tools/salt-install/terraform/aws/data-storage/main.tf

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: CC-BY-SA-3.0
   4
   5 terraform {
   6   required_version = "~> 1.3.0"
   7   required_providers {
   8     aws = {
   9       source = "hashicorp/aws"
  10       version = "~> 4.38.0"
  11     }
  12   }
  13 }
  14
  15 provider "aws" {
  16   region = local.region_name
  17   default_tags {
  18     tags = merge(local.custom_tags, {
  19       Arvados = local.cluster_name
  20       Terraform = true
  21     })
  22   }
  23 }
  24
  25 # S3 bucket and access resources for Keep blocks
  26 resource "aws_s3_bucket" "keep_volume" {
  27   bucket = "${local.cluster_name}-nyw5e-000000000000000-volume"
  28 }
  29
  30 resource "aws_iam_role" "keepstore_iam_role" {
  31   name = "${local.cluster_name}-keepstore-00-iam-role"
  32   assume_role_policy = "${file("../assumerolepolicy.json")}"
  33 }
  34
  35 resource "aws_iam_role" "compute_node_iam_role" {
  36   name = "${local.cluster_name}-compute-node-00-iam-role"
  37   assume_role_policy = "${file("../assumerolepolicy.json")}"
  38 }
  39
  40 resource "aws_iam_policy" "s3_full_access" {
  41   name = "${local.cluster_name}_s3_full_access"
  42   policy = jsonencode({
  43     Version: "2012-10-17",
  44     Id: "arvados-keepstore policy",
  45     Statement: [{
  46       Effect: "Allow",
  47       Action: [
  48         "s3:*",
  49       ],
  50       Resource: [
  51         "arn:aws:s3:::${local.cluster_name}-nyw5e-000000000000000-volume",
  52         "arn:aws:s3:::${local.cluster_name}-nyw5e-000000000000000-volume/*"
  53       ]
  54     }]
  55   })
  56 }
  57
  58 resource "aws_iam_policy_attachment" "s3_full_access_policy_attachment" {
  59   name = "${local.cluster_name}_s3_full_access_attachment"
  60   roles = [
  61     aws_iam_role.keepstore_iam_role.name,
  62     aws_iam_role.compute_node_iam_role.name,
  63   ]
  64   policy_arn = aws_iam_policy.s3_full_access.arn
  65 }
  66