feat: add initial Terraform configuration for AutoMQ BYOC setup with IAM roles, policies, and EC2 instance (#92)

* feat: add initial Terraform configuration for AutoMQ BYOC setup with IAM roles, policies, and EC2 instance

* fix: standardize spacing in S3 bucket module source declarations

Author: Gezi-lzq

cloudservice-setup/aws/ec2-custom/iam.tf

@@ -0,0 +1,181 @@
+resource "aws_iam_role" "automq_byoc_role" {
+  name = "automq-byoc-role-${local.name_suffix}"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "automq_console_policy" {
+  name = "automq-console-policy-${local.name_suffix}"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "EC2InstanceProfileManagement"
+        Effect = "Allow"
+        Action = [
+          "iam:PassRole"
+        ]
+        Resource = "*"
+        Condition = {
+          StringLike = {
+            "iam:PassedToService" = "ec2.amazonaws.com*"
+          }
+        }
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["ec2:DescribeVolumes", "ec2:DescribeSecurityGroups"]
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "cloudwatch:PutMetricData",
+          "ec2:DescribeSubnets",
+          "ec2:DescribeVpcs",
+          "ec2:DescribeTags",
+          "ec2:DescribeAvailabilityZones",
+          "route53:CreateHostedZone",
+          "route53:GetHostedZone",
+          "route53:ChangeResourceRecordSets",
+          "route53:ListHostedZonesByName",
+          "route53:ListResourceRecordSets",
+          "route53:DeleteHostedZone"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["eks:DescribeCluster", "eks:ListNodegroups", "eks:DescribeNodegroup"]
+        Resource = "*"
+      },
+      {
+        Sid    = "ConsoleEC2Management"
+        Effect = "Allow"
+        Action = [
+          "ec2:DescribeRouteTables",
+          "ssm:GetParameters",
+          "pricing:GetProducts",
+          "cloudwatch:PutMetricData",
+          "ec2:DescribeImages",
+          "ec2:CreateLaunchTemplate",
+          "ec2:CreateLaunchTemplateVersion",
+          "ec2:ModifyLaunchTemplate",
+          "ec2:RebootInstances",
+          "ec2:RunInstances",
+          "ec2:StopInstances",
+          "ec2:TerminateInstances",
+          "ec2:CreateKeyPair",
+          "ec2:CreateTags",
+          "ec2:AttachVolume",
+          "ec2:DetachVolume",
+          "ec2:DescribeInstances",
+          "ec2:DescribeLaunchTemplates",
+          "ec2:DescribeLaunchTemplateVersions",
+          "ec2:DescribeVolumes",
+          "ec2:DescribeSubnets",
+          "ec2:DescribeKeyPairs",
+          "ec2:DescribeVpcs",
+          "ec2:DescribeTags",
+          "ec2:DeleteKeyPair",
+          "ec2:CreateVolume",
+          "ec2:DeleteVolume",
+          "ec2:DeleteLaunchTemplate",
+          "ec2:DescribeInstanceTypeOfferings",
+          "ec2:DescribeSecurityGroups",
+          "ec2:CreateSecurityGroup",
+          "ec2:AuthorizeSecurityGroupIngress",
+          "ec2:AuthorizeSecurityGroupEgress",
+          "ec2:DeleteSecurityGroup",
+          "ec2:DescribeVpcEndpoints",
+          "ec2:DescribeAvailabilityZones",
+          "autoscaling:CreateAutoScalingGroup",
+          "autoscaling:DescribeAutoScalingGroups",
+          "autoscaling:UpdateAutoScalingGroup",
+          "autoscaling:DeleteAutoScalingGroup",
+          "autoscaling:AttachInstances",
+          "autoscaling:DetachInstances",
+          "autoscaling:ResumeProcesses",
+          "autoscaling:SuspendProcesses",
+          "route53:CreateHostedZone",
+          "route53:GetHostedZone",
+          "route53:ChangeResourceRecordSets",
+          "route53:ListHostedZonesByName",
+          "route53:ListResourceRecordSets",
+          "route53:DeleteHostedZone",
+          "elasticloadbalancing:DescribeTargetGroups",
+          "elasticloadbalancing:DescribeTags",
+          "elasticloadbalancing:DeleteTargetGroup",
+          "elasticloadbalancing:DeleteLoadBalancer"
+        ]
+        Resource = "*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:GetLifecycleConfiguration",
+          "s3:PutLifecycleConfiguration",
+          "s3:ListBucket"
+        ]
+        Resource = [
+          "arn:aws:s3:::${local.data_bucket_name}",
+          "arn:aws:s3:::${local.ops_bucket_name}"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:AbortMultipartUpload",
+          "s3:PutObjectTagging",
+          "s3:DeleteObject"
+        ]
+        Resource = [
+          "arn:aws:s3:::${local.data_bucket_name}/*",
+          "arn:aws:s3:::${local.ops_bucket_name}/*"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "fsx:CreateFileSystem",
+          "fsx:DeleteFileSystem",
+          "fsx:CreateStorageVirtualMachine",
+          "fsx:TagResource",
+          "fsx:DescribeStorageVirtualMachines",
+          "fsx:UpdateVolume",
+          "fsx:DescribeFileSystems",
+          "fsx:DeleteStorageVirtualMachine",
+          "fsx:UpdateFileSystem",
+          "fsx:CreateVolume",
+          "fsx:DescribeVolumes",
+          "fsx:DeleteVolume"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "automq_console_attach" {
+  role       = aws_iam_role.automq_byoc_role.name
+  policy_arn = aws_iam_policy.automq_console_policy.arn
+}
+
+resource "aws_iam_instance_profile" "automq_byoc_instance_profile" {
+  name = "automq-byoc-instance-profile-${local.name_suffix}"
+  role = aws_iam_role.automq_byoc_role.name
+}
+

