fixed issues with roles

2026-01-25 02:08:27 +00:00 · 2021-07-03 17:36:30 -04:00
parent 797fb82ffd
commit 81192d4317
5 changed files with 59 additions and 38 deletions
--- a/terraform/jambonz-devtest/README.md
+++ b/terraform/jambonz-devtest/README.md
@@ -16,26 +16,10 @@ The deployment generated consists of:

 ### Prerequisites

-Before running the terraform script there are two pre-requisites:
-
-1.  You need to create amis for the SBC and the Feature server by running the [jambonz-sbc-sip-rtp](../../packer/jambonz-sbc-sip-rtp) and [jambonz-feature-server](../../packer/jambonz-feature-server) packer scripts.
-1. You need to create an IAM role with permissions to publish SNS notifications.  These are used by the feature server to gracefully respond to scale-in lifecycle events.
+Before running the terraform script you need to create amis for the SBC and the Feature server by running the [jambonz-sbc-sip-rtp](../../packer/jambonz-sbc-sip-rtp) and [jambonz-feature-server](../../packer/jambonz-feature-server) packer scripts.

 Please refer to the above packer scripts for generating your AMIs.

-### Creating an AMI role
-As mentioned above, we need to create an AMI role that has permissions to generate SNS notifications. To do, so go into the IAM dashboard in AWS and then do the following:
- click on Roles / Create role,
- under "Choose a use case" select the link at the bottom of the page titled "EC2 Auto Scaling",
- under "Select your use case"  choose "EC2 Auto Scaling Notification Access" and then click "Next: Permissions"
- Leave the settings in place and click "Next: Tags"
- You do not need to add any tags, so click "Next: Review"
- Enter a Role name (e.g. "my-jambonz-sns-role") and click Create role
-
-The role will then be created. When you run the terraform script you will provide the role name as the value for the terraform variable named "ami_role_name".
-
-> **Note**: The creation of the AMI role is a one-time thing; you can use the created IAM role for all clusters you deploy.
-
 ### It's go time!

