Switch from default role to custom Role

Signed-off-by: Sayali Gaikawad <[email protected]>
opensearch-project · Apr 18, 2024 · eaa976a · eaa976a
1 parent 12f44cd
commit eaa976a
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 17 deletions.
diff --git a/nightly-playground/lib/common-tools-stack.ts b/nightly-playground/lib/common-tools-stack.ts
@@ -7,30 +7,60 @@ compatible open source license. */
 
 import { Stack, StackProps } from 'aws-cdk-lib';
 import { Certificate, CertificateValidation } from 'aws-cdk-lib/aws-certificatemanager';
+import {
+  Effect, ManagedPolicy, PolicyStatement, Role, ServicePrincipal,
+} from 'aws-cdk-lib/aws-iam';
 import { HostedZone } from 'aws-cdk-lib/aws-route53';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
 
 export class CommonToolsStack extends Stack {
-    readonly certificateArn: string
+  readonly certificateArn: string
 
-    readonly zone = 'playground.nightly.opensearch.org'
+  public readonly customRole: Role
 
-    constructor(scope: Construct, id: string, props: StackProps) {
-      super(scope, id, props);
+  readonly zone = 'playground.nightly.opensearch.org'
 
-      const route53HostedZone = new HostedZone(this, 'nigghhtlyHostedZone', {
-        zoneName: this.zone,
-      });
+  constructor(scope: Construct, id: string, props: StackProps) {
+    super(scope, id, props);
 
-      const certificate = new Certificate(this, 'cert', {
-        domainName: this.zone,
-        validation: CertificateValidation.fromDns(route53HostedZone),
-      });
-      this.certificateArn = certificate.certificateArn;
+    const route53HostedZone = new HostedZone(this, 'nigghhtlyHostedZone', {
+      zoneName: this.zone,
+    });
 
-      const snapshotS3Bucket = new Bucket(this, 'snapshotS3Bucket', {
-        bucketName: 'nightly-playgrounds-snapshots-bucket',
-      });
-    }
+    const certificate = new Certificate(this, 'cert', {
+      domainName: this.zone,
+      validation: CertificateValidation.fromDns(route53HostedZone),
+    });
+    this.certificateArn = certificate.certificateArn;
+
+    this.customRole = new Role(this, 'customInstanceRole', {
+      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ReadOnlyAccess'),
+        ManagedPolicy.fromAwsManagedPolicyName('CloudWatchAgentServerPolicy'),
+        ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore')],
+      assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
+    });
+
+    const snapshotS3Bucket = new Bucket(this, 'snapshotS3Bucket', {
+      bucketName: 'nightly-playgrounds-snapshots-bucket',
+    });
+
+    const s3bucketPolicyStatement = new PolicyStatement({
+      effect: Effect.ALLOW,
+      actions: [
+        's3:ListBucket',
+        's3:GetBucketLocation',
+        's3:ListBucketMultipartUploads',
+        's3:ListBucketVersions',
+        's3:GetObject',
+        's3:PutObject',
+        's3:DeleteObject',
+        's3:AbortMultipartUpload',
+        's3:ListMultipartUploadParts',
+      ],
+      resources: [snapshotS3Bucket.bucketArn, `${snapshotS3Bucket.bucketArn}/*`],
+    });
+
+    this.customRole.addToPolicy(s3bucketPolicyStatement);
+  }
 }
diff --git a/nightly-playground/lib/nightly-playground-stack.ts b/nightly-playground/lib/nightly-playground-stack.ts
@@ -79,9 +79,9 @@ export class NightlyPlaygroundStack {
       certificateArn: commonToolsStack.certificateArn,
       mapOpensearchPortTo: 8443,
       mapOpensearchDashboardsPortTo: 443,
+      customRoleArn: commonToolsStack.customRole.roleArn,
     });
     this.stacks.push(infraStack);
-
     infraStack.addDependency(networkStack);
 
     const endpoint2x = scope.node.tryGetContext('endpoint2x');

diff --git a/nightly-playground/test/nightly-playground.test.ts b/nightly-playground/test/nightly-playground.test.ts
@@ -140,9 +140,60 @@ test('Test commons stack resources', () => {
     Name: 'playground.nightly.opensearch.org.',
   });
   commonsStackTemplate.resourceCountIs('AWS::S3::Bucket', 1);
+  commonsStackTemplate.resourceCountIs('AWS::IAM::Role', 1);
+  commonsStackTemplate.resourceCountIs('AWS::IAM::Policy', 1);
   commonsStackTemplate.hasResourceProperties('AWS::S3::Bucket', {
     BucketName: 'nightly-playgrounds-snapshots-bucket',
   });
+  commonsStackTemplate.hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: [
+            's3:ListBucket',
+            's3:GetBucketLocation',
+            's3:ListBucketMultipartUploads',
+            's3:ListBucketVersions',
+            's3:GetObject',
+            's3:PutObject',
+            's3:DeleteObject',
+            's3:AbortMultipartUpload',
+            's3:ListMultipartUploadParts',
+          ],
+          Effect: 'Allow',
+          Resource: [
+            {
+              'Fn::GetAtt': [
+                'snapshotS3Bucket9CDAA6D3',
+                'Arn',
+              ],
+            },
+            {
+              'Fn::Join': [
+                '',
+                [
+                  {
+                    'Fn::GetAtt': [
+                      'snapshotS3Bucket9CDAA6D3',
+                      'Arn',
+                    ],
+                  },
+                  '/*',
+                ],
+              ],
+            },
+          ],
+        },
+      ],
+      Version: '2012-10-17',
+    },
+    PolicyName: 'customInstanceRoleDefaultPolicy5AD458B6',
+    Roles: [
+      {
+        Ref: 'customInstanceRole001450EE',
+      },
+    ],
+  });
   commonsStackTemplate.hasResourceProperties('AWS::CertificateManager::Certificate', {
     DomainName: 'playground.nightly.opensearch.org',
     DomainValidationOptions: [