
iam added to allow access from ec2

Roberto Barbosa 8 年之前
8ea6353bb7

+ 0 - 0
examples/alb/graph.png → examples/ha_instance/graph.png


+ 1 - 1
examples/alb/main.tf → examples/ha_instance/main.tf

@@ -9,7 +9,7 @@ module "app_subnets" {
 }
 
 module "alb" {
-  source = "/Users/rnrbarbosa/repos/cloud-aws-stack/alb/"
+  source = "/Users/rnrbarbosa/repos/cloud-aws-stack/ha_instance/"
 
   vpc_id = "${data.terraform_remote_state.base.vpc_id}"
   stack_name = "${var.stack_name}"
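Review bot: The new `source` on the `+` line is an absolute path under one developer's home directory (`/Users/rnrbarbosa/repos/...`), so `terraform init` of this example fails for anyone else and in CI; the example should point at the module relative to its own location, e.g. `source = "../../ha_instance"`. The module block is also still labelled `module "alb"` while it now instantiates `ha_instance`, which is misleading in plan output and state; renaming it to `module "ha_instance"` keeps the label and the module aligned. The module block continues past the end of the hunk.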

+ 0 - 0
examples/alb/outputs.tf → examples/ha_instance/outputs.tf


+ 0 - 0
examples/alb/provider.tf → examples/ha_instance/provider.tf


+ 0 - 0
examples/alb/terraform.tfvars → examples/ha_instance/terraform.tfvars


+ 2 - 0
ha_instance/asg.tf

@@ -10,6 +10,8 @@ resource "aws_launch_configuration" "asg_launch_nuxeo" {
     security_groups             = ["${var.alb_secgroups}"]
     enable_monitoring           = false
     ebs_optimized               = false
+    #iam_instance_profile = "${aws_iam_instance_profile.nuxeo_instance_profile.id}"
+
 
     user_data       		= "${file("userdata.sh")}"
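Review bot: The `iam_instance_profile` line added at the top of the hunk is commented out, so after this commit the launch configuration still has no instance profile and the role defined in iam.tf is never attached to the EC2 instances, which contradicts the commit title "iam added to allow access from ec2". If the profile is meant to be attached, the line should be live: `iam_instance_profile = "${aws_iam_instance_profile.nuxeo_instance_profile.id}"`; if attachment is deliberately deferred, a comment such as `# TODO: attach once the IAM policy resources are finalised` would tell the next reader why. The `aws_launch_configuration` block starts and ends outside the hunk.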
 

+ 65 - 0
ha_instance/iam.tf

@@ -0,0 +1,65 @@
+# Create an IAM role for the Web Servers.
+resource "aws_iam_role" "nuxeo_iam_role" {
+    name = "${var.stack_name}"
+    assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "nuxeo_instance_profile" {
+    name = "${var.stack_name}"
+    roles = ["nuxeo_iam_role"]
+}
+
+resource "aws_iam_role_policy" "nuxeo_iam_role_policy" {
+  name = "${var.stack_name}"
+  role = "${aws_iam_role.nuxeo_iam_role.id}"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": ["s3:ListBucket"],
+      "Resource": ["arn:aws:s3:::bucket-name"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject"
+      ],
+      "Resource": [
+          "arn:aws:s3:::nuxeo-${sha1("${var.stack_name}")}/*",
+          "arn:aws:s3:::nuxeo-backup-${sha1("${var.stack_name}")}/*"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_s3_bucket" "apps_bucket" {
+    bucket = "bucket-name"
+    acl = "private"
+    versioning {
+            enabled = true
+    }
+    tags {
+        Name = "bucket-name"
+    }
+}
+
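Review bot: `roles = ["nuxeo_iam_role"]` in `aws_iam_instance_profile.nuxeo_instance_profile` is a literal string rather than a reference — the role is actually named `${var.stack_name}` — so the profile points at a role that does not exist and Terraform gets no dependency edge between the two resources; it should be `roles = ["${aws_iam_role.nuxeo_iam_role.name}"]`. The policy is also inconsistent with itself: `s3:ListBucket` is granted only on the placeholder `arn:aws:s3:::bucket-name`, while the object actions target `nuxeo-<sha1>` and `nuxeo-backup-<sha1>`, so listing the buckets the instances actually use is denied; the ListBucket `Resource` should be `"arn:aws:s3:::nuxeo-${sha1("${var.stack_name}")}"` and `"arn:aws:s3:::nuxeo-backup-${sha1("${var.stack_name}")}"`. Separately, `apps_bucket` is created with the literal, globally scoped name `bucket-name`, which will collide with any other account's bucket of that name, and it lacks the billing tags the buckets in s3/s3.tf carry. From a least-privilege standpoint, granting `s3:DeleteObject` on the backup bucket to the instance role means a compromised instance can destroy its own backups; unless the application must prune backups itself, dropping that action for the backup bucket (and using a lifecycle rule for expiry) limits the blast radius.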

+ 0 - 11
s3/s3.tf

@@ -25,14 +25,3 @@ resource "aws_s3_bucket" "bucket_backup" {
   }
 }
 
-resource "aws_s3_bucket" "bucket_logs" {
-    bucket = "nuxeo-logs-${sha1("${var.stack_name}")}"
-    acl = "private"
-
-  tags {
-    Name              = "nuxeo-logs-${sha1("${var.stack_name}")}"
-    billing-category    = "customers"
-    billing-subcategory = "${var.stack_name}"
-    role                = "nuxeo.bucket.logs"
-  }
-}

+ 1 - 0
vpc/eip.tf

@@ -1,3 +1,4 @@
+# AWS EIP
 resource "aws_eip" "nateip" {
   vpc   = true
 }

+ 1 - 0
vpc/igw.tf

@@ -1,3 +1,4 @@
+# INTERNET GATEWAY
 resource "aws_internet_gateway" "igw" {
   vpc_id = "${aws_vpc.vpc.id}"
 

+ 1 - 0
vpc/nat.tf

@@ -1,3 +1,4 @@
+# NAT GATEWAY
 resource "aws_nat_gateway" "natgw" {
   allocation_id = "${aws_eip.nateip.id}"
   subnet_id     = "${aws_subnet.sn_public.id}"

+ 0 - 1
vpc/routes.tf

@@ -32,7 +32,6 @@ resource "aws_route_table" "rtb_private" {
   }
 }
 
-
 resource "aws_route_table_association" "rta_public" {
   subnet_id      = "${aws_subnet.sn_public.id}"
   route_table_id = "${aws_route_table.rtb_public.id}"