ecr: add s3 bucket and role policy for FVP job
for TFC-92. The summary of changes:
Create the S3 bucket for tuxtput
Create policy to access it, and attach it to existing ecr_push_pull role
Make an instance profile that grants access to ecr_push_pull for instances it is attached to
Change-Id: Iba6520b9d533ff92255deb3b7bea9d2c708d082e
diff --git a/ecr.tf b/ecr.tf
index ef959cf..7562ad3 100644
--- a/ecr.tf
+++ b/ecr.tf
@@ -54,3 +54,35 @@
EOF
}
+module "trustedfirmware_fvp_storage" {
+ source = "./modules/resources/s3"
+ bucket = "trustedfirmware-fvp"
+ acl = "private"
+}
+
+module "s3_fvp_policy" {
+ source = "./modules/resources/role_policy"
+ role_id = aws_iam_role.ecr_pushpull_role.id
+ policy_file = "templates/role_policy.tmpl"
+ actions = [
+ "s3:AbortMultipartUpload",
+ "s3:CompleteMultipartUpload",
+ "s3:ListBucket",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:PutObjectAcl"
+ ]
+ resources = [
+ "arn:aws:s3:::trustedfirmware-fvp/*"
+ ]
+}
+
+
+module "jenkins_instance_profile" {
+ source = "./modules/resources/instance_profile"
+ name = "jenkins_instance_profile"
+ role_name = aws_iam_role.ecr_pushpull_role.name
+}
+
+
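Review bot: `s3:ListBucket` in the `s3_fvp_policy` actions is a bucket-level action, but the only resource granted is the object path `arn:aws:s3:::trustedfirmware-fvp/*`, so listing will still be denied; the bucket ARN itself must be in `resources`, e.g. `resources = ["arn:aws:s3:::trustedfirmware-fvp", "arn:aws:s3:::trustedfirmware-fvp/*"]` (or the bucket ARN output of `trustedfirmware_fvp_storage`, if that module exposes one — not visible here). `s3:PutObjectAcl` deserves a second look: it lets the role change per-object ACLs regardless of the bucket's `acl = "private"`, and the s3 module is not on this page so it is unclear whether a public-access block backs that up. The instance profile also means any EC2 instance given `jenkins_instance_profile` inherits the full `ecr_pushpull_role`, now including this S3 access, which is presumably the intent but worth a comment on the module call. The resource that the `EOF` / `}` context lines close starts outside the hunk.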
diff --git a/modules/resources/instance_profile/main.tf b/modules/resources/instance_profile/main.tf
new file mode 100644
index 0000000..8b071ab
--- /dev/null
+++ b/modules/resources/instance_profile/main.tf
@@ -0,0 +1,4 @@
+resource "aws_iam_instance_profile" "profile" {
+ name = var.name
+ role = var.role_name
+}
diff --git a/modules/resources/instance_profile/outputs.tf b/modules/resources/instance_profile/outputs.tf
new file mode 100644
index 0000000..4c5c455
--- /dev/null
+++ b/modules/resources/instance_profile/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+ value = "${aws_iam_instance_profile.profile.arn}"
+}
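Review bot: `value = "${aws_iam_instance_profile.profile.arn}"` uses the legacy interpolation-only string form, which Terraform 0.12+ (already required by the `templatefile` call elsewhere in this commit) flags as a warning; write it as `value = aws_iam_instance_profile.profile.arn`. An output `description` would also help callers of the module.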
diff --git a/modules/resources/instance_profile/vars.tf b/modules/resources/instance_profile/vars.tf
new file mode 100644
index 0000000..ae30b15
--- /dev/null
+++ b/modules/resources/instance_profile/vars.tf
@@ -0,0 +1,6 @@
+variable "name" {
+ default = "gitlab_role"
+}
+
+variable "role_name" {
+}
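Review bot: The default `"gitlab_role"` for `name` looks like a leftover from another module, since the only caller sets `name = "jenkins_instance_profile"` and the value names an instance profile rather than a role; the default should probably be removed so callers state the name explicitly, e.g. `variable "name" { description = "Name of the IAM instance profile" }`. `role_name` has no description either; a one-line `description = "Name of the IAM role to attach to the profile"` would document the contract.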
diff --git a/modules/resources/role_policy/main.tf b/modules/resources/role_policy/main.tf
new file mode 100644
index 0000000..be7a939
--- /dev/null
+++ b/modules/resources/role_policy/main.tf
@@ -0,0 +1,9 @@
+resource "aws_iam_role_policy" "role_policy" {
+ role = var.role_id
+ policy = templatefile(var.policy_file, {
+ effect = var.effect
+ actions = jsonencode(var.actions)
+ resources = jsonencode(var.resources)
+ }
+ )
+}
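Review bot: `aws_iam_role_policy.role_policy` never sets `name`, so the `name` variable declared in `modules/resources/role_policy/vars.tf` in this same commit is dead and Terraform will generate a random inline-policy name for every caller; either pass it through, e.g. `name = var.name != "" ? var.name : null`, or drop the variable. The `templates/role_policy.tmpl` file is not part of this diff, so whether `effect` is quoted correctly inside the template cannot be checked here; a comment stating the expected template variables (`effect`, `actions`, `resources` as JSON) on the `templatefile` call would make the module self-describing.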
diff --git a/modules/resources/role_policy/vars.tf b/modules/resources/role_policy/vars.tf
new file mode 100644
index 0000000..a296803
--- /dev/null
+++ b/modules/resources/role_policy/vars.tf
@@ -0,0 +1,25 @@
+variable "role_id" {
+ default = ""
+}
+
+variable "name" {
+ default = ""
+}
+
+variable "policy_file" {
+ default = ""
+}
+
+variable "resources" {
+ type = list
+ default = []
+}
+
+variable "actions" {
+ type = list
+ default = []
+}
+
+variable "effect" {
+ default = "Allow"
+}
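Review bot: `type = list` on `resources` and `actions` is the deprecated unconstrained form; both are `jsonencode`d into the policy as arrays of strings, so constrain them as `type = list(string)` to catch a caller passing a bare string or nested list at plan time. `role_id` defaults to `""`, but `role` is required by `aws_iam_role_policy`, so the empty default only turns a missing-argument error into a confusing apply-time failure; drop the default so the variable is mandatory.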