68bf23b760
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
# Provider requirements for this module.
# The AWS provider is pinned to an exact release so that plans are reproducible.
# NOTE(review): the random_id resource below comes from the hashicorp/random
# provider, which is not listed here; Terraform resolves it implicitly from the
# hashicorp namespace without a version constraint.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "4.44.0" }
  }
}
# Configure the AWS Provider.
# Every resource in this file is created in the region passed via var.region.
provider "aws" {
  region = var.region
}
# Source of 8 bytes of randomness for unique naming.
# Not referenced by any resource in this file — presumably consumed elsewhere in
# the module; verify before removing.
resource "random_id" "uid" {
  byte_length = 8
}
# Instance profile handed to control-plane EC2 instances.
# It binds the control-plane role so instances obtain its credentials from the
# instance metadata service.
resource "aws_iam_instance_profile" "control_plane_instance_profile" {
  role = aws_iam_role.control_plane_role.name
  name = "${var.name_prefix}_control_plane_instance_profile"
}
# IAM role assumed by control-plane EC2 instances.
# The trust policy admits only the EC2 service principal; the permissions the
# role carries are granted separately through the attached policy.
resource "aws_iam_role" "control_plane_role" {
  name = "${var.name_prefix}_control_plane_role"
  path = "/"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = ""
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
    ]
  })
}
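# Permissions policy for control-plane instances.
# The action set covers autoscaling/EC2 discovery, security-group, route and
# volume management, classic and v2 load balancer management, log shipping and
# ECR-independent image lookup — presumably what the in-cluster AWS integrations
# (cloud controller / storage driver) need; confirm against the components that
# actually run on the control plane.
# Change from the previous revision: "elasticloadbalancing:AddTags" was listed
# twice; the duplicate is dropped. The granted permissions are unchanged.
# Resource stays a wildcard as before; tightening it to cluster-scoped ARNs
# would need a per-action review and is not attempted here.
resource "aws_iam_policy" "control_plane_policy" {
  name = "${var.name_prefix}_control_plane_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          # Autoscaling group discovery
          "autoscaling:DescribeAutoScalingGroups",
          "autoscaling:DescribeLaunchConfigurations",
          "autoscaling:DescribeTags",
          # EC2 discovery
          "ec2:DescribeInstances",
          "ec2:DescribeRegions",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeVolumes",
          # EC2 mutation: security groups, tags, volumes, routes
          "ec2:CreateSecurityGroup",
          "ec2:CreateTags",
          "ec2:CreateVolume",
          "ec2:ModifyInstanceAttribute",
          "ec2:ModifyVolume",
          "ec2:AttachVolume",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateRoute",
          "ec2:DeleteRoute",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteVolume",
          "ec2:DetachVolume",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:DescribeVpcs",
          # Classic load balancer lifecycle
          "elasticloadbalancing:AddTags",
          "elasticloadbalancing:AttachLoadBalancerToSubnets",
          "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
          "elasticloadbalancing:CreateLoadBalancer",
          "elasticloadbalancing:CreateLoadBalancerPolicy",
          "elasticloadbalancing:CreateLoadBalancerListeners",
          "elasticloadbalancing:ConfigureHealthCheck",
          "elasticloadbalancing:DeleteLoadBalancer",
          "elasticloadbalancing:DeleteLoadBalancerListeners",
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeLoadBalancerAttributes",
          "elasticloadbalancing:DetachLoadBalancerFromSubnets",
          "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
          "elasticloadbalancing:ModifyLoadBalancerAttributes",
          "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
          "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
          # ELBv2 listeners and target groups
          "elasticloadbalancing:CreateListener",
          "elasticloadbalancing:CreateTargetGroup",
          "elasticloadbalancing:DeleteListener",
          "elasticloadbalancing:DeleteTargetGroup",
          "elasticloadbalancing:DescribeListeners",
          "elasticloadbalancing:DescribeLoadBalancerPolicies",
          "elasticloadbalancing:DescribeTargetGroups",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:ModifyListener",
          "elasticloadbalancing:ModifyTargetGroup",
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:DeregisterTargets",
          "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
          # Service-linked role creation (needed on first use of some AWS services)
          "iam:CreateServiceLinkedRole",
          # KMS key metadata lookup
          "kms:DescribeKey",
          # CloudWatch Logs shipping
          "logs:DescribeLogGroups",
          "logs:ListTagsLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          # Tag-based resource lookup and AMI lookup
          "tag:GetResources",
          "ec2:DescribeImages",
        ]
        Resource = ["*"]
      },
    ]
  })
}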
# Grants the control-plane permission set to the control-plane role.
resource "aws_iam_role_policy_attachment" "attach_control_plane_policy" {
  policy_arn = aws_iam_policy.control_plane_policy.arn
  role       = aws_iam_role.control_plane_role.name
}
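# Instance profile handed to worker-node EC2 instances.
# It must bind the worker-node role: the previous revision referenced
# control_plane_role here, which gave worker instances the control-plane
# permission set (security-group, route, volume and load-balancer mutation)
# and left worker_node_policy — attached to worker_node_role — unused by any
# instance. Binding worker_node_role restores the intended least-privilege split.
resource "aws_iam_instance_profile" "worker_node_instance_profile" {
  name = "${var.name_prefix}_worker_node_instance_profile"
  role = aws_iam_role.worker_node_role.name
}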
# IAM role assumed by worker-node EC2 instances.
# Trust policy mirrors the control-plane role: only the EC2 service principal
# may assume it. Permissions are attached separately.
resource "aws_iam_role" "worker_node_role" {
  name = "${var.name_prefix}_worker_node_role"
  path = "/"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = ""
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
    ]
  })
}
# Permissions policy for worker-node instances.
# Read-only EC2 discovery, ECR image pulls, CloudWatch Logs shipping and
# tag-based lookup — no mutation of networking, volumes or load balancers.
# Resource is a wildcar as in the original (written as a plain string here,
# whereas the control-plane policy uses a single-element list; IAM treats both
# the same).
resource "aws_iam_policy" "worker_node_policy" {
  name = "${var.name_prefix}_worker_node_policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          # EC2 discovery
          "ec2:DescribeInstances",
          "ec2:DescribeRegions",
          # ECR: authenticate and pull images
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetRepositoryPolicy",
          "ecr:DescribeRepositories",
          "ecr:ListImages",
          "ecr:BatchGetImage",
          # CloudWatch Logs shipping
          "logs:DescribeLogGroups",
          "logs:ListTagsLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          # Tag-based resource lookup and AMI lookup
          "tag:GetResources",
          "ec2:DescribeImages",
        ]
        Resource = "*"
      },
    ]
  })
}
# Grants the worker-node permission set to the worker-node role.
resource "aws_iam_role_policy_attachment" "attach_worker_node_policy" {
  policy_arn = aws_iam_policy.worker_node_policy.arn
  role       = aws_iam_role.worker_node_role.name
}