X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/ae718ad33a5ec4ee88f92477f4353927e0fe9d39..aad7ebe7938a9f5cb225881a1df8746664c493e8:/tools/salt-install/terraform/aws/services/main.tf?ds=sidebyside
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index 34eba5e617..b214aeb113 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -19,10 +19,6 @@ provider "aws" {
 }
 }
-locals {
- pubkey_path = pathexpand(var.pubkey_path)
- pubkey_name = "arvados-deployer-key"
-}
 resource "aws_key_pair" "deployer" {
 key_name = local.pubkey_name
 public_key = file(local.pubkey_path)
@@ -38,8 +34,18 @@ resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
 role = aws_iam_role.cloud_dispatcher_iam_role.name
 }
+resource "aws_secretsmanager_secret" "ssl_password_secret" {
+ name = local.ssl_password_secret_name
+ recovery_window_in_days = 0
+}
+
+resource "aws_iam_instance_profile" "default_instance_profile" {
+ name = "${local.cluster_name}_default_instance_profile"
+ role = aws_iam_role.default_iam_role.name
+}
+
 resource "aws_instance" "arvados_service" {
- for_each = toset(local.hostnames)
+ for_each = toset(concat(local.public_hosts, local.private_hosts))
 ami = data.aws_ami.debian-11.image_id
 instance_type = var.default_instance_type
 key_name = local.pubkey_name
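Review bot: `recovery_window_in_days = 0` on the new `aws_secretsmanager_secret.ssl_password_secret` makes a `terraform destroy`, or any forced replacement of the resource, an immediate and unrecoverable deletion of the secret, and the hunk gives no reason for opting out of the default recovery window. If that is deliberate, record it next to the argument, e.g. `# Skip the recovery window: the SSL key password is regenerated by the installer, so a deleted secret is not a loss` adjusted to the actual reason; otherwise drop the argument or use the minimum non-zero window of 7 days. The secret's value is not set in this hunk, so I cannot tell from here whether it is reproducible.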
@@ -47,10 +53,10 @@ resource "aws_instance" "arvados_service" {
 "hostname": each.value
 })
 private_ip = local.private_ip[each.value]
- subnet_id = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
+ subnet_id = contains(local.user_facing_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id
 vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
 # This should be done in a more readable way
- iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : ""
+ iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
 tags = {
 Name = "arvados_service_${each.value}"
 }
@@ -77,7 +83,6 @@ resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
 Statement: [{
 Effect: "Allow",
 Action: [
- "iam:PassRole",
 "ec2:DescribeKeyPairs",
 "ec2:ImportKeyPair",
 "ec2:RunInstances",
@@ -86,6 +91,13 @@ resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
 "ec2:TerminateInstances"
 ],
 Resource: "*"
+ },
+ {
+ Effect: "Allow",
+ Action: [
+ "iam:PassRole",
+ ],
+ Resource: "arn:aws:iam::*:role/${aws_iam_instance_profile.keepstore_instance_profile.name}"
 }]
 })
 }
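Review bot: The new `subnet_id` line keys the public/private subnet choice off `local.user_facing_hosts`, while instance creation keys off `local.public_hosts`/`local.private_hosts` and the EIP association in the last hunk off `local.public_hosts`; unless `user_facing_hosts` and `public_hosts` are the same list (neither local is visible here), a host in `public_hosts` but not in `user_facing_hosts` lands in the private subnet yet gets an Elastic IP associated, and the reverse sits in the public subnet with no EIP. Using one local on both sides, e.g. `subnet_id = contains(local.public_hosts, each.value) ? data.terraform_remote_state.vpc.outputs.public_subnet_id : data.terraform_remote_state.vpc.outputs.private_subnet_id`, or deriving one list from the other, keeps placement and addressing in step. The `iam_instance_profile` line extends the nested ternary that the existing comment already flags; a lookup over a local keyed by hostname, `lookup(local.instance_profiles, each.value, aws_iam_instance_profile.default_instance_profile.name)`, would read better and make the next profile a one-line addition. The enclosing `aws_instance` block starts outside the hunk.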
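Review bot: The new `iam:PassRole` statement names the instance profile on its `Resource:` line, but PassRole is evaluated against the ARN of the IAM role the profile wraps, so this grant only works if the keepstore role happens to share the profile's name; if it does not, the dispatcher's RunInstances with that profile is denied while the policy looks correct. Referencing the profile's role attribute removes the coincidence: `Resource: "arn:aws:iam::*:role/${aws_iam_instance_profile.keepstore_instance_profile.role}"` (the last hunk also exposes the same name as `data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name`). Narrowing the grant from the wildcard removed in the preceding hunk is the right direction; the `*` left in the account position still matches a same-named role in any account, so if the module already has an `aws_caller_identity` data source, its `account_id` would pin it. The `jsonencode` block this statement belongs to starts outside the hunk.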
@@ -102,7 +114,36 @@ resource "aws_iam_policy_attachment" "cloud_dispatcher_ec2_access_attachment" {
 }
 resource "aws_eip_association" "eip_assoc" {
- for_each = toset(local.hostnames)
+ for_each = local.private_only ? [] : toset(local.public_hosts)
 instance_id = aws_instance.arvados_service[each.value].id
 allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
 }
+
+resource "aws_iam_role" "default_iam_role" {
+ name = "${local.cluster_name}-default-iam-role"
+ assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
+resource "aws_iam_policy" "ssl_privkey_password_access" {
+ name = "${local.cluster_name}_ssl_privkey_password_access"
+ policy = jsonencode({
+ Version: "2012-10-17",
+ Statement: [{
+ Effect: "Allow",
+ Action: "secretsmanager:GetSecretValue",
+ Resource: "${aws_secretsmanager_secret.ssl_password_secret.arn}"
+ }]
+ })
+}
+
+# Every service node needs access to the SSL privkey password secret for
+# nginx to be able to use it.
+resource "aws_iam_policy_attachment" "ssl_privkey_password_access_attachment" {
+ name = "${local.cluster_name}_ssl_privkey_password_access_attachment"
+ roles = [
+ aws_iam_role.cloud_dispatcher_iam_role.name,
+ aws_iam_role.default_iam_role.name,
+ data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name,
+ ]
+ policy_arn = aws_iam_policy.ssl_privkey_password_access.arn
+}
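Review bot: `for_each = local.private_only ? [] : toset(local.public_hosts)` puts an empty tuple and a set of strings in the two arms of the conditional; Terraform has to unify the arms to one type and `for_each` rejects a tuple, so `for_each = toset(local.private_only ? [] : local.public_hosts)` is the safer form whether or not the version in use happens to accept the current one. `assume_role_policy = "${file("../assumerolepolicy.json")}"` wraps a single call in legacy interpolation; `assume_role_policy = file("../assumerolepolicy.json")` is the 0.12+ idiom and matches `file(local.pubkey_path)` earlier in this file. `aws_iam_policy_attachment` also takes exclusive ownership of every attachment of `ssl_privkey_password_access`, so an attachment added later from the data-storage state or by an operator would be silently detached on the next apply; one `aws_iam_role_policy_attachment` per role, which the provider documentation recommends for this reason, avoids that.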