Allow IAM bootstrap without AMI and add snapshot permissions

Author: joshp123

AGENTS.md

@@ -57,8 +57,8 @@ Bootstrap (local):
   - `RULES=../nix/nix-secrets/secrets.nix agenix -d homelab-admin.age -i ~/.ssh/id_ed25519`
 - OpenTofu env:
   - `TF_VAR_aws_region=eu-central-1`
-  - `TF_VAR_ami_id=ami-...`
-  - `TF_VAR_ssh_public_key="$(cat ~/.ssh/id_ed25519.pub)"`
+  - `TF_VAR_ami_id=ami-...` (empty string skips instance creation)
+  - `TF_VAR_ssh_public_key="$(cat ~/.ssh/id_ed25519.pub)"` (required when ami_id is set)
 - Run `tofu init` + `tofu apply` in `infra/opentofu/aws`.
 - After apply, update CI secrets from outputs:
   - `tofu output -raw access_key_id` → `clawdinator-image-uploader-access-key-id.age`

infra/opentofu/aws/README.md

@@ -10,8 +10,8 @@ Usage:
 - export AWS_SECRET_ACCESS_KEY=...
 - export AWS_REGION=eu-central-1
 - export TF_VAR_aws_region=eu-central-1
-- export TF_VAR_ami_id=ami-...
-- export TF_VAR_ssh_public_key="$(cat ~/.ssh/id_ed25519.pub)"
+- export TF_VAR_ami_id=ami-...   # leave empty to skip instance creation
+- export TF_VAR_ssh_public_key="$(cat ~/.ssh/id_ed25519.pub)"   # required when ami_id is set
 - tofu init
 - tofu apply
 

infra/opentofu/aws/main.tf

@@ -4,6 +4,7 @@ provider "aws" {
 
 locals {
   tags = merge(var.tags, { "app" = "clawdinator" })
+  instance_enabled = var.ami_id != ""
 }
 
 resource "aws_s3_bucket" "image_bucket" {
@@ -121,8 +122,12 @@ data "aws_iam_policy_document" "ami_importer" {
     sid = "ImportImage"
     actions = [
       "ec2:ImportImage",
+      "ec2:ImportSnapshot",
+      "ec2:DescribeImportSnapshotTasks",
       "ec2:DescribeImportImageTasks",
       "ec2:DescribeImages",
+      "ec2:DescribeSnapshots",
+      "ec2:RegisterImage",
       "ec2:CreateTags"
     ]
     resources = ["*"]
@@ -153,51 +158,57 @@ data "aws_subnets" "default" {
 }
 
 resource "aws_key_pair" "operator" {
+  count      = local.instance_enabled ? 1 : 0
   key_name   = "clawdinator-operator"
   public_key = var.ssh_public_key
   tags       = local.tags
 }
 
 resource "aws_security_group" "clawdinator" {
+  count       = local.instance_enabled ? 1 : 0
   name        = "clawdinator"
   description = "CLAWDINATOR access"
   vpc_id      = data.aws_vpc.default.id
   tags        = local.tags
 }
 
 resource "aws_security_group_rule" "ssh_ingress" {
+  count             = local.instance_enabled ? 1 : 0
   type              = "ingress"
-  security_group_id = aws_security_group.clawdinator.id
+  security_group_id = aws_security_group.clawdinator[0].id
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
   cidr_blocks       = var.allowed_cidrs
 }
 
 resource "aws_security_group_rule" "gateway_ingress" {
+  count             = local.instance_enabled ? 1 : 0
   type              = "ingress"
-  security_group_id = aws_security_group.clawdinator.id
+  security_group_id = aws_security_group.clawdinator[0].id
   from_port         = 18789
   to_port           = 18789
   protocol          = "tcp"
   cidr_blocks       = var.allowed_cidrs
 }
 
 resource "aws_security_group_rule" "egress" {
+  count             = local.instance_enabled ? 1 : 0
   type              = "egress"
-  security_group_id = aws_security_group.clawdinator.id
+  security_group_id = aws_security_group.clawdinator[0].id
   from_port         = 0
   to_port           = 0
   protocol          = "-1"
   cidr_blocks       = ["0.0.0.0/0"]
 }
 
 resource "aws_instance" "clawdinator" {
+  count                       = local.instance_enabled ? 1 : 0
   ami                         = var.ami_id
   instance_type               = var.instance_type
   subnet_id                   = element(data.aws_subnets.default.ids, 0)
-  vpc_security_group_ids      = [aws_security_group.clawdinator.id]
-  key_name                    = aws_key_pair.operator.key_name
+  vpc_security_group_ids      = [aws_security_group.clawdinator[0].id]
+  key_name                    = aws_key_pair.operator[0].key_name
   associate_public_ip_address = true
 
   tags = merge(local.tags, {

infra/opentofu/aws/outputs.tf

@@ -24,16 +24,16 @@ output "secret_access_key" {
 }
 
 output "instance_id" {
-  value       = aws_instance.clawdinator.id
+  value       = local.instance_enabled ? aws_instance.clawdinator[0].id : null
   description = "CLAWDINATOR instance ID."
 }
 
 output "instance_public_ip" {
-  value       = aws_instance.clawdinator.public_ip
+  value       = local.instance_enabled ? aws_instance.clawdinator[0].public_ip : null
   description = "CLAWDINATOR public IP."
 }
 
 output "instance_public_dns" {
-  value       = aws_instance.clawdinator.public_dns
+  value       = local.instance_enabled ? aws_instance.clawdinator[0].public_dns : null
   description = "CLAWDINATOR public DNS."
 }

infra/opentofu/aws/variables.tf

@@ -24,6 +24,7 @@ variable "tags" {
 variable "ami_id" {
   description = "AMI ID for CLAWDINATOR instances."
   type        = string
+  default     = ""
 }
 
 variable "instance_name" {
@@ -41,6 +42,11 @@ variable "instance_type" {
 variable "ssh_public_key" {
   description = "SSH public key for the CLAWDINATOR operator."
   type        = string
+  default     = ""
+  validation {
+    condition     = var.ami_id == "" || length(var.ssh_public_key) > 0
+    error_message = "ssh_public_key is required when ami_id is set."
+  }
 }
 
 variable "allowed_cidrs" {