diff --git a/aws/ops-manager.tf b/aws/ops-manager.tf
index f8a23ab..a1ed9c2 100644
--- a/aws/ops-manager.tf
+++ b/aws/ops-manager.tf
@@ -93,6 +93,7 @@ data "aws_iam_policy_document" "ops-manager" {
 actions = ["iam:PassRole"]
 resources = [
 aws_iam_role.ops-manager.arn,
+ aws_iam_role.tas-blobstore.arn,
 aws_iam_role.pks-master.arn,
 aws_iam_role.pks-worker.arn,
 ]
diff --git a/aws/outputs.tf b/aws/outputs.tf
index fba664b..9215412 100644
--- a/aws/outputs.tf
+++ b/aws/outputs.tf
@@ -53,6 +53,7 @@ locals {
 droplets_bucket_name = aws_s3_bucket.droplets-bucket.bucket
 packages_bucket_name = aws_s3_bucket.packages-bucket.bucket
 resources_bucket_name = aws_s3_bucket.resources-bucket.bucket
+ tas_blobstore_iam_instance_profile_name = aws_iam_instance_profile.tas-blobstore.name
 nat_security_group_id = aws_security_group.nat.id
 nat_security_group_name = aws_security_group.nat.name
diff --git a/aws/tas-iam.tf b/aws/tas-iam.tf
new file mode 100644
index 0000000..a3fa5ed
--- /dev/null
+++ b/aws/tas-iam.tf
@@ -0,0 +1,63 @@
+data "aws_iam_policy_document" "tas-blobstore-policy" {
+ statement {
+ sid = "TasBlobstorePolicy"
+ effect = "Allow"
+ actions = ["s3:*"]
+ resources = [
+ aws_s3_bucket.buildpacks-bucket.arn,
+ "${aws_s3_bucket.buildpacks-bucket.arn}/*",
+ aws_s3_bucket.packages-bucket.arn,
+ "${aws_s3_bucket.packages-bucket.arn}/*",
+ aws_s3_bucket.resources-bucket.arn,
+ "${aws_s3_bucket.resources-bucket.arn}/*",
+ aws_s3_bucket.droplets-bucket.arn,
+ "${aws_s3_bucket.droplets-bucket.arn}/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "tas-blobstore" {
+ name = "${var.environment_name}-tas-blobstore-policy"
+ policy = data.aws_iam_policy_document.tas-blobstore-policy.json
+}
+
+resource "aws_iam_role" "tas-blobstore" {
+ name = "${var.environment_name}-tas-blobstore"
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ assume_role_policy = <
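Review bot: The new `aws_iam_role.tas-blobstore.arn` entry in the ops-manager `iam:PassRole` statement lets any principal holding that policy hand out a role which, per `aws/tas-iam.tf` in this same diff, carries `s3:*` over all four blobstore buckets, and the statement has no condition restricting which service the role may be passed to. Since the role is only surfaced as an `aws_iam_instance_profile` in `aws/outputs.tf`, it looks intended solely for EC2 instances, so a `condition` on `iam:PassedToService` pinned to `ec2.amazonaws.com` would keep the grant from being usable with any other service (the role's trust policy is cut off in this chunk, so confirm it agrees). Narrowing `s3:*` in the new policy document to the actions the blobstore actually needs would further limit what this PassRole delegates, but that belongs in the new file. The enclosing `statement` block begins before this hunk, so the condition sits alongside the existing `actions`/`resources` attributes.
```hcl
    actions = ["iam:PassRole"]
    # … unchanged: resources list …
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
```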