20482: Extracts DNS aliases map as configurable variables.
[arvados.git] / tools / salt-install / terraform / aws / data-storage / main.tf
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: CC-BY-SA-3.0
4
# Provider requirements for this module: only the AWS provider, fetched from
# the hashicorp namespace of the default registry.
# NOTE(review): no `version` constraint is given here, so the provider version
# that gets installed is decided by the dependency lock file
# (.terraform.lock.hcl) when one is committed, and by "latest" otherwise.
# Confirm a lock file is tracked for this directory.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}
12
# AWS provider configuration. Region, cluster name and custom tags come from
# `local` values defined outside this file.
provider "aws" {
  region = local.region_name

  # Tags applied by default to the resources this provider creates.
  # merge() gives precedence to later arguments, so the Arvados and Terraform
  # keys below override same-named keys coming from local.custom_tags.
  default_tags {
    tags = merge(
      local.custom_tags,
      {
        Arvados   = local.cluster_name
        Terraform = true
      }
    )
  }
}
22
# S3 bucket that stores Keep blocks; the IAM role and policy further down in
# this file grant keepstore access to it.
# NOTE(review): only the bucket name is set here. Public-access blocking,
# server-side encryption and versioning are not configured in this file, so
# they fall back to whatever the AWS account and service defaults are, unless
# they are set elsewhere in the project. Confirm that is intended for block
# storage.
resource "aws_s3_bucket" "keep_volume" {
  bucket = "${local.cluster_name}-nyw5e-000000000000000-volume"
}
27
# IAM role for keepstore. The trust policy (which principals may assume the
# role) is read from ../assumerolepolicy.json, a file outside this listing;
# review its Principal together with the permissions attached to this role.
# NOTE(review): the path is relative, presumably to the directory Terraform is
# run from. Confirm it resolves to the intended file in every invocation.
resource "aws_iam_role" "keepstore_iam_role" {
  name               = "${local.cluster_name}-keepstore-00-iam-role"
  assume_role_policy = file("../assumerolepolicy.json")
}
32
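# Identity policy that allows S3 actions on the Keep volume bucket and on the
# objects inside it. It is attached to the keepstore role elsewhere in this
# file.
resource "aws_iam_policy" "s3_full_access" {
  name = "${local.cluster_name}_s3_full_access"
  policy = jsonencode({
    Version: "2012-10-17",
    Id: "arvados-keepstore policy",
    Statement: [{
      Effect: "Allow",
      # NOTE(review): "s3:*" allows every S3 action on this bucket, including
      # bucket-level ones such as s3:DeleteBucket and s3:PutBucketPolicy, not
      # just object reads and writes. If keepstore only needs to list, read,
      # write and delete blocks, narrowing the list would limit what a
      # compromised keepstore node can do to the bucket. Confirm the
      # required set against keepstore before changing it.
      Action: [
        "s3:*",
      ],
      # Derive both ARNs from the bucket resource instead of repeating its
      # name, so the policy cannot drift from the bucket it is meant to cover
      # and Terraform orders the policy after the bucket.
      Resource: [
        aws_s3_bucket.keep_volume.arn,
        "${aws_s3_bucket.keep_volume.arn}/*"
      ]
    }]
  })
}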
50
# Attaches the s3_full_access policy to the keepstore role.
# NOTE(review): aws_iam_policy_attachment manages a policy's attachments
# exclusively. Any user, group or role that has this policy attached outside
# this resource is detached on apply. aws_iam_role_policy_attachment is the
# non-exclusive form. Switching changes the resource address, so it needs a
# state move rather than an in-place edit.
resource "aws_iam_policy_attachment" "s3_full_access_policy_attachment" {
  name       = "${local.cluster_name}_s3_full_access_attachment"
  policy_arn = aws_iam_policy.s3_full_access.arn
  roles      = [aws_iam_role.keepstore_iam_role.name]
}
56