 After [installing terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) install the dependencies on your local machine:
@@ -49,7 +33,6 @@ At that point you are ready to run the script.  There are a couple of variables
 |Variable Name|Value|Required?|Default Value|
 |-----|----|------|-----|
 |ami_owner_account|your aws account id|Yes|None|
-|ami_role_name|name of the IAM role you created above|Yes|None|
 |key_name|name of existing aws key-pair to use to access the instances (e.g. my-keypair)|Yes|None|
 |ssh_key_path|path to key-pair file on local machine (e.g. ~/credentials/my-keypair.pem)|Yes|None|
 |region|AWS region to create instances in|No|us-west-1|
@@ -65,7 +48,6 @@ A command line with variables supplied looks like this:
 ```
 terraform apply \
 -var='ami_owner_account=376029039784' \
-var='ami_role_name=my-jambonz-sns-role' \
 -var='region=us-west-1' \
 -var='public_subnets={"us-west-1a" = "172.31.32.0/24","us-west-1b" = "172.31.33.0/24"}' \
 -var='ssh_key_path=~/aws/~/aws/aws-drachtio-us-west-1.pem' \
--- a/terraform/jambonz-devtest/feature-server.tf
+++ b/terraform/jambonz-devtest/feature-server.tf
@@ -1,11 +1,54 @@
-# retrieve IAM role that you created manually for SNS (see README)
-data "aws_iam_role" "jambonz_ami_role" {
-  name           = var.ami_role_name
-}
-
 # create an SNS notification topic
 resource "aws_sns_topic" "jambonz_sns_topic_open_source" {
-#  name = "${var.prefix}-fs-lifecycle-events"
+}
+
+resource "aws_iam_instance_profile" "jambonz_feature_server_profile" {
+  name = "jambonz_feature_server_profile"
+  role = aws_iam_role.jambonz_sns_publish.name
+}
+
+resource "aws_iam_role" "jambonz_sns_publish" {
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": [
+          "ec2.amazonaws.com",
+          "autoscaling.amazonaws.com"
+        ]
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "allow_jambonz_sns_publish" {
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "sns:*",
+        "autoscaling:CompleteLifecycleAction",
+        "autoscaling:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "sns_publish_policy_attachment" {
+    role = aws_iam_role.jambonz_sns_publish.name
+    policy_arn = aws_iam_policy.allow_jambonz_sns_publish.arn
 }

 # select the most recent jambonz AMIs
@@ -19,6 +62,7 @@ data "aws_ami" "jambonz-feature-server" {
 resource "aws_launch_configuration" "jambonz-feature-server" {
  image_id                    = data.aws_ami.jambonz-feature-server.id
  instance_type               = var.ec2_instance_type_fs
+  iam_instance_profile        = aws_iam_instance_profile.jambonz_feature_server_profile.name
  associate_public_ip_address = true
  security_groups             = [aws_security_group.allow_jambonz_feature_server.id]
  key_name                    = var.key_name
@@ -44,7 +88,7 @@ resource "aws_launch_configuration" "jambonz-feature-server" {

 # create a placement group to spread feature server instances
 resource "aws_placement_group" "jambonz-feature-server" {
-  name = "${var.prefix}-feature-server"
+  name = "jambonz-feature-server-placement-group"
  strategy = "spread"
 }

@@ -61,7 +105,7 @@ resource "aws_autoscaling_group" "jambonz-feature-server" {
  
  tag {
    key                 = "Name"
-    value               = "${var.prefix}-feature-server"
+    value               = "jambonz-feature-server"
    propagate_at_launch = true
  }

@@ -81,5 +125,5 @@ resource "aws_autoscaling_lifecycle_hook" "jambonz-scale-in" {
  heartbeat_timeout      = 900
  lifecycle_transition   = "autoscaling:EC2_INSTANCE_TERMINATING"
  notification_target_arn = aws_sns_topic.jambonz_sns_topic_open_source.arn
-  role_arn                = data.aws_iam_role.jambonz_ami_role.arn
+  role_arn                = aws_iam_role.jambonz_sns_publish.arn
 }
--- a/terraform/jambonz-devtest/network.tf
+++ b/terraform/jambonz-devtest/network.tf
@@ -76,7 +76,7 @@ resource "aws_security_group" "allow_redis" {
  }

  tags = {
-    Name = "${var.prefix}_allow_redis"
+    Name = "jambonz_allow_redis"
  }
 }

@@ -102,7 +102,7 @@ resource "aws_security_group" "allow_mysql" {
  }

  tags = {
-    Name = "${var.prefix}_allow_mysql"
+    Name = "jambonz_allow_mysql"
  }
 }

@@ -184,13 +184,12 @@ resource "aws_security_group" "allow_jambonz_feature_server" {
  }

  tags = {
-    Name = "allow_${var.prefix}_feature_server"
+    Name = "jambonz_allow_feature_server"
  }
 }

 # create a security group to allow sip, rtp and http to the sbc sip+rtp server
 resource "aws_security_group" "allow_jambonz_sbc_sip_rtp" {
-  name        = "allow_jambonz_sbc_sip_rtp"
  description = "Allow traffic to jambonz sbc sip rtp server"
  vpc_id      = aws_vpc.jambonz.id

@@ -305,7 +304,7 @@ resource "aws_security_group" "allow_jambonz_sbc_sip_rtp" {
  }

  tags = {
-    Name = "allow_${var.prefix}_sbc_sip"
+    Name = "jambonz_allow_sip_rtp_http"
  }
 }

--- a/terraform/jambonz-devtest/sbc.tf
+++ b/terraform/jambonz-devtest/sbc.tf
@@ -32,6 +32,6 @@ resource "aws_instance" "jambonz-sbc-sip-rtp-server" {
  depends_on = [aws_internet_gateway.jambonz, aws_elasticache_cluster.jambonz, aws_rds_cluster.jambonz]

  tags = {
-    Name = "${var.prefix}-sbc-sip-rtp-server"  
+    Name = "jambonz-sbc-sip-rtp-server"  
  }
 }
--- a/terraform/jambonz-devtest/variables.tf
+++ b/terraform/jambonz-devtest/variables.tf
@@ -2,10 +2,6 @@ variable "ami_owner_account" {
  description = "AWS account id that owns the AMIs that will be installed"
  default = "aws_owner_account here"
 }
-variable "ami_role_name" {
-  description = "Name of AWS AMI role that you created for SNS scale-in notifications (see README)"
-  default = "ami_role_name_here"
-}
 variable "prefix" {
  description = "name of VPC and other identifiers - lower case letters only"
  default = "jambonz"