add: iam construct

2023-11-23 12:34:34 +09:00 · 2023-11-23 12:34:34 +09:00 · 34eac25963
commit 34eac25963
parent 70d613dbd9
5 changed files with 82 additions and 69 deletions
--- a/deploy/scripts/cdk/lib/cdk-stack.ts
+++ b/deploy/scripts/cdk/lib/cdk-stack.ts
@ -2,7 +2,7 @@ import * as cdk from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import * as ecs from 'aws-cdk-lib/aws-ecs'

-import { Network, EcrRepository, FrontEndCluster, BackEndCluster, Rds } from './construct';
+import { Network, EcrRepository, FrontEndCluster, BackEndCluster, Rds, EcsIAM } from './construct';
 // import * as sqs from 'aws-cdk-lib/aws-sqs';

 export class LangflowAppStack extends cdk.Stack {
@ -12,7 +12,11 @@ export class LangflowAppStack extends cdk.Stack {
    const arch = ecs.CpuArchitecture.X86_64

    // VPC
-    const { vpc, cluster, alb, targetGroup, cloudmapNamespace, ecsFrontSG, ecsBackSG, dbSG, albSG, backendTaskRole, TaskExecutionRole, frontendTaskRole, backendLogGroup, frontendLogGroup} = new Network(this, 'Network')
+    const { vpc, cluster, alb, targetGroup, cloudmapNamespace, ecsFrontSG, ecsBackSG, dbSG, albSG, backendLogGroup, frontendLogGroup} = new Network(this, 'Network')
+    
+    // IAM
+    const { backendTaskRole, TaskExecutionRole, frontendTaskRole } = new EcsIAM(this, 'EcsIAM')
+
    // ECR
    const { ecrFrontEndRepository,ecrBackEndRepository} = new EcrRepository(this, 'Ecr', {
      cloudmapNamespace:cloudmapNamespace,
--- a/deploy/scripts/cdk/lib/construct/backend.ts
+++ b/deploy/scripts/cdk/lib/construct/backend.ts
@ -95,6 +95,7 @@ export class BackEndCluster extends Construct {
      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
    });

+    // Secrets ManagerからのSecret取得ロール
    const ecsBackEndExecutionRole = iam.Role.fromRoleArn(
      this,
      "ecsBackEndExecutionRole",
--- a/deploy/scripts/cdk/lib/construct/iam.ts
+++ b/deploy/scripts/cdk/lib/construct/iam.ts
@ -0,0 +1,74 @@
+import { RemovalPolicy, Duration } from 'aws-cdk-lib'
+import { Construct } from 'constructs'
+import {
+  aws_ec2 as ec2,
+  aws_ecs as ecs,
+  aws_iam as iam,
+  aws_logs as logs,
+} from 'aws-cdk-lib';
+
+export class EcsIAM extends Construct {
+  readonly backendTaskRole: iam.Role;
+  readonly TaskExecutionRole: iam.Role;
+  readonly frontendTaskRole: iam.Role;
+
+  constructor(scope: Construct, id: string) {
+    super(scope, id)
+
+    // Policy Statements
+    // ECS Policy State
+    const ECSExecPolicyStatement = new iam.PolicyStatement({
+      sid: 'allowECSExec',
+      resources: ['*'],
+      actions: [
+        'ecr:GetAuthorizationToken',
+        'ecr:BatchCheckLayerAvailability',
+        'ecr:GetDownloadUrlForLayer',
+        'ecr:BatchGetImage',
+      ],
+    });
+    // Bedrock Policy State
+    const BedrockPolicyStatement = new iam.PolicyStatement({
+      sid: 'allowBedrockAccess',
+      resources: ['*'],
+      actions: [
+        'bedrock:*',
+      ],
+    });
+    // Kendra Policy State
+    const KendraPolicyStatement = new iam.PolicyStatement({
+      sid: 'allowKendraAccess',
+      resources: ['*'],
+      actions: [
+        'kendra:*'
+      ],
+    });
+
+    // FrontEnd Task Role
+    this.frontendTaskRole = new iam.Role(this, 'FrontendTaskRole', {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+    });
+    this.frontendTaskRole.addToPolicy(ECSExecPolicyStatement);
+
+    // BackEnd Task Role
+    this.backendTaskRole = new iam.Role(this, 'BackendTaskRole', {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+    });
+    // ECS Exec Policyの付与
+    this.backendTaskRole.addToPolicy(ECSExecPolicyStatement);
+    // KendraとBedrockのアクセス権付与
+    this.backendTaskRole.addToPolicy(KendraPolicyStatement);
+    this.backendTaskRole.addToPolicy(BedrockPolicyStatement);
+
+    // Task ExecutionRole -> ここは共通
+    this.TaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+      managedPolicies: [
+        {
+          managedPolicyArn:
+            'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
+        },
+      ],
+    });
+  }
+}
--- a/deploy/scripts/cdk/lib/construct/index.ts
+++ b/deploy/scripts/cdk/lib/construct/index.ts
@ -1,5 +1,6 @@
 export * from './db';
 export * from './ecr';
+export * from './iam';
 export * from './frontend';
 export * from './backend';
 export * from './network';
--- a/deploy/scripts/cdk/lib/construct/network.ts
+++ b/deploy/scripts/cdk/lib/construct/network.ts
@ -3,8 +3,6 @@ import { Construct } from 'constructs'
 import {
  aws_ec2 as ec2,
  aws_ecs as ecs,
-  aws_dynamodb as dynamodb,
-  aws_iam as iam,
  aws_logs as logs,
  aws_servicediscovery as servicediscovery,
  aws_elasticloadbalancingv2 as elb,
@ -20,9 +18,6 @@ export class Network extends Construct {
  readonly ecsBackSG: ec2.SecurityGroup;
  readonly dbSG: ec2.SecurityGroup;
  readonly albSG: ec2.SecurityGroup;
-  readonly backendTaskRole: iam.Role;
-  readonly TaskExecutionRole: iam.Role;
-  readonly frontendTaskRole: iam.Role;
  readonly backendLogGroup: logs.LogGroup;
  readonly frontendLogGroup: logs.LogGroup;

