constraint is not shown here.
9 source = "hashicorp/aws"
# Region is taken from a local defined elsewhere in the module.
16 region = local.region_name
# Operator-supplied tags plus an "Arvados" tag naming the cluster, presumably
# applied to every resource through the provider's default_tags — confirm.
18 tags = merge(local.custom_tags, {
19 Arvados = local.cluster_name
# Instance profile for the keepstore nodes. The role is not declared in this
# file: it is created by the data-storage configuration and read back through
# its remote state output.
25 resource "aws_iam_instance_profile" "keepstore_instance_profile" {
26 name = "${local.cluster_name}-keepstore-00-iam-role"
27 role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
# Instance profile for compute nodes launched by the dispatcher. The role name
# comes from a local rather than a resource in this file. Note that this
# profile's *name* is interpolated into a role ARN in the
# cloud_dispatcher_ec2_access policy below, so the profile name and the role
# name are expected to be identical.
30 resource "aws_iam_instance_profile" "compute_node_instance_profile" {
31 name = "${local.cluster_name}-compute-node-00-iam-role"
32 role = local.compute_node_iam_role_name
# Instance profile for the arvados-dispatch-cloud host; its role is declared
# below as cloud_dispatcher_iam_role. Naming style differs from the two
# profiles above (underscores and no "-00-iam-role" suffix).
35 resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
36 name = "${local.cluster_name}_dispatcher_instance_profile"
37 role = aws_iam_role.cloud_dispatcher_iam_role.name
# Secrets Manager entry holding the SSL private key password that nginx reads
# on the service nodes (read access is granted by ssl_privkey_password_access).
40 resource "aws_secretsmanager_secret" "ssl_password_secret" {
41 name = local.ssl_password_secret_name
# A zero recovery window deletes the secret immediately instead of scheduling
# deletion (the service default is 30 days). This makes rebuilds under the
# same name possible right away, but NOTE(review): a `terraform destroy` or an
# accidental replacement of this resource cannot be rolled back — confirm the
# trade-off is intended.
42 recovery_window_in_days = 0
# Instance profile for service hosts without a host-specific profile —
# presumably the "default" entry of local.instance_profile used by
# aws_instance.arvados_service below; confirm against the locals file.
45 resource "aws_iam_instance_profile" "default_instance_profile" {
46 name = "${local.cluster_name}_default_instance_profile"
47 role = aws_iam_role.default_iam_role.name
# One EC2 instance per Arvados service host, public and private alike.
# Per-host overrides (instance type, volume size, IAM profile) each fall back
# to a "default" key via try().
50 resource "aws_instance" "arvados_service" {
51 for_each = toset(concat(local.public_hosts, local.private_hosts))
52 ami = local.instance_ami_id
53 instance_type = try(var.instance_type[each.value], var.instance_type.default)
# user_data is readable from the instance metadata service and through
# DescribeInstanceAttribute, so nothing secret belongs in it. The template only
# receives the hostname, the deploy user name and — judging by the name — an
# SSH public key; NOTE(review): confirm local.pubkey_path really points at the
# public half.
54 user_data = templatefile("user_data.sh", {
55 "hostname": each.value,
56 "deploy_user": var.deploy_user,
57 "ssh_pubkey": file(local.pubkey_path)
# Fixed private IP from the per-host map; user-facing hosts are placed in the
# public subnet, everything else in the private subnet.
59 private_ip = local.private_ip[each.value]
60 subnet_id = contains(local.user_facing_hosts, each.value) ? local.public_subnet_id : local.private_subnet_id
# All service hosts share one security group.
61 vpc_security_group_ids = [ local.arvados_sg_id ]
# Host-specific instance profile when one is mapped, otherwise the default.
62 iam_instance_profile = try(local.instance_profile[each.value], local.instance_profile.default).name
64 Name = "${local.cluster_name}_arvados_service_${each.value}"
# Root volume size, again per host with a default fallback.
68 volume_size = try(var.instance_volume_size[each.value], var.instance_volume_size.default)
73 # Avoids recreating the instance when the latest AMI changes.
74 # Use 'terraform taint' or 'terraform apply -replace' to force
# Policy granting compute nodes the EC2 calls needed to grow their EBS volumes
# at runtime (the compute-node EBS autoscaler). Only part of the Action list is
# shown here; the Effect, Resource and any Condition of the statement are not.
81 resource "aws_iam_policy" "compute_node_ebs_autoscaler" {
82 name = "${local.cluster_name}_compute_node_ebs_autoscaler"
