terraform { required_providers { aws = { source = "hashicorp/aws" version = "4.36.1" } } } # Configure the AWS Provider provider "aws" { region = var.region } resource "random_id" "uid" { byte_length = 8 } resource "aws_iam_instance_profile" "control_plane_instance_profile" { name = "${var.name_prefix}_control_plane_instance_profile" role = aws_iam_role.control_plane_role.name } resource "aws_iam_role" "control_plane_role" { name = "${var.name_prefix}_control_plane_role" path = "/" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" }, "Effect": "Allow", "Sid": "" } ] } EOF } resource "aws_iam_policy" "control_plane_policy" { name = "${var.name_prefix}_control_plane_policy" policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:RevokeSecurityGroupIngress", "ec2:DescribeVpcs", "elasticloadbalancing:AddTags", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "iam:CreateServiceLinkedRole", "kms:DescribeKey", "logs:DescribeLogGroups", "logs:ListTagsLogGroup", "logs:CreateLogStream", "tag:GetResources", "ec2:DescribeImages" ], "Resource": [ "*" ] } ] } EOF } resource "aws_iam_role_policy_attachment" "attach_control_plane_policy" { role = aws_iam_role.control_plane_role.name policy_arn = aws_iam_policy.control_plane_policy.arn } resource "aws_iam_instance_profile" "worker_node_instance_profile" { name = "${var.name_prefix}_worker_node_instance_profile" role = aws_iam_role.control_plane_role.name } resource "aws_iam_role" "worker_node_role" { name = "${var.name_prefix}_worker_node_role" path = "/" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com" }, "Effect": "Allow", "Sid": "" } ] } EOF } resource "aws_iam_policy" "worker_node_policy" { name = "${var.name_prefix}_worker_node_policy" policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeRegions", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:BatchGetImage", "logs:DescribeLogGroups", "logs:ListTagsLogGroup", "logs:CreateLogStream", "tag:GetResources", "ec2:DescribeImages" ], "Resource": "*" } ] } EOF } resource "aws_iam_role_policy_attachment" "attach_worker_node_policy" { role = aws_iam_role.worker_node_role.name policy_arn = aws_iam_policy.worker_node_policy.arn }