add: iam construct

deploy/scripts/cdk/lib/cdk-stack.ts

@@ -13,9 +13,6 @@ export class LangflowAppStack extends cdk.Stack {
 
     // VPC
     const { vpc, cluster, alb, targetGroup, cloudmapNamespace, ecsFrontSG, ecsBackSG, dbSG, albSG, backendLogGroup, frontendLogGroup} = new Network(this, 'Network')
-    
-    // IAM
-    const { backendTaskRole, TaskExecutionRole, frontendTaskRole } = new EcsIAM(this, 'EcsIAM')
 
     // ECR
     const { ecrFrontEndRepository,ecrBackEndRepository} = new EcrRepository(this, 'Ecr', {
@@ -27,12 +24,17 @@ export class LangflowAppStack extends cdk.Stack {
     // VPCとSGのリソース情報をPropsとして引き渡す
     const { rdsCluster } = new Rds(this, 'Rds', { vpc, dbSG })
 
+    // IAM
+    const { frontendTaskRole, frontendTaskExecutionRole, backendTaskRole, backendTaskExecutionRole } = new EcsIAM(this, 'EcsIAM',{
+      rdsCluster:rdsCluster
+    })
+
     const backendService = new BackEndCluster(this, 'backend', {
       cluster:cluster,
       ecsBackSG:ecsBackSG,
       ecrBackEndRepository:ecrBackEndRepository,
       backendTaskRole:backendTaskRole,
-      backendTaskExecutionRole:TaskExecutionRole,
+      backendTaskExecutionRole:backendTaskExecutionRole,
       backendLogGroup:backendLogGroup,
       cloudmapNamespace:cloudmapNamespace,
       rdsCluster:rdsCluster,
@@ -47,7 +49,7 @@ export class LangflowAppStack extends cdk.Stack {
       targetGroup: targetGroup,
       backendServiceName: backendService.backendServiceName,
       frontendTaskRole: frontendTaskRole,
-      frontendTaskExecutionRole: TaskExecutionRole,
+      frontendTaskExecutionRole: frontendTaskExecutionRole,
       frontendLogGroup: frontendLogGroup,
       cloudmapNamespace: cloudmapNamespace,
       arch:arch 

deploy/scripts/cdk/lib/construct/backend.ts

@@ -95,19 +95,5 @@ export class BackEndCluster extends Construct {
       vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
     });
 
-    // Secrets ManagerからのSecret取得ロール
-    const ecsBackEndExecutionRole = iam.Role.fromRoleArn(
-      this,
-      "ecsBackEndExecutionRole",
-      backendService.taskDefinition.executionRole!.roleArn,
-      {}
-    );
-    ecsBackEndExecutionRole.attachInlinePolicy(new iam.Policy(this, 'SMGetPolicy', {
-      statements: [new iam.PolicyStatement({
-        actions: ['secretsmanager:GetSecretValue'],
-        resources: [secretsDB.secretArn],
-      })],
-    }));
-
   }
 }

deploy/scripts/cdk/lib/construct/iam.ts

@@ -1,18 +1,22 @@
 import { RemovalPolicy, Duration } from 'aws-cdk-lib'
 import { Construct } from 'constructs'
+import { Props } from '../../cdk.out/asset.a565eb91ccb4c3ed87fd8f7d890173b077c2d2aa3a9837e3e4ecc8349b6a3483/src/frontend/src/types/components/index';
 import {
-  aws_ec2 as ec2,
-  aws_ecs as ecs,
+  aws_rds as rds,
   aws_iam as iam,
-  aws_logs as logs,
 } from 'aws-cdk-lib';
 
-export class EcsIAM extends Construct {
-  readonly backendTaskRole: iam.Role;
-  readonly TaskExecutionRole: iam.Role;
-  readonly frontendTaskRole: iam.Role;
+interface IAMProps {
+  rdsCluster:rds.DatabaseCluster
+}
 
-  constructor(scope: Construct, id: string) {
+export class EcsIAM extends Construct {
+  readonly frontendTaskRole: iam.Role;
+  readonly frontendTaskExecutionRole: iam.Role;
+  readonly backendTaskRole: iam.Role;
+  readonly backendTaskExecutionRole: iam.Role;
+
+  constructor(scope: Construct, id: string, props:IAMProps) {
     super(scope, id)
 
     // Policy Statements
@@ -60,8 +64,8 @@ export class EcsIAM extends Construct {
     this.backendTaskRole.addToPolicy(KendraPolicyStatement);
     this.backendTaskRole.addToPolicy(BedrockPolicyStatement);
 
-    // Task ExecutionRole -> ここは共通
-    this.TaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
+    // FrontEnd Task ExecutionRole 
+    this.frontendTaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
       assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
       managedPolicies: [
         {
@@ -70,5 +74,26 @@ export class EcsIAM extends Construct {
         },
       ],
     });
+
+    // Secrets ManagerからDB認証情報を取ってくる
+    const secretsDB = props.rdsCluster.secret!;
+
+    // BackEnd Task ExecutionRole 
+    this.backendTaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
+      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+      managedPolicies: [
+        {
+          managedPolicyArn:
+            'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
+        },
+      ],
+    });
+  
+    this.backendTaskExecutionRole.attachInlinePolicy(new iam.Policy(this, 'SMGetPolicy', {
+      statements: [new iam.PolicyStatement({
+        actions: ['secretsmanager:GetSecretValue'],
+        resources: [secretsDB.secretArn],
+      })],
+    }));
   }
 }