task implement "instance permission set" (#550)

Co-authored-by: Casper da Costa-Luis <casper.dcl@physics.org>

Author: dacbd

docs/resources/task.md

@@ -59,6 +59,7 @@ resource "iterative_task" "example" {
 - `disk_size` - (Optional) Size of the ephemeral machine storage in GB. `-1`: automatic based on `image`.
 - `spot` - (Optional) Spot instance price. `-1`: disabled, `0`: automatic price, any other positive number: maximum bidding price in USD per hour (above which the instance is terminated until the price drops).
 - `image` - (Optional) [Machine image](#machine-image) to run the task with.
+- `permission_set` - (Optional) See [Permission Set](#permission-set) below.
 - `parallelism` - (Optional) Number of machines to be launched in parallel.
 - `storage.workdir` - (Optional) Local working directory to upload and use as the `script` working directory.
 - `storage.output` - (Optional) Results directory (**relative to `workdir`**) to download (default: no download).
@@ -257,6 +258,28 @@ In addition to generic regions, it's possible to specify any cloud region suppor
 
 The `region` attribute is ignored.
 
+## Permission Set
+
+A set of "permissions" assigned to the `task` instance, format depends on the cloud provider
+
+#### Amazon Web Services
+
+An [instance profile `arn`](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), e.g.:
+`permission_set = "arn:aws:iam:1234567890:instance-profile/rolename"`
+
+#### Google Cloud Platform
+
+A service account email and a [list of scopes](https://cloud.google.com/sdk/gcloud/reference/alpha/compute/instances/set-scopes#--scopes), e.g.:
+`permission_set = "sa-name@project_id.iam.gserviceaccount.com,scopes=storage-rw"`
+
+#### Microsoft Azure
+
+[Not yet implemented](https://github.com/iterative/terraform-provider-iterative/issues/559)
+
+#### Kubernetes
+
+[Not yet implemented](https://github.com/iterative/terraform-provider-iterative/issues/560)
+
 ## Known Issues
 
 ### Kubernetes

iterative/resource_task.go

@@ -55,6 +55,12 @@ func resourceTask() *schema.Resource {
 				Optional: true,
 				Default:  "m",
 			},
+			"permission_set": {
+				Type:     schema.TypeString,
+				ForceNew: true,
+				Optional: true,
+				Default:  "",
+			},
 			"disk_size": {
 				Type:     schema.TypeInt,
 				ForceNew: true,
@@ -332,8 +338,9 @@ func resourceTaskBuild(ctx context.Context, d *schema.ResourceData, m interface{
 			},
 			// Egress is open on every port
 		},
-		Spot:        common.Spot(d.Get("spot").(float64)),
-		Parallelism: uint16(d.Get("parallelism").(int)),
+		Spot:          common.Spot(d.Get("spot").(float64)),
+		Parallelism:   uint16(d.Get("parallelism").(int)),
+		PermissionSet: d.Get("permission_set").(string),
 	}
 
 	name := d.Id()

task/aws/resources/data_source_permission_set.go

@@ -0,0 +1,42 @@
+package resources
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ec2/types"
+
+	"terraform-provider-iterative/task/aws/client"
+)
+
+func NewPermissionSet(client *client.Client, identifier string) *PermissionSet {
+	ps := new(PermissionSet)
+	ps.Client = client
+	ps.Identifier = identifier
+	return ps
+}
+
+type PermissionSet struct {
+	Client     *client.Client
+	Identifier string
+	Resource   *types.LaunchTemplateIamInstanceProfileSpecificationRequest
+}
+
+func (ps *PermissionSet) Read(ctx context.Context) error {
+	arn := ps.Identifier
+	// "", "arn:*"
+	if arn == "" {
+		ps.Resource = nil
+		return nil
+	}
+	re := regexp.MustCompile(`arn:aws:iam::[\d]*:instance-profile/[\S]*`)
+	if re.MatchString(arn) {
+		ps.Resource = &types.LaunchTemplateIamInstanceProfileSpecificationRequest{
+			Arn: aws.String(arn),
+		}
+		return nil
+	}
+	return fmt.Errorf("invlaid IAM Instance Profile: %s", arn)
+}

task/aws/resources/resource_launch_template.go

@@ -16,7 +16,7 @@ import (
 	"terraform-provider-iterative/task/common/machine"
 )
 
