diff --git a/enos/enos-scenario-e2e-aws.hcl b/enos/enos-scenario-e2e-aws.hcl index 10e141b8a5..05419557d6 100644 --- a/enos/enos-scenario-e2e-aws.hcl +++ b/enos/enos-scenario-e2e-aws.hcl @@ -160,19 +160,18 @@ scenario "e2e_aws" { module = module.aws_worker depends_on = [step.create_boundary_cluster] variables { - vpc_id = step.create_base_infra.vpc_id - availability_zones = step.create_base_infra.availability_zone_names - kms_key_arn = step.create_base_infra.kms_key_arn - ubuntu_ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] - local_artifact_path = step.build_boundary.artifact_path - boundary_install_dir = local.boundary_install_dir - iam_instance_profile_name = step.create_boundary_cluster.iam_instance_profile_name - name_prefix = step.create_boundary_cluster.name_prefix - cluster_tag = step.create_boundary_cluster.cluster_tag - controller_addresses = step.create_boundary_cluster.public_controller_addresses - controller_sg_id = step.create_boundary_cluster.controller_aux_sg_id - worker_type_tags = [local.egress_tag] - config_file_path = "templates/worker.hcl" + vpc_id = step.create_base_infra.vpc_id + availability_zones = step.create_base_infra.availability_zone_names + kms_key_arn = step.create_base_infra.kms_key_arn + ubuntu_ami_id = step.create_base_infra.ami_ids["ubuntu"]["amd64"] + local_artifact_path = step.build_boundary.artifact_path + boundary_install_dir = local.boundary_install_dir + name_prefix = step.create_boundary_cluster.name_prefix + cluster_tag = step.create_boundary_cluster.cluster_tag + controller_addresses = step.create_boundary_cluster.public_controller_addresses + controller_sg_id = step.create_boundary_cluster.controller_aux_sg_id + worker_type_tags = [local.egress_tag] + config_file_path = "templates/worker.hcl" } } diff --git a/enos/modules/aws_bucket/main.tf b/enos/modules/aws_bucket/main.tf index 0621e409b4..20c7b1c394 100644 --- a/enos/modules/aws_bucket/main.tf +++ b/enos/modules/aws_bucket/main.tf @@ -29,6 +29,7 @@ data "aws_iam_policy_document" "default" { } resource "aws_iam_user_policy" "default" { + count = var.is_user ? 1 : 0 name = "${aws_s3_bucket.default.id}_${var.user}_access" user = var.user policy = data.aws_iam_policy_document.default.json diff --git a/enos/modules/aws_bucket/outputs.tf b/enos/modules/aws_bucket/outputs.tf index 678a11be62..bbc4cf7cbf 100644 --- a/enos/modules/aws_bucket/outputs.tf +++ b/enos/modules/aws_bucket/outputs.tf @@ -5,3 +5,8 @@ output "bucket_name" { value = aws_s3_bucket.default.id description = "The name of the S3 bucket created by this module." } + +output "bucket_arn" { + value = aws_s3_bucket.default.arn + description = "The ARN of the S3 bucket created by this module." +} diff --git a/enos/modules/aws_bucket/variables.tf b/enos/modules/aws_bucket/variables.tf index 77580d0399..cd051efe41 100644 --- a/enos/modules/aws_bucket/variables.tf +++ b/enos/modules/aws_bucket/variables.tf @@ -12,7 +12,14 @@ variable "cluster_tag" { type = string } +variable "is_user" { + description = "Boolean to specify if a user was provided to this module." + type = bool + default = false +} + variable "user" { description = "A username that will be allowed access to this module's bucket." type = string + default = "" } diff --git a/enos/modules/aws_worker/iam.tf b/enos/modules/aws_worker/iam.tf new file mode 100644 index 0000000000..6bddbcd2c4 --- /dev/null +++ b/enos/modules/aws_worker/iam.tf @@ -0,0 +1,74 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +data "aws_iam_policy_document" "boundary_instance_role" { + statement { + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +data "aws_iam_policy_document" "boundary_profile" { + statement { + resources = ["*"] + + actions = ["ec2:DescribeInstances"] + } + + statement { + resources = [var.kms_key_arn] + + actions = [ + "kms:DescribeKey", + "kms:ListKeys", + "kms:Encrypt", + "kms:Decrypt", + ] + } +} + +data "aws_iam_policy_document" "bucket_policy_document" { + statement { + effect = "Allow" + + actions = [ + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject", + "s3:GetObjectAttributes", + "s3:ListBucket", + ] + + resources = [ + "${var.bucket_arn}/*", + "${var.bucket_arn}", + ] + } +} + +data "aws_iam_policy_document" "combined_policy_document" { + source_policy_documents = [ + data.aws_iam_policy_document.boundary_profile.json, + data.aws_iam_policy_document.bucket_policy_document.json, + ] +} + +resource "aws_iam_role" "boundary_instance_role" { + name = "boundary_instance_role-${random_string.cluster_id.result}" + assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json +} + +resource "aws_iam_instance_profile" "boundary_profile" { + name = "boundary_instance_profile-${random_string.cluster_id.result}" + role = aws_iam_role.boundary_instance_role.name +} + +resource "aws_iam_role_policy" "boundary_policy" { + name = "boundary_policy-${random_string.cluster_id.result}" + role = aws_iam_role.boundary_instance_role.id + policy = var.bucket_arn != "" ? data.aws_iam_policy_document.combined_policy_document.json : data.aws_iam_policy_document.boundary_profile.json +} diff --git a/enos/modules/aws_worker/main.tf b/enos/modules/aws_worker/main.tf index ac2c19bc23..f6f4f59b66 100644 --- a/enos/modules/aws_worker/main.tf +++ b/enos/modules/aws_worker/main.tf @@ -130,7 +130,7 @@ resource "aws_instance" "worker" { vpc_security_group_ids = [aws_security_group.default.id] subnet_id = aws_subnet.default.id key_name = var.ssh_aws_keypair - iam_instance_profile = var.iam_instance_profile_name + iam_instance_profile = aws_iam_instance_profile.boundary_profile.name monitoring = var.worker_monitoring root_block_device { @@ -200,3 +200,11 @@ resource "enos_boundary_start" "worker_start" { } } } + +resource "random_string" "cluster_id" { + length = 8 + lower = true + upper = false + numeric = false + special = false +} diff --git a/enos/modules/aws_worker/outputs.tf b/enos/modules/aws_worker/outputs.tf index 20c057b73a..51e9cdb040 100644 --- a/enos/modules/aws_worker/outputs.tf +++ b/enos/modules/aws_worker/outputs.tf @@ -20,3 +20,8 @@ output "pet_id" { description = "The ID of the random_pet used in this module" value = random_pet.worker.id } + +output "role_arn" { + description = "The ARN of the IAM role used in this module" + value = aws_iam_role.boundary_instance_role.arn +} diff --git a/enos/modules/aws_worker/variables.tf b/enos/modules/aws_worker/variables.tf index e147c99f05..dcda83f665 100644 --- a/enos/modules/aws_worker/variables.tf +++ b/enos/modules/aws_worker/variables.tf @@ -99,11 +99,6 @@ variable "boundary_install_dir" { default = "/opt/boundary/bin" } -variable "iam_instance_profile_name" { - description = "The name of the AWS IAM instance profile from the Boundary cluster module" - type = string -} - variable "name_prefix" { description = "The name_prefix from the Boundary cluster module" type = string @@ -141,3 +136,9 @@ variable "recording_storage_path" { type = string default = "" } + +variable "bucket_arn" { + description = "ARN of the S3 bucket to store recordings" + type = string + default = "" +} diff --git a/enos/modules/test_e2e/main.tf b/enos/modules/test_e2e/main.tf index 91a60d5aa0..4ae9e88217 100644 --- a/enos/modules/test_e2e/main.tf +++ b/enos/modules/test_e2e/main.tf @@ -131,6 +131,11 @@ variable "aws_bucket_name" { type = string default = "" } +variable "aws_role_arn" { + description = "AWS Role ARN that has access to bucket" + type = string + default = "" +} variable "worker_tag_ingress" { type = string default = "" @@ -185,6 +190,7 @@ resource "enos_local_exec" "run_e2e_test" { E2E_AWS_HOST_SET_IPS2 = local.aws_host_set_ips2 E2E_AWS_REGION = var.aws_region E2E_AWS_BUCKET_NAME = var.aws_bucket_name + E2E_AWS_ROLE_ARN = var.aws_role_arn E2E_WORKER_TAG_INGRESS = var.worker_tag_ingress E2E_WORKER_TAG_EGRESS = var.worker_tag_egress E2E_WORKER_ADDRESS = var.worker_address