84 Version: "2012-10-17",
85 Id: "compute-node EBS Autoscaler policy",
90 "ec2:DescribeVolumeStatus",
91 "ec2:DescribeVolumes",
# NOTE(review): ModifyInstanceAttribute is a write-capable action; with
# Resource "*" it applies to every instance in the account. Confirm the
# statement scopes it (instance/volume ARNs or a tag Condition) where the
# statement closes.
93 "ec2:ModifyInstanceAttribute",
94 "ec2:DescribeVolumeAttribute",
# Attaches the autoscaler policy to the compute-node role.
# NOTE(review): aws_iam_policy_attachment is exclusive — it owns the complete
# set of roles/users/groups attached to this policy, so any attachment made
# outside this resource is removed on the next apply. A per-role
# aws_iam_role_policy_attachment is the non-exclusive alternative. The same
# applies to the other two aws_iam_policy_attachment resources in this file.
104 resource "aws_iam_policy_attachment" "compute_node_ebs_autoscaler_attachment" {
105 name = "${local.cluster_name}_compute_node_ebs_autoscaler_attachment"
106 roles = [ local.compute_node_iam_role_name ]
107 policy_arn = aws_iam_policy.compute_node_ebs_autoscaler.arn
# Policy for arvados-dispatch-cloud: describe key pairs and instances,
# terminate instances, and (presumably, the Action is not shown) pass the
# compute-node role to the instances it launches. Only part of the statement
# list is shown here.
110 resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
111 name = "${local.cluster_name}_cloud_dispatcher_ec2_access"
112 policy = jsonencode({
113 Version: "2012-10-17",
114 Id: "arvados-dispatch-cloud policy",
118 "ec2:DescribeKeyPairs",
121 "ec2:DescribeInstances",
# NOTE(review): TerminateInstances is destructive. Confirm the statement it
# belongs to is constrained (e.g. a tag Condition on instances the dispatcher
# created) rather than Resource "*", otherwise the dispatcher host could
# terminate any instance in the account.
123 "ec2:TerminateInstances"
# This builds a *role* ARN from the compute-node *instance profile* name, so it
# only matches when local.compute_node_iam_role_name equals
# "${local.cluster_name}-compute-node-00-iam-role" — NOTE(review): confirm, or
# reference the role name directly. The account field is left as "*"; pinning
# it to the deploying account (data.aws_caller_identity) would be tighter.
132 Resource: "arn:aws:iam::*:role/${aws_iam_instance_profile.compute_node_instance_profile.name}"
# Role assumed by the dispatcher's EC2 instance. The trust policy is the same
# file used by default_iam_role; it lives one directory up.
137 resource "aws_iam_role" "cloud_dispatcher_iam_role" {
138 name = "${local.cluster_name}-dispatcher-00-iam-role"
# Interpolation-only "${...}" around a single function call is legacy
# (pre-0.12) syntax; file("../assumerolepolicy.json") on its own is equivalent.
139 assume_role_policy = "${file("../assumerolepolicy.json")}"
# Attaches the dispatcher EC2 policy to the dispatcher role.
# NOTE(review): aws_iam_policy_attachment is exclusive for the policy — any
# principal attached to cloud_dispatcher_ec2_access outside this resource is
# detached on the next apply. aws_iam_role_policy_attachment would not have
# that side effect.
142 resource "aws_iam_policy_attachment" "cloud_dispatcher_ec2_access_attachment" {
143 name = "${local.cluster_name}_cloud_dispatcher_ec2_access_attachment"
144 roles = [ aws_iam_role.cloud_dispatcher_iam_role.name ]
145 policy_arn = aws_iam_policy.cloud_dispatcher_ec2_access.arn
# Associates a pre-allocated Elastic IP with each public host. Skipped entirely
# for private-only clusters; the EIP allocation ids come from a per-host local.
148 resource "aws_eip_association" "eip_assoc" {
149 for_each = local.private_only ? [] : toset(local.public_hosts)
150 instance_id = aws_instance.arvados_service[each.value].id
151 allocation_id = local.eip_id[each.value]
# Role behind default_instance_profile, i.e. for service hosts that have no
# host-specific role. Shares its trust policy file with cloud_dispatcher_iam_role.
154 resource "aws_iam_role" "default_iam_role" {
155 name = "${local.cluster_name}-default-iam-role"
# Legacy interpolation-only wrapper; file("../assumerolepolicy.json") alone is
# equivalent.
156 assume_role_policy = "${file("../assumerolepolicy.json")}"
# Read access to the SSL password secret, scoped to that secret's ARN rather
# than "*" — the intended least-privilege shape for a secret consumer.
159 resource "aws_iam_policy" "ssl_privkey_password_access" {
160 name = "${local.cluster_name}_ssl_privkey_password_access"
161 policy = jsonencode({
162 Version: "2012-10-17",
165 Action: "secretsmanager:GetSecretValue",
# The "${...}" wrapper is redundant; the bare attribute reference is equivalent.
166 Resource: "${aws_secretsmanager_secret.ssl_password_secret.arn}"
171 # Every service node needs access to the SSL privkey password secret for
172 # nginx to be able to use it.
# The role list includes the dispatcher, default and keepstore roles (the list
# may continue beyond the lines shown here).
# NOTE(review): aws_iam_policy_attachment is exclusive — this resource owns the
# complete set of principals attached to ssl_privkey_password_access, so any
# role attached elsewhere is detached on apply. One aws_iam_role_policy_attachment
# per role avoids that.
173 resource "aws_iam_policy_attachment" "ssl_privkey_password_access_attachment" {
174 name = "${local.cluster_name}_ssl_privkey_password_access_attachment"
176 aws_iam_role.cloud_dispatcher_iam_role.name,
177 aws_iam_role.default_iam_role.name,
178 local.keepstore_iam_role_name,
180 policy_arn = aws_iam_policy.ssl_privkey_password_access.arn