-func NewLaunchTemplate(client *client.Client, identifier common.Identifier, securityGroup *SecurityGroup, image *Image, keyPair *KeyPair, credentials *Credentials, task common.Task) *LaunchTemplate {
+func NewLaunchTemplate(client *client.Client, identifier common.Identifier, securityGroup *SecurityGroup, permissionSet *PermissionSet, image *Image, keyPair *KeyPair, credentials *Credentials, task common.Task) *LaunchTemplate {
 	l := new(LaunchTemplate)
 	l.Client = client
 	l.Identifier = identifier.Long()
@@ -25,6 +25,7 @@ func NewLaunchTemplate(client *client.Client, identifier common.Identifier, secu
 	l.Dependencies.Image = image
 	l.Dependencies.KeyPair = keyPair
 	l.Dependencies.Credentials = credentials
+	l.Dependencies.PermissionSet = permissionSet
 	return l
 }
 
@@ -37,6 +38,7 @@ type LaunchTemplate struct {
 		*SecurityGroup
 		*Image
 		*Credentials
+		*PermissionSet
 	}
 	Resource *types.LaunchTemplate
 }
@@ -71,11 +73,12 @@ func (l *LaunchTemplate) Create(ctx context.Context) error {
 	input := ec2.CreateLaunchTemplateInput{
 		LaunchTemplateName: aws.String(l.Identifier),
 		LaunchTemplateData: &types.RequestLaunchTemplateData{
-			UserData:         aws.String(userData),
-			ImageId:          l.Dependencies.Image.Resource.ImageId,
-			KeyName:          l.Dependencies.KeyPair.Resource.KeyName,
-			InstanceType:     types.InstanceType(size),
-			SecurityGroupIds: []string{aws.ToString(l.Dependencies.SecurityGroup.Resource.GroupId)},
+			UserData:           aws.String(userData),
+			ImageId:            l.Dependencies.Image.Resource.ImageId,
+			KeyName:            l.Dependencies.KeyPair.Resource.KeyName,
+			InstanceType:       types.InstanceType(size),
+			SecurityGroupIds:   []string{aws.ToString(l.Dependencies.SecurityGroup.Resource.GroupId)},
+			IamInstanceProfile: l.Dependencies.PermissionSet.Resource,
 			BlockDeviceMappings: []types.LaunchTemplateBlockDeviceMappingRequest{
 				{
 					DeviceName: aws.String("/dev/sda1"),

task/aws/task.go

@@ -34,6 +34,10 @@ func New(ctx context.Context, cloud common.Cloud, identifier common.Identifier,
 		t.Client,
 		t.Attributes.Environment.Image,
 	)
+	t.DataSources.PermissionSet = resources.NewPermissionSet(
+		t.Client,
+		t.Attributes.PermissionSet,
+	)
 	t.Resources.Bucket = resources.NewBucket(
 		t.Client,
 		t.Identifier,
@@ -57,6 +61,7 @@ func New(ctx context.Context, cloud common.Cloud, identifier common.Identifier,
 		t.Client,
 		t.Identifier,
 		t.Resources.SecurityGroup,
+		t.DataSources.PermissionSet,
 		t.DataSources.Image,
 		t.Resources.KeyPair,
 		t.DataSources.Credentials,
@@ -82,6 +87,7 @@ type Task struct {
 		*resources.DefaultVPCSubnet
 		*resources.Image
 		*resources.Credentials
+		*resources.PermissionSet
 	}
 	Resources struct {
 		*resources.Bucket
@@ -94,49 +100,53 @@ type Task struct {
 
 func (t *Task) Create(ctx context.Context) error {
 	logrus.Info("Creating resources...")
-	logrus.Info("[1/11] Importing DefaultVPC...")
+	logrus.Info("[1/12] Parsing PermissionSet...")
+	if err := t.DataSources.PermissionSet.Read(ctx); err != nil {
+		return err
+	}
+	logrus.Info("[2/12] Importing DefaultVPC...")
 	if err := t.DataSources.DefaultVPC.Read(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[2/11] Importing DefaultVPCSubnet...")
+	logrus.Info("[3/12] Importing DefaultVPCSubnet...")
 	if err := t.DataSources.DefaultVPCSubnet.Read(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[3/11] Reading Image...")
+	logrus.Info("[4/12] Reading Image...")
 	if err := t.DataSources.Image.Read(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[4/11] Creating Bucket...")
+	logrus.Info("[5/12] Creating Bucket...")
 	if err := t.Resources.Bucket.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[5/11] Creating SecurityGroup...")
+	logrus.Info("[6/12] Creating SecurityGroup...")
 	if err := t.Resources.SecurityGroup.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[6/11] Creating KeyPair...")
+	logrus.Info("[7/12] Creating KeyPair...")
 	if err := t.Resources.KeyPair.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[7/11] Reading Credentials...")
+	logrus.Info("[8/12] Reading Credentials...")
 	if err := t.DataSources.Credentials.Read(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[8/11] Creating LaunchTemplate...")
+	logrus.Info("[9/12] Creating LaunchTemplate...")
 	if err := t.Resources.LaunchTemplate.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[9/11] Creating AutoScalingGroup...")
+	logrus.Info("[10/12] Creating AutoScalingGroup...")
 	if err := t.Resources.AutoScalingGroup.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[10/11] Uploading Directory...")
+	logrus.Info("[11/12] Uploading Directory...")
 	if t.Attributes.Environment.Directory != "" {
 		if err := t.Push(ctx, t.Attributes.Environment.Directory); err != nil {
 			return err
 		}
 	}
-	logrus.Info("[11/11] Starting task...")
+	logrus.Info("[12/12] Starting task...")
 	if err := t.Start(ctx); err != nil {
 		return err
 	}

