Harmonize terraform with Cloudformation (#6)

* Harmonize terraform with cloudformation
- iam roles
- single batch compute
- iam_partition variable
- api gateway basic auth
- db migration functionality
- fargate batch type
- networking
- general cleanup / organization

* fix: adding this depends to prevent an issue where compute env cannot be destroyed

Author: kldavis4

aws/terraform/modules/metaflow/data.tf

@@ -0,0 +1,3 @@
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}

aws/terraform/modules/metaflow/iam.tf

@@ -0,0 +1,255 @@
+data "aws_iam_policy_document" "batch_s3_task_role_assume_role" {
+  statement {
+    actions = [
+      "sts:AssumeRole"
+    ]
+
+    effect = "Allow"
+
+    principals {
+      identifiers = [
+        "ecs-tasks.amazonaws.com",
+      ]
+      type = "Service"
+    }
+  }
+}
+
+resource "aws_iam_role" "batch_s3_task_role" {
+  name = local.batch_s3_task_role_name
+
+  description = "Role for AWS Batch to Access Amazon S3 [METAFLOW_ECS_S3_ACCESS_IAM_ROLE]"
+
+  assume_role_policy = data.aws_iam_policy_document.batch_s3_task_role_assume_role.json
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "custom_s3_list_batch" {
+  statement {
+    sid = "BucketAccessBatch"
+    actions = [
+      "s3:ListBucket"
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      module.metaflow-datastore.s3_bucket_arn
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "custom_s3_batch" {
+  statement {
+    sid = "ObjectAccessBatch"
+    actions = [
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:DeleteObject"
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      "${module.metaflow-datastore.s3_bucket_arn}/*"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "s3_kms" {
+  statement {
+    effect = "Allow"
+
+    # TODO - reduce to Encrypt, Decrypt?
+    actions = [
+      "kms:Decrypt",
+      "kms:Encrypt",
+      # "kms:ReEncryptTo",
+      # "kms:ReEncryptFrom",
+      # "kms:DescribeKey",
+      # "kms:GenerateDataKey"
+    ]
+
+    resources = [
+      module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "deny_presigned_batch" {
+  statement {
+    sid = "DenyPresignedBatch"
+    actions = [
+      "s3:*"
+    ]
+
+    effect = "Deny"
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test = "StringNotEquals"
+      values = [
+        "REST-HEADER"
+      ]
+      variable = "s3:authType"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "allow_sagemaker" {
+  statement {
+    sid = "AllowSagemakerCreate"
+    actions = [
+      "sagemaker:CreateTrainingJob"
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      "arn:${var.iam_partition}:sagemaker:${local.aws_region}:${local.aws_account_id}:training-job/*",
+    ]
+  }
+
+  statement {
+    sid = "AllowSagemakerDescribe"
+    actions = [
+      "sagemaker:DescribeTrainingJob"
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      "arn:${var.iam_partition}:sagemaker:${local.aws_region}:${local.aws_account_id}:training-job/*",
+    ]
+  }
+
+  statement {
+    sid = "AllowSagemakerDeploy"
+    actions = [
+      "sagemaker:CreateModel",
+      "sagemaker:CreateEndpointConfig",
+      "sagemaker:CreateEndpoint",
+      "sagemaker:DescribeModel",
+      "sagemaker:DescribeEndpoint",
+      "sagemaker:InvokeEndpoint"
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      "arn:${var.iam_partition}:sagemaker:${local.aws_region}:${local.aws_account_id}:endpoint/*",
+      "arn:${var.iam_partition}:sagemaker:${local.aws_region}:${local.aws_account_id}:model/*",
+      "arn:${var.iam_partition}:sagemaker:${local.aws_region}:${local.aws_account_id}:endpoint-config/*",
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "iam_pass_role" {
+  statement {
+    sid = "AllowPassRole"
+    actions = [
+      "iam:PassRole",
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      "*"
+    ]
+
+    condition {
+      test = "StringEquals"
+      values = [
+        "sagemaker.amazonaws.com"
+      ]
+      variable = "iam:PassedToService"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "dynamodb" {
+  statement {
+    sid = "Items"
+    actions = [
+      "dynamodb:PutItem",
+      "dynamodb:GetItem",
+      "dynamodb:UpdateItem",
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      module.metaflow-step-functions.metaflow_step_functions_dynamodb_table_arn
+    ]
+
+    condition {
+      test = "StringEquals"
+      values = [
+        "sagemaker.amazonaws.com"
+      ]
+      variable = "iam:PassedToService"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cloudwatch" {
+  statement {
+    sid = "AllowPutLogs"
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    effect = "Allow"
+
+    resources = [
+      "*"
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "grant_custom_s3_list_batch" {
+  name   = "s3_list"
+  role   = aws_iam_role.batch_s3_task_role.name
+  policy = data.aws_iam_policy_document.custom_s3_list_batch.json
+}
+
+resource "aws_iam_role_policy" "grant_custom_s3_batch" {
+  name   = "custom_s3"
+  role   = aws_iam_role.batch_s3_task_role.name
+  policy = data.aws_iam_policy_document.custom_s3_batch.json
+}
+
+resource "aws_iam_role_policy" "grant_deny_presigned_batch" {
+  name   = "deny_presigned"
+  role   = aws_iam_role.batch_s3_task_role.name
+  policy = data.aws_iam_policy_document.deny_presigned_batch.json
+}
+
+resource "aws_iam_role_policy" "grant_allow_sagemaker" {
+  name   = "sagemaker"
+  role   = aws_iam_role.batch_s3_task_role.name
+  policy = data.aws_iam_policy_document.allow_sagemaker.json
+}
+
+resource "aws_iam_role_policy" "grant_iam_pass_role" {
+  name   = "iam_pass_role"
+  role   = aws_iam_role.batch_s3_task_role.name
+  policy = data.aws_iam_policy_document.iam_pass_role.json
+}
+
+resource "aws_iam_role_policy" "grant_dynamodb" {
+  name   = "dynamodb"
+  role   = aws_iam_role.batch_s3_task_role.name
+  policy = data.aws_iam_policy_document.dynamodb.json
+}
+
+resource "aws_iam_role_policy" "grant_cloudwatch" {
+  name   = "cloudwatch"
+  role   = aws_iam_role.batch_s3_task_role.name
+  policy = data.aws_iam_policy_document.cloudwatch.json
+}

