import { RemovalPolicy, Duration } from 'aws-cdk-lib'
import { Construct } from 'constructs'
import {
aws_ec2 as ec2,
aws_ecs as ecs,
aws_iam as iam,
aws_logs as logs,
} from 'aws-cdk-lib';
/**
 * IAM roles for the ECS services: one task role per service (frontend,
 * backend) plus the task execution role shared by both.
 *
 * NOTE(review): the backend task role is granted `bedrock:*` and `kendra:*`
 * on `resources: ['*']`. A least-privilege setup would list the specific
 * actions the backend actually calls and scope them to the Kendra index /
 * Bedrock model ARNs in use — confirm the required set with the owners
 * before tightening, since the ARNs are not visible in this file.
 */
export class EcsIAM extends Construct {
  readonly backendTaskRole: iam.Role;
  readonly TaskExecutionRole: iam.Role;
  readonly frontendTaskRole: iam.Role;

  /**
   * @param scope - parent construct
   * @param id    - construct id under `scope`
   */
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // All three statements share the same shape: a sid, an action list and
    // an unrestricted resource. Keep the sids byte-identical — they end up
    // in the synthesized policy documents.
    const allowOnAnyResource = (sid: string, actions: string[]): iam.PolicyStatement =>
      new iam.PolicyStatement({ sid, resources: ['*'], actions });

    // Statement sid'd "allowECSExec" — but the actions it carries are ECR
    // image-pull actions. NOTE(review): ECS Exec (`execute-command`) relies
    // on the ssmmessages channel actions, not on ECR, and image pulls are
    // performed by the execution role (covered below by
    // AmazonECSTaskExecutionRolePolicy), so confirm whether the task roles
    // need this statement at all.
    const ecrPullStatement = allowOnAnyResource('allowECSExec', [
      'ecr:GetAuthorizationToken',
      'ecr:BatchCheckLayerAvailability',
      'ecr:GetDownloadUrlForLayer',
      'ecr:BatchGetImage',
    ]);

    // Wildcard service access for the backend (see class comment).
    const bedrockStatement = allowOnAnyResource('allowBedrockAccess', ['bedrock:*']);
    const kendraStatement = allowOnAnyResource('allowKendraAccess', ['kendra:*']);

    // Frontend task role: ECR pull only.
    this.frontendTaskRole = this.newEcsTaskRole('FrontendTaskRole');
    this.frontendTaskRole.addToPolicy(ecrPullStatement);

    // Backend task role: ECR pull, then Kendra and Bedrock access
    // (attached in this order so the policy document is unchanged).
    this.backendTaskRole = this.newEcsTaskRole('BackendTaskRole');
    for (const statement of [ecrPullStatement, kendraStatement, bedrockStatement]) {
      this.backendTaskRole.addToPolicy(statement);
    }

    // Task execution role — shared by both services. The managed policy ARN
    // is given literally (partition `aws`) rather than via
    // ManagedPolicy.fromAwsManagedPolicyName, which would emit a partition
    // token instead; kept as-is to preserve the synthesized template.
    this.TaskExecutionRole = new iam.Role(this, 'TaskExecutionRole', {
      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
      managedPolicies: [
        {
          managedPolicyArn:
            'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
        },
      ],
    });
  }

  /**
   * Creates a role assumable by the ECS tasks service with no inline policy;
   * callers attach statements with `addToPolicy`.
   *
   * @param id - construct id of the role within this construct
   */
  private newEcsTaskRole(id: string): iam.Role {
    return new iam.Role(this, id, {
      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
    });
  }
}