Revert worker group IAM role policy for Nomad Autoscaler [ONPREM-553] (#185)

* Revert "Merge pull request #182 from CircleCI-Public/ONPREM-129/worker-policy"

This reverts commit b6befb4, reversing
changes made to 8fc0b83.

* Revert "Merge pull request #181 from CircleCI-Public/ONPREM-129/nodegroup-policy"

This reverts commit 8fc0b83, reversing
changes made to 4388a74.

* Unrevert README updates

* Temporarily ignore failing `tfsec` hits to pass CI

* Fix dead link
christian-stephen authored Nov 1, 2023
1 parent 4ccd211 commit e590e8b
Showing 8 changed files with 6 additions and 48 deletions.
2 changes: 1 addition & 1 deletion .circleci/config.yml
Expand Up @@ -28,7 +28,7 @@ executors:
tfsec:
resource_class: small
docker:
- image: circleci/python:latest
- image: cimg/base:current
default:
resource_class: small
docker:
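Review bot: both the old and the new executor image use a floating tag (`circleci/python:latest`, `cimg/base:current`), so the toolchain the `tfsec` job runs on can change between builds without any change to this repository. Pin the image to a specific version tag or an `@sha256:` digest so the security scan is reproducible and a broken or compromised upstream image cannot silently alter what CI reports.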
7 changes: 0 additions & 7 deletions nomad-aws/README.md
Expand Up @@ -46,11 +46,6 @@ module "nomad_clients" {
}
nomad_auto_scaler = false # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server.
# If `nomad_auto_scaler` is enabled, `nodes_iam_role` must be populated with the IAM role name for the node group (AWS-managed)
# or worker group (self-managed) associated with the EKS cluster the Nomad Autoscaler is deployed on.
# This ensures an IAM policy is created with the minimum permissions required by the Nomad Autoscaler.
nodes_iam_role = ""
# enable_irsa input will allow K8s service account to use IAM roles, you have to replace REGION, ACCOUNT_ID, OIDC_ID and K8S_NAMESPACE with appropriate value
# for more info, visit - https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
enable_irsa = {}
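Review bot: with the `nodes_iam_role` guidance removed, the comment on `nomad_auto_scaler` once again describes the only non-IRSA path: a generated IAM user with a long-lived access key (`aws_iam_access_key.nomad_asg_user` is still listed in the resources table below). Worth stating here that `enable_irsa` is the preferred option for an EKS-hosted autoscaler and that the access key needs a rotation procedure if the user path is used, since this revert takes away the role-based alternative.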
Expand Down Expand Up @@ -101,7 +96,6 @@ There are more examples in the [examples](./examples/) directory.
| [aws_iam_access_key.nomad_asg_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_instance_profile.nomad_client_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_role.nomad_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.nomad_nodes_iam_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_user.nomad_asg_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy.nomad_asg_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
| [aws_key_pair.ssh_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
Expand Down Expand Up @@ -130,7 +124,6 @@ There are more examples in the [examples](./examples/) directory.
| <a name="input_machine_image_owners"></a> [machine\_image\_owners](#input\_machine\_image\_owners) | List of AWS account IDs that own the images to be used for nomad virtual machines. | `list(string)` | <pre>[<br> "099720109477",<br> "513442679011"<br>]</pre> | no |
| <a name="input_max_nodes"></a> [max\_nodes](#input\_max\_nodes) | Maximum number of nomad clients to create. Must be greater than or equal to nodes | `number` | `5` | no |
| <a name="input_nodes"></a> [nodes](#input\_nodes) | Number of nomad clients to create | `number` | n/a | yes |
| <a name="input_nodes_iam_role"></a> [nodes\_iam\_role](#input\_nodes\_iam\_role) | The IAM role name for the node group (AWS-managed) or worker group (self-managed) that is associated with the EKS<br> cluster where the Nomad Autoscaler is deployed. This must be populated if `nomad_auto_scaler` is enabled.<br> It ensures that an IAM policy with the minimum permissions required by the Nomad Autoscaler is created. | `string` | `""` | no |
| <a name="input_nomad_auto_scaler"></a> [nomad\_auto\_scaler](#input\_nomad\_auto\_scaler) | If set to true, A Nomad User or A Role will be created based on enable\_irsa variable values | `bool` | `false` | no |
| <a name="input_nomad_server_hostname"></a> [nomad\_server\_hostname](#input\_nomad\_server\_hostname) | Hostname of RPC service of Nomad control plane (e.g circleci.example.com) | `string` | n/a | yes |
| <a name="input_nomad_server_port"></a> [nomad\_server\_port](#input\_nomad\_server\_port) | Port that the server endpoint listens on for nomad connections. | `number` | `4647` | no |
1 change: 1 addition & 0 deletions nomad-aws/main.tf
Expand Up @@ -68,6 +68,7 @@ resource "aws_iam_instance_profile" "nomad_client_profile" {
role = var.role_name
}

#tfsec:ignore:aws-ec2-enforce-launch-config-http-token-imds
resource "aws_launch_template" "nomad_clients" {
name_prefix = "${var.basename}-nomad-clients-"
instance_type = var.instance_type
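Review bot: the `#tfsec:ignore:aws-ec2-enforce-launch-config-http-token-imds` line silences a real finding rather than fixing it: the launch template does not require IMDSv2, so instance-profile credentials stay reachable over IMDSv1 by any process on the Nomad client, including the jobs it runs. The fix is small enough to do instead of ignoring: add `metadata_options { http_tokens = "required" }` to the `aws_launch_template` block. If the ignore really is temporary as the commit message says, use tfsec's expiry form (`#tfsec:ignore:aws-ec2-enforce-launch-config-http-token-imds:exp:YYYY-MM-DD`, date to be chosen) so it cannot quietly become permanent.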
8 changes: 0 additions & 8 deletions nomad-aws/nomad-autoscaler.tf
Expand Up @@ -39,11 +39,3 @@ resource "aws_iam_role" "nomad_role" {
}
tags = local.tags
}

resource "aws_iam_role_policy" "nomad_nodes_iam_role_policy" {
count = var.nomad_auto_scaler ? 1 : 0

name = "${var.basename}-nomad-nodes-iam-role-policy"
role = var.nodes_iam_role
policy = templatefile("${path.module}/template/nomad_nodes_iam_role_policy.tpl", {})
}
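Review bot: removing `aws_iam_role_policy.nomad_nodes_iam_role_policy` also stops the module from attaching a policy to a role it does not own (`var.nodes_iam_role`, the EKS node group or worker group role); anything attached there is inherited by every pod scheduled on those nodes, not only the autoscaler, so the revert narrows the blast radius. The remaining paths are `aws_iam_role.nomad_role` (IRSA) and the IAM user with a static access key; a sentence in the README steering EKS deployments to `enable_irsa` would help callers land on the least-privilege option.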
5 changes: 3 additions & 2 deletions nomad-aws/security_groups.tf
Expand Up @@ -8,14 +8,15 @@ resource "aws_security_group" "nomad_sg" {
from_port = 64535
to_port = 65535
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-ec2-no-public-ingress-sgr
}

#tfsec:ignore:aws-ec2-add-description-to-security-group-rule
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
cidr_blocks = ["0.0.0.0/0"] #tfsec:ignore:aws-ec2-no-public-egress-sgr
}
}
resource "aws_security_group" "ssh_sg" {
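Review bot: the ingress rule for ports 64535-65535 hardcodes `cidr_blocks = ["0.0.0.0/0"]`, and the ignore only hides the finding; the GCP module in this same commit drives the equivalent rule from `var.retry_with_ssh_allowed_cidr_blocks`, so the AWS module could expose the same variable and let operators restrict the range instead. The `aws-ec2-add-description-to-security-group-rule` suppression is cheaper to fix than to keep: adding `description = "..."` to the egress block satisfies the rule. If the ignores are meant to be temporary, tfsec's `:exp:YYYY-MM-DD` suffix on each ignore keeps them from becoming permanent.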
18 changes: 0 additions & 18 deletions nomad-aws/template/nomad_nodes_iam_role_policy.tpl

This file was deleted.

11 changes: 0 additions & 11 deletions nomad-aws/variables.tf
Expand Up @@ -141,17 +141,6 @@ variable "enable_irsa" {
description = "If passed a valid OIDC MAP, terraform will create K8s Service Account Role to be used by nomad autoscaler."
}

variable "nodes_iam_role" {
type = string
default = ""

description = <<EOF
The IAM role name for the node group (AWS-managed) or worker group (self-managed) that is associated with the EKS
cluster where the Nomad Autoscaler is deployed. This must be populated if `nomad_auto_scaler` is enabled.
It ensures that an IAM policy with the minimum permissions required by the Nomad Autoscaler is created.
EOF
}

variable "disk_size_gb" {
type = number
default = 100
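Review bot: dropping the `nodes_iam_role` variable is a breaking change for any root module that already passes it; Terraform rejects an unknown module argument with an error rather than a warning. Call this out in the README or changelog with the migration path (remove the argument, and switch to `enable_irsa` if the node role path was in use), since the `enable_irsa` description above is now the only remaining hint.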
2 changes: 1 addition & 1 deletion nomad-gcp/main.tf
Expand Up @@ -140,6 +140,6 @@ resource "google_compute_firewall" "default" {
ports = ["64535-65535"]
}

source_ranges = var.retry_with_ssh_allowed_cidr_blocks
source_ranges = var.retry_with_ssh_allowed_cidr_blocks #tfsec:ignore:google-compute-no-public-ingress
target_tags = ["nomad", "circleci-server", var.name]
}
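Review bot: the suppression sits on `source_ranges = var.retry_with_ssh_allowed_cidr_blocks`, so the finding is about the variable's value rather than the rule itself; if that variable defaults to `0.0.0.0/0`, the cleaner fix is to tighten the default (or make the variable required) so the scan passes on merit. Keep the ignore only if callers genuinely need a world-open default, and give it the tfsec `:exp:` expiry that the commit message's "temporarily" implies.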