aws/terraform/modules/metaflow/locals.tf

@@ -2,5 +2,9 @@ locals {
   resource_prefix = length(var.resource_prefix) > 0 ? "${var.resource_prefix}-" : ""
   resource_suffix = length(var.resource_suffix) > 0 ? "-${var.resource_suffix}" : ""
 
+  aws_region     = data.aws_region.current.name
+  aws_account_id = data.aws_caller_identity.current.account_id
+
+  batch_s3_task_role_name   = "${local.resource_prefix}batch_s3_task_role${local.resource_suffix}"
   metaflow_batch_image_name = "${local.resource_prefix}batch${local.resource_suffix}"
 }

aws/terraform/modules/metaflow/main.tf

@@ -1,71 +1,72 @@
 module "metaflow-datastore" {
   source = "./modules/datastore"
 
-  resource_prefix                    = local.resource_prefix
-  resource_suffix                    = local.resource_suffix
-  metaflow_vpc_id                    = var.vpc_id
-  ecs_instance_role_arn              = module.metaflow-computation.ecs_instance_role_arn
+  resource_prefix = local.resource_prefix
+  resource_suffix = local.resource_suffix
+
   ecs_execution_role_arn             = module.metaflow-computation.ecs_execution_role_arn
-  aws_batch_service_role_arn         = module.metaflow-computation.batch_service_role_arn
-  subnet_private_1_id                = var.subnet_private_1_id
-  subnet_private_2_id                = var.subnet_private_2_id
+  ecs_instance_role_arn              = module.metaflow-computation.ecs_instance_role_arn
   metadata_service_security_group_id = module.metaflow-metadata-service.metadata_service_security_group_id
+  metaflow_vpc_id                    = var.vpc_id
+  subnet1_id                         = var.subnet1_id
+  subnet2_id                         = var.subnet2_id
 
   standard_tags = var.tags
 }
 
 module "metaflow-metadata-service" {
   source = "./modules/metadata-service"
 
