ecr: add s3 bucket and role policy for FVP job

for TFC-92. The summary of changes:

Create the S3 bucket for tuxtput
Create policy to access it, and attach it to existing ecr_push_pull role
make an instance profile that grants access to ecr_push_pull for instances it is attached to


Change-Id: Iba6520b9d533ff92255deb3b7bea9d2c708d082e
diff --git a/ecr.tf b/ecr.tf
index ef959cf..7562ad3 100644
--- a/ecr.tf
+++ b/ecr.tf
@@ -54,3 +54,35 @@
 EOF
 }
 
+module "trustedfirmware_fvp_storage" {
+  source = "./modules/resources/s3"
+  bucket = "trustedfirmware-fvp"
+  acl = "private"
+}
+
+module "s3_fvp_policy" {
+  source      = "./modules/resources/role_policy"
+  role_id     = aws_iam_role.ecr_pushpull_role.id
+  policy_file = "templates/role_policy.tmpl"
+  actions = [
+                "s3:AbortMultipartUpload",
+                "s3:CompleteMultipartUpload",
+                "s3:ListBucket",
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:DeleteObject",
+                "s3:PutObjectAcl"
+  ]
+  resources = [
+                "arn:aws:s3:::trustedfirmware-fvp/*"
+  ]
+}
+
+
+module "jenkins_instance_profile" {
+  source    = "./modules/resources/instance_profile"
+  name      = "jenkins_instance_profile"
+  role_name =  aws_iam_role.ecr_pushpull_role.name
+}
+
+
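Review bot: In `s3_fvp_policy`, `s3:ListBucket` is a bucket-level action, but `resources` names only the object ARN `arn:aws:s3:::trustedfirmware-fvp/*`. Assuming `templates/role_policy.tmpl` (not part of this diff) renders one statement from these lists, the listing grant will match nothing; adding `"arn:aws:s3:::trustedfirmware-fvp"` to `resources` would fix that. `s3:PutObjectAcl` lets any holder of the role set per-object ACLs, which can undercut `acl = "private"` unless the s3 module also blocks public access, so drop it if the FVP job does not need it. `s3:CompleteMultipartUpload` looks like an API operation name rather than an IAM action (completion is normally authorised by `s3:PutObject`), which is worth confirming. Because `jenkins_instance_profile` hands the same `ecr_pushpull_role` to instances, every instance carrying that profile gets these S3 permissions in addition to the ECR ones.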
diff --git a/modules/resources/instance_profile/main.tf b/modules/resources/instance_profile/main.tf
new file mode 100644
index 0000000..8b071ab
--- /dev/null
+++ b/modules/resources/instance_profile/main.tf
@@ -0,0 +1,4 @@
+resource "aws_iam_instance_profile" "profile" {
+  name = var.name
+  role = var.role_name
+}
diff --git a/modules/resources/instance_profile/outputs.tf b/modules/resources/instance_profile/outputs.tf
new file mode 100644
index 0000000..4c5c455
--- /dev/null
+++ b/modules/resources/instance_profile/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+  value = "${aws_iam_instance_profile.profile.arn}"
+}
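Review bot: The `arn` output wraps a single reference in string interpolation, which Terraform 0.12 and later flag as deprecated; the rest of the change already uses bare references such as `var.name`. Write it as `value = aws_iam_instance_profile.profile.arn`. A `description = "ARN of the instance profile"` line would also tell callers what they are consuming.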
diff --git a/modules/resources/instance_profile/vars.tf b/modules/resources/instance_profile/vars.tf
new file mode 100644
index 0000000..ae30b15
--- /dev/null
+++ b/modules/resources/instance_profile/vars.tf
@@ -0,0 +1,6 @@
+variable "name" {
+  default = "gitlab_role"
+}
+
+variable "role_name" {
+}
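Review bot: The `name` variable defaults to `"gitlab_role"`, so a caller that forgets to pass `name` silently creates an instance profile labelled as if it belonged to a different system. This makes later IAM audits harder to read. Make it a required input by removing the default, and declare both variables with `type = string` and a short `description`. The only caller visible in this diff already passes `name` explicitly, so dropping the default should not break it.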
diff --git a/modules/resources/role_policy/main.tf b/modules/resources/role_policy/main.tf
new file mode 100644
index 0000000..be7a939
--- /dev/null
+++ b/modules/resources/role_policy/main.tf
@@ -0,0 +1,9 @@
+resource "aws_iam_role_policy" "role_policy" {
+  role = var.role_id
+  policy = templatefile(var.policy_file, {
+    effect    = var.effect
+    actions   = jsonencode(var.actions)
+    resources = jsonencode(var.resources)
+    }
+  )
+}
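Review bot: The `aws_iam_role_policy` resource never sets `name`, although the module's vars.tf declares a `name` variable, so the inline policy ends up with a provider-generated name that is hard to recognise when reviewing the role. Either wire it through with `name = var.name != "" ? var.name : null` or drop the unused variable. Separately, `templatefile(var.policy_file, ...)` resolves a relative path such as `templates/role_policy.tmpl` against the directory Terraform runs in, not the module. Add a comment that the path is relative to the root configuration, or have the caller pass `"${path.root}/templates/role_policy.tmpl"`.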
diff --git a/modules/resources/role_policy/vars.tf b/modules/resources/role_policy/vars.tf
new file mode 100644
index 0000000..a296803
--- /dev/null
+++ b/modules/resources/role_policy/vars.tf
@@ -0,0 +1,25 @@
+variable "role_id" {
+  default = ""
+}
+
+variable "name" {
+  default = ""
+}
+
+variable "policy_file" {
+  default = ""
+}
+
+variable "resources" {
+  type    = list
+  default = []
+}
+
+variable "actions" {
+  type    = list
+  default = []
+}
+
+variable "effect" {
+  default = "Allow"
+}
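Review bot: `role_id`, `policy_file`, `actions` and `resources` all default to empty values, so a call that omits one passes validation and only fails, or renders a statement with empty lists, at plan or apply time. For a module that writes IAM policy, these should be required inputs with no default. `type = list` is the legacy untyped form; `type = list(string)` rejects non-string entries before they reach `jsonencode`. `effect` is passed into the template unchecked, so a short comment stating that only `"Allow"` and `"Deny"` are valid (or a `validation` block, if the Terraform version in use supports one) would guard against typos.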