### This SG should allow SSH from the dispatcher to the compute nodes
SecurityGroupIDs: ['sg-FIXMEFIXMEFIXMEFI']
SubnetID: subnet-FIXMEFIXMEFIXMEFI
- IAMInstanceProfile: __CLUSTER__-keepstore-00-iam-role
+ IAMInstanceProfile: __CLUSTER__-compute-node-00-iam-role
DispatchPrivateKey: |
-----BEGIN OPENSSH PRIVATE KEY-----
Read https://doc.arvados.org/install/crunch2-cloud/install-compute-node.html#sshkeypair
assume_role_policy = "${file("../assumerolepolicy.json")}"
}
+resource "aws_iam_role" "compute_node_iam_role" {
+ name = "${local.cluster_name}-compute-node-00-iam-role"
+ assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
resource "aws_iam_policy" "s3_full_access" {
name = "${local.cluster_name}_s3_full_access"
policy = jsonencode({
resource "aws_iam_policy_attachment" "s3_full_access_policy_attachment" {
name = "${local.cluster_name}_s3_full_access_attachment"
- roles = [ aws_iam_role.keepstore_iam_role.name ]
+ roles = [
+ aws_iam_role.keepstore_iam_role.name,
+ aws_iam_role.compute_node_iam_role.name,
+ ]
policy_arn = aws_iam_policy.s3_full_access.arn
}
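Review bot: Listing `aws_iam_role.compute_node_iam_role.name` in the `s3_full_access` attachment extends whatever that policy grants to every compute node, and the `policy` body that sets its Resource scope (L18) is outside this hunk, so the effective scope cannot be confirmed here; if compute nodes execute user-submitted containers, as the role name suggests, a container escape now reaches the same S3 access keepstore has. A comment on the `roles` list stating why compute nodes need it, e.g. `# compute nodes also need the keep bucket: <REASON-FIXME>; keep this policy scoped to that bucket only`, would make the grant reviewable. Note also that `aws_iam_policy_attachment` is exclusive: any role, user or group holding this policy outside this resource is detached on apply, whereas `aws_iam_role_policy_attachment` is additive.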
value = aws_iam_role.keepstore_iam_role.name
}
+output "compute_node_iam_role_name" {
+ value = aws_iam_role.compute_node_iam_role.name
+}
+
output "use_external_db" {
value = var.use_external_db
}
\ No newline at end of file
ssl_password_secret_name = "${local.cluster_name}-${var.ssl_password_secret_name_suffix}"
instance_ami_id = var.instance_ami != "" ? var.instance_ami : data.aws_ami.debian-11.image_id
custom_tags = data.terraform_remote_state.vpc.outputs.custom_tags
+ compute_node_iam_role_name = data.terraform_remote_state.data-storage.outputs.compute_node_iam_role_name
}
role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
}
+resource "aws_iam_instance_profile" "compute_node_instance_profile" {
+ name = "${local.cluster_name}-compute-node-00-iam-role"
+ role = local.compute_node_iam_role_name
+}
+
resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
name = "${local.cluster_name}_dispatcher_instance_profile"
role = aws_iam_role.cloud_dispatcher_iam_role.name
}
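Review bot: The profile name at L46 reuses the role name (`${local.cluster_name}-compute-node-00-iam-role`) rather than the `_instance_profile` pattern the dispatcher profile follows on L51, and that is not accidental: it must match the `IAMInstanceProfile` value in the compute-node config (`__CLUSTER__-compute-node-00-iam-role` on L5). A comment on the `name` line, `# must match IAMInstanceProfile in the compute node config (__CLUSTER__-compute-node-00-iam-role)`, would stop a later "consistency" rename from silently breaking node boot.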
}
+resource "aws_iam_policy" "compute_node_ebs_autoscaler" {
+ name = "${local.cluster_name}_compute_node_ebs_autoscaler"
+ policy = jsonencode({
+ Version: "2012-10-17",
+ Id: "compute-node EBS Autoscaler policy",
+ Statement: [{
+ Effect: "Allow",
+ Action: [
+ "ec2:AttachVolume",
+ "ec2:DescribeVolumeStatus",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeTags",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:DescribeVolumeAttribute",
+ "ec2:CreateVolume",
+ "ec2:DeleteVolume",
+ "ec2:CreateTags"
+ ],
+ Resource: "*"
+ }]
+ })
+}
+
+resource "aws_iam_policy_attachment" "compute_node_ebs_autoscaler_attachment" {
+ name = "${local.cluster_name}_compute_node_ebs_autoscaler_attachment"
+ roles = [ local.compute_node_iam_role_name ]
+ policy_arn = aws_iam_policy.compute_node_ebs_autoscaler.arn
+}
+
resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
name = "${local.cluster_name}_cloud_dispatcher_ec2_access"
policy = jsonencode({