# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
| |
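terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }

  # Remote state for the Packer IAM roles. The state file records every role,
  # trust policy and inline policy defined below, so it is stored server-side
  # encrypted at rest (the backend did not previously request this).
  backend "s3" {
    bucket  = "airflow-ci-tfstate"
    key     = "tf-state/packer-roles"
    region  = "us-east-2"
    encrypt = true
    # No dynamodb_table is configured, so concurrent applies are not locked;
    # add one if more than one pipeline can write this state.
  }
}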
| |
# Configure the AWS Provider
# The region is fixed to us-east-2, the same region the state backend uses.
# No credentials are declared here; the provider resolves them from the
# standard AWS credential chain (environment, shared config, instance role),
# so nothing secret lives in this file.
provider "aws" {
  region = "us-east-2"
}
| |
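### PACKER NEEDS AN IAM ROLE ###
# Inline policy for the role Packer builds run under. The action list is the
# set an EC2-based Packer builder needs to launch a temporary instance,
# snapshot it into an AMI and clean up afterwards.
#
# Scope note: every action is granted on Resource "*", so the role can also
# terminate instances, delete security groups and modify image attributes
# that Packer did not create, anywhere in the account/region the credentials
# reach. ec2:GetPasswordData additionally reads Windows administrator
# passwords. If the build pipeline tags what it creates, a Condition on the
# ec2:ResourceTag/<TAG-PLACEHOLDER> key for the mutating actions would bound
# the blast radius without changing what Packer can do to its own resources.
resource "aws_iam_role_policy" "packer_policy" {
  name = "packer-base-policy"
  role = aws_iam_role.packer_role.id

  # jsonencode() instead of a heredoc: the document is validated at plan time
  # and cannot be broken by the indentation rules of a `<<-` heredoc. The
  # provider treats semantically equal policy JSON as unchanged.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "04092021"
        Effect = "Allow"
        Action = [
          "ec2:AttachVolume",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CopyImage",
          "ec2:CreateImage",
          "ec2:CreateKeypair",
          "ec2:CreateSecurityGroup",
          "ec2:CreateSnapshot",
          "ec2:CreateTags",
          "ec2:CreateVolume",
          "ec2:DeleteKeyPair",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteSnapshot",
          "ec2:DeleteVolume",
          "ec2:DeregisterImage",
          "ec2:DescribeImageAttribute",
          "ec2:DescribeImages",
          "ec2:DescribeInstances",
          "ec2:DescribeInstanceStatus",
          "ec2:DescribeRegions",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSnapshots",
          "ec2:DescribeSubnets",
          "ec2:DescribeTags",
          "ec2:DescribeVolumes",
          "ec2:DetachVolume",
          "ec2:GetPasswordData",
          "ec2:ModifyImageAttribute",
          "ec2:ModifyInstanceAttribute",
          "ec2:ModifySnapshotAttribute",
          "ec2:RegisterImage",
          "ec2:RunInstances",
          "ec2:StopInstances",
          "ec2:TerminateInstances",
        ]
        Resource = "*"
      }
    ]
  })
}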
| |
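# Role that carries packer_policy. The trust policy only lets the EC2
# service assume it, so it is meant to be worn by an instance profile (e.g.
# the CI host running Packer), not by IAM users. No aws_iam_instance_profile
# for this role appears in the part of the file shown here, so it is
# presumably attached elsewhere — confirm.
resource "aws_iam_role" "packer_role" {
  name = "packer-role"

  # jsonencode() rather than a heredoc so the trust document is validated at
  # plan time; the provider treats semantically equal JSON as unchanged.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Effect = "Allow"
        Sid    = ""
      }
    ]
  })

  # Placeholder tags carried over from the provider example; replace with the
  # project's tagging scheme when one exists.
  tags = {
    tag-key = "tag-value"
  }
}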
| |
### SSM ###
| |
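# Role for the instance Packer builds (it is bound to packer_ssm_profile
# below). EC2-only trust: it cannot be assumed by users or other services.
resource "aws_iam_role" "packer_ssm_role" {
  name = "packer-ssm-role"

  # jsonencode() rather than a heredoc so the trust document is validated at
  # plan time; the provider treats semantically equal JSON as unchanged.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Effect = "Allow"
        Sid    = ""
      }
    ]
  })

  # Placeholder tags carried over from the provider example; replace with the
  # project's tagging scheme when one exists.
  tags = {
    tag-key = "tag-value"
  }
}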
| |
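# Inline policy on the build-instance role. ssm:StartSession is the
# caller-side permission (the side that opens a Session Manager session);
# the instance side only needs AmazonSSMManagedInstanceCore, attached below.
# Since this role sits on the instance itself, this grant is likely unused
# and lets the build instance open sessions to any instance in the account —
# confirm against the Packer connection settings before removing it.
resource "aws_iam_role_policy" "packer_ssm_policy" {
  name = "packer-ssm-policy"
  role = aws_iam_role.packer_ssm_role.id

  # jsonencode() rather than a heredoc so the document is validated at plan
  # time; the provider treats semantically equal JSON as unchanged.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "04092021"
        Effect = "Allow"
        Action = [
          "ssm:StartSession",
        ]
        Resource = "arn:aws:ec2:*:*:instance/*"
      }
    ]
  })
}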
| |
# AWS-managed policy that lets the SSM agent on the build instance register
# with Systems Manager; this is what makes Session Manager access to the
# instance possible without SSH ingress.
resource "aws_iam_role_policy_attachment" "attach_packer_ssm_policy" {
  role       = aws_iam_role.packer_ssm_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
| |
# Instance profile that puts packer_ssm_role on the build instance. Note the
# name uses underscores while every other resource here uses hyphens.
resource "aws_iam_instance_profile" "packer_ssm_profile" {
  name = "packer_ssm_instance_profile"
  role = aws_iam_role.packer_ssm_role.name
}