open-nomad/e2e/terraform/iam.tf
Tim Gross 79222c36bf
e2e: add EBS and EFS volumes for testing CSI (#7266)
This changeset adds volumes but does not mount them to instances so
that we can test the mounting ("staging") via CSI plugins. The CSI
plugins themselves will be installed as Nomad jobs.

In order to ensure we can always mount the EFS volume, this changeset
pins the deployment of the cluster to a specific subnet. In future
work we should spread the cluster out among several AZs and test that
behavior explicitly.
2020-03-04 10:44:51 -05:00


# Instance profile the cluster EC2 instances are launched with; it binds
# the instance role (below) to those instances.
resource "aws_iam_instance_profile" "instance_profile" {
  role        = aws_iam_role.instance_role.name
  name_prefix = local.random_name
}
# Role assumed by the cluster EC2 instances. Its trust policy is rendered
# from the instance_role policy document defined below.
resource "aws_iam_role" "instance_role" {
  assume_role_policy = data.aws_iam_policy_document.instance_role.json
  name_prefix        = local.random_name
}
# Trust policy for the instance role: the only principal allowed to call
# sts:AssumeRole on it is the EC2 service.
data "aws_iam_policy_document" "instance_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
  }
}
# Inline policy attached to the instance role. The permissions it grants
# are defined in the auto_discover_cluster policy document below.
resource "aws_iam_role_policy" "auto_discover_cluster" {
  policy = data.aws_iam_policy_document.auto_discover_cluster.json
  role   = aws_iam_role.instance_role.id
  name   = "auto-discover-cluster"
}
# Note: this instance profile is also overloaded to grant access to the
# test binaries bucket; it should be renamed.
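# Permissions granted to the cluster instances: cluster auto-discovery
# (Describe* calls), EBS volume inspection/attachment for the CSI tests,
# and read/write access to the test binaries bucket.
data "aws_iam_policy_document" "auto_discover_cluster" {
  # The original document carried two Allow statements on resources "*"
  # where the first (DescribeInstances, DescribeTags,
  # DescribeAutoScalingGroups) was a strict subset of the second, so the
  # effective permissions were already exactly this one statement. Folded
  # into a single statement to keep the rendered policy minimal.
  statement {
    effect = "Allow"
    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "ec2:DescribeVolume*",
      "ec2:AttachVolume",
      "autoscaling:DescribeAutoScalingGroups",
    ]
    # ec2:AttachVolume on "*" lets any cluster instance attach any EBS
    # volume in the account to any instance. That is tolerable for a
    # throwaway e2e account, but scope it down (e.g. a tag-based condition
    # on the volumes created for these tests) before reusing this role
    # outside e2e.
    resources = ["*"]
  }

  # Object-level access to the bucket holding the test binaries; no
  # bucket-level actions (ListBucket etc.) are granted here.
  statement {
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
    ]
    resources = ["arn:aws:s3:::nomad-team-test-binary/*"]
  }
}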