From ca83ee75e97d24cbcd152a237ebe809bddbd4faf Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 24 Oct 2024 08:36:18 +0000
Subject: [PATCH] 2.190.0
---
 aws_v2/main.tf | 10 ++++++----
 aws_v2/modules/deploy/main.tf | 7 ++++---
 aws_v2/modules/deploy/variables.tf | 4 ++++
 aws_v2/modules/iam/main.tf | 14 ++++++++++++--
 aws_v2/modules/iam/variables.tf | 4 ++++
 aws_v2/variables.tf | 6 ++++++
 gcp/modules/iam/main.tf | 7 ++++---
 7 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/aws_v2/main.tf b/aws_v2/main.tf
index 12e0fcc..51f6c2a 100644
--- a/aws_v2/main.tf
+++ b/aws_v2/main.tf
@@ -26,10 +26,11 @@ module "networking" {
 }
 module "iam" {
- source = "./modules/iam"
- region = var.region
- tags = var.tags
- s3_bucket_id = module.deploy.s3_bucket_id
+ source = "./modules/iam"
+ region = var.region
+ tags = var.tags
+ s3_bucket_id = module.deploy.s3_bucket_id
+ minimum_role_deployment = var.minimum_role_deployment
 }
 module "deploy" {
@@ -55,4 +56,5 @@ module "deploy" {
 deploy_nfs = var.deploy_nfs
 local_workers = var.local_workers
 use_secrets_manager = var.use_secrets_manager
+ minimum_role_deployment = var.minimum_role_deployment
 }
diff --git a/aws_v2/modules/deploy/main.tf b/aws_v2/modules/deploy/main.tf
index 1b3382f..af3fcd3 100644
--- a/aws_v2/modules/deploy/main.tf
+++ b/aws_v2/modules/deploy/main.tf
@@ -1,5 +1,6 @@
 data "aws_iam_role" "role" {
- name = var.role_name
+ count = var.minimum_role_deployment ? 0 : 1
+ name = var.role_name
 }
 data "aws_iam_role" "instance_role" {
@@ -137,7 +138,7 @@ resource "aws_instance" "main" {
 user_data = join("\n", concat([
 "#!/bin/bash -x",
 "s3bucket=${aws_s3_bucket.bucket.id}",
- "aws_role=${data.aws_iam_role.role.arn}",
+ var.minimum_role_deployment ? "" : "aws_role=${data.aws_iam_role.role[0].arn}",
 "aws_rds_db=${""}",
 "aws_elastic_endpoint=${""}",
 "aws_elastic_id=${""}",
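Review bot: In minimum-role mode the new `user_data` element evaluates to `""`, so the joined script gets a stray blank line and `aws_role` is never assigned at all, rather than being set to an empty value; anything later in the script that reads `$aws_role` sees an unset variable (the consumer is not visible here, so this may be intended). Moving the conditional inside the string keeps both the line and the variable: `"aws_role=${var.minimum_role_deployment ? "" : data.aws_iam_role.role[0].arn}",`. The `[0]` index on the `count = 0` data source is only reached in the non-minimum branch, which matches the `count` added to `data.aws_iam_role.role` in the hunk above. The `aws_instance.main` resource and its `user_data` list continue past the end of the hunk.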
@@ -164,7 +165,7 @@ resource "aws_instance" "main" {
 "echo PROXY_url = $feature_flag_http_proxy >> /home/admin/processor/first_run.cfg",
 "echo PROXY_cert_url = $proxy_cert_url >> /home/admin/processor/first_run.cfg",
 "echo PROXY_whitelist = $proxy_whitelist >> /home/admin/processor/first_run.cfg",
- "echo minimum_role_deployment = true >> /home/admin/processor/first_run.cfg",
+ "echo minimum_role_deployment = ${var.minimum_role_deployment} >> /home/admin/processor/first_run.cfg",
 ], [
 for k, v in var.tags :
diff --git a/aws_v2/modules/deploy/variables.tf b/aws_v2/modules/deploy/variables.tf
index d5de5dd..607e1da 100644
--- a/aws_v2/modules/deploy/variables.tf
+++ b/aws_v2/modules/deploy/variables.tf
@@ -86,3 +86,7 @@ variable "local_workers" {
 variable "use_secrets_manager" {
 type = bool
 }
+ variable "minimum_role_deployment" {
+ type = bool
+ }
diff --git a/aws_v2/modules/iam/main.tf b/aws_v2/modules/iam/main.tf
index 1aec757..3f900b0 100644
--- a/aws_v2/modules/iam/main.tf
+++ b/aws_v2/modules/iam/main.tf
@@ -3,6 +3,7 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 resource "aws_iam_role" "role" {
+ count = var.minimum_role_deployment ? 0 : 1
 name_prefix = "myCadoResponseRole"
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
@@ -124,6 +125,14 @@ resource "aws_iam_role_policy" "instance_policy" {
 ],
 "Resource": "*"
 },
+ {
+ "Sid": "RequiredForWorkersAndUpdatesIAM",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": "arn:aws:iam::*:role/*CadoResponse*"
+ },
 {
 "Sid": "RequiredForNativeUpdates",
 "Effect": "Allow",
@@ -207,8 +216,9 @@ JSON
 }
 resource "aws_iam_role_policy" "policy" {
+ count = var.minimum_role_deployment ? 0 : 1
 name_prefix = "myCadoResponseRolePolicy"
- role = aws_iam_role.role.id
+ role = aws_iam_role.role[0].id
 policy = <
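Review bot: The new `minimum_role_deployment` variable has no `description`, and since it changes which IAM objects exist and what the instance is told, a one-liner grounded in this patch would help callers: `description = "When true, skip the lookup of var.role_name and omit aws_role from the instance user_data."`. The neighbouring `use_secrets_manager` variable is equally bare, so this is consistent with the file's current style; the suggestion is to document the new one because of its blast radius, not to match precedent.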
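Review bot: Adding `count` to `aws_iam_role.role` changes its state address from `aws_iam_role.role` to `aws_iam_role.role[0]`, so on an existing deployment with `minimum_role_deployment = false` Terraform will plan to destroy the role and create a replacement (with a new `name_prefix`-generated name and ARN) rather than keep the current one; the same applies to `aws_iam_role_policy.policy` in the `@@ -207` hunk. A `moved` block (Terraform 1.1+) with `from = aws_iam_role.role` and `to = aws_iam_role.role[0]`, plus the equivalent for the policy, preserves the existing objects; otherwise the release notes for 2.190.0 should call out the required `terraform state mv`. The `count` added to `data.aws_iam_role.role` in aws_v2/modules/deploy/main.tf does not need this, since data sources are re-read on every plan rather than destroyed.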
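Review bot: The new `RequiredForWorkersAndUpdatesIAM` statement grants `iam:PassRole` on `arn:aws:iam::*:role/*CadoResponse*`, which matches that role-name pattern in any account, not only the one this stack deploys into; the file already reads `data.aws_caller_identity.current` (visible in the `@@ -3,6` hunk header), so the resource can be pinned with `"Resource": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*CadoResponse*"`, assuming this document is the `<<JSON` heredoc the `@@ -207` header suggests and therefore interpolates. Because PassRole is what lets a principal attach a role to a service, it is also worth adding a `Condition` on `iam:PassedToService` naming the service the workers and updates actually pass the role to (not visible in this hunk). Note that `instance_policy` is not gated by `minimum_role_deployment`, so the instance role receives this statement in both modes; if that is intended, a comment on the statement saying so would save the next reader the question.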