Add IAM roles
- Discourse - Remo - Coss - Mozillians
This commit is contained in:
Родитель
4fd1ce4498
Коммит
4659b88083
2
coss.tf
2
coss.tf
|
@ -2,10 +2,12 @@ module "coss-production" {
|
|||
source = "./modules/coss"
|
||||
|
||||
environment = "production"
|
||||
iam-assume-role-policy = "${data.aws_iam_policy_document.containers-assume-role-policy.json}"
|
||||
}
|
||||
|
||||
module "coss-staging" {
|
||||
source = "./modules/coss"
|
||||
|
||||
environment = "staging"
|
||||
iam-assume-role-policy = "${data.aws_iam_policy_document.containers-assume-role-policy.json}"
|
||||
}
|
||||
|
|
|
@ -8,6 +8,7 @@ module "discourse-production" {
|
|||
elasticache_subnet_group = "${aws_elasticache_subnet_group.elasticache-production-subnet-group.name}"
|
||||
fqdn = "discourse.mozilla.org"
|
||||
ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
|
||||
iam-assume-role-policy = "${data.aws_iam_policy_document.containers-assume-role-policy.json}"
|
||||
}
|
||||
|
||||
module "discourse-staging" {
|
||||
|
@ -20,4 +21,5 @@ module "discourse-staging" {
|
|||
elasticache_subnet_group = "${aws_elasticache_subnet_group.elasticache-production-subnet-group.name}"
|
||||
fqdn = "discourse-staging.production.paas.mozilla.community"
|
||||
ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
|
||||
iam-assume-role-policy = "${data.aws_iam_policy_document.containers-assume-role-policy.json}"
|
||||
}
|
||||
|
|
|
@ -1,4 +1,24 @@
|
|||
# mesos-cluster staging
|
||||
data "aws_iam_policy_document" "mesos-slave-production-host-policy-document" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"sts:AssumeRole",
|
||||
"iam:GetRole"
|
||||
]
|
||||
|
||||
resources = [
|
||||
"${module.discourse-staging.container-role-arn}",
|
||||
"${module.discourse-production.container-role-arn}",
|
||||
"${module.mozillians-staging.container-role-arn}",
|
||||
"${module.remo-staging.container-role-arn}",
|
||||
"${module.remo-production.container-role-arn}",
|
||||
"${module.coss-staging.container-role-arn}",
|
||||
"${module.coss-production.container-role-arn}",
|
||||
"${aws_iam_role.mozdef-logs-role.arn}"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
module "mesos-cluster-staging" {
|
||||
source = "./modules/mesos-cluster"
|
||||
# provider vars
|
||||
|
@ -49,3 +69,9 @@ module "mesos-cluster-production" {
|
|||
adminaccessrole-uid = "${aws_iam_role.admin-access-role.unique_id}"
|
||||
mozillians-slave-ec2-sg-id = "${aws_security_group.mozillians-slave-ec2-sg.id}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "mesos-slave-production-host-role-policy" {
|
||||
name = "mesos-slave-host-role-policy"
|
||||
role = "${module.mesos-cluster-production.slave-host-role-arn}"
|
||||
policy = "${data.aws_iam_policy_document.mesos-slave-production-host-policy-document.json}"
|
||||
}
|
||||
|
|
|
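Review bot: `role = "${module.mesos-cluster-production.slave-host-role-arn}"` in the new `aws_iam_role_policy` passes a role ARN, but the `role` argument of `aws_iam_role_policy` is the role name (it is handed to PutRolePolicy as RoleName), which is what every other attachment added in this commit does with `role = "${aws_iam_role.container-role.name}"`; as far as I can tell the provider rejects an ARN here with a roleName validation error. Have the module export the name as well, `output "slave-host-role-name" { value = "${aws_iam_role.mesos-slave-host-role.name}" }`, and reference that instead. In the earlier hunk the heading `# mesos-cluster staging` sits directly above a document named `mesos-slave-production-host-policy-document` that this hunk attaches only to the production slave host role, so one of the two labels is wrong. That document also lets production slave hosts assume the staging container roles; if that is intended because the scheduler may place any container on any host, a one-line comment saying so would keep the list from being widened out of habit.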
@ -1,4 +1,6 @@
|
|||
data "aws_iam_policy_document" "coss-iam-policy" {
|
||||
variable "iam-assume-role-policy" {}
|
||||
|
||||
data "aws_iam_policy_document" "policy-document" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
|
@ -12,10 +14,17 @@ data "aws_iam_policy_document" "coss-iam-policy" {
|
|||
}
|
||||
}
|
||||
|
||||
# Note: This only creates the IAM policy, it needs to be attached to a user or role
|
||||
resource "aws_iam_policy" "aws-access-policy" {
|
||||
name = "coss-${var.environment}-iam-policy"
|
||||
path = "/"
|
||||
description = "Coss ${var.environment} IAM policy"
|
||||
policy = "${data.aws_iam_policy_document.coss-iam-policy.json}"
|
||||
resource "aws_iam_role" "container-role" {
|
||||
name = "coss-${var.environment}-role"
|
||||
assume_role_policy = "${var.iam-assume-role-policy}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "iam-role-policy" {
|
||||
name = "coss-${var.environment}-role-policy"
|
||||
role = "${aws_iam_role.container-role.name}"
|
||||
policy = "${data.aws_iam_policy_document.policy-document.json}"
|
||||
}
|
||||
|
||||
output "container-role-arn" {
|
||||
value = "${aws_iam_role.container-role.arn}"
|
||||
}
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
variable "iam-assume-role-policy" {}
|
||||
|
||||
data "aws_iam_policy_document" "policy-document" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"s3:*",
|
||||
]
|
||||
|
||||
resources = [
|
||||
"${aws_s3_bucket.discourse-content.arn}",
|
||||
]
|
||||
}
|
||||
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"s3:*",
|
||||
]
|
||||
|
||||
resources = [
|
||||
"${aws_s3_bucket.discourse-content.arn}/*",
|
||||
]
|
||||
}
|
||||
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"ses:SendRawEmail",
|
||||
]
|
||||
|
||||
resources = [
|
||||
"*",
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "container-role" {
|
||||
name = "discourse-${var.environment}-role"
|
||||
assume_role_policy = "${var.iam-assume-role-policy}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "iam-role-policy" {
|
||||
name = "discourse-${var.environment}-role-policy"
|
||||
role = "${aws_iam_role.container-role.name}"
|
||||
policy = "${data.aws_iam_policy_document.policy-document.json}"
|
||||
}
|
||||
|
||||
output "container-role-arn" {
|
||||
value = "${aws_iam_role.container-role.arn}"
|
||||
}
|
|
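Review bot: The first two statements of `policy-document` grant `s3:*` on the content bucket and on its objects, which includes bucket-management actions (bucket policy, ACL, versioning, DeleteBucket) a web application has no reason to hold; scope `actions` to the object and list operations the app uses and keep bucket-level administration off the container role. The two statements differ only in `resources`, so they collapse into one with `resources = ["${aws_s3_bucket.discourse-content.arn}", "${aws_s3_bucket.discourse-content.arn}/*"]`. `ses:SendRawEmail` on `"*"` lets the role send as any verified identity in the account; SES accepts identity ARNs as resources, so pin it to the sending identity if one is managed in this repository (the same statement is introduced in the new remo module). `aws_s3_bucket.discourse-content` is defined outside this hunk.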
@ -0,0 +1,53 @@
|
|||
data "aws_iam_policy_document" "mesos-assume-role-policy" {
|
||||
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"sts:AssumeRole"
|
||||
]
|
||||
|
||||
principals {
|
||||
type = "Service"
|
||||
identifiers = [
|
||||
"ec2.amazonaws.com"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "mesos-master-host-role" {
|
||||
name = "mesos-master-${var.environment}-host-role"
|
||||
assume_role_policy = "${data.aws_iam_policy_document.mesos-assume-role-policy.json}"
|
||||
|
||||
lifecycle {
|
||||
create_before_destroy = true
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "mesos-slave-host-role" {
|
||||
name = "mesos-slave-${var.environment}-host-role"
|
||||
assume_role_policy = "${data.aws_iam_policy_document.mesos-assume-role-policy.json}"
|
||||
|
||||
lifecycle {
|
||||
create_before_destroy = true
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "mesos-master-host-mozdef-policy" {
|
||||
role = "${aws_iam_role.mesos-master-host-role.name}"
|
||||
policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
|
||||
}
|
||||
|
||||
resource "aws_iam_instance_profile" "mesos-master-profile" {
|
||||
name = "mesos-master-${var.environment}-profile"
|
||||
roles = ["${aws_iam_role.mesos-master-host-role.name}"]
|
||||
}
|
||||
|
||||
resource "aws_iam_instance_profile" "mesos-slave-profile" {
|
||||
name = "mesos-slave-${var.environment}-profile"
|
||||
roles = ["${aws_iam_role.mesos-slave-host-role.name}"]
|
||||
}
|
||||
|
||||
output "slave-host-role-arn" {
|
||||
value = "${aws_iam_role.mesos-slave-host-role.arn}"
|
||||
}
|
|
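Review bot: `lifecycle { create_before_destroy = true }` on `mesos-master-host-role` and `mesos-slave-host-role` is combined with a fixed `name`, so any change that forces replacement will try to create the new role while the old one still owns that name and fail with EntityAlreadyExists; use `name_prefix = "mesos-master-${var.environment}-host-role-"` (and the slave equivalent) or drop the lifecycle block. The same combination is introduced for `mozillians-host-role` in mozillians.tf. The slave host role gets no policy in this file and is only granted permissions from the root module, which is worth a comment on the `slave-host-role-arn` output so nobody assumes the module is self-contained. A short comment on `mesos-master-host-mozdef-policy` naming which account the hard-coded `policy_arn` belongs to would help the next reader, since the ARN moved here from main.tf without one.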
@ -18,49 +18,6 @@ variable "mozillians-slave-ec2-sg-id" {
|
|||
default = ""
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "mesos-assume-role-policy" {
|
||||
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"sts:AssumeRole"
|
||||
]
|
||||
|
||||
principals {
|
||||
type = "Service"
|
||||
identifiers = [
|
||||
"ec2.amazonaws.com"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "mesos-master-host-role" {
|
||||
name = "mesos-master-${var.environment}-host-role"
|
||||
assume_role_policy = "${data.aws_iam_policy_document.mesos-assume-role-policy.json}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "mesos-slave-host-role" {
|
||||
name = "mesos-slave-${var.environment}-host-role"
|
||||
assume_role_policy = "${data.aws_iam_policy_document.mesos-assume-role-policy.json}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "mesos-master-host-mozdef-policy" {
|
||||
role = "${aws_iam_role.mesos-master-host-role.name}"
|
||||
policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
|
||||
}
|
||||
|
||||
resource "aws_iam_instance_profile" "mesos-master-profile" {
|
||||
name = "mesos-master-${var.environment}-profile"
|
||||
roles = ["${aws_iam_role.mesos-master-host-role.name}"]
|
||||
}
|
||||
|
||||
resource "aws_iam_instance_profile" "mesos-slave-profile" {
|
||||
name = "mesos-slave-${var.environment}-profile"
|
||||
roles = ["${aws_iam_role.mesos-slave-host-role.name}"]
|
||||
}
|
||||
|
||||
|
||||
resource "aws_elb" "mesos-elb" {
|
||||
name = "mesos-${var.environment}-elb"
|
||||
security_groups = ["${aws_security_group.mesos-elb-sg.id}"]
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
data "aws_iam_policy_document" "mozillians-bucket-policy" {
|
||||
variable "iam-assume-role-policy" {}
|
||||
|
||||
data "aws_iam_policy_document" "policy-document" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
|
@ -58,14 +60,21 @@ data "aws_iam_policy_document" "mozillians-bucket-policy" {
|
|||
}
|
||||
}
|
||||
|
||||
# Note: This only creates the IAM policy, it needs to be attached to a user or role
|
||||
resource "aws_iam_policy" "aws-access-policy" {
|
||||
name = "mozillians-${var.environment}-s3-ses-es"
|
||||
path = "/"
|
||||
description = "Mozillians ${var.environment} IAM policy for S3/SES/ES"
|
||||
policy = "${data.aws_iam_policy_document.mozillians-bucket-policy.json}"
|
||||
resource "aws_iam_role" "container-role" {
|
||||
name = "mozillians-${var.environment}-role"
|
||||
assume_role_policy = "${var.iam-assume-role-policy}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "iam-role-policy" {
|
||||
name = "mozillians-${var.environment}-role-policy"
|
||||
role = "${aws_iam_role.container-role.name}"
|
||||
policy = "${data.aws_iam_policy_document.policy-document.json}"
|
||||
}
|
||||
|
||||
output "aws-access-policy-arn" {
|
||||
value = "${aws_iam_policy.aws-access-policy.arn}"
|
||||
value = "${aws_iam_role_policy.iam-role-policy.arn}"
|
||||
}
|
||||
|
||||
output "container-role-arn" {
|
||||
value = "${aws_iam_role.container-role.arn}"
|
||||
}
|
||||
|
|
|
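Review bot: The `aws-access-policy-arn` output appears to read `${aws_iam_role_policy.iam-role-policy.arn}`, but `aws_iam_role_policy` exports no `arn` attribute (only `id`, `name`, `policy` and `role`), so the plan will fail on this output once `aws_iam_policy.aws-access-policy` is removed; if the rendering lost the `-` marker and that line is actually the deleted one, disregard. With the managed policy replaced by an inline role policy there is no ARN left to expose, so drop the output together with its consumers in mozillians.tf and keep `container-role-arn` as the module's only export. Please also add a line of documentation to `variable "iam-assume-role-policy" {}` stating that it expects a rendered trust-policy JSON document, as all three new modules declare it without a description.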
@ -0,0 +1,29 @@
|
|||
variable "iam-assume-role-policy" {}
|
||||
|
||||
data "aws_iam_policy_document" "policy-document" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"ses:SendRawEmail",
|
||||
]
|
||||
|
||||
resources = [
|
||||
"*",
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "container-role" {
|
||||
name = "remo-${var.environment}-role"
|
||||
assume_role_policy = "${var.iam-assume-role-policy}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "iam-role-policy" {
|
||||
name = "remo-${var.environment}-role-policy"
|
||||
role = "${aws_iam_role.container-role.name}"
|
||||
policy = "${data.aws_iam_policy_document.policy-document.json}"
|
||||
}
|
||||
|
||||
output "container-role-arn" {
|
||||
value = "${aws_iam_role.container-role.arn}"
|
||||
}
|
|
@ -34,12 +34,11 @@ resource "aws_security_group_rule" "mozillians-slave-ec2-sg-allowallfromshared"
|
|||
security_group_id = "${aws_security_group.mozillians-slave-ec2-sg.id}"
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "mozillians-production-assume-role-policy" {
|
||||
|
||||
data "aws_iam_policy_document" "mozillians-host-assume-role-policy" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"sts:AssumeRole",
|
||||
"sts:AssumeRole"
|
||||
]
|
||||
|
||||
principals {
|
||||
|
@ -49,74 +48,43 @@ data "aws_iam_policy_document" "mozillians-production-assume-role-policy" {
|
|||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
data "aws_iam_policy_document" "mozillians-production-host-policy-document" {
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"sts:AssumeRole",
|
||||
"iam:GetRole"
|
||||
]
|
||||
|
||||
principals {
|
||||
type = "AWS"
|
||||
identifiers = [
|
||||
# Temporarily allow Andrew to assume this role
|
||||
"arn:aws:iam::371522382791:user/akrug"
|
||||
]
|
||||
}
|
||||
resources = [
|
||||
"${module.mozillians-production.container-role-arn}",
|
||||
"${aws_iam_role.mozdef-logs-role.arn}"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "mozillians-staging-assume-role-policy" {
|
||||
resource "aws_iam_role" "mozillians-host-role" {
|
||||
name = "mozillians-host-role"
|
||||
assume_role_policy = "${data.aws_iam_policy_document.mozillians-host-assume-role-policy.json}"
|
||||
|
||||
statement {
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"sts:AssumeRole",
|
||||
]
|
||||
|
||||
principals {
|
||||
type = "AWS"
|
||||
identifiers = [
|
||||
# Temporarily allow Andrew to assume this role
|
||||
"arn:aws:iam::371522382791:user/akrug"
|
||||
]
|
||||
}
|
||||
lifecycle {
|
||||
create_before_destroy = true
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "mozillians-staging-role" {
|
||||
name = "mozillians-staging-role"
|
||||
assume_role_policy = "${data.aws_iam_policy_document.mozillians-staging-assume-role-policy.json}"
|
||||
resource "aws_iam_role_policy" "mozillians-host-role-policy" {
|
||||
name = "mozillians-host-role-policy"
|
||||
role = "${aws_iam_role.mozillians-host-role.name}"
|
||||
policy = "${data.aws_iam_policy_document.mozillians-production-host-policy-document.json}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "mozillians-staging-mozdef-policy" {
|
||||
role = "${aws_iam_role.mozillians-staging-role.name}"
|
||||
policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "mozillians-staging-access-policy" {
|
||||
role = "${aws_iam_role.mozillians-staging-role.name}"
|
||||
policy_arn = "${module.mozillians-staging.aws-access-policy-arn}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role" "mozillians-production-role" {
|
||||
name = "mozillians-production-role"
|
||||
assume_role_policy = "${data.aws_iam_policy_document.mozillians-production-assume-role-policy.json}"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "mozillians-production-mozdef-policy" {
|
||||
role = "${aws_iam_role.mozillians-production-role.name}"
|
||||
policy_arn = "arn:aws:iam::484535289196:policy/SnsMozdefLogsFullAccess"
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy_attachment" "mozillians-production-access-policy" {
|
||||
role = "${aws_iam_role.mozillians-production-role.name}"
|
||||
policy_arn = "${module.mozillians-production.aws-access-policy-arn}"
|
||||
}
|
||||
|
||||
resource "aws_iam_instance_profile" "mozillians-production-profile" {
|
||||
name = "mozillians-production-profile"
|
||||
roles = ["${aws_iam_role.mozillians-production-role.name}"]
|
||||
roles = ["${aws_iam_role.mozillians-host-role.name}"]
|
||||
}
|
||||
|
||||
resource "aws_launch_configuration" "mozillians-slave-ec2-lc" {
|
||||
|
@ -188,6 +156,7 @@ module "mozillians-staging" {
|
|||
cdn_static_origin_domain_name = "web-mozillians-staging.production.paas.mozilla.community"
|
||||
cdn_ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
|
||||
cis_publisher_role_arn = "arn:aws:iam::656532927350:role/CISPublisherRole"
|
||||
iam-assume-role-policy = "${data.aws_iam_policy_document.containers-assume-role-policy.json}"
|
||||
}
|
||||
|
||||
module "mozillians-production" {
|
||||
|
@ -205,6 +174,7 @@ module "mozillians-production" {
|
|||
cdn_static_origin_domain_name = "mozillians.org"
|
||||
cdn_ssl_certificate = "${lookup(var.ssl_certificates, "community-sites-elb-${var.aws_region}")}"
|
||||
cis_publisher_role_arn = "arn:aws:iam::371522382791:role/CISPublisherRole"
|
||||
iam-assume-role-policy = "${data.aws_iam_policy_document.containers-assume-role-policy.json}"
|
||||
}
|
||||
|
||||
resource "aws_elasticsearch_domain" "mozillians-es" {
|
||||
|
|
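Review bot: `mozillians-production-host-policy-document` is an identity policy attached through `aws_iam_role_policy`, and an identity policy cannot carry a `principals` block; if the `type = "AWS"` block with the `user/akrug` identifier printed between its `actions` and `resources` is on the new side rather than a leftover of the removed assume-role document, the generated JSON will be rejected at apply and it has to go. If that user is still meant to assume the host role, the trust belongs in `mozillians-host-assume-role-policy`, and the `# Temporarily allow ...` note should carry a removal date or ticket so the exception does not become permanent. `mozillians-host-role-policy` only allows assuming the production container role while the role and policy names are environment-neutral; a comment saying the host role is production-only (or an environment suffix in `name = "mozillians-host-role"`) would make that explicit. Both hunks cut through resources whose start is outside the view.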
2
remo.tf
2
remo.tf
|
@ -8,6 +8,7 @@ module "remo-staging" {
|
|||
elasticache_subnet_group = "${aws_elasticache_subnet_group.elasticache-production-subnet-group.name}"
|
||||
elasticache_sg_name = "remo-redis-staging-sg"
|
||||
elasticache_sg_description = "remo staging elasticache SG"
|
||||
iam-assume-role-policy = "${data.aws_iam_policy_document.containers-assume-role-policy.json}"
|
||||
}
|
||||
|
||||
module "remo-production" {
|
||||
|
@ -20,4 +21,5 @@ module "remo-production" {
|
|||
elasticache_subnet_group = "${aws_elasticache_subnet_group.elasticache-production-subnet-group.name}"
|
||||
elasticache_sg_name = "remo-redis-shared-sg"
|
||||
elasticache_sg_description = "remo elasticache SG"
|
||||
iam-assume-role-policy = "${data.aws_iam_policy_document.containers-assume-role-policy.json}"
|
||||
}
|
||||
|
|