From c97f861ea4536fbb05f5eb2e9aedc35cf32727e0 Mon Sep 17 00:00:00 2001
From: nsxshota
Date: Thu, 23 Nov 2023 12:45:45 +0900
Subject: [PATCH] add: iam construct

---
 deploy/scripts/cdk/lib/cdk-stack.ts | 12 +++---
 deploy/scripts/cdk/lib/construct/backend.ts | 14 -------
 deploy/scripts/cdk/lib/construct/iam.ts | 45 ++++++++++++++++-----
 3 files changed, 42 insertions(+), 29 deletions(-)

diff --git a/deploy/scripts/cdk/lib/cdk-stack.ts b/deploy/scripts/cdk/lib/cdk-stack.ts
index b991827f8..3ef9abd23 100644
--- a/deploy/scripts/cdk/lib/cdk-stack.ts
+++ b/deploy/scripts/cdk/lib/cdk-stack.ts
@@ -13,9 +13,6 @@ export class LangflowAppStack extends cdk.Stack {
 // VPC
 const { vpc, cluster, alb, targetGroup, cloudmapNamespace, ecsFrontSG, ecsBackSG, dbSG, albSG, backendLogGroup, frontendLogGroup} = new Network(this, 'Network')
 
-
- // IAM
- const { backendTaskRole, TaskExecutionRole, frontendTaskRole } = new EcsIAM(this, 'EcsIAM')
 
 // ECR
 const { ecrFrontEndRepository,ecrBackEndRepository} = new EcrRepository(this, 'Ecr', {
@@ -27,12 +24,17 @@ export class LangflowAppStack extends cdk.Stack {
 // VPCとSGのリソース情報をPropsとして引き渡す
 const { rdsCluster } = new Rds(this, 'Rds', { vpc, dbSG })
 
+ // IAM
+ const { frontendTaskRole, frontendTaskExecutionRole, backendTaskRole, backendTaskExecutionRole } = new EcsIAM(this, 'EcsIAM',{
+ rdsCluster:rdsCluster
+ })
+
 const backendService = new BackEndCluster(this, 'backend', {
 cluster:cluster,
 ecsBackSG:ecsBackSG,
 ecrBackEndRepository:ecrBackEndRepository,
 backendTaskRole:backendTaskRole,
- backendTaskExecutionRole:TaskExecutionRole,
+ backendTaskExecutionRole:backendTaskExecutionRole,
 backendLogGroup:backendLogGroup,
 cloudmapNamespace:cloudmapNamespace,
 rdsCluster:rdsCluster,
@@ -47,7 +49,7 @@ export class LangflowAppStack extends cdk.Stack {
 targetGroup: targetGroup,
 backendServiceName: backendService.backendServiceName,
 frontendTaskRole: frontendTaskRole,
- frontendTaskExecutionRole: TaskExecutionRole,
+ frontendTaskExecutionRole: frontendTaskExecutionRole,
 frontendLogGroup: frontendLogGroup,
 cloudmapNamespace: cloudmapNamespace,
 arch:arch
diff --git a/deploy/scripts/cdk/lib/construct/backend.ts b/deploy/scripts/cdk/lib/construct/backend.ts
index e39d1e210..7863f0d3d 100644
--- a/deploy/scripts/cdk/lib/construct/backend.ts
+++ b/deploy/scripts/cdk/lib/construct/backend.ts
@@ -95,19 +95,5 @@ export class BackEndCluster extends Construct {
 vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
 });
 
- // Secrets ManagerからのSecret取得ロール
- const ecsBackEndExecutionRole = iam.Role.fromRoleArn(
- this,
- "ecsBackEndExecutionRole",
- backendService.taskDefinition.executionRole!.roleArn,
- {}
- );
- ecsBackEndExecutionRole.attachInlinePolicy(new iam.Policy(this, 'SMGetPolicy', {
- statements: [new iam.PolicyStatement({
- actions: ['secretsmanager:GetSecretValue'],
- resources: [secretsDB.secretArn],
- })],
- }));
-
 }
 }
\ No newline at end of file
diff --git a/deploy/scripts/cdk/lib/construct/iam.ts b/deploy/scripts/cdk/lib/construct/iam.ts
index 001ed11ec..6ee20051b 100644
--- a/deploy/scripts/cdk/lib/construct/iam.ts
+++ b/deploy/scripts/cdk/lib/construct/iam.ts
@@ -1,18 +1,22 @@
 import { RemovalPolicy, Duration } from 'aws-cdk-lib'
 import { Construct } from 'constructs'
+import { Props } from '../../cdk.out/asset.a565eb91ccb4c3ed87fd8f7d890173b077c2d2aa3a9837e3e4ecc8349b6a3483/src/frontend/src/types/components/index';
 import {
- aws_ec2 as ec2,
- aws_ecs as ecs,
+ aws_rds as rds,
 aws_iam as iam,
- aws_logs as logs,
 } from 'aws-cdk-lib';
 
-export class EcsIAM extends Construct {
- readonly backendTaskRole: iam.Role;
- readonly TaskExecutionRole: iam.Role;
- readonly frontendTaskRole: iam.Role;
+interface IAMProps {
+ rdsCluster:rds.DatabaseCluster
+}
 
- constructor(scope: Construct, id: string) {
+export class EcsIAM extends Construct {
+ readonly frontendTaskRole: iam.Role;
+ readonly frontendTaskExecutionRole: iam.Role;
+ readonly backendTaskRole: iam.Role;
+ readonly backendTaskExecutionRole: iam.Role;
+
+ constructor(scope: Construct, id: string, props:IAMProps) {
 super(scope, id)
 
 // Policy Statements
@@ -60,8 +64,8 @@ export class EcsIAM extends Construct {
 this.backendTaskRole.addToPolicy(KendraPolicyStatement);
 this.backendTaskRole.addToPolicy(BedrockPolicyStatement);
 
- // Task ExecutionRole -> ここは共通
- this.TaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
+ // FrontEnd Task ExecutionRole
+ this.frontendTaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
 assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
 managedPolicies: [
 {
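Review bot: The added `import { Props } from '../../cdk.out/asset.a565eb91ccb4c3ed87fd8f7d890173b077c2d2aa3a9837e3e4ecc8349b6a3483/src/frontend/src/types/components/index';` on the third line of the hunk reaches into the CDK asset-staging directory, and `Props` is not used anywhere in the hunk — the construct declares its own `IAMProps`. `cdk.out` is generated build output that is normally git-ignored, so this line fails to resolve on a clean checkout and, whenever the asset hash changes, points at a stale copy of frontend code; it reads as an editor auto-import and should be deleted. As a smaller point, `IAMProps` could declare `readonly rdsCluster: rds.DatabaseCluster` since the construct only reads it.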
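Review bot: `this.frontendTaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {` on the hunk's last changed line keeps the old construct id for the frontend role, while the next hunk (`@@ -70,5 +74,26 @@`) creates the backend execution role under the same id `'TaskExecutionRole'` in the same scope; CDK rejects two children with one id at synth time, so the stack cannot be deployed as written. Give each role a distinct id, e.g. `this.frontendTaskExecutionRole = new iam.Role(this, 'FrontendTaskExecutionRole', {` here and `'BackendTaskExecutionRole'` in the next hunk. Changing the frontend id also changes that role's logical ID, so an already-deployed stack will replace the role on the next deploy — worth a line in the commit message. The constructor body continues outside the hunk.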
@@ -70,5 +74,26 @@ export class EcsIAM extends Construct {
 },
 ],
 });
+
+ // Secrets ManagerからDB認証情報を取ってくる
+ const secretsDB = props.rdsCluster.secret!;
+
+ // BackEnd Task ExecutionRole
+ this.backendTaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
+ assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+ managedPolicies: [
+ {
+ managedPolicyArn:
+ 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
+ },
+ ],
+ });
+
+ this.backendTaskExecutionRole.attachInlinePolicy(new iam.Policy(this, 'SMGetPolicy', {
+ statements: [new iam.PolicyStatement({
+ actions: ['secretsmanager:GetSecretValue'],
+ resources: [secretsDB.secretArn],
+ })],
+ }));
 }
 }
\ No newline at end of file
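Review bot: `const secretsDB = props.rdsCluster.secret!;` hides the case where the cluster has no generated secret (credentials supplied without one), in which case `secretsDB.secretArn` below is read off `undefined` at synth time with no useful message; an explicit check fails clearly: `const secretsDB = props.rdsCluster.secret;` followed by `if (!secretsDB) throw new Error('EcsIAM: rdsCluster has no Secrets Manager secret');`. The hand-written `SMGetPolicy` can then be replaced by `secretsDB.grantRead(this.backendTaskExecutionRole);`, the idiomatic CDK grant for this: it stays scoped to that one secret and also adds the `kms:Decrypt` on the secret's encryption key that a customer-managed key would require, which the inline statement granting only `secretsmanager:GetSecretValue` does not. The role id `'TaskExecutionRole'` here duplicates the one in the previous hunk, as noted there.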