20035: Manages AWS secret and gives read access to service nodes.
authorLucas Di Pentima <lucas.dipentima@curii.com>
Mon, 6 Feb 2023 18:00:01 +0000 (15:00 -0300)
committerLucas Di Pentima <lucas.dipentima@curii.com>
Fri, 10 Feb 2023 18:22:11 +0000 (15:22 -0300)
The secret's value will have to be set manually by the operator, so that
no traces of it are kept on disk.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

tools/salt-install/terraform/aws/services/locals.tf
tools/salt-install/terraform/aws/services/main.tf
tools/salt-install/terraform/aws/services/outputs.tf
tools/salt-install/terraform/aws/services/terraform.tfvars
tools/salt-install/terraform/aws/services/variables.tf

index 80dc33784226f1af38e4ea840ab57405c9e3644b..6a81967cf1eb5c1174c2ba623f4e82af7537ea1e 100644 (file)
@@ -8,5 +8,8 @@ locals {
   use_external_db = data.terraform_remote_state.data-storage.outputs.use_external_db
   public_ip = data.terraform_remote_state.vpc.outputs.public_ip
   private_ip = data.terraform_remote_state.vpc.outputs.private_ip
+  pubkey_path = pathexpand(var.pubkey_path)
+  pubkey_name = "arvados-deployer-key"
   hostnames = [ for hostname, eip_id in data.terraform_remote_state.vpc.outputs.eip_id: hostname ]
+  ssl_password_secret_name = "${local.cluster_name}-${var.ssl_password_secret_name_suffix}"
 }
index 34eba5e6170c05c4ca37fe8d4239a45a3828df11..9c27b9726cc7507b4827fc5646f3a746564be710 100644 (file)
@@ -19,10 +19,6 @@ provider "aws" {
   }
 }
 
-locals {
-  pubkey_path = pathexpand(var.pubkey_path)
-  pubkey_name = "arvados-deployer-key"
-}
 resource "aws_key_pair" "deployer" {
   key_name = local.pubkey_name
   public_key = file(local.pubkey_path)
@@ -38,6 +34,15 @@ resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
   role = aws_iam_role.cloud_dispatcher_iam_role.name
 }
 
+resource "aws_secretsmanager_secret" "ssl_password_secret" {
+  name = local.ssl_password_secret_name
+}
+
+resource "aws_iam_instance_profile" "default_instance_profile" {
+  name = "${local.cluster_name}_default_instance_profile"
+  role = aws_iam_role.default_iam_role.name
+}
+
 resource "aws_instance" "arvados_service" {
   for_each = toset(local.hostnames)
   ami = data.aws_ami.debian-11.image_id
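Review bot: The `aws_secretsmanager_secret` block creates only the container and nothing in the code says that the value is deliberately left for the operator, which a later maintainer may "fix" by adding an `aws_secretsmanager_secret_version` with the password in state; the intent from the commit message belongs above the resource: `# Only the secret container is managed here. The operator sets the value out of band so the password never lands in Terraform state or on disk.`. Note also that a secret removed with `terraform destroy` is by default scheduled for deletion with a recovery window, so re-creating the same name shortly afterwards fails until the window elapses; if that matters for this deployment flow, `recovery_window_in_days` should be set explicitly and the choice documented. The `aws_instance` resource opened at the bottom of this hunk continues outside it.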
@@ -50,7 +55,7 @@ resource "aws_instance" "arvados_service" {
   subnet_id = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
   vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
   # This should be done in a more readable way
-  iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : ""
+  iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
   tags = {
     Name = "arvados_service_${each.value}"
   }
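Review bot: With the fallback to `default_instance_profile` every service node now carries IAM credentials reachable through the instance metadata endpoint, and the resource does not restrict how that endpoint is reached; adding `metadata_options { http_tokens = "required" }` to `aws_instance.arvados_service` enforces IMDSv2 so the role credentials cannot be read by a plain unauthenticated metadata request from a compromised or confused process on the node. The nested ternary on the `iam_instance_profile` line also keeps the pre-existing "should be done in a more readable way" comment; a `lookup` over a small map keyed by node class would make the three cases explicit. The enclosing `aws_instance` resource starts and ends outside this hunk.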
@@ -106,3 +111,32 @@ resource "aws_eip_association" "eip_assoc" {
   instance_id = aws_instance.arvados_service[each.value].id
   allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
 }
+
+resource "aws_iam_role" "default_iam_role" {
+  name = "${local.cluster_name}-default-iam-role"
+  assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
+resource "aws_iam_policy" "ssl_privkey_password_access" {
+  name = "${local.cluster_name}_ssl_privkey_password_access"
+  policy = jsonencode({
+    Version: "2012-10-17",
+    Statement: [{
+      Effect: "Allow",
+      Action: "secretsmanager:GetSecretValue",
+      Resource: "${aws_secretsmanager_secret.ssl_password_secret.arn}"
+    }]
+  })
+}
+
+# Every service node needs access to the SSL privkey password secret for
+# nginx to be able to use it.
+resource "aws_iam_policy_attachment" "ssl_privkey_password_access_attachment" {
+  name = "${local.cluster_name}_ssl_privkey_password_access_attachment"
+  roles = [
+    aws_iam_role.cloud_dispatcher_iam_role.name,
+    aws_iam_role.default_iam_role.name,
+    data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name,
+  ]
+  policy_arn = aws_iam_policy.ssl_privkey_password_access.arn
+}
index 84568761331ce93fa7056913e7116449faaca27b..0c29420e80f09bca5b59a9fefa61bca37b64d652 100644 (file)
@@ -58,3 +58,7 @@ output "deploy_user" {
 output "region_name" {
   value = data.terraform_remote_state.vpc.outputs.region_name
 }
+
+output "ssl_password_secret_name" {
+  value = aws_secretsmanager_secret.ssl_password_secret.name
+}
\ No newline at end of file
index 374ecbe08e3bc82860f2a54d162f17a00fa48edb..79f3dc3188e3b99c5d63aea34cfdffa95fc06d0a 100644 (file)
@@ -7,3 +7,7 @@
 
 # Set the instance type for your hosts. Default: m5a.large
 # default_instance_type = "t2.micro"
+
+# AWS secret's name which holds the SSL certificate private key's password.
+# Default: "arvados-ssl-privkey-password"
+# ssl_password_secret_name_suffix = "some-name-suffix"
\ No newline at end of file
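Review bot: The new comment describes the variable as "AWS secret's name", but `ssl_password_secret_name_suffix` is only the suffix; the secret actually created is `<cluster_name>-<suffix>` (see `ssl_password_secret_name` in locals.tf), which is what the operator must look up when setting the value by hand. Suggested wording: `# Name suffix of the AWS Secrets Manager secret holding the SSL certificate private key's password; the full name is "<cluster_name>-<suffix>". Default: "arvados-ssl-privkey-password"`.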
index 89b1886c19a44416505227bd84afcc46b0f2857e..e520a9ab895f03412b6b15484f3eedb5c43cb034 100644 (file)
@@ -13,3 +13,9 @@ variable "pubkey_path" {
   type = string
   default = "~/.ssh/id_rsa.pub"
 }
+
+variable "ssl_password_secret_name_suffix" {
+  description = "Name suffix for the SSL certificate's private key password AWS secret."
+  type = string
+  default = "arvados-ssl-privkey-password"
+}
\ No newline at end of file