Update terraform to use instance profile
All checks were successful
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 52s
All checks were successful
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 52s
This commit is contained in:
141
terraform/main.tf
Normal file
141
terraform/main.tf
Normal file
@ -0,0 +1,141 @@
|
||||
resource "aws_instance" "my_first_linux" {
|
||||
instance_type = "t2.micro"
|
||||
ami = "ami-06971c49acd687c30"
|
||||
|
||||
security_groups = ["ssh-access-witch"]
|
||||
iam_instance_profile = aws_iam_instance_profile.daphodell_profile.name
|
||||
|
||||
tags = {
|
||||
Name = "labs"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket" "resume-bucket" {
|
||||
tags = {
|
||||
Name = "labs"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket" "lab-bucket" {
|
||||
tags = {
|
||||
Name = "labs"
|
||||
}
|
||||
}
|
||||
|
||||
## Security Group
|
||||
resource "aws_security_group" "ec2_security_group" {
|
||||
description = "Restrict SSH to my IP"
|
||||
}
|
||||
|
||||
resource "aws_security_group" "default" {
|
||||
description = "default VPC security group"
|
||||
}
|
||||
|
||||
|
||||
## Roles
|
||||
resource "aws_iam_role" "daphodell_role" {
|
||||
assume_role_policy = jsonencode({
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"Service": "ec2.amazonaws.com"
|
||||
},
|
||||
"Action": "sts:AssumeRole"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"AWS": var.ACCOUNT_ROOT_ARN
|
||||
},
|
||||
"Action": "sts:AssumeRole",
|
||||
"Condition": {
|
||||
"BoolIfExists": {
|
||||
"aws:MultiFactorAuthPresent": "true"
|
||||
}
|
||||
}
|
||||
}
|
||||
]})
|
||||
tags = {
|
||||
Name = "labs"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_instance_profile" "daphodell_profile" {
|
||||
name = "daphodell_profile"
|
||||
role = aws_iam_role.daphodell_role.name
|
||||
}
|
||||
|
||||
## Policies
|
||||
## Allow user CLI -> S3 read/write
|
||||
resource "aws_iam_policy" "assume_role_s3_policy" {
|
||||
policy = jsonencode({
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "sts:AssumeRole",
|
||||
"Resource": aws_iam_role.daphodell_role.arn
|
||||
}
|
||||
]
|
||||
})
|
||||
tags = {
|
||||
Name = "labs"
|
||||
}
|
||||
}
|
||||
|
||||
## Allow ec2 -> s3 read/write
|
||||
resource "aws_iam_policy" "ec2_s3_policy" {
|
||||
policy = jsonencode({
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "s3:ListBucket",
|
||||
"Resource": "arn:aws:s3:::witch-lab-3"
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "s3:GetObject",
|
||||
"Resource": "arn:aws:s3:::witch-lab-3/*"
|
||||
}
|
||||
]
|
||||
})
|
||||
tags = {
|
||||
Name = "labs"
|
||||
}
|
||||
}
|
||||
|
||||
# # Create AMI
|
||||
# resource "aws_ami_from_instance" "ami_snapshot" {
|
||||
# name = "ami-snapshot-2025-06-17"
|
||||
# source_instance_id = aws_instance.my_first_linux.id
|
||||
# snapshot_without_reboot = true
|
||||
#
|
||||
# tags = {
|
||||
# Name = "labs"
|
||||
# }
|
||||
# }
|
||||
#
|
||||
# # Launch new instance from AMI
|
||||
# resource "aws_instance" "my_second_linux" {
|
||||
# instance_type = "t2.micro"
|
||||
# ami = aws_ami_from_instance.ami_snapshot.id
|
||||
# security_groups = ["ssh-access-witch"]
|
||||
#
|
||||
# tags = {
|
||||
# Name = "labs"
|
||||
# }
|
||||
# }
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user