X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/ad17f016de2feecc24a163af77c9c9c5add7dc3b..aad7ebe7938a9f5cb225881a1df8746664c493e8:/tools/salt-install/terraform/aws/services/main.tf
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index 7ec3b954ee..b214aeb113 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -36,6 +36,7 @@ resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
 resource "aws_secretsmanager_secret" "ssl_password_secret" {
 name = local.ssl_password_secret_name
+ recovery_window_in_days = 0
 }
 resource "aws_iam_instance_profile" "default_instance_profile" {
@@ -52,7 +53,7 @@ resource "aws_instance" "arvados_service" {
 "hostname": each.value
 })
 private_ip = local.private_ip[each.value]
- subnet_id = contains(local.public_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id
+ subnet_id = contains(local.user_facing_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id
 vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
 # This should be done in a more readable way
 iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
@@ -82,7 +83,6 @@ resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
 Statement: [{
 Effect: "Allow",
 Action: [
- "iam:PassRole",
 "ec2:DescribeKeyPairs",
 "ec2:ImportKeyPair",
 "ec2:RunInstances",
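Review bot: `recovery_window_in_days = 0` on ssl_password_secret disables Secrets Manager's deletion recovery window (the default is 30 days), so a destroy or a forced replacement deletes the stored SSL password immediately with no way to restore it, and the hunk gives no hint why that is wanted. Presumably the goal is to let a re-apply re-create the secret under the same name without waiting out a pending deletion; confirm that and say so inline, e.g. `# 0 = delete immediately instead of the default 30-day recovery window, so the secret can be re-created under the same name; the stored password is unrecoverable once destroyed.` If the password is not regenerated on every apply, consider whether a non-zero window is the safer default.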
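Review bot: The subnet choice on the new subnet_id line keys on `local.user_facing_hosts`, but the eip_assoc hunk later in this diff still iterates `local.public_hosts`, so if those two locals ever differ a host is placed in the public subnet without an Elastic IP, or gets an EIP while sitting in the private subnet; neither local is defined in the visible hunks, so confirm they are meant to diverge. The line also does not consult `local.private_only`, which the eip_assoc hunk does — presumably `user_facing_hosts` is already empty in that mode, but that is not visible here. A short comment above subnet_id naming which hosts are expected to be user-facing and why they get the public subnet would make the intent checkable.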
@@ -91,6 +91,13 @@ resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
 "ec2:TerminateInstances"
 ],
 Resource: "*"
+ },
+ {
+ Effect: "Allow",
+ Action: [
+ "iam:PassRole",
+ ],
+ Resource: "arn:aws:iam::*:role/${aws_iam_instance_profile.keepstore_instance_profile.name}"
 }]
 })
 }
@@ -107,7 +114,7 @@ resource "aws_iam_policy_attachment" "cloud_dispatcher_ec2_access_attachment" {
 }
 resource "aws_eip_association" "eip_assoc" {
- for_each = toset(local.public_hosts)
+ for_each = local.private_only ? [] : toset(local.public_hosts)
 instance_id = aws_instance.arvados_service[each.value].id
 allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
 }
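Review bot: The Resource of the added PassRole statement is built from the instance profile's name, but iam:PassRole is matched against the IAM role ARN, so this only works while the role behind keepstore_instance_profile happens to share the profile's name; reference the role directly instead, e.g. `Resource: aws_iam_role.<keepstore-role>.arn` (the role resource is not in this hunk). The hard-coded `arn:aws:iam::*:role/` prefix also admits any account and only the `aws` partition; `data.aws_caller_identity` and `data.aws_partition` would pin both. Since the dispatcher only needs to hand this role to EC2, a `Condition: { StringEquals: { "iam:PassedToService": "ec2.amazonaws.com" } }` on the statement would narrow it further. The wildcard PassRole removed in the earlier `-82,7` hunk is the counterpart of this statement.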
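Review bot: The new for_each mixes an empty tuple (`[]`) with a set of strings in a conditional; Terraform requires both branches to unify to one type and requires for_each to receive a map or a set of strings, and depending on the Terraform version this either fails type-checking or yields a list that for_each rejects. `for_each = toset(local.private_only ? [] : local.public_hosts)` keeps a single conversion and satisfies both constraints. Whether `local.public_hosts` is already empty when private_only is set is not visible here; if it is, the conditional is redundant and the subnet_id hunk above should be kept in step with it.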