task/az/resources/data_source_permission_set.go

@@ -0,0 +1,31 @@
+package resources
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-30/compute"
+
+	"terraform-provider-iterative/task/az/client"
+)
+
+func NewPermissionSet(client *client.Client, identifer string) *PermissionSet {
+	ps := new(PermissionSet)
+	ps.Client = client
+	ps.Identifier = identifer
+	return ps
+}
+
+type PermissionSet struct {
+	Client     *client.Client
+	Identifier string
+	Resource   *compute.VirtualMachineScaleSetIdentity
+}
+
+func (ps *PermissionSet) Read(ctx context.Context) error {
+	if ps.Identifier != "" {
+		return fmt.Errorf("not yet implemented")
+	}
+	ps.Resource = nil
+	return nil
+}

task/az/resources/resource_virtual_machine_scale_set.go

@@ -21,7 +21,7 @@ import (
 	"terraform-provider-iterative/task/common/machine"
 )
 
-func NewVirtualMachineScaleSet(client *client.Client, identifier common.Identifier, resourceGroup *ResourceGroup, subnet *Subnet, securityGroup *SecurityGroup, credentials *Credentials, task *common.Task) *VirtualMachineScaleSet {
+func NewVirtualMachineScaleSet(client *client.Client, identifier common.Identifier, resourceGroup *ResourceGroup, subnet *Subnet, securityGroup *SecurityGroup, permissionSet *PermissionSet, credentials *Credentials, task *common.Task) *VirtualMachineScaleSet {
 	v := new(VirtualMachineScaleSet)
 	v.Client = client
 	v.Identifier = identifier.Long()
@@ -35,6 +35,7 @@ func NewVirtualMachineScaleSet(client *client.Client, identifier common.Identifi
 	v.Dependencies.Subnet = subnet
 	v.Dependencies.SecurityGroup = securityGroup
 	v.Dependencies.Credentials = credentials
+	v.Dependencies.PermissionSet = permissionSet
 	return v
 }
 
@@ -57,6 +58,7 @@ type VirtualMachineScaleSet struct {
 		*Subnet
 		*SecurityGroup
 		*Credentials
+		*PermissionSet
 	}
 	Resource *compute.VirtualMachineScaleSet
 }
@@ -126,6 +128,7 @@ func (v *VirtualMachineScaleSet) Create(ctx context.Context) error {
 			Tier:     to.StringPtr("Standard"),
 			Capacity: to.Int64Ptr(0),
 		},
+		Identity: v.Dependencies.PermissionSet.Resource,
 		VirtualMachineScaleSetProperties: &compute.VirtualMachineScaleSetProperties{
 			UpgradePolicy: &compute.UpgradePolicy{
 				Mode: compute.UpgradeModeManual,

task/az/task.go

@@ -23,6 +23,10 @@ func New(ctx context.Context, cloud common.Cloud, identifier common.Identifier,
 	t.Client = client
 	t.Identifier = identifier
 	t.Attributes = task
+	t.DataSources.PermissionSet = resources.NewPermissionSet(
+		t.Client,
+		t.Attributes.PermissionSet,
+	)
 	t.Resources.ResourceGroup = resources.NewResourceGroup(
 		t.Client,
 		t.Identifier,
@@ -69,6 +73,7 @@ func New(ctx context.Context, cloud common.Cloud, identifier common.Identifier,
 		t.Resources.ResourceGroup,
 		t.Resources.Subnet,
 		t.Resources.SecurityGroup,
+		t.DataSources.PermissionSet,
 		t.DataSources.Credentials,
 		&t.Attributes,
 	)
@@ -81,6 +86,7 @@ type Task struct {
 	Attributes  common.Task
 	DataSources struct {
 		*resources.Credentials
+		*resources.PermissionSet
 	}
 	Resources struct {
 		*resources.ResourceGroup

task/common/values.go

@@ -47,6 +47,7 @@ type Task struct {
 	Size
 	Environment
 	Firewall
+	PermissionSet string
 	Spot
 	Parallelism uint16
 	Tags        map[string]string // Deprecated