[arvados] updated: 2.6.0-149-g648c8c492

git repository hosting git at public.arvados.org
Wed May 10 20:41:51 UTC 2023


Summary of changes:
 .../multi_host/aws/pillars/arvados.sls             |  2 +-
 .../terraform/aws/data-storage/main.tf             | 10 ++++++-
 .../terraform/aws/data-storage/outputs.tf          |  4 +++
 .../salt-install/terraform/aws/services/locals.tf  |  1 +
 tools/salt-install/terraform/aws/services/main.tf  | 34 ++++++++++++++++++++++
 5 files changed, 49 insertions(+), 2 deletions(-)

       via  648c8c4928da80b9fb3f6a7fd41904ff017bcd44 (commit)
      from  92e7c012e250f689e13ef249fc76134fcc5df393 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 648c8c4928da80b9fb3f6a7fd41904ff017bcd44
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Wed May 10 17:38:48 2023 -0300

    20482: Adds proper compute node instance profile instead of using keepstore's.
    
    We initially reused keepstore's instance profile because compute nodes now run
    a local keepstore.
    We also need to give compute nodes permission to change resources related to
    the EBS Autoscaler.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/arvados.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/arvados.sls
index 03859c46b..f181c874d 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/arvados.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/arvados.sls
@@ -129,7 +129,7 @@ arvados:
           ### This SG should allow SSH from the dispatcher to the compute nodes
           SecurityGroupIDs: ['sg-FIXMEFIXMEFIXMEFI']
           SubnetID: subnet-FIXMEFIXMEFIXMEFI
-          IAMInstanceProfile: __CLUSTER__-keepstore-00-iam-role
+          IAMInstanceProfile: __CLUSTER__-compute-node-00-iam-role
       DispatchPrivateKey: |
         -----BEGIN OPENSSH PRIVATE KEY-----
         Read https://doc.arvados.org/install/crunch2-cloud/install-compute-node.html#sshkeypair
diff --git a/tools/salt-install/terraform/aws/data-storage/main.tf b/tools/salt-install/terraform/aws/data-storage/main.tf
index a3ef8f010..85a67ef4d 100644
--- a/tools/salt-install/terraform/aws/data-storage/main.tf
+++ b/tools/salt-install/terraform/aws/data-storage/main.tf
@@ -30,6 +30,11 @@ resource "aws_iam_role" "keepstore_iam_role" {
   assume_role_policy = "${file("../assumerolepolicy.json")}"
 }
 
+resource "aws_iam_role" "compute_node_iam_role" {
+  name = "${local.cluster_name}-compute-node-00-iam-role"
+  assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
 resource "aws_iam_policy" "s3_full_access" {
   name = "${local.cluster_name}_s3_full_access"
   policy = jsonencode({
@@ -50,7 +55,10 @@ resource "aws_iam_policy" "s3_full_access" {
 
 resource "aws_iam_policy_attachment" "s3_full_access_policy_attachment" {
   name = "${local.cluster_name}_s3_full_access_attachment"
-  roles = [ aws_iam_role.keepstore_iam_role.name ]
+  roles = [
+    aws_iam_role.keepstore_iam_role.name,
+    aws_iam_role.compute_node_iam_role.name,
+  ]
   policy_arn = aws_iam_policy.s3_full_access.arn
 }
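Review bot: Adding `aws_iam_role.compute_node_iam_role.name` to the `s3_full_access` attachment gives hosts that execute user containers the same S3 rights as keepstore; the policy body starts above this hunk, so its scope cannot be confirmed here, but it is worth checking that the statement is limited to the keep bucket(s) and to the actions the node-local keepstore actually needs rather than a bucket-wide `s3:*`. Separately, `aws_iam_policy_attachment` manages the complete attachment set of a policy, so any role, user or group attached to `s3_full_access` outside this resource is detached on the next apply; one `aws_iam_role_policy_attachment` per role avoids that coupling.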
 
diff --git a/tools/salt-install/terraform/aws/data-storage/outputs.tf b/tools/salt-install/terraform/aws/data-storage/outputs.tf
index 6298f926a..de45aa861 100644
--- a/tools/salt-install/terraform/aws/data-storage/outputs.tf
+++ b/tools/salt-install/terraform/aws/data-storage/outputs.tf
@@ -6,6 +6,10 @@ output "keepstore_iam_role_name" {
   value = aws_iam_role.keepstore_iam_role.name
 }
 
+output "compute_node_iam_role_name" {
+  value = aws_iam_role.compute_node_iam_role.name
+}
+
 output "use_external_db" {
   value = var.use_external_db
 }
\ No newline at end of file
diff --git a/tools/salt-install/terraform/aws/services/locals.tf b/tools/salt-install/terraform/aws/services/locals.tf
index abba4aab7..191b7e03e 100644
--- a/tools/salt-install/terraform/aws/services/locals.tf
+++ b/tools/salt-install/terraform/aws/services/locals.tf
@@ -17,4 +17,5 @@ locals {
   ssl_password_secret_name = "${local.cluster_name}-${var.ssl_password_secret_name_suffix}"
   instance_ami_id = var.instance_ami != "" ? var.instance_ami : data.aws_ami.debian-11.image_id
   custom_tags = data.terraform_remote_state.vpc.outputs.custom_tags
+  compute_node_iam_role_name = data.terraform_remote_state.data-storage.outputs.compute_node_iam_role_name
 }
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index f7a2527c2..a253ae26e 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -25,6 +25,11 @@ resource "aws_iam_instance_profile" "keepstore_instance_profile" {
   role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
 }
 
+resource "aws_iam_instance_profile" "compute_node_instance_profile" {
+  name = "${local.cluster_name}-compute-node-00-iam-role"
+  role = local.compute_node_iam_role_name
+}
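Review bot: The profile name `"${local.cluster_name}-compute-node-00-iam-role"` re-spells the role name that `data-storage/main.tf` defines and that the pillar's `IAMInstanceProfile` expects, so the three copies can drift; since `locals.tf` already exposes it, `name = local.compute_node_iam_role_name` keeps profile and role aligned. The `-iam-role` suffix on an instance profile is also easy to misread, but renaming it would break the pillar, so a comment such as `# Profile name intentionally equals the role name; the pillar references it as IAMInstanceProfile.` is the safer fix.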
+
 resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
   name = "${local.cluster_name}_dispatcher_instance_profile"
   role = aws_iam_role.cloud_dispatcher_iam_role.name
@@ -72,6 +77,35 @@ resource "aws_instance" "arvados_service" {
   }
 }
 
+resource "aws_iam_policy" "compute_node_ebs_autoscaler" {
+  name = "${local.cluster_name}_compute_node_ebs_autoscaler"
+  policy = jsonencode({
+    Version: "2012-10-17",
+    Id: "compute-node EBS Autoscaler policy",
+    Statement: [{
+      Effect: "Allow",
+      Action: [
+          "ec2:AttachVolume",
+          "ec2:DescribeVolumeStatus",
+          "ec2:DescribeVolumes",
+          "ec2:DescribeTags",
+          "ec2:ModifyInstanceAttribute",
+          "ec2:DescribeVolumeAttribute",
+          "ec2:CreateVolume",
+          "ec2:DeleteVolume",
+          "ec2:CreateTags"
+      ],
+      Resource: "*"
+    }]
+  })
+}
+
+resource "aws_iam_policy_attachment" "compute_node_ebs_autoscaler_attachment" {
+  name = "${local.cluster_name}_compute_node_ebs_autoscaler_attachment"
+  roles = [ local.compute_node_iam_role_name ]
+  policy_arn = aws_iam_policy.compute_node_ebs_autoscaler.arn
+}
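Review bot: The single statement grants `ec2:AttachVolume`, `ec2:DeleteVolume` and `ec2:ModifyInstanceAttribute` on `Resource: "*"`, so a compute node — and, unless the compute image blocks IMDS from containers (not visible in this commit), any user container running on it — can delete or attach any EBS volume in the account, including those of other cluster hosts, and change attributes of any instance. Only the Describe calls need `*`; the mutating calls should be limited to volumes the autoscaler itself created, by requiring a tag at `CreateVolume` (`aws:RequestTag`) and matching it on delete/attach (`aws:ResourceTag`), with `ec2:CreateTags` restricted to creation time (`ec2:CreateAction`) so a node cannot tag an arbitrary volume to satisfy the condition. The tag key and value must match what the autoscaler script applies, and the compute instances themselves need the tag for `AttachVolume`/`ModifyInstanceAttribute` to match — both are outside this commit, so the placeholders below need confirming. As with the S3 attachment, `aws_iam_policy_attachment` is exclusive; `aws_iam_role_policy_attachment` is the safer form for a single role.
```hcl
resource "aws_iam_policy" "compute_node_ebs_autoscaler" {
  name = "${local.cluster_name}_compute_node_ebs_autoscaler"
  policy = jsonencode({
    Version: "2012-10-17",
    Id: "compute-node EBS Autoscaler policy",
    Statement: [{
      # Read-only calls; EC2 Describe* cannot be resource-scoped.
      Effect: "Allow",
      Action: [
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
      ],
      Resource: "*"
    }, {
      # New volumes must carry the autoscaler tag so the statement below matches only them.
      Effect: "Allow",
      Action: ["ec2:CreateVolume"],
      Resource: "*",
      Condition: { StringEquals: { "aws:RequestTag/AUTOSCALER_TAG_KEY": "AUTOSCALER_TAG_VALUE" } }
    }, {
      # Tags may only be applied as part of CreateVolume, not to existing resources.
      Effect: "Allow",
      Action: ["ec2:CreateTags"],
      Resource: "*",
      Condition: { StringEquals: { "ec2:CreateAction": "CreateVolume" } }
    }, {
      # Mutating calls only on resources tagged by the autoscaler (compute instances need the tag too — confirm).
      Effect: "Allow",
      Action: [
        "ec2:AttachVolume",
        "ec2:DeleteVolume",
        "ec2:ModifyInstanceAttribute",
      ],
      Resource: "*",
      Condition: { StringEquals: { "aws:ResourceTag/AUTOSCALER_TAG_KEY": "AUTOSCALER_TAG_VALUE" } }
    }]
  })
}
```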
+
 resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
   name = "${local.cluster_name}_cloud_dispatcher_ec2_access"
   policy = jsonencode({

-----------------------------------------------------------------------

