open-nomad/e2e/terraform/iam.tf

resource "aws_iam_instance_profile" "instance_profile" {
  name_prefix = local.random_name
  role        = aws_iam_role.instance_role.name
}

resource "aws_iam_role" "instance_role" {
  name_prefix        = local.random_name
  assume_role_policy = data.aws_iam_policy_document.instance_role.json
}

data "aws_iam_policy_document" "instance_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "auto_discover_cluster" {
  name   = "auto-discover-cluster"
  role   = aws_iam_role.instance_role.id
  policy = data.aws_iam_policy_document.auto_discover_cluster.json
}

# Note: Overloading this instance profile to access
# test binaries, should be renamed.
data "aws_iam_policy_document" "auto_discover_cluster" {
  statement {
    effect = "Allow"

    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "autoscaling:DescribeAutoScalingGroups",
    ]
    resources = ["*"]
  }

  statement {
    effect = "Allow"

    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "ec2:DescribeVolume*",
      "ec2:AttachVolume",
      "ec2:DetachVolume",
      "autoscaling:DescribeAutoScalingGroups",
    ]
    resources = ["*"]
  }

  statement {
    effect = "Allow"

    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
    ]
    resources = ["arn:aws:s3:::nomad-team-test-binary/*"]
  }
}
Terraform configs for e2e tests 2018-12-17 17:40:09 +00:00			`resource "aws_iam_instance_profile" "instance_profile" {`
e2e: upgrade terraform to 0.12.x (#6489) 2019-10-14 15:27:08 +00:00			`name_prefix = local.random_name`
			`role = aws_iam_role.instance_role.name`
Terraform configs for e2e tests 2018-12-17 17:40:09 +00:00			`}`

			`resource "aws_iam_role" "instance_role" {`
e2e: upgrade terraform to 0.12.x (#6489) 2019-10-14 15:27:08 +00:00			`name_prefix = local.random_name`
			`assume_role_policy = data.aws_iam_policy_document.instance_role.json`
Terraform configs for e2e tests 2018-12-17 17:40:09 +00:00			`}`

			`data "aws_iam_policy_document" "instance_role" {`
			`statement {`
			`effect = "Allow"`
			`actions = ["sts:AssumeRole"]`

			`principals {`
			`type = "Service"`
			`identifiers = ["ec2.amazonaws.com"]`
			`}`
			`}`
			`}`

			`resource "aws_iam_role_policy" "auto_discover_cluster" {`
			`name = "auto-discover-cluster"`
e2e: upgrade terraform to 0.12.x (#6489) 2019-10-14 15:27:08 +00:00			`role = aws_iam_role.instance_role.id`
			`policy = data.aws_iam_policy_document.auto_discover_cluster.json`
Terraform configs for e2e tests 2018-12-17 17:40:09 +00:00			`}`

			`# Note: Overloading this instance profile to access`
			`# test binaries, should be renamed.`
			`data "aws_iam_policy_document" "auto_discover_cluster" {`
			`statement {`
			`effect = "Allow"`

			`actions = [`
			`"ec2:DescribeInstances",`
			`"ec2:DescribeTags",`
			`"autoscaling:DescribeAutoScalingGroups",`
			`]`
			`resources = ["*"]`
			`}`

			`statement {`
			`effect = "Allow"`

			`actions = [`
			`"ec2:DescribeInstances",`
			`"ec2:DescribeTags",`
e2e: add EBS and EFS volumes for testing CSI (#7266) This changeset adds volumes but does not mount them to instances so that we can test the mounting ("staging") via CSI plugins. The CSI plugins themselves will be installed as Nomad jobs. In order to ensure we can always mount the EFS volume, this changeset pins the deployment of the cluster to a specific subnet. In future work we should spread the cluster out among several AZs and test that behavior explicitly. 2020-03-04 15:44:51 +00:00			`"ec2:DescribeVolume*",`
			`"ec2:AttachVolume",`
csi: e2e tests for EBS and EFS plugins (#7343) This changeset provides two basic e2e tests for CSI plugins targeting common AWS use cases. The EBS test launches the EBS plugin (controller + nodes) and registers an EBS volume as a Nomad CSI volume. We deploy a job that writes to the volume, stop that job, and reuse the volume for another job which should be able to read the data written by the first job. The EFS test launches the EFS plugin (nodes-only) and registers an EFS volume as a Nomad CSI volume. We deploy a job that writes to the volume, stop that job, and reuse the volume for another job which should be able to read the data written by the first job. The writer jobs mount the CSI volume at a location within the alloc dir. 2020-03-16 12:53:04 +00:00			`"ec2:DetachVolume",`
Terraform configs for e2e tests 2018-12-17 17:40:09 +00:00			`"autoscaling:DescribeAutoScalingGroups",`
			`]`
			`resources = ["*"]`
			`}`

			`statement {`
			`effect = "Allow"`

			`actions = [`
e2e: upgrade terraform to 0.12.x (#6489) 2019-10-14 15:27:08 +00:00			`"s3:PutObject",`
			`"s3:GetObject",`
			`"s3:DeleteObject",`
Terraform configs for e2e tests 2018-12-17 17:40:09 +00:00			`]`
			`resources = ["arn:aws:s3:::nomad-team-test-binary/*"]`
			`}`
			`}`