Skip to content

Add restart policy to control machine#6815

Open
AmitPhulera wants to merge 3 commits intomasterfrom
ap/add-restart-policy-to-control
Open

Add restart policy to control machine#6815
AmitPhulera wants to merge 3 commits intomasterfrom
ap/add-restart-policy-to-control

Conversation

@AmitPhulera
Copy link
Contributor

@AmitPhulera AmitPhulera commented Feb 24, 2026
edited
Loading

Add a new server role CommCareControlServerRole which has all the permissions from CommCareServerRole but adds the ability to Stop, Start instances.

I have some questions regarding removing things from the new role which probably would not be required for control machine which I have asked as comments on the PR.

Another thing to note here is that we have added iam_instance_profile to the ignore_changes in the terraform lifecycle rules. So to apply these changes, we would have to remove iam_instance_profile from

commcare-cloud/src/commcare_cloud/terraform/modules/server/main.tf

Lines 27 to 30 in 1881e57

lifecycle {
ignore_changes = [user_data, key_name, root_block_device.0.delete_on_termination,
ebs_optimized, ami, iam_instance_profile]
}

And then apply the changes and then add it back.

Environments Affected

All

  • If the changes affect multiple environments, I will ensure they are rolled out consistently across all environments.

AmitPhulera
AmitPhulera commented Feb 24, 2026
View reviewed changes
src/commcare_cloud/terraform/modules/server/iam/main.tf
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_role_policy" "control_request_response_stream_put_policy" {
Copy link
Contributor Author

@AmitPhulera AmitPhulera Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can remove this because we are not shipping any control logs via firehose?

Copy link
Member

@dannyroberts dannyroberts Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds right

AmitPhulera
AmitPhulera commented Feb 24, 2026
View reviewed changes
src/commcare_cloud/terraform/modules/server/iam/main.tf
POLICY
}

resource "aws_iam_role_policy" "control_access_s3_kiss_upload" {
Copy link
Contributor Author

@AmitPhulera AmitPhulera Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This probably is outdated and should be removed from CommCareServerRole as well?

Copy link
Member

@dannyroberts dannyroberts Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dannyroberts dannyroberts Awaiting requested review from dannyroberts

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AmitPhulera @dannyroberts