241 lines
4.7 KiB
HCL
241 lines
4.7 KiB
HCL
data "aws_iam_policy" "ssm" {
|
|
name = "AmazonSSMManagedInstanceCore"
|
|
}
|
|
|
|
resource "aws_iam_user" "deploy" {
|
|
name = "riju-deploy"
|
|
}
|
|
|
|
resource "aws_iam_access_key" "deploy" {
|
|
user = aws_iam_user.deploy.name
|
|
}
|
|
|
|
data "aws_iam_policy_document" "deploy" {
|
|
# statement {
|
|
# actions = [
|
|
# "ec2:RunInstances",
|
|
# ]
|
|
|
|
# resources = [
|
|
# data.aws_ami.ci.arn,
|
|
# ]
|
|
# }
|
|
|
|
statement {
|
|
actions = [
|
|
"ecr:GetAuthorizationToken",
|
|
"ecr-public:GetAuthorizationToken",
|
|
"sts:GetServiceBearerToken",
|
|
]
|
|
|
|
resources = [
|
|
"*",
|
|
]
|
|
}
|
|
|
|
statement {
|
|
actions = [
|
|
"ecr:DescribeRegistry",
|
|
]
|
|
|
|
resources = [
|
|
"*",
|
|
]
|
|
}
|
|
|
|
statement {
|
|
actions = [
|
|
"ecr:BatchGetImage",
|
|
"ecr:BatchCheckLayerAvailability",
|
|
"ecr:CompleteLayerUpload",
|
|
"ecr:DescribeImages",
|
|
"ecr:DescribeRepositories",
|
|
"ecr:GetDownloadUrlForLayer",
|
|
"ecr:InitiateLayerUpload",
|
|
"ecr:ListImages",
|
|
"ecr:PutImage",
|
|
"ecr:UploadLayerPart",
|
|
]
|
|
|
|
resources = [
|
|
aws_ecr_repository.riju.arn,
|
|
]
|
|
}
|
|
|
|
statement {
|
|
actions = [
|
|
"s3:ListBucket",
|
|
]
|
|
|
|
resources = [
|
|
"arn:aws:s3:::${aws_s3_bucket.riju.bucket}",
|
|
]
|
|
}
|
|
|
|
statement {
|
|
actions = [
|
|
"s3:*Object",
|
|
]
|
|
|
|
resources = [
|
|
"arn:aws:s3:::${aws_s3_bucket.riju.bucket}/*",
|
|
]
|
|
}
|
|
}
|
|
|
|
data "aws_iam_policy_document" "deploy_assume_role" {
|
|
statement {
|
|
actions = [
|
|
"sts:AssumeRole",
|
|
]
|
|
|
|
principals {
|
|
type = "AWS"
|
|
identifiers = [
|
|
"${data.aws_caller_identity.current.account_id}",
|
|
]
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_policy" "deploy" {
|
|
name = "riju-deploy"
|
|
description = "Policy granting CI access to deploy Riju"
|
|
policy = data.aws_iam_policy_document.deploy.json
|
|
}
|
|
|
|
resource "aws_iam_user_policy_attachment" "deploy" {
|
|
user = aws_iam_user.deploy.name
|
|
policy_arn = aws_iam_policy.deploy.arn
|
|
}
|
|
|
|
resource "aws_iam_role" "deploy" {
|
|
name = "riju-deploy"
|
|
description = "Role used by CI and deployment"
|
|
assume_role_policy = data.aws_iam_policy_document.deploy_assume_role.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "deploy" {
|
|
role = aws_iam_role.deploy.name
|
|
policy_arn = aws_iam_policy.deploy.arn
|
|
}
|
|
|
|
resource "aws_iam_instance_profile" "deploy" {
|
|
name = "riju-deploy"
|
|
role = aws_iam_role.deploy.name
|
|
}
|
|
|
|
data "aws_iam_policy_document" "server" {
|
|
statement {
|
|
actions = [
|
|
"s3:GetObject",
|
|
]
|
|
|
|
resources = [
|
|
"arn:aws:s3:::${aws_s3_bucket.riju.bucket}/config.json",
|
|
]
|
|
}
|
|
|
|
statement {
|
|
actions = [
|
|
"ecr:GetAuthorizationToken",
|
|
]
|
|
|
|
resources = [
|
|
"*",
|
|
]
|
|
}
|
|
|
|
statement {
|
|
actions = [
|
|
"ecr:BatchGetImage",
|
|
"ecr:GetDownloadUrlForLayer",
|
|
]
|
|
|
|
resources = [
|
|
aws_ecr_repository.riju.arn,
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_policy" "server" {
|
|
name = "riju-server"
|
|
description = "Policy granting supervisor process on Riju server ability to download from S3"
|
|
policy = data.aws_iam_policy_document.server.json
|
|
}
|
|
|
|
data "aws_iam_policy_document" "server_assume_role" {
|
|
statement {
|
|
actions = [
|
|
"sts:AssumeRole",
|
|
]
|
|
|
|
principals {
|
|
type = "Service"
|
|
identifiers = [
|
|
"ec2.amazonaws.com",
|
|
]
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_role" "server" {
|
|
name = "riju-server"
|
|
description = "Role used by supervisor process on Riju server"
|
|
assume_role_policy = data.aws_iam_policy_document.server_assume_role.json
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "server" {
|
|
role = aws_iam_role.server.name
|
|
policy_arn = aws_iam_policy.server.arn
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "server_ssm" {
|
|
role = aws_iam_role.server.name
|
|
policy_arn = data.aws_iam_policy.ssm.arn
|
|
}
|
|
|
|
resource "aws_iam_instance_profile" "server" {
|
|
name = "riju-server"
|
|
role = aws_iam_role.server.name
|
|
}
|
|
|
|
data "aws_iam_policy_document" "backup_assume_role" {
|
|
statement {
|
|
actions = [
|
|
"sts:AssumeRole",
|
|
]
|
|
|
|
principals {
|
|
type = "Service"
|
|
identifiers = [
|
|
"backup.amazonaws.com",
|
|
]
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_role" "backup" {
|
|
name = "riju-backup"
|
|
description = "Role used by AWS Backup for Riju"
|
|
assume_role_policy = data.aws_iam_policy_document.backup_assume_role.json
|
|
}
|
|
|
|
data "aws_iam_policy" "backup" {
|
|
name = "AWSBackupServiceRolePolicyForBackup"
|
|
}
|
|
|
|
data "aws_iam_policy" "backup_restores" {
|
|
name = "AWSBackupServiceRolePolicyForRestores"
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "backup" {
|
|
role = aws_iam_role.backup.name
|
|
policy_arn = data.aws_iam_policy.backup.arn
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "backup_restores" {
|
|
role = aws_iam_role.backup.name
|
|
policy_arn = data.aws_iam_policy.backup_restores.arn
|
|
}
|