Add IAM instance profile for TAS to access s3 buckets (#56)

fixes gh-46
pivotal · Aug 10, 2020 · 7754c91 · 7754c91
1 parent 882f2c4
commit 7754c91
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 0 deletions.
diff --git a/aws/ops-manager.tf b/aws/ops-manager.tf
@@ -93,6 +93,7 @@ data "aws_iam_policy_document" "ops-manager" {
     actions = ["iam:PassRole"]
     resources = [
       aws_iam_role.ops-manager.arn,
+      aws_iam_role.tas-blobstore.arn,
       aws_iam_role.pks-master.arn,
       aws_iam_role.pks-worker.arn,
     ]

diff --git a/aws/outputs.tf b/aws/outputs.tf
@@ -53,6 +53,7 @@ locals {
     droplets_bucket_name   = aws_s3_bucket.droplets-bucket.bucket
     packages_bucket_name   = aws_s3_bucket.packages-bucket.bucket
     resources_bucket_name  = aws_s3_bucket.resources-bucket.bucket
+    tas_blobstore_iam_instance_profile_name = aws_iam_instance_profile.tas-blobstore.name
 
     nat_security_group_id   = aws_security_group.nat.id
     nat_security_group_name = aws_security_group.nat.name

diff --git a/aws/tas-iam.tf b/aws/tas-iam.tf
@@ -0,0 +1,63 @@
+data "aws_iam_policy_document" "tas-blobstore-policy" {
+  statement {
+    sid     = "TasBlobstorePolicy"
+    effect  = "Allow"
+    actions = ["s3:*"]
+    resources = [
+      aws_s3_bucket.buildpacks-bucket.arn,
+      "${aws_s3_bucket.buildpacks-bucket.arn}/*",
+      aws_s3_bucket.packages-bucket.arn,
+      "${aws_s3_bucket.packages-bucket.arn}/*",
+      aws_s3_bucket.resources-bucket.arn,
+      "${aws_s3_bucket.resources-bucket.arn}/*",
+      aws_s3_bucket.droplets-bucket.arn,
+      "${aws_s3_bucket.droplets-bucket.arn}/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "tas-blobstore" {
+  name   = "${var.environment_name}-tas-blobstore-policy"
+  policy = data.aws_iam_policy_document.tas-blobstore-policy.json
+}
+
+resource "aws_iam_role" "tas-blobstore" {
+  name = "${var.environment_name}-tas-blobstore"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": [
+          "ec2.amazonaws.com"
+        ]
+      },
+      "Action": [
+        "sts:AssumeRole"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "tas-blobstore" {
+  role       = aws_iam_role.tas-blobstore.name
+  policy_arn = aws_iam_policy.tas-blobstore.arn
+}
+
+resource "aws_iam_instance_profile" "tas-blobstore" {
+  name = "${var.environment_name}-tas-blobstore"
+  role = aws_iam_role.tas-blobstore.name
+
+  lifecycle {
+    ignore_changes = [name]
+  }
+}