-  resource_prefix              = local.resource_prefix
-  resource_suffix              = local.resource_suffix
-  metaflow_vpc_id              = var.vpc_id
-  vpc_cidr_block               = var.vpc_cidr_block
-  subnet_private_1_id          = var.subnet_private_1_id
-  subnet_private_2_id          = var.subnet_private_2_id
-  rds_master_instance_endpoint = module.metaflow-datastore.rds_master_instance_endpoint
-  database_username            = module.metaflow-datastore.database_username
-  database_password            = module.metaflow-datastore.database_password
-  fargate_task_role_arn        = module.metaflow-datastore.iam_s3_access_role_arn
-  fargate_execution_role_arn   = module.metaflow-computation.ecs_execution_role_arn
-  access_list_cidr_blocks      = var.access_list_cidr_blocks
+  resource_prefix = local.resource_prefix
+  resource_suffix = local.resource_suffix
+
+  access_list_cidr_blocks         = var.access_list_cidr_blocks
+  api_basic_auth                  = var.api_basic_auth
+  database_password               = module.metaflow-datastore.database_password
+  database_username               = module.metaflow-datastore.database_username
+  datastore_s3_bucket_kms_key_arn = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn
+  fargate_execution_role_arn      = module.metaflow-computation.ecs_execution_role_arn
+  iam_partition                   = var.iam_partition
+  metaflow_vpc_id                 = var.vpc_id
+  rds_master_instance_endpoint    = module.metaflow-datastore.rds_master_instance_endpoint
+  s3_bucket_arn                   = module.metaflow-datastore.s3_bucket_arn
+  subnet1_id                      = var.subnet1_id
+  subnet2_id                      = var.subnet2_id
+  vpc_cidr_block                  = var.vpc_cidr_block
 
   standard_tags = var.tags
 }
 
 module "metaflow-computation" {
   source = "./modules/computation"
 
-  resource_prefix                                   = local.resource_prefix
-  resource_suffix                                   = local.resource_suffix
-  metaflow_vpc_id                                   = var.vpc_id
-  subnet_private_1_id                               = var.subnet_private_1_id
-  subnet_private_2_id                               = var.subnet_private_2_id
-  s3_kms_policy_arn                                 = module.metaflow-datastore.metaflow_kms_s3_policy_arn
-  metaflow_policy_arn                               = var.metaflow_policy_arn
-  metaflow_step_functions_dynamodb_policy           = module.metaflow-step-functions.metaflow_step_functions_dynamodb_policy
-  batch_compute_environment_cpu_max_vcpus           = var.cpu_max_compute_vcpus
-  batch_compute_environment_cpu_desired_vcpus       = var.cpu_desired_compute_vcpus
-  batch_compute_environment_cpu_min_vcpus           = var.cpu_min_compute_vcpus
-  batch_compute_environment_large_cpu_max_vcpus     = var.large_cpu_max_compute_vcpus
-  batch_compute_environment_large_cpu_desired_vcpus = var.large_cpu_desired_compute_vcpus
-  batch_compute_environment_large_cpu_min_vcpus     = var.large_cpu_min_compute_vcpus
-  batch_compute_environment_gpu_max_vcpus           = var.gpu_max_compute_vcpus
-  batch_compute_environment_gpu_desired_vcpus       = var.gpu_desired_compute_vcpus
-  batch_compute_environment_gpu_min_vcpus           = var.gpu_min_compute_vcpus
-  enable_step_functions                             = var.enable_step_functions
+  resource_prefix = local.resource_prefix
+  resource_suffix = local.resource_suffix
+
+  batch_type                              = var.batch_type
+  compute_environment_desired_vcpus       = var.compute_environment_desired_vcpus
+  compute_environment_instance_types      = var.compute_environment_instance_types
+  compute_environment_max_vcpus           = var.compute_environment_max_vcpus
+  compute_environment_min_vcpus           = var.compute_environment_min_vcpus
+  enable_step_functions                   = var.enable_step_functions
+  iam_partition                           = var.iam_partition
+  metaflow_step_functions_dynamodb_policy = module.metaflow-step-functions.metaflow_step_functions_dynamodb_policy
+  metaflow_vpc_id                         = var.vpc_id
+  subnet1_id                              = var.subnet1_id
+  subnet2_id                              = var.subnet2_id
 
   standard_tags = var.tags
 }
 
 module "metaflow-step-functions" {
   source = "./modules/step-functions"
 
-  active          = var.enable_step_functions
   resource_prefix = local.resource_prefix
   resource_suffix = local.resource_suffix
 
+  active              = var.enable_step_functions
   batch_job_queue_arn = module.metaflow-computation.METAFLOW_BATCH_JOB_QUEUE
+  iam_partition       = var.iam_partition
   s3_bucket_arn       = module.metaflow-datastore.s3_bucket_arn
   s3_bucket_kms_arn   = module.metaflow-datastore.datastore_s3_bucket_kms_key_arn