@ -129,68 +124,6 @@ export class Network extends Construct {
    })
    // AppRunnerSecurityGroupからのポート3306:mysql(5432:postgres)のインバウンドを許可
    this.dbSG.addIngressRule(this.ecsBackSG, ec2.Port.tcp(3306))
-    
-    // ECS Policy State
-    const ECSExecPolicyStatement = new iam.PolicyStatement({
-      sid: 'allowECSExec',
-      resources: ['*'],
-      actions: [
-        'ecr:GetAuthorizationToken',
-        'ecr:BatchCheckLayerAvailability',
-        'ecr:GetDownloadUrlForLayer',
-        'ecr:BatchGetImage',
-        'ssmmessages:CreateControlChannel',
-        'ssmmessages:CreateDataChannel',
-        'ssmmessages:OpenControlChannel',
-        'ssmmessages:OpenDataChannel',
-        'logs:CreateLogStream',
-        'logs:DescribeLogGroups',
-        'logs:DescribeLogStreams',
-        'logs:PutLogEvents',
-      ],
-    });
-    // Bedrock roll
-    const BedrockPolicyStatement = new iam.PolicyStatement({
-      sid: 'allowBedrockAccess',
-      resources: ['*'],
-      actions: [
-        'bedrock:*',
-      ],
-    });
-    // Kendra roll
-    const KendraPolicyStatement = new iam.PolicyStatement({
-      sid: 'allowKendraAccess',
-      resources: ['*'],
-      actions: [
-        'kendra:*'
-      ],
-    });
-
-    this.backendTaskRole = new iam.Role(this, 'BackendTaskRole', {
-      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
-    });
-    // ECS Exec Policyの付与
-    this.backendTaskRole.addToPolicy(ECSExecPolicyStatement);
-    // KendraとBedrockのアクセス権付与
-    this.backendTaskRole.addToPolicy(KendraPolicyStatement);
-    this.backendTaskRole.addToPolicy(BedrockPolicyStatement);
-
-    
-
-    this.frontendTaskRole = new iam.Role(this, 'FrontendTaskRole', {
-      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
-    });
-    this.frontendTaskRole.addToPolicy(ECSExecPolicyStatement);
-
-    this.TaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
-      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
-      managedPolicies: [
-        {
-          managedPolicyArn:
-            'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
-        },
-      ],
-    });

    // Create CloudWatch Log Group
    this.backendLogGroup = new logs.LogGroup(this, 'backendLogGroup', {