1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: CC-BY-SA-3.0
8 source = "hashicorp/aws"
14 region = local.region_name
17 Arvados = local.cluster_name
22 resource "aws_key_pair" "deployer" {
23 key_name = local.pubkey_name
24 public_key = file(local.pubkey_path)
27 resource "aws_iam_instance_profile" "keepstore_instance_profile" {
28 name = "${local.cluster_name}-keepstore-00-iam-role"
29 role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
32 resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
33 name = "${local.cluster_name}_dispatcher_instance_profile"
34 role = aws_iam_role.cloud_dispatcher_iam_role.name
37 resource "aws_secretsmanager_secret" "ssl_password_secret" {
38 name = local.ssl_password_secret_name
41 resource "aws_iam_instance_profile" "default_instance_profile" {
42 name = "${local.cluster_name}_default_instance_profile"
43 role = aws_iam_role.default_iam_role.name
46 resource "aws_instance" "arvados_service" {
47 for_each = toset(local.hostnames)
48 ami = data.aws_ami.debian-11.image_id
49 instance_type = var.default_instance_type
50 key_name = local.pubkey_name
51 user_data = templatefile("user_data.sh", {
52 "hostname": each.value
54 private_ip = local.private_ip[each.value]
55 subnet_id = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
56 vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
57 # This should be done in a more readable way
58 iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
60 Name = "arvados_service_${each.value}"
64 volume_size = (each.value == "controller" && !local.use_external_db) ? 70 : 20
69 # Avoids recreating the instance when the latest AMI changes.
70 # Use 'terraform taint' or 'terraform apply -replace' to force
77 resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
78 name = "${local.cluster_name}_cloud_dispatcher_ec2_access"
80 Version: "2012-10-17",
81 Id: "arvados-dispatch-cloud policy",
86 "ec2:DescribeKeyPairs",
89 "ec2:DescribeInstances",
91 "ec2:TerminateInstances"
98 resource "aws_iam_role" "cloud_dispatcher_iam_role" {
99 name = "${local.cluster_name}-dispatcher-00-iam-role"
100 assume_role_policy = "${file("../assumerolepolicy.json")}"
103 resource "aws_iam_policy_attachment" "cloud_dispatcher_ec2_access_attachment" {
104 name = "${local.cluster_name}_cloud_dispatcher_ec2_access_attachment"
105 roles = [ aws_iam_role.cloud_dispatcher_iam_role.name ]
106 policy_arn = aws_iam_policy.cloud_dispatcher_ec2_access.arn
109 resource "aws_eip_association" "eip_assoc" {
110 for_each = toset(local.hostnames)
111 instance_id = aws_instance.arvados_service[each.value].id
112 allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
115 resource "aws_iam_role" "default_iam_role" {
116 name = "${local.cluster_name}-default-iam-role"
117 assume_role_policy = "${file("../assumerolepolicy.json")}"
120 resource "aws_iam_policy" "ssl_privkey_password_access" {
121 name = "${local.cluster_name}_ssl_privkey_password_access"
122 policy = jsonencode({
123 Version: "2012-10-17",
126 Action: "secretsmanager:GetSecretValue",
127 Resource: "${aws_secretsmanager_secret.ssl_password_secret.arn}"
132 # Every service node needs access to the SSL privkey password secret for
133 # nginx to be able to use it.
134 resource "aws_iam_policy_attachment" "ssl_privkey_password_access_attachment" {
135 name = "${local.cluster_name}_ssl_privkey_password_access_attachment"
137 aws_iam_role.cloud_dispatcher_iam_role.name,
138 aws_iam_role.default_iam_role.name,
139 data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name,
141 policy_arn = aws_iam_policy.ssl_privkey_password_access.arn