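# Launch template for the CPU AWS Batch compute environment.
#
# Provides a larger root disk than the default 8 GB for AWS Batch. AWS Batch
# references this template by its latest version, so a disk-size change made
# here is picked up by Batch without further wiring. It is used for all
# Metaflow AWS CPU Batch remote jobs.
resource "aws_launch_template" "cpu" {
  # Only needed when Batch runs on EC2; a Fargate compute environment does not
  # use a launch template.
  count = local.enable_fargate_on_batch ? 0 : 1

  name = "${var.resource_prefix}batch-launch-tmpl-cpu-100gb${var.resource_suffix}"

  # IAM role the EC2 instance assumes. The role must carry a policy granting
  # access to the KMS key used to encrypt the EBS volume (no kms_key_id is set
  # below, so presumably the account's default EBS encryption key is used --
  # confirm against the account configuration).
  iam_instance_profile {
    arn = aws_iam_instance_profile.ecs_instance_role.arn
  }

  # Optional caller-supplied user data. A null variable leaves the template
  # without user data, so no conditional is needed here.
  user_data = var.compute_environment_user_data_base64

  # Prefer an explicitly pinned AMI; otherwise resolve the current
  # ECS-optimized AMI from the SSM parameter.
  image_id = var.compute_environment_ami_id != null ? var.compute_environment_ami_id : jsondecode(data.aws_ssm_parameter.ecs_optimized_cpu_ami.value)["image_id"]

  # Root volume: 100 GB (matches the "100gb" in the template name), encrypted
  # at rest, and released together with the instance.
  block_device_mappings {
    device_name = "/dev/xvda"

    ebs {
      volume_size           = 100
      delete_on_termination = true
      encrypted             = true
    }
  }

  metadata_options {
    http_endpoint = "enabled"
    # "optional" keeps IMDSv1 reachable alongside IMDSv2; "required" would
    # enforce session tokens for every instance-metadata request.
    # NOTE(review): consider moving to "required" once all Batch job images
    # are confirmed to use IMDSv2-capable SDKs.
    http_tokens = "optional"
    # A hop limit of 2 lets ECS containers (one network hop away) reach the
    # host's IMDSv2 endpoint.
    http_put_response_hop_limit = 2
  }

  tags = var.standard_tags
}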
/*
An instance profile is a container for an IAM role. When a role is created in
the console an instance profile is generated automatically, but here it has to
be created explicitly. The instance profile passes the role information to the
instance when it starts.
Ref:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
*/
# Instance profile wrapping the ECS instance role so that the role can be
# attached to the Batch launch template via iam_instance_profile.
resource "aws_iam_instance_profile" "ecs_instance_role" {
  role = aws_iam_role.ecs_instance_role.name
  name = local.ecs_instance_role_name
  tags = var.standard_tags
}
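# Security group for the Batch compute environment instances.
#
# Inbound traffic is accepted only from members of this same group ("self"),
# so only instances sharing the group can talk to each other. Outbound traffic
# is allowed on all protocols to the caller-supplied CIDR list, which is the
# main control over what Batch jobs can reach.
resource "aws_security_group" "this" {
  name   = local.batch_security_group_name
  vpc_id = var.metaflow_vpc_id

  # Outbound: all protocols/ports to the configured egress CIDR blocks.
  # The description is given so the rule is identifiable in the console,
  # matching the ingress rule below.
  egress {
    description = "outbound traffic to compute environment egress CIDR blocks"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = var.compute_environment_egress_cidr_blocks
  }

  # Inbound: only from other members of this security group.
  ingress {
    description = "internal traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  # Tagged consistently with the other resources in this file.
  tags = var.standard_tags
}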