1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: CC-BY-SA-3.0
4
# Provider requirements for this root module.
# NOTE(review): no `version` constraint is set for the aws provider, so each
# `terraform init` resolves the newest release available; pin it to the tested
# range (version = "~> <MAJOR.MINOR>", placeholder) once that version is known.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}
12
# AWS provider configuration. local.region_name and local.cluster_name are
# declared elsewhere in this module.
provider "aws" {
  region = local.region_name

  # Every resource this provider creates carries an "Arvados" tag holding the
  # cluster name, so deployment resources stay attributable in the account.
  default_tags {
    tags = { Arvados = local.cluster_name }
  }
}
21
# Deployer SSH key: the public-key file named by var.pubkey_path ("~" expanded)
# and the name the EC2 key pair is registered under.
locals {
  pubkey_name = "arvados-deployer-key"
  pubkey_path = pathexpand(var.pubkey_path)
}
# Registers the deployer's public key with EC2; the service instances below
# reference it by name. Only the public half is read here, so no private key
# material enters the Terraform state.
resource "aws_key_pair" "deployer" {
  public_key = file(local.pubkey_path)
  key_name   = local.pubkey_name
}
30
# Instance profile for the keep<N> hosts, wrapping the IAM role that the
# data-storage module exports through its remote state.
resource "aws_iam_instance_profile" "keepstore_instance_profile" {
  role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
  name = "${local.cluster_name}-keepstore-00-iam-role"
}
35
# Instance profile for the controller host, wrapping the cloud dispatcher role
# declared further down in this file.
resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
  role = aws_iam_role.cloud_dispatcher_iam_role.name
  name = "${local.cluster_name}_dispatcher_instance_profile"
}
40
# One EC2 instance per entry in local.hostnames (declared elsewhere in this
# module), all built from the AMI selected by data.aws_ami.debian-11 and
# bootstrapped by user_data.sh.
resource "aws_instance" "arvados_service" {
  for_each = toset(local.hostnames)

  ami           = data.aws_ami.debian-11.image_id
  instance_type = var.default_instance_type
  key_name      = local.pubkey_name
  private_ip    = local.private_ip[each.value]

  # Bootstrap script; the hostname is the only template variable it receives.
  user_data = templatefile("user_data.sh", { hostname = each.value })

  # Network placement comes from the vpc module's remote state.
  subnet_id              = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
  vpc_security_group_ids = [data.terraform_remote_state.vpc.outputs.arvados_sg_id]

  # Only two kinds of host get AWS credentials: "controller" receives the
  # dispatcher profile and any "keep<N>" host receives the keepstore profile.
  # Every other host gets no instance profile at all, which keeps the
  # credential footprint minimal.
  # This should be done in a more readable way
  iam_instance_profile = (
    each.value == "controller"
    ? aws_iam_instance_profile.dispatcher_instance_profile.name
    : length(regexall("^keep[0-9]+", each.value)) > 0
    ? aws_iam_instance_profile.keepstore_instance_profile.name
    : ""
  )

  tags = { Name = "arvados_service_${each.value}" }

  # The controller gets a larger root volume unless local.use_external_db is
  # set (presumably because it then hosts the database itself — verify).
  # NOTE(review): the root volume is not marked `encrypted = true`; turning it
  # on forces instance replacement, so schedule it as a deliberate change.
  root_block_device {
    volume_type = "gp3"
    volume_size = (each.value == "controller" && !local.use_external_db) ? 70 : 20
  }

  # NOTE(review): there is no metadata_options block, so IMDSv1 remains
  # reachable on these hosts. Adding `http_tokens = "required"` (IMDSv2 only)
  # is worth doing once it is confirmed that user_data.sh and the installed
  # services do not depend on v1 — TODO confirm.
  lifecycle {
    ignore_changes = [
      # Avoids recreating the instance when the latest AMI changes.
      # Use 'terraform taint' or 'terraform apply -replace' to force
      # an AMI change.
      ami,
    ]
  }
}
71
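# IAM policy for arvados-dispatch-cloud: the EC2 calls needed to launch, tag,
# inspect and terminate compute instances, plus the role hand-off those
# instances need.
resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
  name = "${local.cluster_name}_cloud_dispatcher_ec2_access"
  policy = jsonencode({
    Version: "2012-10-17",
    Id: "arvados-dispatch-cloud policy",
    Statement: [
      {
        # EC2 actions stay on "*": RunInstances/CreateTags/TerminateInstances
        # are hard to scope by ARN at this layer and the Describe* calls are
        # account-wide by nature.
        Effect: "Allow",
        Action: [
          "ec2:DescribeKeyPairs",
          "ec2:ImportKeyPair",
          "ec2:RunInstances",
          "ec2:DescribeInstances",
          "ec2:CreateTags",
          "ec2:TerminateInstances"
        ],
        Resource: "*"
      },
      {
        # Unrestricted iam:PassRole would let this identity launch an instance
        # carrying any role in the account (a privilege-escalation path). The
        # dispatcher only ever hands a role to EC2, so the pass is limited to
        # that service. Narrowing Resource to the compute-node role ARN is the
        # next step once that ARN is exported to this module.
        Effect: "Allow",
        Action: "iam:PassRole",
        Resource: "*",
        Condition: {
          StringEquals: {
            "iam:PassedToService": "ec2.amazonaws.com"
          }
        }
      }
    ]
  })
}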
92
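# Role assumed by the controller's cloud dispatcher instance. The trust policy
# is read from ../assumerolepolicy.json; note that file() resolves a relative
# path against the directory terraform is run from, not this file's location.
resource "aws_iam_role" "cloud_dispatcher_iam_role" {
  name = "${local.cluster_name}-dispatcher-00-iam-role"
  # Plain function call rather than the legacy "${file(...)}" interpolation-only
  # wrapper, which current Terraform releases warn about.
  assume_role_policy = file("../assumerolepolicy.json")
}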
97
# Attaches the dispatcher EC2 policy to the dispatcher role.
# NOTE(review): aws_iam_policy_attachment is exclusive — it detaches the policy
# from every role, user and group not listed here on each apply. That is
# harmless while this is the policy's only consumer, but the per-role
# aws_iam_role_policy_attachment resource is the safer choice; switching
# changes the resource address, so it needs a state move.
resource "aws_iam_policy_attachment" "cloud_dispatcher_ec2_access_attachment" {
  policy_arn = aws_iam_policy.cloud_dispatcher_ec2_access.arn
  roles      = [aws_iam_role.cloud_dispatcher_iam_role.name]
  name       = "${local.cluster_name}_cloud_dispatcher_ec2_access_attachment"
}
103
# Binds each service instance to the Elastic IP the vpc module allocated for
# its hostname (looked up by the same key used for the instance).
resource "aws_eip_association" "eip_assoc" {
  for_each = toset(local.hostnames)

  allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
  instance_id   = aws_instance.arvados_service[each.value].id
}
108 }