From 7754c91c089cf2493c1e0bb383aca43c82916280 Mon Sep 17 00:00:00 2001
From: Toshiaki Maki
Date: Tue, 11 Aug 2020 00:14:06 +0900
Subject: [PATCH] Add IAM instance profile for TAS to access s3 buckets (#56)
fixes gh-46
---
 aws/ops-manager.tf | 1 +
 aws/outputs.tf | 1 +
 aws/tas-iam.tf | 63 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 aws/tas-iam.tf
diff --git a/aws/ops-manager.tf b/aws/ops-manager.tf
index f8a23ab..a1ed9c2 100644
--- a/aws/ops-manager.tf
+++ b/aws/ops-manager.tf
@@ -93,6 +93,7 @@ data "aws_iam_policy_document" "ops-manager" {
 actions = ["iam:PassRole"]
 resources = [
 aws_iam_role.ops-manager.arn,
+ aws_iam_role.tas-blobstore.arn,
 aws_iam_role.pks-master.arn,
 aws_iam_role.pks-worker.arn,
 ]
diff --git a/aws/outputs.tf b/aws/outputs.tf
index fba664b..9215412 100644
--- a/aws/outputs.tf
+++ b/aws/outputs.tf
@@ -53,6 +53,7 @@ locals {
 droplets_bucket_name = aws_s3_bucket.droplets-bucket.bucket
 packages_bucket_name = aws_s3_bucket.packages-bucket.bucket
 resources_bucket_name = aws_s3_bucket.resources-bucket.bucket
+ tas_blobstore_iam_instance_profile_name = aws_iam_instance_profile.tas-blobstore.name
 nat_security_group_id = aws_security_group.nat.id
 nat_security_group_name = aws_security_group.nat.name
diff --git a/aws/tas-iam.tf b/aws/tas-iam.tf
new file mode 100644
index 0000000..a3fa5ed
--- /dev/null
+++ b/aws/tas-iam.tf
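Review bot: The role this hunk makes passable through the ops-manager `iam:PassRole` statement, `aws_iam_role.tas-blobstore`, is granted `actions = ["s3:*"]` on the four blobstore buckets by the tas-blobstore-policy document added in aws/tas-iam.tf, so any instance that receives the new instance profile also receives bucket-level administrative actions (bucket policy, ACL, lifecycle and deletion) that a blobstore client does not need. Before widening PassRole to this role, consider narrowing the policy document to the object-level actions TAS actually uses, for example `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` and `s3:ListBucket`, which keeps the effect of a compromised TAS VM limited to the objects it already serves. If the surrounding PassRole statement does not already carry a `condition` block on `iam:PassedToService` restricting it to `ec2.amazonaws.com`, adding one would limit where these roles can be passed; the statement and its enclosing policy document start and end outside the hunk, so I cannot see whether such a condition exists.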
@@ -0,0 +1,63 @@
+data "aws_iam_policy_document" "tas-blobstore-policy" {
+ statement {
+ sid = "TasBlobstorePolicy"
+ effect = "Allow"
+ actions = ["s3:*"]
+ resources = [
+ aws_s3_bucket.buildpacks-bucket.arn,
+ "${aws_s3_bucket.buildpacks-bucket.arn}/*",
+ aws_s3_bucket.packages-bucket.arn,
+ "${aws_s3_bucket.packages-bucket.arn}/*",
+ aws_s3_bucket.resources-bucket.arn,
+ "${aws_s3_bucket.resources-bucket.arn}/*",
+ aws_s3_bucket.droplets-bucket.arn,
+ "${aws_s3_bucket.droplets-bucket.arn}/*"
+ ]
+ }
+}
+
+resource "aws_iam_policy" "tas-blobstore" {
+ name = "${var.environment_name}-tas-blobstore-policy"
+ policy = data.aws_iam_policy_document.tas-blobstore-policy.json
+}
+
+resource "aws_iam_role" "tas-blobstore" {
+ name = "${var.environment_name}-tas-blobstore"
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ assume_role_policy = <