1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: CC-BY-SA-3.0
4
# Terraform settings for this stack: hashicorp/aws is the only provider used.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # NOTE(review): no `version` constraint is declared, so the provider
      # version is pinned only by the dependency lock file (if one is
      # committed).  Adding a constraint makes provider upgrades deliberate.
    }
  }
}
12
# AWS provider for this stack.  Credentials are not configured here, so they
# come from the ambient environment (env vars, shared config, or an instance
# role).  default_tags stamps every resource with the cluster name so all of
# a cluster's resources can be found (and charged) by tag.
provider "aws" {
  default_tags {
    tags = {
      Arvados = local.cluster_name
    }
  }

  region = local.region_name
}
21
# SSH key pair registered with EC2 for the service nodes (referenced from
# aws_instance.arvados_service via key_name).  Only the public half is read
# from disk; the private key is never read by Terraform and so never lands
# in state.
resource "aws_key_pair" "deployer" {
  public_key = file(local.pubkey_path)
  key_name   = local.pubkey_name
}
26
# Instance profile for keepN nodes.  The underlying role is owned by the
# data-storage stack and imported through remote state; only the profile
# wrapper is managed here.  Unlike the other profiles in this file its name
# ends in "-iam-role"; renaming it would force replacement, so it is kept.
resource "aws_iam_instance_profile" "keepstore_instance_profile" {
  role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
  name = "${local.cluster_name}-keepstore-00-iam-role"
}
31
# Instance profile for the controller node, wrapping the cloud-dispatcher
# role (which carries the EC2 permissions used to launch compute nodes).
resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
  role = aws_iam_role.cloud_dispatcher_iam_role.name
  name = "${local.cluster_name}_dispatcher_instance_profile"
}
36
# Secrets Manager entry holding the password that protects the SSL private
# key; the service nodes read it through the policy further down.  Only the
# secret *container* is managed here -- no aws_secretsmanager_secret_version
# appears in this file, so the value is presumably populated out of band.
# NOTE(review): no kms_key_id is set, so the secret is encrypted with the
# AWS-managed Secrets Manager key, and with no recovery_window_in_days a
# destroy leaves it in the default 30-day recovery window rather than
# deleting it immediately.
resource "aws_secretsmanager_secret" "ssl_password_secret" {
  name = local.ssl_password_secret_name
}
40
# Instance profile for every service node that is neither the controller
# nor a keepN node.  Its role gets nothing in this file beyond read access
# to the SSL privkey password secret.
resource "aws_iam_instance_profile" "default_instance_profile" {
  role = aws_iam_role.default_iam_role.name
  name = "${local.cluster_name}_default_instance_profile"
}
45
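# One EC2 instance per Arvados service hostname.  The controller gets the
# cloud-dispatcher profile, keepN nodes the keepstore profile, everything
# else the default profile; all three roles can read the SSL privkey
# password secret (see the attachment at the bottom of this file).
resource "aws_instance" "arvados_service" {
  for_each = toset(local.hostnames)

  ami           = data.aws_ami.debian-11.image_id
  instance_type = var.default_instance_type
  key_name      = local.pubkey_name

  # Resolve user_data.sh relative to this module rather than the working
  # directory, so the stack behaves the same when invoked from elsewhere.
  user_data = templatefile("${path.module}/user_data.sh", {
    "hostname": each.value
  })

  private_ip             = local.private_ip[each.value]
  subnet_id              = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
  vpc_security_group_ids = [data.terraform_remote_state.vpc.outputs.arvados_sg_id]

  # Select the instance profile by hostname.  can(regex(...)) is true exactly
  # when the name starts with "keep" followed by one or more digits.  The
  # pattern is not anchored at the end, so a name such as "keep0xyz" would
  # also qualify -- keep that in mind if local.hostnames ever gains one.
  iam_instance_profile = (
    each.value == "controller"
    ? aws_iam_instance_profile.dispatcher_instance_profile.name
    : can(regex("^keep[0-9]+", each.value))
    ? aws_iam_instance_profile.keepstore_instance_profile.name
    : aws_iam_instance_profile.default_instance_profile.name
  )

  # Require IMDSv2 (session-token) access to instance metadata.  Every one of
  # these hosts carries an instance profile whose credentials can read the
  # SSL privkey password secret, and IMDSv1 lets any plain GET -- e.g. one
  # forged through an SSRF bug in a service running here -- read those
  # credentials.  Changing this on an existing instance is an in-place update.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = {
    Name = "arvados_service_${each.value}"
  }

  root_block_device {
    volume_type = "gp3"
    # The controller hosts the database unless an external one is configured,
    # so it gets the larger root volume.
    volume_size = (each.value == "controller" && !local.use_external_db) ? 70 : 20
    # NOTE(review): `encrypted` is not set, so the root volume is encrypted
    # only if the account has EBS encryption-by-default enabled.  Setting
    # `encrypted = true` forces instance replacement, so it is left for a
    # deliberate change.
  }

  lifecycle {
    ignore_changes = [
      # Avoids recreating the instance when the latest AMI changes.
      # Use 'terraform taint' or 'terraform apply -replace' to force
      # an AMI change.
      ami,
    ]
  }
}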
76
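# Permissions for arvados-dispatch-cloud (running on the controller node) to
# create, tag and destroy compute-node instances.
#
# Security notes:
#  - iam:PassRole is what lets the dispatcher hand a role to the instances it
#    launches.  Unconstrained, it would also let a compromised controller pass
#    ANY role in the account to ANY service (Lambda, ECS, ...), so it is
#    limited to roles being passed to EC2.  Narrowing `Resource` to the
#    specific compute-node role ARN is the next step once that role is
#    managed where this file can reference it.
#  - The ec2:* actions are still granted on "*": the dispatcher can describe
#    and terminate every instance in the account, including the service nodes
#    defined above.  An ec2:ResourceTag condition on TerminateInstances would
#    limit that to nodes the dispatcher created; it needs the tag set the
#    dispatcher applies, which is not visible from this file.
resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
  name = "${local.cluster_name}_cloud_dispatcher_ec2_access"
  policy = jsonencode({
    Version: "2012-10-17",
    Id: "arvados-dispatch-cloud policy",
    Statement: [
      {
        Sid: "ComputeNodeLifecycle",
        Effect: "Allow",
        Action: [
          "ec2:DescribeKeyPairs",
          "ec2:ImportKeyPair",
          "ec2:RunInstances",
          "ec2:DescribeInstances",
          "ec2:CreateTags",
          "ec2:TerminateInstances"
        ],
        Resource: "*"
      },
      {
        Sid: "PassRoleToEc2Only",
        Effect: "Allow",
        Action: "iam:PassRole",
        Resource: "*",
        Condition: {
          StringEquals: {
            "iam:PassedToService": "ec2.amazonaws.com"
          }
        }
      }
    ]
  })
}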
97
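# Role assumed by the controller node through its instance profile.  The
# trust policy (who may assume it -- presumably the EC2 service, since it is
# only ever used via an instance profile here) is the shared
# ../assumerolepolicy.json, resolved relative to this module so the path
# does not depend on the working directory.  Plain `file(...)` replaces the
# legacy "${file(...)}" interpolation wrapper, which is equivalent but
# deprecated since Terraform 0.12.
resource "aws_iam_role" "cloud_dispatcher_iam_role" {
  name               = "${local.cluster_name}-dispatcher-00-iam-role"
  assume_role_policy = file("${path.module}/../assumerolepolicy.json")
}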
102
# Attach the EC2 permissions to the dispatcher role.
# NOTE(review): aws_iam_policy_attachment is *exclusive* -- on every apply it
# detaches the policy from any user, group or role not listed here.  That is
# harmless while this is the only place the policy is attached; if that ever
# changes, aws_iam_role_policy_attachment is the non-exclusive alternative.
resource "aws_iam_policy_attachment" "cloud_dispatcher_ec2_access_attachment" {
  name = "${local.cluster_name}_cloud_dispatcher_ec2_access_attachment"
  roles = [ aws_iam_role.cloud_dispatcher_iam_role.name ]
  policy_arn = aws_iam_policy.cloud_dispatcher_ec2_access.arn
}
108
# Bind each service node to the Elastic IP the vpc stack reserved for it,
# keyed by hostname.  This gives every service node a stable public address;
# what that address accepts is decided by the arvados_sg security group from
# the same stack, not by anything in this file.
resource "aws_eip_association" "eip_assoc" {
  for_each = toset(local.hostnames)

  allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
  instance_id   = aws_instance.arvados_service[each.value].id
}
114
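# Role for service nodes that are neither the controller nor a keepN node.
# Nothing in this file attaches permissions to it beyond read access to the
# SSL privkey password secret.  It shares the trust policy in
# ../assumerolepolicy.json, resolved relative to this module so the path does
# not depend on the working directory; plain `file(...)` replaces the legacy
# "${file(...)}" interpolation wrapper (equivalent, deprecated since 0.12).
resource "aws_iam_role" "default_iam_role" {
  name               = "${local.cluster_name}-default-iam-role"
  assume_role_policy = file("${path.module}/../assumerolepolicy.json")
}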
119
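# Read access to the SSL privkey password secret, and nothing else: a single
# action on a single resource.  The Resource is the secret's ARN attribute
# (Secrets Manager appends a random suffix to the name, so the attribute --
# not a hand-built ARN -- is the reliable way to match it).  The legacy
# "${...}" wrapper around the reference is dropped; it is deprecated and
# adds nothing.  If the secret is ever moved to a customer-managed KMS key,
# the roles will additionally need kms:Decrypt on that key.
resource "aws_iam_policy" "ssl_privkey_password_access" {
  name = "${local.cluster_name}_ssl_privkey_password_access"
  policy = jsonencode({
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "secretsmanager:GetSecretValue",
      Resource: aws_secretsmanager_secret.ssl_password_secret.arn
    }]
  })
}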
131
# Every service node needs access to the SSL privkey password secret for
# nginx to be able to use it.  Be aware of the trade-off: the instance
# credentials of *any* service node can fetch the password, so compromise of
# any single node discloses it.
# NOTE(review): aws_iam_policy_attachment is exclusive -- the policy is
# detached from every role not in this list on each apply, including roles
# another stack might attach it to.  Keep this the single place the policy
# is attached, or switch to per-role aws_iam_role_policy_attachment resources.
resource "aws_iam_policy_attachment" "ssl_privkey_password_access_attachment" {
  name = "${local.cluster_name}_ssl_privkey_password_access_attachment"
  roles = [
    aws_iam_role.cloud_dispatcher_iam_role.name,
    aws_iam_role.default_iam_role.name,
    # Owned by the data-storage stack; imported via remote state.
    data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name,
  ]
  policy_arn = aws_iam_policy.ssl_privkey_password_access.arn
}