
Populates afsxdr-binaries with instance-scheduler.zip

I hate putting binaries in git, but these should not change very often,
and I think it's better than the alternatives of building the zip files
from source, git submodules, or what else.

This will be part of v1.0.1, but I do not intend to tag just yet.
Fred Damstra, 4 years ago
parent
current commit
76ab9ac74b

+ 3 - 0
base/globally_accessible_bucket/README.md

@@ -2,3 +2,6 @@
 
 Creates an encrypted S3 bucket that is globally accessible.
 
+## Copies contents to s3, as well.
+
+For now, unfortunately, does not update the files if there is a change to the source. While there is an `etag` option to `s3_bucket_object`, it does not currently work with SSE-KMS, which is what we use.
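Review bot: the new section says the module now copies files up but not that everything placed under the module's files directory becomes world-readable, which follows from the bucket being "globally accessible" two lines above; add a sentence making clear that no secrets or internal-only artifacts belong in that directory. Minor style point: `## Copies contents to s3, as well.` reads as a sentence rather than a heading; `## Copies contents to S3` would match the rest of the README.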

+ 23 - 0
base/globally_accessible_bucket/files.tf

@@ -0,0 +1,23 @@
+# Copy files into the bucket
+locals {
+  all_files = fileset("${path.module}/files/${var.name}/", "**")
+  # ignore any files that include `.terragrunt` in their filename
+  relevant_files = [ for file in local.all_files: file if length(regexall("\\.terragrunt", file)) == 0 ]
+}
+
+output "Files_Copied_to_S3_by_this_Module" {
+  value = local.relevant_files
+}
+
+resource "aws_s3_bucket_object" "populate" {
+  for_each = toset(local.relevant_files)
+
+  bucket = aws_s3_bucket.bucket.bucket
+  key    = each.value
+  source = "${path.module}/files/${var.name}/${each.value}"
+  # etag makes the file update when it changes; see https://stackoverflow.com/questions/56107258/terraform-upload-file-to-s3-on-every-apply
+  # But this does not work with kms encryption... 
+  # TODO: When Source hash is merged, use that: https://github.com/hashicorp/terraform-provider-aws/pull/11522
+  # Until then, leave it disabled.
+  #etag   = filemd5("${path.module}/files/${var.name}/${each.value}")
+}
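Review bot: `aws_s3_bucket_object.populate` sets neither `server_side_encryption` nor `kms_key_id`, so the uploaded objects are only SSE-KMS encrypted if the bucket's default encryption happens to be configured that way; since the README states the module relies on SSE-KMS and `aws_kms_key.bucketkey` is defined in kms.tf in this same change, set `server_side_encryption = "aws:kms"` and `kms_key_id = aws_kms_key.bucketkey.arn` explicitly so an upload can never land unencrypted or under the AWS-managed S3 key. For the disabled `etag`, a common interim until `source_hash` is available is `metadata = { hash = filemd5("${path.module}/files/${var.name}/${each.value}") }`: the hash lives in object metadata instead of the ETag, so it does not fight the SSE-KMS ETag, and a changed file still forces a re-upload. Also, the comment says files with `.terragrunt` in their filename are skipped, but `regexall` runs over the whole relative path, so a directory named `.terragrunt` would be skipped too; either adjust the comment or anchor the pattern to the basename.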

+ 39 - 0
base/globally_accessible_bucket/files/afsxdr-binaries/aws-instance-scheduler/README.md

@@ -0,0 +1,39 @@
+# afsxdr-binaries distribution files
+
+I hate to put binaries into git, but they need to be zips to send up to lambda. I could conceivably do all of this via terraform's "archive_file" data type (it's useful for lambda deployments!), but it complicates things and hopefully the changes to these binaries are a very rare thing.
+
+
+
+## aws-instance-scheduler
+The lambda function to start/stop instances in test
+
+Method used to create govcloud version:
+
+1. Download the lambda distribution package:
+```
+aws s3 cp s3://aws-instance-scheduler/latest/instance-scheduler-2.2.2.0.zip . --profile mdr-common-services
+```
+
+2. Unzip it.
+```
+mkdir tmp
+cd tmp
+unzip ../instance-scheduler-2.2.2.0.zip
+```
+
+3. Modify `schedulers/instance_scheduler.py`:
+
+Line 91 used go be:
+```
+        self._valid_regions = boto3.Session().get_available_regions(service.service_name)
+```
+
+Change it to:
+```
+        self._valid_regions = boto3.Session().get_available_regions(service=service.service_name, partition='aws-us-gov')
+```
+
+4. Zip it back up:
+```
+zip -r ../instance-scheduler.aws-us-gov.zip *
+```
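Review bot: the procedure records no checksum for the downloaded `instance-scheduler-2.2.2.0.zip` or for the rebuilt `instance-scheduler.aws-us-gov.zip`, so a reviewer cannot verify that the committed binaries are the output of these steps; add `sha256sum` lines for the original and the modified zip and state which upstream version was actually committed, because the steps download 2.2.2.0 while the binaries are stored under a `v1.3.3/` directory. Expressing the step 3 change as a small diff of `schedulers/instance_scheduler.py` rather than "Line 91" would also survive upstream line shifts. Typo in step 3: `used go be` should be `used to be`.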

Binary
base/globally_accessible_bucket/files/afsxdr-binaries/aws-instance-scheduler/v1.3.3/instance-scheduler.aws-us-gov.zip


Binary
base/globally_accessible_bucket/files/afsxdr-binaries/aws-instance-scheduler/v1.3.3/instance-scheduler.aws.zip


+ 11 - 5
base/globally_accessible_bucket/kms.tf

@@ -1,3 +1,13 @@
+locals {
+  kms_users = concat( 
+          [
+            "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",
+            "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+          ],
+          local.accounts
+        )
+}
+
 resource "aws_kms_key" "bucketkey" {
   description             = "S3 KMS for ${var.name}."
   deletion_window_in_days = 30
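Review bot: `local.accounts` is referenced here but not defined in this file, and its contents are merged into the key-user list that the later hunk grants `kms:Encrypt` and related actions; if those entries are account-root ARNs, every IAM principal in those accounts that their own administrators choose to permit can use the key, which is a far broader grant than the two named principals listed above it. Add a comment stating where `local.accounts` is defined and what kind of ARNs it holds, and consider a separate statement for the cross-account entries limited to `kms:Decrypt` and `kms:DescribeKey` if those accounts only need to read from the bucket.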
@@ -62,10 +72,7 @@ data "aws_iam_policy_document" "kms_key_policy" {
     effect = "Allow"
     principals {
       type = "AWS"
-      identifiers = [
-        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",
-        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
-      ]
+      identifiers = local.kms_users
     }
     actions = [
       "kms:Encrypt",
@@ -102,4 +109,3 @@ data "aws_iam_policy_document" "kms_key_policy" {
 
   # TODO: Do we need to grant read access to other accounts?
 }
-
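Review bot: the `# TODO: Do we need to grant read access to other accounts?` at the end of the policy document is now stale, since this change adds `local.accounts` to the key users; replace it with a short note on which accounts are granted access and why, or remove it. The trailing-newline removal on the last line is unrelated noise in the diff.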