diff --git a/deploy/scripts/cdk/lib/cdk-stack.ts b/deploy/scripts/cdk/lib/cdk-stack.ts index f83fcb0f5..b991827f8 100644 --- a/deploy/scripts/cdk/lib/cdk-stack.ts +++ b/deploy/scripts/cdk/lib/cdk-stack.ts @@ -2,7 +2,7 @@ import * as cdk from 'aws-cdk-lib'; import { Construct } from 'constructs'; import * as ecs from 'aws-cdk-lib/aws-ecs' -import { Network, EcrRepository, FrontEndCluster, BackEndCluster, Rds } from './construct'; +import { Network, EcrRepository, FrontEndCluster, BackEndCluster, Rds, EcsIAM } from './construct'; // import * as sqs from 'aws-cdk-lib/aws-sqs'; export class LangflowAppStack extends cdk.Stack { @@ -12,7 +12,11 @@ export class LangflowAppStack extends cdk.Stack { const arch = ecs.CpuArchitecture.X86_64 // VPC - const { vpc, cluster, alb, targetGroup, cloudmapNamespace, ecsFrontSG, ecsBackSG, dbSG, albSG, backendTaskRole, TaskExecutionRole, frontendTaskRole, backendLogGroup, frontendLogGroup} = new Network(this, 'Network') + const { vpc, cluster, alb, targetGroup, cloudmapNamespace, ecsFrontSG, ecsBackSG, dbSG, albSG, backendLogGroup, frontendLogGroup} = new Network(this, 'Network') + + // IAM + const { backendTaskRole, TaskExecutionRole, frontendTaskRole } = new EcsIAM(this, 'EcsIAM') + // ECR const { ecrFrontEndRepository,ecrBackEndRepository} = new EcrRepository(this, 'Ecr', { cloudmapNamespace:cloudmapNamespace, diff --git a/deploy/scripts/cdk/lib/construct/backend.ts b/deploy/scripts/cdk/lib/construct/backend.ts index 26100d711..e39d1e210 100644 --- a/deploy/scripts/cdk/lib/construct/backend.ts +++ b/deploy/scripts/cdk/lib/construct/backend.ts @@ -95,6 +95,7 @@ export class BackEndCluster extends Construct { vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }, }); + // Secrets ManagerからのSecret取得ロール const ecsBackEndExecutionRole = iam.Role.fromRoleArn( this, "ecsBackEndExecutionRole", 
diff --git a/deploy/scripts/cdk/lib/construct/iam.ts b/deploy/scripts/cdk/lib/construct/iam.ts
new file mode 100644
index 000000000..001ed11ec
--- /dev/null
+++ b/deploy/scripts/cdk/lib/construct/iam.ts
@@ -0,0 +1,74 @@
+import { RemovalPolicy, Duration } from 'aws-cdk-lib'
+import { Construct } from 'constructs'
+import {
+ aws_ec2 as ec2,
+ aws_ecs as ecs,
+ aws_iam as iam,
+ aws_logs as logs,
+} from 'aws-cdk-lib';
+
+export class EcsIAM extends Construct {
+ readonly backendTaskRole: iam.Role;
+ readonly TaskExecutionRole: iam.Role;
+ readonly frontendTaskRole: iam.Role;
+
+ constructor(scope: Construct, id: string) {
+ super(scope, id)
+
+ // Policy Statements
+ // ECS Policy State
+ const ECSExecPolicyStatement = new iam.PolicyStatement({
+ sid: 'allowECSExec',
+ resources: ['*'],
+ actions: [
+ 'ecr:GetAuthorizationToken',
+ 'ecr:BatchCheckLayerAvailability',
+ 'ecr:GetDownloadUrlForLayer',
+ 'ecr:BatchGetImage',
+ ],
+ });
+ // Bedrock Policy State
+ const BedrockPolicyStatement = new iam.PolicyStatement({
+ sid: 'allowBedrockAccess',
+ resources: ['*'],
+ actions: [
+ 'bedrock:*',
+ ],
+ });
+ // Kendra Policy State
+ const KendraPolicyStatement = new iam.PolicyStatement({
+ sid: 'allowKendraAccess',
+ resources: ['*'],
+ actions: [
+ 'kendra:*'
+ ],
+ });
+
+ // FrontEnd Task Role
+ this.frontendTaskRole = new iam.Role(this, 'FrontendTaskRole', {
+ assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+ });
+ this.frontendTaskRole.addToPolicy(ECSExecPolicyStatement);
+
+ // BackEnd Task Role
+ this.backendTaskRole = new iam.Role(this, 'BackendTaskRole', {
+ assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+ });
+ // ECS Exec Policyの付与
+ this.backendTaskRole.addToPolicy(ECSExecPolicyStatement);
+ // KendraとBedrockのアクセス権付与
+ this.backendTaskRole.addToPolicy(KendraPolicyStatement);
+ this.backendTaskRole.addToPolicy(BedrockPolicyStatement);
+
+ // Task ExecutionRole -> ここは共通
+ this.TaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
+ assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+ managedPolicies: [
+ {
+ managedPolicyArn:
+ 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
+ },
+ 
], + }); + } +} \ No newline at end of file diff --git a/deploy/scripts/cdk/lib/construct/index.ts b/deploy/scripts/cdk/lib/construct/index.ts index 8ca22911a..8c2efcb1b 100644 --- a/deploy/scripts/cdk/lib/construct/index.ts +++ b/deploy/scripts/cdk/lib/construct/index.ts @@ -1,5 +1,6 @@ export * from './db'; export * from './ecr'; +export * from './iam'; export * from './frontend'; export * from './backend'; export * from './network'; \ No newline at end of file diff --git a/deploy/scripts/cdk/lib/construct/network.ts b/deploy/scripts/cdk/lib/construct/network.ts index 9ce50adb3..aa9e48dc5 100644 --- a/deploy/scripts/cdk/lib/construct/network.ts +++ b/deploy/scripts/cdk/lib/construct/network.ts @@ -3,8 +3,6 @@ import { Construct } from 'constructs' import { aws_ec2 as ec2, aws_ecs as ecs, - aws_dynamodb as dynamodb, - aws_iam as iam, aws_logs as logs, aws_servicediscovery as servicediscovery, aws_elasticloadbalancingv2 as elb, @@ -20,9 +18,6 @@ export class Network extends Construct { readonly ecsBackSG: ec2.SecurityGroup; readonly dbSG: ec2.SecurityGroup; readonly albSG: ec2.SecurityGroup; - readonly backendTaskRole: iam.Role; - readonly TaskExecutionRole: iam.Role; - readonly frontendTaskRole: iam.Role; readonly backendLogGroup: logs.LogGroup; readonly frontendLogGroup: logs.LogGroup; 
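Review bot: The `ECSExecPolicyStatement` in the new iam.ts keeps the sid `allowECSExec` but carries only the four `ecr:*` actions; the `ssmmessages:CreateControlChannel`/`CreateDataChannel`/`OpenControlChannel`/`OpenDataChannel` and `logs:*` actions that the same statement had in network.ts (removed in the hunk below) are gone, so ECS Exec on both task roles stops working unless that is intended — either restore those actions or rename the statement, and state the change in the commit message. The ECR pull actions are an execution-role concern and are already granted to `TaskExecutionRole` through `AmazonECSTaskExecutionRolePolicy`, so attaching them to the task roles only widens those roles without purpose. `bedrock:*` and `kendra:*` on `resources: ['*']` give the backend task full control of both services; scoping the actions to the invocation/query calls the backend actually makes and the resources to the specific index and model ARNs would keep `backendTaskRole` at least privilege. `RemovalPolicy`, `Duration`, `ec2`, `ecs` and `logs` are imported but unused in this file, and `managedPolicyArn: 'arn:aws:iam::aws:...'` hardcodes the `aws` partition — `iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy')` resolves it for the deploying partition.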
@@ -129,68 +124,6 @@ export class Network extends Construct { }) // AppRunnerSecurityGroupからのポート3306:mysql(5432:postgres)のインバウンドを許可 this.dbSG.addIngressRule(this.ecsBackSG, ec2.Port.tcp(3306)) - - // ECS Policy State - const ECSExecPolicyStatement = new iam.PolicyStatement({ - sid: 'allowECSExec', - resources: ['*'], - actions: [ - 'ecr:GetAuthorizationToken', - 'ecr:BatchCheckLayerAvailability', - 'ecr:GetDownloadUrlForLayer', - 'ecr:BatchGetImage', - 'ssmmessages:CreateControlChannel', - 'ssmmessages:CreateDataChannel', - 'ssmmessages:OpenControlChannel', - 'ssmmessages:OpenDataChannel', - 'logs:CreateLogStream', - 'logs:DescribeLogGroups', - 'logs:DescribeLogStreams', - 'logs:PutLogEvents', - ], - }); - // Bedrock roll - const BedrockPolicyStatement = new iam.PolicyStatement({ - sid: 'allowBedrockAccess', - resources: ['*'], - actions: [ - 'bedrock:*', - ], - }); - // Kendra roll - const KendraPolicyStatement = new iam.PolicyStatement({ - sid: 'allowKendraAccess', - resources: ['*'], - actions: [ - 'kendra:*' - ], - }); - - this.backendTaskRole = new iam.Role(this, 'BackendTaskRole', { - assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'), - }); - // ECS Exec Policyの付与 - this.backendTaskRole.addToPolicy(ECSExecPolicyStatement); - // KendraとBedrockのアクセス権付与 - this.backendTaskRole.addToPolicy(KendraPolicyStatement); - this.backendTaskRole.addToPolicy(BedrockPolicyStatement); - - - - this.frontendTaskRole = new iam.Role(this, 'FrontendTaskRole', { - assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'), - }); - this.frontendTaskRole.addToPolicy(ECSExecPolicyStatement); - - this.TaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', { - assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'), - managedPolicies: [ - { - managedPolicyArn: - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy', - }, - ], - }); // Create CloudWatch Log Group this.backendLogGroup = new logs.LogGroup(this, 'backendLogGroup', {