Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
327 views
in Technique[技术] by (71.8m points)

amazon web services - How to specify IAM role for spot fleet role with terraform?

I'm trying to figure out a "one command" approach to spin up spot instances with terraform.

I've managed to get this far:

resource "aws_iam_role" "spot_role" {
  name_prefix = "spot_role_"

  assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "spotfleet.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  EOF
}

resource "aws_iam_policy" "spot_policy" {
  name_prefix = "spot_policy_"
  description = "EC2 Spot Fleet Policy"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeSubnets",
                "ec2:RequestSpotInstances",
                "ec2:TerminateInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:CreateTags",
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com",
                        "ec2.amazonaws.com.cn"
                    ]
                }
            },
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterTargets"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:*/*"
            ]
        }
    ]
}
EOF
}

locals {
  role = aws_iam_role.spot_role
  zone = join("", [var.region, "a"])
}

// -----------------------------------------------------------------------------

resource "aws_iam_role_policy_attachment" "spot_role_policy_attachment" {
  role       = local.role.name
  policy_arn = aws_iam_policy.spot_policy.arn
}

// -----------------------------------------------------------------------------

resource "aws_security_group" "spot_security_group" {
  name        = "allow_ssh"
  description = "Allow SSH inbound traffic"
  vpc_id      = aws_vpc.spot_vpc.id

  ingress {
    description = "SSH from anywhere"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_ssh"
  }
}

resource "aws_vpc" "spot_vpc" {
  cidr_block = "10.0.0.0/16"

  tags = {
    Name = "spot_vpc"
  }
}

resource "aws_subnet" "spot_subnet" {
  vpc_id                  = aws_vpc.spot_vpc.id
  cidr_block              = "10.0.0.0/24"
  map_public_ip_on_launch = true
  availability_zone       = local.zone

  tags = {
    Name = "spot_subnet"
  }
}

resource "aws_spot_fleet_request" "spot_fleet_request" {
  iam_fleet_role  = local.role.arn
  spot_price      = "0.022"
  target_capacity = 1

  launch_specification {
    instance_type     = "r6g.medium"
    ami               = var.ami
    key_name          = var.key_name
    subnet_id         = aws_subnet.spot_subnet.id
    availability_zone = local.zone
  }

  launch_specification {
    instance_type     = "a1.large"
    ami               = var.ami
    key_name          = var.key_name
    subnet_id         = aws_subnet.spot_subnet.id
    availability_zone = local.zone
  }
}

// -----------------------------------------------------------------------------

output "spot_fleet_request_id" {
  value = aws_spot_fleet_request.spot_fleet_request.id
}

But I get the following error in the Spot Requests -> Details view:

spotFleetRequestConfigurationInvalid
r6g.medium, ami-0c582118883b46f4f, Linux/UNIX (Amazon VPC): The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances.

EDIT

aws iam create-service-linked-role --aws-service-name spot.amazonaws.com

An error occurred (InvalidInput) when calling the CreateServiceLinkedRole operation: Service role name AWSServiceRoleForEC2Spot has been taken in this account, please try a different suffix.

arn:aws:iam::20XXXXXXX22:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot has the following AWSEC2SpotServiceRolePolicy attached

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceMarketType": "spot"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com",
                        "ec2.amazonaws.com.cn"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}
question from:https://stackoverflow.com/questions/65861955/how-to-specify-iam-role-for-spot-fleet-role-with-terraform

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
Waitting for answers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...