From 648c8c4928da80b9fb3f6a7fd41904ff017bcd44 Mon Sep 17 00:00:00 2001
From: Lucas Di Pentima
Date: Wed, 10 May 2023 17:38:48 -0300
Subject: [PATCH 1/1] 20482: Adds proper compute node instance profile instead of using keepstore's.
We first used keepstore's instance profile because compute nodes run a local keepstore now. We also need to give compute nodes permission to change resources related to the EBS Autoscaler.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima
---
 .../multi_host/aws/pillars/arvados.sls | 2 +-
 .../terraform/aws/data-storage/main.tf | 10 +++++-
 .../terraform/aws/data-storage/outputs.tf | 4 +++
 .../terraform/aws/services/locals.tf | 1 +
 .../terraform/aws/services/main.tf | 34 +++++++++++++++++++
 5 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/arvados.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/arvados.sls
index 03859c46bd..f181c874d2 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/arvados.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/arvados.sls
@@ -129,7 +129,7 @@ arvados:
 ### This SG should allow SSH from the dispatcher to the compute nodes
 SecurityGroupIDs: ['sg-FIXMEFIXMEFIXMEFI']
 SubnetID: subnet-FIXMEFIXMEFIXMEFI
- IAMInstanceProfile: __CLUSTER__-keepstore-00-iam-role
+ IAMInstanceProfile: __CLUSTER__-compute-node-00-iam-role
 DispatchPrivateKey: |
 -----BEGIN OPENSSH PRIVATE KEY-----
 Read https://doc.arvados.org/install/crunch2-cloud/install-compute-node.html#sshkeypair
diff --git a/tools/salt-install/terraform/aws/data-storage/main.tf b/tools/salt-install/terraform/aws/data-storage/main.tf
index a3ef8f010f..85a67ef4dc 100644
--- a/tools/salt-install/terraform/aws/data-storage/main.tf
+++ b/tools/salt-install/terraform/aws/data-storage/main.tf
@@ -30,6 +30,11 @@ resource "aws_iam_role" "keepstore_iam_role" {
 assume_role_policy = "${file("../assumerolepolicy.json")}"
 }
+resource "aws_iam_role" "compute_node_iam_role" {
+ name = "${local.cluster_name}-compute-node-00-iam-role"
+ assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
 resource "aws_iam_policy" "s3_full_access" {
 name = "${local.cluster_name}_s3_full_access"
 policy = jsonencode({
@@ -50,7 +55,10 @@ resource "aws_iam_policy" "s3_full_access" {
 resource "aws_iam_policy_attachment" "s3_full_access_policy_attachment" {
 name = "${local.cluster_name}_s3_full_access_attachment"
- roles = [ aws_iam_role.keepstore_iam_role.name ]
+ roles = [
+ aws_iam_role.keepstore_iam_role.name,
+ aws_iam_role.compute_node_iam_role.name,
+ ]
 policy_arn = aws_iam_policy.s3_full_access.arn
 }
diff --git a/tools/salt-install/terraform/aws/data-storage/outputs.tf b/tools/salt-install/terraform/aws/data-storage/outputs.tf
index 6298f926ad..de45aa8619 100644
--- a/tools/salt-install/terraform/aws/data-storage/outputs.tf
+++ b/tools/salt-install/terraform/aws/data-storage/outputs.tf
@@ -6,6 +6,10 @@ output "keepstore_iam_role_name" {
 value = aws_iam_role.keepstore_iam_role.name
 }
+output "compute_node_iam_role_name" {
+ value = aws_iam_role.compute_node_iam_role.name
+}
+
 output "use_external_db" {
 value = var.use_external_db
 }
\ No newline at end of file
diff --git a/tools/salt-install/terraform/aws/services/locals.tf b/tools/salt-install/terraform/aws/services/locals.tf
index abba4aab73..191b7e03e0 100644
--- a/tools/salt-install/terraform/aws/services/locals.tf
+++ b/tools/salt-install/terraform/aws/services/locals.tf
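Review bot: Adding `aws_iam_role.compute_node_iam_role.name` to the `roles` list of `s3_full_access_policy_attachment` gives every compute node — which runs user-submitted containers — the same S3 rights as keepstore, and since the body of `s3_full_access` is outside this hunk it cannot be confirmed here whether that is full access to all buckets (as the name suggests) or already limited to the Keep bucket. If it is the former, a separate policy limited to the Keep bucket and the operations the node-local keepstore needs would keep a compromised node from reaching other buckets in the account. Separately, `aws_iam_policy_attachment` is exclusive: on apply it detaches the policy from any role, user or group not listed in `roles`, so an attachment made outside Terraform is silently removed; one `aws_iam_role_policy_attachment` per role (with `role = aws_iam_role.compute_node_iam_role.name` and `policy_arn = aws_iam_policy.s3_full_access.arn`) avoids that.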
@@ -17,4 +17,5 @@ locals {
 ssl_password_secret_name = "${local.cluster_name}-${var.ssl_password_secret_name_suffix}"
 instance_ami_id = var.instance_ami != "" ? var.instance_ami : data.aws_ami.debian-11.image_id
 custom_tags = data.terraform_remote_state.vpc.outputs.custom_tags
+ compute_node_iam_role_name = data.terraform_remote_state.data-storage.outputs.compute_node_iam_role_name
 }
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index f7a2527c2c..a253ae26e8 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -25,6 +25,11 @@ resource "aws_iam_instance_profile" "keepstore_instance_profile" {
 role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
 }
+resource "aws_iam_instance_profile" "compute_node_instance_profile" {
+ name = "${local.cluster_name}-compute-node-00-iam-role"
+ role = local.compute_node_iam_role_name
+}
+
 resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
 name = "${local.cluster_name}_dispatcher_instance_profile"
 role = aws_iam_role.cloud_dispatcher_iam_role.name
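Review bot: The new `compute_node_instance_profile` is named `${local.cluster_name}-compute-node-00-iam-role`, the same string as the IAM role it wraps, while the neighbouring `dispatcher_instance_profile` uses the `_instance_profile` suffix; the pillar's `IAMInstanceProfile: __CLUSTER__-compute-node-00-iam-role` in arvados.sls is matched against this exact name, so the coupling is worth stating on the `name` line: `# Referenced verbatim as IAMInstanceProfile in config_examples/multi_host/aws/pillars/arvados.sls — change both together.` The `keepstore_instance_profile` resource this mirrors starts outside the hunk, so whether it carries a similar note cannot be seen here.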
@@ -72,6 +77,35 @@ resource "aws_instance" "arvados_service" {
 }
 }
+resource "aws_iam_policy" "compute_node_ebs_autoscaler" {
+ name = "${local.cluster_name}_compute_node_ebs_autoscaler"
+ policy = jsonencode({
+ Version: "2012-10-17",
+ Id: "compute-node EBS Autoscaler policy",
+ Statement: [{
+ Effect: "Allow",
+ Action: [
+ "ec2:AttachVolume",
+ "ec2:DescribeVolumeStatus",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeTags",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:DescribeVolumeAttribute",
+ "ec2:CreateVolume",
+ "ec2:DeleteVolume",
+ "ec2:CreateTags"
+ ],
+ Resource: "*"
+ }]
+ })
+}
+
+resource "aws_iam_policy_attachment" "compute_node_ebs_autoscaler_attachment" {
+ name = "${local.cluster_name}_compute_node_ebs_autoscaler_attachment"
+ roles = [ local.compute_node_iam_role_name ]
+ policy_arn = aws_iam_policy.compute_node_ebs_autoscaler.arn
+}
+
 resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
 name = "${local.cluster_name}_cloud_dispatcher_ec2_access"
 policy = jsonencode({
-- 
2.30.2
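Review bot: `compute_node_ebs_autoscaler` grants `ec2:DeleteVolume`, `ec2:AttachVolume`, `ec2:ModifyInstanceAttribute` and `ec2:CreateTags` on `Resource: "*"` and is attached to the role every compute node assumes, so a compromised node (they run user-submitted containers) could delete or attach volumes, and retag resources, anywhere in the account rather than only on the volumes the autoscaler created for it. The `Describe*` calls cannot be resource-scoped, but the mutating ones can be split into their own statements with conditions — `ec2:CreateAction` so tagging is only allowed as part of volume creation, and `ec2:ResourceTag/...` so only autoscaler-tagged volumes can be deleted — as sketched below, where the tag key and value are placeholders to be confirmed against what the autoscaler actually sets. `AttachVolume` and `ModifyInstanceAttribute` also name the instance, so a volume-tag condition alone would deny them; those are left unscoped in the sketch and need a separate look. `compute_node_ebs_autoscaler_attachment` uses `aws_iam_policy_attachment`, which on apply detaches the policy from any principal not listed in `roles`; `aws_iam_role_policy_attachment` avoids that.
```hcl
resource "aws_iam_policy" "compute_node_ebs_autoscaler" {
  name = "${local.cluster_name}_compute_node_ebs_autoscaler"
  policy = jsonencode({
    Version: "2012-10-17",
    Id: "compute-node EBS Autoscaler policy",
    Statement: [
      {
        # Read-only; Describe* calls cannot be resource-scoped.
        Effect: "Allow",
        Action: [
          "ec2:DescribeVolumeStatus",
          "ec2:DescribeVolumes",
          "ec2:DescribeTags",
          "ec2:DescribeVolumeAttribute"
        ],
        Resource: "*"
      },
      {
        # Tagging only as part of volume creation, not arbitrary retagging.
        Effect: "Allow",
        Action: ["ec2:CreateTags"],
        Resource: "*",
        Condition: { StringEquals: { "ec2:CreateAction": "CreateVolume" } }
      },
      {
        # Deletion only of volumes carrying the autoscaler's tag.
        # <AUTOSCALER_TAG_KEY> / <AUTOSCALER_TAG_VALUE> are placeholders — confirm
        # against the tags the autoscaler sets on the volumes it creates.
        Effect: "Allow",
        Action: ["ec2:DeleteVolume"],
        Resource: "*",
        Condition: { StringEquals: { "ec2:ResourceTag/<AUTOSCALER_TAG_KEY>": "<AUTOSCALER_TAG_VALUE>" } }
      },
      {
        # Still unscoped: these requests name the instance as well as the volume,
        # so a volume-tag condition alone would deny them; tighten separately.
        Effect: "Allow",
        Action: ["ec2:CreateVolume", "ec2:AttachVolume", "ec2:ModifyInstanceAttribute"],
        Resource: "*"
      }
    ]
  })
}
# … unchanged: compute_node_ebs_autoscaler_attachment …
```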