20482: Adds proper compute node instance profile instead of using keepstore's.
[arvados.git] / tools / salt-install / terraform / aws / data-storage / main.tf
index 6f7e233fd8c9125adc96a2a3c794bb6c03112c3f..85a67ef4dc23997c66bd8086943bcaa49da31211 100644 (file)
@@ -13,9 +13,10 @@ terraform {
 provider "aws" {
   region = local.region_name
   default_tags {
-    tags = {
+    tags = merge(local.custom_tags, {
       Arvados = local.cluster_name
-    }
+      Terraform = true
+    })
   }
 }
 
@@ -29,6 +30,11 @@ resource "aws_iam_role" "keepstore_iam_role" {
   assume_role_policy = "${file("../assumerolepolicy.json")}"
 }
 
+resource "aws_iam_role" "compute_node_iam_role" {
+  name = "${local.cluster_name}-compute-node-00-iam-role"
+  assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
 resource "aws_iam_policy" "s3_full_access" {
   name = "${local.cluster_name}_s3_full_access"
   policy = jsonencode({
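Review bot: The new `compute_node_iam_role` takes its trust policy from the same `../assumerolepolicy.json` as the keepstore role, and that file is not part of this diff. Who may assume the compute role therefore cannot be checked from the hunk. It is worth confirming that the document names only the EC2 service principal and nothing broader. The path is also resolved against the directory Terraform is run from, and the `"${...}"` wrapper around a single expression is redundant; `assume_role_policy = file("${path.module}/../assumerolepolicy.json")` would be independent of the working directory. The `-00-` in the role name is hard-coded, so a short comment saying what the index stands for would help the next reader.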
@@ -49,7 +55,10 @@ resource "aws_iam_policy" "s3_full_access" {
 
 resource "aws_iam_policy_attachment" "s3_full_access_policy_attachment" {
   name = "${local.cluster_name}_s3_full_access_attachment"
-  roles = [ aws_iam_role.keepstore_iam_role.name ]
+  roles = [
+    aws_iam_role.keepstore_iam_role.name,
+    aws_iam_role.compute_node_iam_role.name,
+  ]
   policy_arn = aws_iam_policy.s3_full_access.arn
 }
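Review bot: Adding `aws_iam_role.compute_node_iam_role.name` to `roles` gives compute nodes the same `s3_full_access` policy as keepstore, so the separate role does not yet narrow what a compute node's instance credentials can do in S3. The policy statements are outside this hunk, but if they grant what the name suggests, the compute role would be better served by its own policy limited to the actions and bucket ARNs it actually needs. Separately, `aws_iam_policy_attachment` is an exclusive attachment: on apply it detaches the policy from any user, group or role not listed here, including ones attached outside this configuration. One `aws_iam_role_policy_attachment` per role, each with `role = aws_iam_role.<name>.name` and its own `policy_arn`, avoids that and lets the two roles diverge later.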