modules/aws: Add IAM module

This adds an IAM Terraform module to provide a place for IAM resources that don't fit elsewhere. The immediate need is to create the IAM role and profile for worker nodes now that the larger worker module has been removed: #119
openshift · Sep 17, 2018 · 97dd926 · 97dd926
1 parent a6fbe17
commit 97dd926
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 0 deletions.
diff --git a/modules/aws/iam/main.tf b/modules/aws/iam/main.tf
@@ -0,0 +1,80 @@
+locals {
+  arn = "aws"
+}
+
+resource "aws_iam_instance_profile" "worker" {
+  name = "${var.cluster_name}-worker-profile"
+
+  role = "${var.worker_iam_role == "" ?
+    join("|", aws_iam_role.worker_role.*.name) :
+    join("|", data.aws_iam_role.worker_role.*.name)
+  }"
+}
+
+data "aws_iam_role" "worker_role" {
+  count = "${var.worker_iam_role == "" ? 0 : 1}"
+  name  = "${var.worker_iam_role}"
+}
+
+resource "aws_iam_role" "worker_role" {
+  count = "${var.worker_iam_role == "" ? 1 : 0}"
+  name  = "${var.cluster_name}-worker-role"
+  path  = "/"
+
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+                "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "worker_policy" {
+  count = "${var.worker_iam_role == "" ? 1 : 0}"
+  name  = "${var.cluster_name}_worker_policy"
+  role  = "${aws_iam_role.worker_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "ec2:Describe*",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "ec2:AttachVolume",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "ec2:DetachVolume",
+      "Resource": "*"
+    },
+    {
+      "Action": "elasticloadbalancing:*",
+      "Resource": "*",
+      "Effect": "Allow"
+    },
+    {
+      "Action" : [
+        "s3:GetObject"
+      ],
+      "Resource": "arn:${local.arn}:s3:::*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
diff --git a/modules/aws/iam/variables.tf b/modules/aws/iam/variables.tf
@@ -0,0 +1,5 @@
+variable "worker_iam_role" {
+  type        = "string"
+  default     = ""
+  description = "IAM role to use for the instance profiles of worker nodes."
+}
diff --git a/steps/infra/aws/main.tf b/steps/infra/aws/main.tf
@@ -41,6 +41,12 @@ module "masters" {
   user_data_igns      = "${var.tectonic_ignition_masters}"
 }
 
+module "iam" {
+  source = "../../../modules/aws/iam"
+
+  worker_iam_role  = "${var.tectonic_aws_worker_iam_role_name}"
+}
+
 module "dns" {
   source = "../../../modules/dns/route53"