From 9d83a18986a9b8fccf2496067269dfc0a8e433ab Mon Sep 17 00:00:00 2001 From: Daniel Czyczyn-Egird Date: Thu, 23 Jan 2025 16:29:37 +0100 Subject: [PATCH] Add possibility to use own custom arn roles instead of create new ones every time --- iam.tf | 34 ++++++++---- locals.tf | 11 ++++ main.tf | 12 +++++ modules/computation/batch.tf | 4 +- modules/computation/ec2.tf | 4 +- modules/computation/iam-batch-execution.tf | 18 +++++-- modules/computation/iam-ecs-execution.tf | 6 ++- modules/computation/iam-ecs-instance.tf | 6 ++- modules/computation/locals.tf | 19 +++++++ modules/computation/outputs.tf | 4 +- modules/computation/variables.tf | 18 +++++++ modules/metadata-service/iam.tf | 14 +++-- modules/metadata-service/lambda.tf | 14 +++-- modules/metadata-service/locals.tf | 8 +++ modules/metadata-service/outputs.tf | 2 +- modules/metadata-service/variables.tf | 12 +++++ modules/step-functions/iam-eventbridge.tf | 2 +- modules/step-functions/iam-step-functions.tf | 22 ++++---- modules/step-functions/locals.tf | 8 +++ modules/step-functions/variables.tf | 12 +++++ modules/ui/iam.tf | 14 +++-- modules/ui/variables.tf | 7 +++ outputs.tf | 6 +-- variables.tf | 54 ++++++++++++++++++++ 24 files changed, 266 insertions(+), 45 deletions(-) diff --git a/iam.tf b/iam.tf index 9ee5deb..9cadd70 100644 --- a/iam.tf +++ b/iam.tf @@ -23,6 +23,8 @@ resource "aws_iam_role" "batch_s3_task_role" { assume_role_policy = data.aws_iam_policy_document.batch_s3_task_role_assume_role.json tags = var.tags + + count = var.batch_s3_task_role_name == "" ? 1 : 0 } data "aws_iam_policy_document" "custom_s3_list_batch" { 
@@ -202,49 +204,63 @@ data "aws_iam_policy_document" "cloudwatch" {
 resource "aws_iam_role_policy" "grant_custom_s3_list_batch" {
 name = "s3_list"
- role = aws_iam_role.batch_s3_task_role.name
+ role = aws_iam_role.batch_s3_task_role[0].name
 policy = data.aws_iam_policy_document.custom_s3_list_batch.json
+
+ count = var.batch_s3_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_custom_s3_batch" {
 name = "custom_s3"
- role = aws_iam_role.batch_s3_task_role.name
+ role = aws_iam_role.batch_s3_task_role[0].name
 policy = data.aws_iam_policy_document.custom_s3_batch.json
+
+ count = var.batch_s3_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_s3_kms" {
 name = "s3_kms"
- role = aws_iam_role.batch_s3_task_role.name
+ role = aws_iam_role.batch_s3_task_role[0].name
 policy = data.aws_iam_policy_document.s3_kms.json
+
+ count = var.batch_s3_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_deny_presigned_batch" {
 name = "deny_presigned"
- role = aws_iam_role.batch_s3_task_role.name
+ role = aws_iam_role.batch_s3_task_role[0].name
 policy = data.aws_iam_policy_document.deny_presigned_batch.json
+
+ count = var.batch_s3_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_allow_sagemaker" {
 name = "sagemaker"
- role = aws_iam_role.batch_s3_task_role.name
+ role = aws_iam_role.batch_s3_task_role[0].name
 policy = data.aws_iam_policy_document.allow_sagemaker.json
+
+ count = var.batch_s3_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_iam_pass_role" {
 name = "iam_pass_role"
- role = aws_iam_role.batch_s3_task_role.name
+ role = aws_iam_role.batch_s3_task_role[0].name
 policy = data.aws_iam_policy_document.iam_pass_role.json
+
+ count = var.batch_s3_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_dynamodb" {
- count = var.enable_step_functions ? 1 : 0
+ count = (var.batch_s3_task_role_name == "" && var.enable_step_functions) ? 
1 : 0
 name = "dynamodb"
- role = aws_iam_role.batch_s3_task_role.name
+ role = aws_iam_role.batch_s3_task_role[0].name
 policy = data.aws_iam_policy_document.dynamodb.json
 }
 resource "aws_iam_role_policy" "grant_cloudwatch" {
 name = "cloudwatch"
- role = aws_iam_role.batch_s3_task_role.name
+ role = aws_iam_role.batch_s3_task_role[0].name
 policy = data.aws_iam_policy_document.cloudwatch.json
+
+ count = var.batch_s3_task_role_name == "" ? 1 : 0
 }
diff --git a/locals.tf b/locals.tf
index 34268e3..a3a544d 100644
--- a/locals.tf
+++ b/locals.tf
@@ -2,6 +2,11 @@ module "metaflow-common" {
 source = "./modules/common"
 }
+data "aws_iam_role" "batch_s3_task_role" {
+ name = var.batch_s3_task_role_name
+ count = var.batch_s3_task_role_name == "" ? 0 : 1
+}
+
 locals {
 resource_prefix = length(var.resource_prefix) > 0 ? "${var.resource_prefix}-" : ""
 resource_suffix = length(var.resource_suffix) > 0 ? "-${var.resource_suffix}" : ""
@@ -21,4 +26,10 @@ locals {
 module.metaflow-common.default_ui_static_container_image : var.ui_static_container_image
 )
+
+ metadata_svc_ecs_task_role_id = var.metadata_svc_ecs_task_role_name == "" ? aws_iam_role.metadata_svc_ecs_task_role[0].id : data.metadata_svc_ecs_task_role.id
+ metadata_svc_ecs_task_role_arn = var.metadata_svc_ecs_task_role_name == "" ? aws_iam_role.metadata_svc_ecs_task_role[0].arn : data.metadata_svc_ecs_task_role.arn
+
+ batch_s3_task_role_id = var.batch_s3_task_role_name == "" ? aws_iam_role.batch_s3_task_role[0].id : data.batch_s3_task_role.id
+ batch_s3_task_role_arn = var.batch_s3_task_role_name == "" ? aws_iam_role.batch_s3_task_role[0].arn : data.batch_s3_task_role.arn
 }
diff --git a/main.tf b/main.tf
index 9b2aaee..3e4c09f 100644
--- a/main.tf
+++ b/main.tf
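Review bot: Every inline policy on `batch_s3_task_role` — including the `deny_presigned` Deny statement — is now created only when `batch_s3_task_role_name` is empty, so a caller-supplied role runs Metaflow tasks with whatever it already carries and without this module's guardrail, and nothing in the hunk says so. A one-line comment above the first gated policy would make the trade-off explicit: `# The policies below are attached only to the module-managed role; an externally supplied batch_s3_task_role_name must already carry equivalent grants and the deny_presigned guardrail.` Also, `grant_dynamodb` keeps `count` as its first argument while the surrounding resources append it after `policy`; picking one placement (Terraform convention puts `count` first) keeps the file uniform.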
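Review bot: `data.batch_s3_task_role.id` and `data.metadata_svc_ecs_task_role.id` are not valid addresses — a data source is referenced as `data.<type>.<name>`, and the lookup declared above uses `count`, so it needs an index: `data.aws_iam_role.batch_s3_task_role[0].id`. The two `metadata_svc_ecs_task_role_*` locals also point at `aws_iam_role.metadata_svc_ecs_task_role`, which this patch declares inside `modules/metadata-service`, not at the root, and no root `data "aws_iam_role"` exists for it, so `terraform validate` rejects both. The module already exports the resolved ARN (`modules/metadata-service/outputs.tf` in this patch), so the root `metadata_svc_*` locals can be dropped and the batch pair rewritten as `batch_s3_task_role_arn = var.batch_s3_task_role_name == "" ? aws_iam_role.batch_s3_task_role[0].arn : data.aws_iam_role.batch_s3_task_role[0].arn` (and likewise for `_id`).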
@@ -43,6 +43,9 @@ module "metaflow-metadata-service" {
 vpc_cidr_blocks = var.vpc_cidr_blocks
 with_public_ip = var.with_public_ip
+ metadata_svc_ecs_task_role_name = var.metadata_svc_ecs_task_role_name
+ lambda_ecs_execute_role_name = var.lambda_ecs_execute_role_name
+
 standard_tags = var.tags
 }
@@ -73,6 +76,8 @@ module "metaflow-ui" {
 certificate_arn = var.ui_certificate_arn
 metadata_service_security_group_id = module.metaflow-metadata-service.metadata_service_security_group_id
+ metadata_ui_ecs_task_role_name = var.metadata_ui_ecs_task_role_name
+
 extra_ui_static_env_vars = var.extra_ui_static_env_vars
 extra_ui_backend_env_vars = var.extra_ui_backend_env_vars
 standard_tags = var.tags
@@ -98,6 +103,10 @@ module "metaflow-computation" {
 launch_template_http_tokens = var.launch_template_http_tokens
 launch_template_http_put_response_hop_limit = var.launch_template_http_put_response_hop_limit
+ batch_execution_role_name = var.batch_execution_role_name
+ ecs_execution_role_name = var.ecs_execution_role_name
+ ecs_instance_role_name = var.ecs_instance_role_name
+
 standard_tags = var.tags
 }
@@ -113,5 +122,8 @@ module "metaflow-step-functions" {
 s3_bucket_arn = module.metaflow-datastore.s3_bucket_arn
 s3_bucket_kms_arn = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
+ eventbridge_role_name = var.eventbridge_role_name
+ step_functions_role_name = var.step_functions_role_name
+
 standard_tags = var.tags
 }
diff --git a/modules/computation/batch.tf b/modules/computation/batch.tf
index 655e4a6..f8e206e 100644
--- a/modules/computation/batch.tf
+++ b/modules/computation/batch.tf
@@ -9,7 +9,7 @@ resource "aws_batch_compute_environment" "this" {
 compute_environment_name_prefix = local.compute_env_prefix_name
 # Give permissions so the batch service can make API calls.
- service_role = aws_iam_role.batch_execution_role.arn
+ service_role = local.batch_execution_role_arn
 type = "MANAGED"
 # On destroy, this avoids removing these policies below until compute environments are destroyed
@@ -22,7 +22,7 @@ resource "aws_batch_compute_environment" "this" {
 compute_resources {
 # Give permissions so the ECS container instances can make API call.
- instance_role = !local.enable_fargate_on_batch ? aws_iam_instance_profile.ecs_instance_role.arn : null
+ instance_role = !local.enable_fargate_on_batch ? local.ecs_instance_role_arn : null
 # List of types that can be launched.
 instance_type = !local.enable_fargate_on_batch ? var.compute_environment_instance_types : null
diff --git a/modules/computation/ec2.tf b/modules/computation/ec2.tf
index ef40aa4..3d9029b 100644
--- a/modules/computation/ec2.tf
+++ b/modules/computation/ec2.tf
@@ -46,7 +46,9 @@ resource "aws_launch_template" "cpu" {
 */
 resource "aws_iam_instance_profile" "ecs_instance_role" {
 name = local.ecs_instance_role_name
- role = aws_iam_role.ecs_instance_role.name
+ role = aws_iam_role.ecs_instance_role[0].name
+
+ count = var.ecs_instance_role_name == "" ? 1 : 0
 }
 resource "aws_security_group" "this" {
diff --git a/modules/computation/iam-batch-execution.tf b/modules/computation/iam-batch-execution.tf
index 733cab6..6b65b44 100644
--- a/modules/computation/iam-batch-execution.tf
+++ b/modules/computation/iam-batch-execution.tf
@@ -24,6 +24,8 @@ resource "aws_iam_role" "batch_execution_role" {
 assume_role_policy = data.aws_iam_policy_document.batch_execution_role_assume_role.json
 tags = var.standard_tags
+
+ count = var.batch_execution_role_name == "" ? 1 : 0
 }
 data "aws_iam_policy_document" "iam_pass_role" {
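Review bot: `instance_role` under `compute_resources` takes an instance-profile ARN, but `local.ecs_instance_role_arn` (defined in `modules/computation/locals.tf` in this patch) resolves to the IAM role's ARN, so even the default path no longer passes the `aws_iam_instance_profile.ecs_instance_role` it used before and Batch will reject the compute environment. When `ecs_instance_role_name` is set the situation is worse: the instance profile resource is gated to zero (ec2.tf hunk) and no `data "aws_iam_role" "ecs_instance_role"` lookup is declared, so nothing wraps the external role in a profile at all. I would keep the profile ARN here and resolve the external case through a `data "aws_iam_instance_profile" "ecs_instance_role"` lookup gated on the same variable; that assumes the caller's profile is named like the role, which is a convention worth stating in the variable description (or replacing with a dedicated `ecs_instance_profile_name` input).
```hcl
# compute_resources { … unchanged …
instance_role = !local.enable_fargate_on_batch ? (
  var.ecs_instance_role_name == ""
  ? aws_iam_instance_profile.ecs_instance_role[0].arn
  : data.aws_iam_instance_profile.ecs_instance_role[0].arn
) : null
```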
@@ -161,24 +163,32 @@ data "aws_iam_policy_document" "ec2_custom_policies" {
 resource "aws_iam_role_policy" "grant_iam_pass_role" {
 name = "iam_pass_role"
- role = aws_iam_role.batch_execution_role.name
+ role = aws_iam_role.batch_execution_role[0].name
 policy = data.aws_iam_policy_document.iam_pass_role.json
+
+ count = var.batch_execution_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_custom_access_policy" {
 name = "custom_access"
- role = aws_iam_role.batch_execution_role.name
+ role = aws_iam_role.batch_execution_role[0].name
 policy = data.aws_iam_policy_document.custom_access_policy.json
+
+ count = var.batch_execution_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_iam_custom_policies" {
 name = "iam_custom"
- role = aws_iam_role.batch_execution_role.name
+ role = aws_iam_role.batch_execution_role[0].name
 policy = data.aws_iam_policy_document.iam_custom_policies.json
+
+ count = var.batch_execution_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_ec2_custom_policies" {
 name = "ec2_custom"
- role = aws_iam_role.batch_execution_role.name
+ role = aws_iam_role.batch_execution_role[0].name
 policy = data.aws_iam_policy_document.ec2_custom_policies.json
+
+ count = var.batch_execution_role_name == "" ? 1 : 0
 }
diff --git a/modules/computation/iam-ecs-execution.tf b/modules/computation/iam-ecs-execution.tf
index edb89b9..5441f56 100644
--- a/modules/computation/iam-ecs-execution.tf
+++ b/modules/computation/iam-ecs-execution.tf
@@ -25,6 +25,8 @@ resource "aws_iam_role" "ecs_execution_role" {
 assume_role_policy = data.aws_iam_policy_document.ecs_execution_role_assume_role.json
 tags = var.standard_tags
+
+ count = var.ecs_execution_role_name == "" ? 1 : 0
 }
 data "aws_iam_policy_document" "ecs_task_execution_policy" {
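Review bot: `grant_iam_pass_role` is skipped whenever `batch_execution_role_name` is set, yet nothing in the patch records that the external role must carry an equivalently scoped `iam:PassRole` (the `iam_pass_role` document body is outside this hunk, so I am assuming it is scoped to the ECS roles this module creates). PassRole is the privilege boundary for the Batch service role: too narrow and compute environments fail to launch, too broad (`iam:PassRole` on `*`) and the external role quietly widens what Batch can hand to instances. A comment at the top of this block would capture the contract: `# When batch_execution_role_name is set, none of these policies are attached; the supplied role must allow iam:PassRole on exactly the ECS instance/execution roles this module uses, and no wider.`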
@@ -50,6 +52,8 @@ data "aws_iam_policy_document" "ecs_task_execution_policy" {
 resource "aws_iam_role_policy" "grant_ecs_access" {
 name = "ecs_access"
- role = aws_iam_role.ecs_execution_role.name
+ role = aws_iam_role.ecs_execution_role[0].name
 policy = data.aws_iam_policy_document.ecs_task_execution_policy.json
+
+ count = var.ecs_execution_role_name == "" ? 1 : 0
 }
diff --git a/modules/computation/iam-ecs-instance.tf b/modules/computation/iam-ecs-instance.tf
index 7347990..fe6b724 100644
--- a/modules/computation/iam-ecs-instance.tf
+++ b/modules/computation/iam-ecs-instance.tf
@@ -22,6 +22,8 @@ resource "aws_iam_role" "ecs_instance_role" {
 description = "This role is passed to AWS Batch as a `instance_role`. This allows our Metaflow Batch jobs to execute with proper permissions."
 assume_role_policy = data.aws_iam_policy_document.ecs_instance_role_assume_role.json
+
+ count = var.ecs_instance_role_name == "" ? 1 : 0
 }
 /*
@@ -32,6 +34,8 @@ resource "aws_iam_role" "ecs_instance_role" {
 https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
 */
 resource "aws_iam_role_policy_attachment" "ecs_instance_role" {
- role = aws_iam_role.ecs_instance_role.name
+ role = aws_iam_role.ecs_instance_role[0].name
 policy_arn = "arn:${var.iam_partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+
+ count = var.ecs_instance_role_name == "" ? 1 : 0
 }
diff --git a/modules/computation/locals.tf b/modules/computation/locals.tf
index bea84cb..7a07dee 100644
--- a/modules/computation/locals.tf
+++ b/modules/computation/locals.tf
@@ -1,3 +1,13 @@
+data "aws_iam_role" "batch_execution_role" {
+ name = var.batch_execution_role_name
+ count = var.batch_execution_role_name == "" ? 0 : 1
+}
+
+data "aws_iam_role" "ecs_execution_role" {
+ name = var.ecs_execution_role_name
+ count = var.ecs_execution_role_name == "" ? 0 : 1
+}
+
 locals {
 # Name of Batch service's security group used on the compute environment
 batch_security_group_name = "${var.resource_prefix}batch-compute-environment-security-group${var.resource_suffix}"
@@ -19,4 +29,13 @@ locals {
 ecs_instance_role_name = "${var.resource_prefix}ecs-iam-role${var.resource_suffix}"
 enable_fargate_on_batch = var.batch_type == "fargate"
+
+ batch_execution_role_id = var.batch_execution_role_name == "" ? aws_iam_role.batch_execution_role[0].id : data.batch_execution_role.id
+ batch_execution_role_arn = var.batch_execution_role_name == "" ? aws_iam_role.batch_execution_role[0].arn : data.batch_execution_role.arn
+
+ ecs_execution_role_id = var.ecs_execution_role_name == "" ? aws_iam_role.ecs_execution_role[0].id : data.ecs_execution_role.id
+ ecs_execution_role_arn = var.ecs_execution_role_name == "" ? aws_iam_role.ecs_execution_role[0].arn : data.ecs_execution_role.arn
+
+ ecs_instance_role_id = var.ecs_instance_role_name == "" ? aws_iam_role.ecs_instance_role[0].id : data.ecs_instance_role.id
+ ecs_instance_role_arn = var.ecs_instance_role_name == "" ? aws_iam_role.ecs_instance_role[0].arn : data.ecs_instance_role.arn
 }
diff --git a/modules/computation/outputs.tf b/modules/computation/outputs.tf
index 6890f43..a86bdc2 100644
--- a/modules/computation/outputs.tf
+++ b/modules/computation/outputs.tf
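Review bot: The six new locals reference `data.batch_execution_role`, `data.ecs_execution_role` and `data.ecs_instance_role`, none of which is a valid address: the lookups declared at the top of this file are `data.aws_iam_role.batch_execution_role[0]` and `data.aws_iam_role.ecs_execution_role[0]`, and no data source for `ecs_instance_role` is declared at all, so `terraform validate` fails as soon as any of these locals is read. Beyond the addressing fix (each local should read `data.aws_iam_role.<name>[0].id` / `.arn`), looking a role up by name verifies nothing about it: `local.batch_execution_role_arn` is handed to Batch as `service_role` in batch.tf, and a role whose trust policy does not allow `batch.amazonaws.com` only fails at apply time, while an over-privileged one is silently handed to the service. `data "aws_iam_role"` exposes `assume_role_policy`, so a `postcondition` can at least enforce the trust relationship, and the missing instance-role lookup belongs next to it.
```hcl
data "aws_iam_role" "batch_execution_role" {
  name  = var.batch_execution_role_name
  count = var.batch_execution_role_name == "" ? 0 : 1

  lifecycle {
    postcondition {
      condition     = can(regex("batch\\.amazonaws\\.com", self.assume_role_policy))
      error_message = "batch_execution_role_name must name a role that batch.amazonaws.com is allowed to assume."
    }
  }
}

# … unchanged: ecs_execution_role lookup (same postcondition pattern with ecs-tasks.amazonaws.com) …

data "aws_iam_role" "ecs_instance_role" {
  name  = var.ecs_instance_role_name
  count = var.ecs_instance_role_name == "" ? 0 : 1
}
```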
@@ -9,12 +9,12 @@ output "batch_job_queue_arn" {
 }
 output "ecs_execution_role_arn" {
- value = aws_iam_role.ecs_execution_role.arn
+ value = local.ecs_execution_role_arn
 description = "The IAM role that grants access to ECS and Batch services which we'll use as our Metadata Service API's execution_role for our Fargate instance"
 }
 output "ecs_instance_role_arn" {
- value = aws_iam_role.ecs_instance_role.arn
+ value = local.ecs_instance_role_arn
 description = "This role will be granted access to our S3 Bucket which acts as our blob storage."
 }
diff --git a/modules/computation/variables.tf b/modules/computation/variables.tf
index 92d11ba..2344e9c 100644
--- a/modules/computation/variables.tf
+++ b/modules/computation/variables.tf
@@ -102,3 +102,21 @@ variable "launch_template_image_id" {
 nullable = true
 default = null
 }
+
+variable "batch_execution_role_name" {
+ type = string
+ description = "Custom Name for the Batch Execution Role"
+ default = ""
+}
+
+variable "ecs_execution_role_name" {
+ type = string
+ description = "Custom Name for the ECS Execution Role"
+ default = ""
+}
+
+variable "ecs_instance_role_name" {
+ type = string
+ description = "Custom Name for the ECS Instance Role"
+ default = ""
+}
diff --git a/modules/metadata-service/iam.tf b/modules/metadata-service/iam.tf
index be0a2de..c1ba8f4 100644
--- a/modules/metadata-service/iam.tf
+++ b/modules/metadata-service/iam.tf
@@ -22,6 +22,8 @@ resource "aws_iam_role" "metadata_svc_ecs_task_role" {
 assume_role_policy = data.aws_iam_policy_document.metadata_svc_ecs_task_assume_role.json
 tags = var.standard_tags
+
+ count = var.metadata_svc_ecs_task_role_name == "" ? 1 : 0
 }
 data "aws_iam_policy_document" "s3_kms" {
@@ -84,18 +86,24 @@ data "aws_iam_policy_document" "deny_presigned_batch" {
 resource "aws_iam_role_policy" "grant_s3_kms" {
 name = "s3_kms"
- role = aws_iam_role.metadata_svc_ecs_task_role.name
+ role = aws_iam_role.metadata_svc_ecs_task_role[0].name
 policy = data.aws_iam_policy_document.s3_kms.json
+
+ count = var.metadata_svc_ecs_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_custom_s3_batch" {
 name = "custom_s3"
- role = aws_iam_role.metadata_svc_ecs_task_role.name
+ role = aws_iam_role.metadata_svc_ecs_task_role[0].name
 policy = data.aws_iam_policy_document.custom_s3_batch.json
+
+ count = var.metadata_svc_ecs_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_deny_presigned_batch" {
 name = "deny_presigned"
- role = aws_iam_role.metadata_svc_ecs_task_role.name
+ role = aws_iam_role.metadata_svc_ecs_task_role[0].name
 policy = data.aws_iam_policy_document.deny_presigned_batch.json
+
+ count = var.metadata_svc_ecs_task_role_name == "" ? 1 : 0
 }
diff --git a/modules/metadata-service/lambda.tf b/modules/metadata-service/lambda.tf
index af5fce8..288b8f1 100644
--- a/modules/metadata-service/lambda.tf
+++ b/modules/metadata-service/lambda.tf
@@ -18,6 +18,8 @@ resource "aws_iam_role" "lambda_ecs_execute_role" {
 assume_role_policy = data.aws_iam_policy_document.lambda_ecs_execute_role.json
 tags = var.standard_tags
+
+ count = var.lambda_ecs_execute_role_name == "" ? 1 : 0
 }
 data "aws_iam_policy_document" "lambda_ecs_task_execute_policy_cloudwatch" {
@@ -68,14 +70,18 @@ data "aws_iam_policy_document" "lambda_ecs_task_execute_policy_vpc" {
 resource "aws_iam_role_policy" "grant_lambda_ecs_cloudwatch" {
 name = "cloudwatch"
- role = aws_iam_role.lambda_ecs_execute_role.name
+ role = aws_iam_role.lambda_ecs_execute_role[0].name
 policy = data.aws_iam_policy_document.lambda_ecs_task_execute_policy_cloudwatch.json
+
+ count = var.lambda_ecs_execute_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_lambda_ecs_vpc" {
 name = "ecs_task_execute"
- role = aws_iam_role.lambda_ecs_execute_role.name
+ role = aws_iam_role.lambda_ecs_execute_role[0].name
 policy = data.aws_iam_policy_document.lambda_ecs_task_execute_policy_vpc.json
+
+ count = var.lambda_ecs_execute_role_name == "" ? 1 : 0
 }
 data "archive_file" "db_migrate_lambda" {
@@ -119,7 +125,7 @@ resource "aws_lambda_function" "db_migrate_lambda" {
 description = "Trigger DB Migration"
 filename = local.db_migrate_lambda_zip_file
 source_code_hash = data.archive_file.db_migrate_lambda.output_base64sha256
- role = aws_iam_role.lambda_ecs_execute_role.arn
+ role = aws_iam_role.lambda_ecs_execute_role[0].arn
 tags = var.standard_tags
 environment {
@@ -132,4 +138,6 @@ resource "aws_lambda_function" "db_migrate_lambda" {
 subnet_ids = [var.subnet1_id, var.subnet2_id]
 security_group_ids = [aws_security_group.metadata_service_security_group.id]
 }
+
+ count = var.lambda_ecs_execute_role_name == "" ? 1 : 0
 }
diff --git a/modules/metadata-service/locals.tf b/modules/metadata-service/locals.tf
index a75f8db..2b4811f 100644
--- a/modules/metadata-service/locals.tf
+++ b/modules/metadata-service/locals.tf
@@ -2,6 +2,11 @@ module "metaflow-common" {
 source = "../common"
 }
+data "aws_iam_role" "metadata_svc_ecs_task_role" {
+ name = var.metadata_svc_ecs_task_role_name
+ count = var.metadata_svc_ecs_task_role_name == "" ? 0 : 1
+}
+
 locals {
 # Name of ECS cluster.
 # replace() ensures names that are composed of just prefix + suffix do not have duplicate dashes
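Review bot: Adding `count = var.lambda_ecs_execute_role_name == "" ? 1 : 0` to `aws_lambda_function.db_migrate_lambda` removes the DB-migration Lambda entirely whenever a custom role is named, rather than running it under that role — the opposite of what the variable promises — and anything that still references `aws_lambda_function.db_migrate_lambda` without an index (outside this hunk) will stop validating. The `role =` line in the previous hunk also hard-wires `aws_iam_role.lambda_ecs_execute_role[0].arn`, and no `data "aws_iam_role" "lambda_ecs_execute_role"` lookup exists anywhere in the patch, so there is no external-role path at all for this function. Drop the `count` on the Lambda and resolve the role the way the other modules do.
```hcl
data "aws_iam_role" "lambda_ecs_execute_role" {
  name  = var.lambda_ecs_execute_role_name
  count = var.lambda_ecs_execute_role_name == "" ? 0 : 1
}

# resource "aws_lambda_function" "db_migrate_lambda" { … unchanged: filename, source_code_hash …
role = var.lambda_ecs_execute_role_name == "" ? aws_iam_role.lambda_ecs_execute_role[0].arn : data.aws_iam_role.lambda_ecs_execute_role[0].arn
# … unchanged: tags, environment, vpc_config … (no count on this resource)
```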
@@ -27,4 +32,7 @@ locals {
 lambda_ecs_execute_role_name = "${var.resource_prefix}lambda_ecs_execute${var.resource_suffix}"
 cloudwatch_logs_arn_prefix = "arn:${var.iam_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
+
+ metadata_svc_ecs_task_role_id = var.metadata_svc_ecs_task_role_name == "" ? aws_iam_role.metadata_svc_ecs_task_role[0].id : data.metadata_svc_ecs_task_role.id
+ metadata_svc_ecs_task_role_arn = var.metadata_svc_ecs_task_role_name == "" ? aws_iam_role.metadata_svc_ecs_task_role[0].arn : data.metadata_svc_ecs_task_role.arn
 }
diff --git a/modules/metadata-service/outputs.tf b/modules/metadata-service/outputs.tf
index 5b93e41..cd9312a 100644
--- a/modules/metadata-service/outputs.tf
+++ b/modules/metadata-service/outputs.tf
@@ -29,7 +29,7 @@ output "metadata_service_security_group_id" {
 }
 output "metadata_svc_ecs_task_role_arn" {
- value = aws_iam_role.metadata_svc_ecs_task_role.arn
+ value = local.metadata_svc_ecs_task_role_arn
 description = "This role is passed to AWS ECS' task definition as the `task_role`. This allows the running of the Metaflow Metadata Service to have the proper permissions to speak to other AWS resources."
 }
diff --git a/modules/metadata-service/variables.tf b/modules/metadata-service/variables.tf
index b38f99c..0f7e9ca 100644
--- a/modules/metadata-service/variables.tf
+++ b/modules/metadata-service/variables.tf
@@ -126,3 +126,15 @@ variable "with_public_ip" {
 type = bool
 description = "Enable public IP assignment for the Metadata Service. Typically you want this to be set to true if using public subnets as subnet1_id and subnet2_id, and false otherwise"
 }
+
+variable "metadata_svc_ecs_task_role_name" {
+ type = string
+ description = "Custom Name for the Metadata Service ECS Task Role"
+ default = ""
+}
+
+variable "lambda_ecs_execute_role_name" {
+ type = string
+ description = "Custom Name for the Lambda ECS Execute Role"
+ default = ""
+}
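Review bot: `data.metadata_svc_ecs_task_role.id` and `.arn` are not valid addresses; the lookup declared earlier in this file is `data "aws_iam_role" "metadata_svc_ecs_task_role"` with `count`, so both locals must read `data.aws_iam_role.metadata_svc_ecs_task_role[0].id` and `data.aws_iam_role.metadata_svc_ecs_task_role[0].arn`. As written, `terraform validate` fails on the module output that now consumes `local.metadata_svc_ecs_task_role_arn`.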
diff --git a/modules/step-functions/iam-eventbridge.tf b/modules/step-functions/iam-eventbridge.tf
index 46e31e0..85210b2 100644
--- a/modules/step-functions/iam-eventbridge.tf
+++ b/modules/step-functions/iam-eventbridge.tf
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "eventbridge_step_functions_policy" {
 }
 resource "aws_iam_role" "eventbridge_role" {
- count = var.active ? 1 : 0
+ count = (var.eventbridge_role_name == "" && var.active) ? 1 : 0
 name = "${var.resource_prefix}eventbridge_role${var.resource_suffix}"
 description = "IAM role for Amazon EventBridge to access AWS Step Functions."
 assume_role_policy = data.aws_iam_policy_document.eventbridge_assume_role_policy.json
diff --git a/modules/step-functions/iam-step-functions.tf b/modules/step-functions/iam-step-functions.tf
index e617785..767889e 100644
--- a/modules/step-functions/iam-step-functions.tf
+++ b/modules/step-functions/iam-step-functions.tf
@@ -138,7 +138,7 @@ data "aws_iam_policy_document" "step_functions_dynamodb" {
 }
 resource "aws_iam_role" "step_functions_role" {
- count = var.active ? 1 : 0
+ count = (var.step_functions_role_name == "" && var.active) ? 1 : 0
 name = "${var.resource_prefix}step_functions_role${var.resource_suffix}"
 description = "IAM role for AWS Step Functions to access AWS resources (AWS Batch, AWS DynamoDB)."
 assume_role_policy = data.aws_iam_policy_document.step_functions_assume_role_policy.json
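Review bot: `eventbridge_role` is now skipped when `eventbridge_role_name` is set, but unlike `step_functions_role` the patch adds no `data "aws_iam_role" "eventbridge_role"` lookup and no `eventbridge_role_*` local in `modules/step-functions/locals.tf`, so whatever consumes `aws_iam_role.eventbridge_role[0].arn` elsewhere in the module (outside this hunk — presumably the EventBridge target or an output) has nothing to fall back to and will index an empty list. Mirror the Step Functions handling: a count-gated `data "aws_iam_role" "eventbridge_role"` lookup keyed on `var.eventbridge_role_name`, and an `eventbridge_role_arn` local that selects between the created and looked-up role.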
@@ -147,36 +147,36 @@ resource "aws_iam_role" "step_functions_role" {
 }
 resource "aws_iam_role_policy" "step_functions_batch" {
- count = var.active ? 1 : 0
+ count = (var.step_functions_role_name == "" && var.active) ? 1 : 0
 name = "aws_batch"
- role = aws_iam_role.step_functions_role[0].id
+ role = local.step_functions_role_id
 policy = data.aws_iam_policy_document.step_functions_batch_policy.json
 }
 resource "aws_iam_role_policy" "step_functions_s3" {
- count = var.active ? 1 : 0
+ count = (var.step_functions_role_name == "" && var.active) ? 1 : 0
 name = "s3"
- role = aws_iam_role.step_functions_role[0].id
+ role = local.step_functions_role_id
 policy = data.aws_iam_policy_document.step_functions_s3.json
 }
 resource "aws_iam_role_policy" "step_functions_cloudwatch" {
- count = var.active ? 1 : 0
+ count = (var.step_functions_role_name == "" && var.active) ? 1 : 0
 name = "cloudwatch"
- role = aws_iam_role.step_functions_role[0].id
+ role = local.step_functions_role_id
 policy = data.aws_iam_policy_document.step_functions_cloudwatch.json
 }
 resource "aws_iam_role_policy" "step_functions_eventbridge" {
- count = var.active ? 1 : 0
+ count = (var.step_functions_role_name == "" && var.active) ? 1 : 0
 name = "event_bridge"
- role = aws_iam_role.step_functions_role[0].id
+ role = local.step_functions_role_id
 policy = data.aws_iam_policy_document.step_functions_eventbridge.json
 }
 resource "aws_iam_role_policy" "step_functions_dynamodb" {
- count = var.active ? 1 : 0
+ count = (var.step_functions_role_name == "" && var.active) ? 1 : 0
 name = "dynamodb"
- role = aws_iam_role.step_functions_role[0].id
+ role = local.step_functions_role_id
 policy = data.aws_iam_policy_document.step_functions_dynamodb.json
 }
diff --git a/modules/step-functions/locals.tf b/modules/step-functions/locals.tf
index b92bab9..0be1ed2 100644
--- a/modules/step-functions/locals.tf
+++ b/modules/step-functions/locals.tf
@@ -1,3 +1,11 @@
+data "aws_iam_role" "step_functions_role" {
+ name = var.step_functions_role_name
+ count = var.step_functions_role_name == "" ? 0 : 1
+}
+
 locals {
 dynamodb_step_functions_state_db_name = "${var.resource_prefix}step_functions_state${var.resource_suffix}"
+
+ step_functions_role_id = var.step_functions_role_name == "" ? aws_iam_role.step_functions_role[0].id : data.step_functions_role.id
+ step_functions_role_arn = var.step_functions_role_name == "" ? aws_iam_role.step_functions_role[0].arn : data.step_functions_role.arn
 }
diff --git a/modules/step-functions/variables.tf b/modules/step-functions/variables.tf
index 641c495..14c15fe 100644
--- a/modules/step-functions/variables.tf
+++ b/modules/step-functions/variables.tf
@@ -39,3 +39,15 @@ variable "standard_tags" {
 type = map(string)
 description = "The standard tags to apply to every AWS resource."
 }
+
+variable "eventbridge_role_name" {
+ type = string
+ description = "Custom Name for the EventBridge Role"
+ default = ""
+}
+
+variable "step_functions_role_name" {
+ type = string
+ description = "Custom Name for the Step Functions Role"
+ default = ""
+}
\ No newline at end of file
diff --git a/modules/ui/iam.tf b/modules/ui/iam.tf
index a4a0995..4d69c52 100644
--- a/modules/ui/iam.tf
+++ b/modules/ui/iam.tf
@@ -22,6 +22,8 @@ resource "aws_iam_role" "metadata_ui_ecs_task_role" {
 assume_role_policy = data.aws_iam_policy_document.metadata_svc_ecs_task_assume_role.json
 tags = var.standard_tags
+
+ count = var.metadata_ui_ecs_task_role_name == "" ? 1 : 0
 }
 data "aws_iam_policy_document" "s3_kms" {
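Review bot: `data.step_functions_role.id` and `.arn` are not valid addresses; the lookup declared just above is `data.aws_iam_role.step_functions_role[0]`. The other branch indexes `aws_iam_role.step_functions_role[0]` unconditionally, but that resource has `count = 0` whenever `var.active` is false, so any consumer of these locals outside the count-gated policy resources (an output, say — not visible here) would fail with an index error on an inactive module. `one()` yields null instead of an error on the empty list: `step_functions_role_id = var.step_functions_role_name == "" ? one(aws_iam_role.step_functions_role[*].id) : one(data.aws_iam_role.step_functions_role[*].id)`, and the same shape for `_arn`.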
@@ -84,18 +86,24 @@ data "aws_iam_policy_document" "deny_presigned_batch" {
 resource "aws_iam_role_policy" "grant_s3_kms" {
 name = "s3_kms"
- role = aws_iam_role.metadata_ui_ecs_task_role.name
+ role = aws_iam_role.metadata_ui_ecs_task_role[0].name
 policy = data.aws_iam_policy_document.s3_kms.json
+
+ count = var.metadata_ui_ecs_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_custom_s3_batch" {
 name = "custom_s3"
- role = aws_iam_role.metadata_ui_ecs_task_role.name
+ role = aws_iam_role.metadata_ui_ecs_task_role[0].name
 policy = data.aws_iam_policy_document.custom_s3_batch.json
+
+ count = var.metadata_ui_ecs_task_role_name == "" ? 1 : 0
 }
 resource "aws_iam_role_policy" "grant_deny_presigned_batch" {
 name = "deny_presigned"
- role = aws_iam_role.metadata_ui_ecs_task_role.name
+ role = aws_iam_role.metadata_ui_ecs_task_role[0].name
 policy = data.aws_iam_policy_document.deny_presigned_batch.json
+
+ count = var.metadata_ui_ecs_task_role_name == "" ? 1 : 0
 }
diff --git a/modules/ui/variables.tf b/modules/ui/variables.tf
index db1ce14..3626948 100644
--- a/modules/ui/variables.tf
+++ b/modules/ui/variables.tf
@@ -126,3 +126,10 @@ variable "alb_internal" {
 description = "Defines whether the ALB is internal"
 default = false
 }
+
+variable "metadata_ui_ecs_task_role_name" {
+ type = string
+ description = "Custom Name for the Metad UI ECS Task Role"
+ default = ""
+}
+
diff --git a/outputs.tf b/outputs.tf
index 9b3b339..1887935 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -14,7 +14,7 @@ output "METAFLOW_DATATOOLS_S3ROOT" {
 }
 output "METAFLOW_ECS_S3_ACCESS_IAM_ROLE" {
- value = aws_iam_role.batch_s3_task_role.arn
+ value = local.batch_s3_task_role_arn
 description = "Role for AWS Batch to Access Amazon S3"
 }
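Review bot: This module gates its task role and all three policies on `metadata_ui_ecs_task_role_name`, yet the diffstat lists only `modules/ui/iam.tf` and `modules/ui/variables.tf` and this file adds no `data "aws_iam_role"` lookup, so there is no way to resolve the supplied name — whatever consumes `aws_iam_role.metadata_ui_ecs_task_role.arn` (the UI task definition, outside this hunk) now needs `[0]` and still has no external-role branch. Add the same pair used in `modules/metadata-service`: a count-gated `data "aws_iam_role" "metadata_ui_ecs_task_role"` lookup keyed on the variable and a `metadata_ui_ecs_task_role_arn` local choosing between the created and looked-up role. As with the other modules, an externally supplied role also loses the `deny_presigned` Deny statement, which deserves a sentence in the variable description.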
@@ -54,7 +54,7 @@ output "datastore_s3_bucket_kms_key_arn" {
 }
 output "metadata_svc_ecs_task_role_arn" {
- value = module.metaflow-metadata-service.metadata_svc_ecs_task_role_arn
+ value = local.metadata_svc_ecs_task_role_arn
 }
 output "metaflow_api_gateway_rest_api_id" {
@@ -84,7 +84,7 @@ output "metaflow_profile_json" {
 "METAFLOW_DATASTORE_SYSROOT_S3" = module.metaflow-datastore.METAFLOW_DATASTORE_SYSROOT_S3,
 "METAFLOW_DATATOOLS_S3ROOT" = module.metaflow-datastore.METAFLOW_DATATOOLS_S3ROOT,
 "METAFLOW_BATCH_JOB_QUEUE" = module.metaflow-computation.METAFLOW_BATCH_JOB_QUEUE,
- "METAFLOW_ECS_S3_ACCESS_IAM_ROLE" = aws_iam_role.batch_s3_task_role.arn
+ "METAFLOW_ECS_S3_ACCESS_IAM_ROLE" = local.batch_s3_task_role_arn
 "METAFLOW_SERVICE_URL" = module.metaflow-metadata-service.METAFLOW_SERVICE_URL,
 "METAFLOW_SERVICE_INTERNAL_URL" = module.metaflow-metadata-service.METAFLOW_SERVICE_INTERNAL_URL,
 "METAFLOW_SFN_IAM_ROLE" = module.metaflow-step-functions.metaflow_step_functions_role_arn,
diff --git a/variables.tf b/variables.tf
index 1738c0b..06cf946 100644
--- a/variables.tf
+++ b/variables.tf
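Review bot: Replacing `module.metaflow-metadata-service.metadata_svc_ecs_task_role_arn` with `local.metadata_svc_ecs_task_role_arn` is a step backwards: the module output was already switched to the resolved local inside the module (`modules/metadata-service/outputs.tf` in this patch), whereas the root local points at `aws_iam_role.metadata_svc_ecs_task_role`, which is not declared at the root. Keep the module output here: `value = module.metaflow-metadata-service.metadata_svc_ecs_task_role_arn`.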
@@ -199,3 +199,57 @@ variable "enable_key_rotation" {
 description = "Enable key rotation for KMS keys"
 default = false
 }
+
+variable "batch_s3_task_role_name" { #DONE
+ type = string
+ description = "Custom Name for the Batch S3 Task Role"
+ default = ""
+}
+
+variable "batch_execution_role_name" { #DONE
+ type = string
+ description = "Custom Name for the Batch Execution Role"
+ default = ""
+}
+
+variable "ecs_execution_role_name" { #DONE
+ type = string
+ description = "Custom Name for the ECS Execution Role"
+ default = ""
+}
+
+variable "ecs_instance_role_name" { #DONE
+ type = string
+ description = "Custom Name for the ECS Instance Role"
+ default = ""
+}
+
+variable "metadata_svc_ecs_task_role_name" { #DONE
+ type = string
+ description = "Custom Name for the Metadata Service ECS Task Role"
+ default = ""
+}
+
+variable "lambda_ecs_execute_role_name" { #DONE
+ type = string
+ description = "Custom Name for the Lambda ECS Execute Role"
+ default = ""
+}
+
+variable "eventbridge_role_name" { #DONE
+ type = string
+ description = "Custom Name for the EventBridge Role"
+ default = ""
+}
+
+variable "step_functions_role_name" { #DONE
+ type = string
+ description = "Custom Name for the Step Functions Role"
+ default = ""
+}
+
+variable "metadata_ui_ecs_task_role_name" { #DONE
+ type = string
+ description = "Custom Name for the Metadata UI ECS Task Role"
+ default = ""
+}
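Review bot: The nine `#DONE` markers are work-in-progress residue and should be removed. More importantly, the descriptions say only "Custom Name for …" while the commit title speaks of ARNs: each input is a role *name* resolved in the current account via `data "aws_iam_role"`, and supplying it switches off every policy this module would otherwise attach, including the `deny_presigned` Deny statements. A description such as `"Name of an existing IAM role to use instead of creating one. When set, this module attaches none of its policies: the role must already be assumable by the target service and carry equivalent permissions and guardrails."` tells the operator what they are taking on. A `validation` block rejecting whitespace-only values would also keep `" "` from slipping past the `== ""` checks that gate every resource in this patch.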