- allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
- # private_ip_address = local.private_ip[each.value]
+ allocation_id = local.eip_id[each.value]
+}
+
+resource "aws_iam_role" "default_iam_role" {
+ name = "${local.cluster_name}-default-iam-role"
+ assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
+resource "aws_iam_policy" "ssl_privkey_password_access" {
+ name = "${local.cluster_name}_ssl_privkey_password_access"
+ policy = jsonencode({
+ Version: "2012-10-17",
+ Statement: [{
+ Effect: "Allow",
+ Action: "secretsmanager:GetSecretValue",
+ Resource: "${aws_secretsmanager_secret.ssl_password_secret.arn}"
+ }]
+ })
+}
+
+# Every service node needs access to the SSL privkey password secret for
+# nginx to be able to use it.
+resource "aws_iam_policy_attachment" "ssl_privkey_password_access_attachment" {
+ name = "${local.cluster_name}_ssl_privkey_password_access_attachment"
+ roles = [
+ aws_iam_role.cloud_dispatcher_iam_role.name,
+ aws_iam_role.default_iam_role.name,
+ local.keepstore_iam_role_name,
+ ]
+ policy_arn = aws_iam_policy.ssl_privkey_password_access.arn