data/data/aws: remove iam roles from master and worker nodes

data/data/aws/main.tf

@@ -42,7 +42,6 @@ module "masters" {
   ec2_type                 = "${var.tectonic_aws_master_ec2_type}"
   extra_tags               = "${var.tectonic_aws_extra_tags}"
   instance_count           = "${var.tectonic_master_count}"
-  master_iam_role          = "${var.tectonic_aws_master_iam_role_name}"
   master_sg_ids            = "${concat(var.tectonic_aws_master_extra_sg_ids, list(module.vpc.master_sg_id))}"
   public_endpoints         = "${local.public_endpoints}"
   root_volume_iops         = "${var.tectonic_aws_master_root_volume_iops}"
@@ -55,13 +54,6 @@ module "masters" {
   user_data_ign            = "${var.ignition_master}"
 }
 
-module "iam" {
-  source = "./iam"
-
-  cluster_name    = "${var.tectonic_cluster_name}"
-  worker_iam_role = "${var.tectonic_aws_worker_iam_role_name}"
-}
-
 module "dns" {
   source = "./route53"
 

data/data/aws/master/main.tf

@@ -2,83 +2,10 @@ locals {
   arn = "aws"
 }
 
-resource "aws_iam_instance_profile" "master" {
-  name = "${var.cluster_name}-master-profile"
-
-  role = "${var.master_iam_role == "" ?
-    join("|", aws_iam_role.master_role.*.name) :
-    join("|", data.aws_iam_role.master_role.*.name)
-  }"
-}
-
-data "aws_iam_role" "master_role" {
-  count = "${var.master_iam_role == "" ? 0 : 1}"
-  name  = "${var.master_iam_role}"
-}
-
-resource "aws_iam_role" "master_role" {
-  count = "${var.master_iam_role == "" ? 1 : 0}"
-  name  = "${var.cluster_name}-master-role"
-  path  = "/"
-
-  assume_role_policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Action": "sts:AssumeRole",
-            "Principal": {
-                "Service": "ec2.amazonaws.com"
-            },
-            "Effect": "Allow",
-            "Sid": ""
-        }
-    ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "master_policy" {
-  count = "${var.master_iam_role == "" ? 1 : 0}"
-  name  = "${var.cluster_name}_master_policy"
-  role  = "${aws_iam_role.master_role.id}"
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "ec2:*",
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": "iam:PassRole",
-      "Resource": "*",
-      "Effect": "Allow"
-    },
-    {
-      "Action" : [
-        "s3:GetObject"
-      ],
-      "Resource": "arn:${local.arn}:s3:::*",
-      "Effect": "Allow"
-    },
-    {
-      "Action": "elasticloadbalancing:*",
-      "Resource": "*",
-      "Effect": "Allow"
-    }
-  ]
-}
-EOF
-}
-
 resource "aws_instance" "master" {
   count = "${var.instance_count}"
   ami   = "${var.ec2_ami}"
 
-  iam_instance_profile = "${aws_iam_instance_profile.master.name}"
   instance_type        = "${var.ec2_type}"
   subnet_id            = "${element(var.subnet_ids, count.index)}"
   user_data            = "${var.user_data_ign}"

data/data/aws/master/variables.tf

@@ -40,12 +40,6 @@ variable "kubeconfig_content" {
   default = ""
 }
 
-variable "master_iam_role" {
-  type        = "string"
-  default     = ""
-  description = "IAM role to use for the instance profiles of master nodes."
-}
-
 variable "master_sg_ids" {
   type        = "list"
   description = "The security group IDs to be applied to the master nodes."

data/data/aws/variables-aws.tf

@@ -199,7 +199,7 @@ variable "tectonic_aws_region" {
   description = "The target AWS region for the cluster."
 }
 
-variable "tectonic_aws_installer_role" {
+variable ":ectonic_aws_installer_role" {
   type    = "string"
   default = ""
 
@@ -212,34 +212,6 @@ Example:
 EOF
 }
 
-variable "tectonic_aws_master_iam_role_name" {
-  type    = "string"
-  default = ""
-
-  description = <<EOF
-(optional) Name of IAM role to use for the instance profiles of master nodes.
-The name is also the last part of a role's ARN.
-
-Example:
- * Role ARN  = arn:aws:iam::123456789012:role/tectonic-installer
- * Role Name = tectonic-installer
-EOF
-}
-
-variable "tectonic_aws_worker_iam_role_name" {
-  type    = "string"
-  default = ""
-
-  description = <<EOF
-(optional) Name of IAM role to use for the instance profiles of worker nodes.
-The name is also the last part of a role's ARN.
-
-Example:
- * Role ARN  = arn:aws:iam::123456789012:role/tectonic-installer
- * Role Name = tectonic-installer
-EOF
-}
-
 variable "tectonic_aws_worker_load_balancers" {
   type    = "list"
   default = []