79222c36bf
This changeset adds volumes but does not mount them to instances so that we can test the mounting ("staging") via CSI plugins. The CSI plugins themselves will be installed as Nomad jobs. In order to ensure we can always mount the EFS volume, this changeset pins the deployment of the cluster to a specific subnet. In future work we should spread the cluster out among several AZs and test that behavior explicitly.
# Instance profile wrapping aws_iam_role.instance_role. Anything launched with
# this profile receives every inline policy attached to that role.
resource "aws_iam_instance_profile" "instance_profile" {
  role        = aws_iam_role.instance_role.name
  name_prefix = local.random_name
}
# Role carried by the instance profile. Its trust policy is rendered from the
# "instance_role" policy document; permissions are attached separately as
# inline role policies.
resource "aws_iam_role" "instance_role" {
  assume_role_policy = data.aws_iam_policy_document.instance_role.json
  name_prefix        = local.random_name
}
# Trust policy for the instance role: the only principal allowed to call
# sts:AssumeRole is the EC2 service.
data "aws_iam_policy_document" "instance_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
  }
}
# Inline policy on the instance role. Despite its name, the document it
# attaches grants more than discovery: it also allows EBS volume attachment
# and object access to the test-binary bucket.
resource "aws_iam_role_policy" "auto_discover_cluster" {
  policy = data.aws_iam_policy_document.auto_discover_cluster.json
  role   = aws_iam_role.instance_role.id
  name   = "auto-discover-cluster"
}
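# Note: this instance profile is overloaded. Besides cluster auto-discovery it
# also grants volume attachment and access to the test binaries, so it should
# be renamed to reflect that.
data "aws_iam_policy_document" "auto_discover_cluster" {
  # Read-only discovery calls. These Describe actions do not accept
  # resource-level restrictions, so "*" is the only usable resource.
  statement {
    effect = "Allow"

    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "autoscaling:DescribeAutoScalingGroups",
    ]
    resources = ["*"]
  }

  # Volume access. This statement previously repeated the three discovery
  # actions above; they are dropped here because the first statement already
  # allows them, so the effective permissions are unchanged.
  statement {
    effect = "Allow"

    actions = [
      "ec2:DescribeVolume*",
      "ec2:AttachVolume",
    ]

    # NOTE(review): ec2:AttachVolume on "*" is not limited to the test volumes.
    # Unlike the Describe calls, AttachVolume supports resource-level
    # permissions and tag conditions; scope it to the test volumes and
    # instances once they carry a stable tag or ARN pattern.
    resources = ["*"]
  }

  # Object access to the shared test-binary bucket.
  # NOTE(review): every instance holding this role can overwrite or delete the
  # binaries that other instances download. If instances only fetch binaries,
  # s3:GetObject alone would be enough; confirm what uploads them before
  # narrowing.
  statement {
    effect = "Allow"

    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
    ]
    resources = ["arn:aws:s3:::nomad-team-test-binary/*"]
  }
}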