cloudservice-setup/aws/ec2-custom/main.tf

@@ -0,0 +1,187 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "> 5.0"
+    }
+  }
+  required_version = "~> 1.3"
+}
+
+provider "aws" {
+  region = var.region
+}
+
+data "aws_availability_zones" "available_azs" {}
+
+data "aws_vpc" "selected" {
+  id = var.vpc_id
+}
+
+data "aws_subnet" "public" {
+  id = var.public_subnet_id
+}
+
+module "automq_byoc_data_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket        = local.data_bucket_name
+  force_destroy = true
+
+  create_bucket = local.create_data_bucket
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  tags = merge(local.common_tags, {
+    Name = "automq-data-${local.env_id}"
+  })
+}
+
+module "automq_byoc_ops_bucket_name" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket        = local.ops_bucket_name
+  force_destroy = true
+
+  create_bucket = local.create_ops_bucket
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  tags = merge(local.common_tags, {
+    Name = "automq-ops-${local.env_id}"
+  })
+}
+
+resource "tls_private_key" "key_pair" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "local_file" "private_key" {
+  content         = tls_private_key.key_pair.private_key_pem
+  filename        = "${pathexpand("~/.ssh")}/automq-console-${local.env_id}.pem"
+  file_permission = "0600"
+}
+
+resource "aws_key_pair" "key_pair" {
+  key_name   = "automq-console-${local.env_id}"
+  public_key = tls_private_key.key_pair.public_key_openssh
+}
+
+data "aws_ami" "console_ami" {
+  most_recent = true
+  # owners      = ["self"]
+  allow_unsafe_filter = true
+
+  filter {
+    name   = "name"
+    values = [var.image_name]
+  }
+
+  filter {
+    name   = "state"
+    values = ["available"]
+  }
+}
+
+resource "aws_security_group" "automq_byoc_console_sg" {
+  name   = "automq-byoc-console-sg-${local.env_id}"
+  vpc_id = var.vpc_id
+
+  ingress {
+    from_port   = 8080
+    to_port     = 8080
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(local.common_tags, {
+    Name = "automq-byoc-console-sg-${local.env_id}"
+  })
+}
+
+resource "aws_eip" "web_ip" {
+  instance = aws_instance.automq_byoc_console.id
+  tags     = local.common_tags
+}
+
+resource "aws_instance" "automq_byoc_console" {
+  ami                         = data.aws_ami.console_ami.id
+  instance_type               = var.automq_byoc_ec2_instance_type
+  subnet_id                   = var.public_subnet_id
+  vpc_security_group_ids      = [aws_security_group.automq_byoc_console_sg.id]
+  iam_instance_profile        = aws_iam_instance_profile.automq_byoc_instance_profile.name
+  key_name                    = aws_key_pair.key_pair.key_name
+  associate_public_ip_address = true
+
+  root_block_device {
+    volume_size = 30
+    volume_type = "gp3"
+  }
+
+  user_data = templatefile("${path.module}/userdata.tpl", {
+    aws_iam_instance_profile_arn_encoded = urlencode(aws_iam_instance_profile.automq_byoc_instance_profile.arn),
+    automq_data_bucket                   = local.data_bucket_name,
+    automq_ops_bucket                    = local.ops_bucket_name,
+    instance_security_group_id           = aws_security_group.automq_byoc_console_sg.id,
+    instance_dns                         = aws_route53_zone.private_r53.zone_id,
+    instance_profile_arn                 = aws_iam_instance_profile.automq_byoc_instance_profile.arn,
+    environment_id                       = local.env_id
+  })
+
+  tags = merge(local.common_tags, {
+    Name = "automq-byoc-console-${local.env_id}"
+  })
+}
+
+resource "aws_ebs_volume" "data_volume" {
+  availability_zone = data.aws_subnet.public.availability_zone
+  size              = 20
+  type              = "gp3"
+
+  tags = merge(local.common_tags, {
+    Name = "automq-console-data-${local.env_id}"
+  })
+}
+
+resource "aws_volume_attachment" "data_volume_attachment" {
+  device_name = "/dev/sdh"
+  volume_id   = aws_ebs_volume.data_volume.id
+  instance_id = aws_instance.automq_byoc_console.id
+}
+
+resource "aws_route53_zone" "private_r53" {
+  name = "${local.name_suffix}.automq.private"
+
+  vpc {
+    vpc_id = var.vpc_id
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(local.common_tags, {
+    Name = "automq-private-zone-${local.env_id}"
+  })
+}