Add winbuilder (#1491)

compiler-explorer · Feb 1, 2025 · b9f52f8 · b9f52f8
1 parent c7d1be4
commit b9f52f8
Show file tree

Hide file tree

Showing 2 changed files with 110 additions and 0 deletions.
diff --git a/terraform/ec2.tf b/terraform/ec2.tf
@@ -2,6 +2,7 @@ locals {
   runner_image_id        = "ami-0a1472d1b7c289619"
   conan_image_id         = "ami-0b41dc7a318b530bd"
   builder_image_id       = "ami-0ef4921e9d82c03fb"
+  win_builder_image_id   = "ami-0877f331ce3ae9820"
   smbserver_image_id     = "ami-01e7c7963a9c4755d"
   smbtestserver_image_id = "ami-0284c821376912369"
   admin_subnet           = module.ce_network.subnet["1a"].id
@@ -101,6 +102,36 @@ resource "aws_instance" "BuilderNode" {
   }
 }
 
+resource "aws_instance" "WinBuilderNode" {
+  ami                         = local.win_builder_image_id
+  iam_instance_profile        = aws_iam_instance_profile.WinBuilder.name
+  ebs_optimized               = true
+  instance_type               = "c5d.2xlarge"
+  monitoring                  = false
+  key_name                    = "mattgodbolt"
+  subnet_id                   = local.admin_subnet
+  vpc_security_group_ids      = [aws_security_group.WinBuilder.id]
+  associate_public_ip_address = true
+  source_dest_check           = false
+  user_data                   = "win-builder"
+
+  root_block_device {
+    volume_type           = "gp2"
+    volume_size           = 100
+    delete_on_termination = true
+  }
+
+  lifecycle {
+    ignore_changes = [
+      associate_public_ip_address
+    ]
+  }
+
+  tags = {
+    Name = "WinBuilder"
+  }
+}
+
 resource "aws_instance" "CERunner" {
   ami                         = local.runner_image_id
   iam_instance_profile        = aws_iam_instance_profile.CompilerExplorerRole.name

diff --git a/terraform/security.tf b/terraform/security.tf
@@ -650,3 +650,82 @@ resource "aws_iam_role_policy_attachment" "api_gw_logging_policy" {
   role       = aws_iam_role.iam_for_apigw.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
 }
+
+
+// WinBuilder SG
+
+resource "aws_security_group" "WinBuilder" {
+  vpc_id      = module.ce_network.vpc.id
+  name        = "WinBuilderNodeSecGroup"
+  description = "Compiler Explorer Windows builder security group"
+  tags = {
+    Name = "WinBuilder"
+  }
+}
+
+resource "aws_security_group_rule" "WinBuilder_EgressToAll" {
+  security_group_id = aws_security_group.WinBuilder.id
+  type              = "egress"
+  from_port         = 0
+  to_port           = 65535
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+  protocol          = "-1"
+  description       = "Unfettered outbound access"
+}
+
+resource "aws_security_group_rule" "WinBuilder_WinRMFromAdminNode" {
+  security_group_id        = aws_security_group.WinBuilder.id
+  type                     = "ingress"
+  from_port                = 5986
+  to_port                  = 5986
+  source_security_group_id = aws_security_group.AdminNode.id
+  protocol                 = "tcp"
+  description              = "Allow WinRM access from the admin node only"
+}
+
+resource "aws_security_group_rule" "WinBuilder_SmbLocally" {
+  security_group_id        = aws_security_group.CompilerExplorer.id
+  type                     = "ingress"
+  from_port                = 445
+  to_port                  = 445
+  source_security_group_id = aws_security_group.WinBuilder.id
+  protocol                 = "tcp"
+  description              = "Allow SMB access locally"
+}
+
+resource "aws_iam_role" "WinBuilder" {
+  name               = "WinBuilder"
+  description        = "Compiler Explorer Windows builder role"
+  assume_role_policy = data.aws_iam_policy_document.InstanceAssumeRolePolicy.json
+}
+
+resource "aws_iam_instance_profile" "WinBuilder" {
+  name = "WinBuilder"
+  role = aws_iam_role.WinBuilder.name
+}
+
+resource "aws_iam_role_policy_attachment" "WinBuilder_attach_CloudWatchAgentServerPolicy" {
+  role       = aws_iam_role.WinBuilder.name
+  policy_arn = data.aws_iam_policy.CloudWatchAgentServerPolicy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "WinBuilder_attach_UpdateLibraryBuildHistory" {
+  role       = aws_iam_role.WinBuilder.name
+  policy_arn = aws_iam_policy.UpdateLibraryBuildHistory.arn
+}
+
+resource "aws_iam_role_policy_attachment" "WinBuilder_attach_AccessCeParams" {
+  role       = aws_iam_role.WinBuilder.name
+  policy_arn = aws_iam_policy.AccessCeParams.arn
+}
+
+resource "aws_iam_role_policy_attachment" "WinBuilder_attach_ReadS3Minimal" {
+  role       = aws_iam_role.WinBuilder.name
+  policy_arn = aws_iam_policy.ReadS3Minimal.arn
+}
+
+resource "aws_iam_role_policy_attachment" "WinBuilder_attach_AmazonSSMManagedInstanceCore" {
+  role       = aws_iam_role.WinBuilder.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}