all policydocs are outside pipeline.ts

aws-observability · Sep 28, 2023 · b4c826d · b4c826d
1 parent 7dded6b
commit b4c826d
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 145 deletions.
diff --git a/...lti-new-eks-observability-accelerators/multi-acc-new-eks-mixed-observability.md b/...lti-new-eks-observability-accelerators/multi-acc-new-eks-mixed-observability.md
@@ -52,7 +52,6 @@ cd cdk-aws-observability-accelerator
 
 ---
 
-
 > ___Pro Tip:___ This document is compatible to run as Notebook with [RUNME for VS Code](https://docs.runme.dev/install#runme-for-vs-code) . There's no need to manually copy and paste commands. You can effortlessly execute them directly from this markdown file. Feel free to give it a try! `code docs/patterns/multi-new-eks-observability-accelerators/multi-acc-new-eks-mixed-observability.md`
 
 ---
@@ -259,7 +258,7 @@ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap --profile monitoring-account \
     aws://${COA_MON_ACCOUNT_ID}/${COA_MON_REGION}
 ```
 
-5. Once all pre-requisites are set, you are ready to deploy the pipeline. Run the following command from the root of cloned repository to deploy the pipeline stack in `pipelineEnv` account. This step may require approximately **15-20 minutes** to finish.
+5. Once all pre-requisites are set, you are ready to deploy the pipeline. Run the following command from the root of cloned repository to deploy the pipeline stack in `pipelineEnv` account. This step may require approximately **20 minutes** to finish.
 
 ```bash { promptEnv=false }
 export AWS_PROFILE='pipeline-account'
@@ -275,7 +274,7 @@ make pattern multi-acc-new-eks-mixed-observability deploy multi-account-COA-pipe
    - `cloudwatchDataSourceRole` with permissions to retrieve metrics from CloudWatch in `prod2Env` account and
    - Updates Amazon Grafana workspace IAM role in `monitoringEnv` account to assume roles in `prod1Env` and `prod2Env` accounts for retrieving and visualizing metrics in Grafana
 
-   This step may require approximately **15-20 minutes** to finish.
+   This step may require approximately **50 minutes** to finish.
 
 ## Post Deployment
 

diff --git a/lib/multi-acc-new-eks-mixed-observability-pattern/amg-iam-setup.ts b/lib/multi-acc-new-eks-mixed-observability-pattern/amg-iam-setup.ts
@@ -31,16 +31,6 @@ export class AmgIamSetupStack extends NestedStack {
 
         const account = this.account;
 
-        // Create role - commented as we are expecting pre-existing AMG and their role from it.
-        // const workspaceRole = new Role(this, 'amg-iam-role', {
-        //     roleName: props.roleName,
-        //     assumedBy: new ServicePrincipal('grafana.amazonaws.com').withConditions({
-        //         StringEquals: {'aws:SourceAccount': `${account}`},
-        //         StringLike: {'aws:SourceArn': `arn:aws:grafana:${region}:${account}:/workspaces/*`}
-        //     }),
-        //     description: 'Service Role for Amazon Managed Grafana',
-        // });
-
         const workspaceRole = Role.fromRoleArn(this, 'ExistingRole', props.roleArn);
 
         // Inline policy for SNS
@@ -52,7 +42,6 @@ export class AmgIamSetupStack extends NestedStack {
             resources: [`arn:aws:sns:*:${account}:grafana*`]
         });
 
-        // workspaceRole.addToPolicy(AMGSNSPolicy);
         workspaceRole.addToPrincipalPolicy(AMGSNSPolicy);
 
         for (let i = 0; i < props.accounts.length; i++) {

diff --git a/lib/multi-acc-new-eks-mixed-observability-pattern/amp-monitoring.ts b/lib/multi-acc-new-eks-mixed-observability-pattern/amp-monitoring.ts
@@ -57,13 +57,6 @@ export default class AmpMonitoringConstruct {
             new blueprints.addons.XrayAdotAddOn(),
             new blueprints.addons.ClusterAutoScalerAddOn(),
             new blueprints.addons.SecretsStoreAddOn(),
-            /* already part of enableOpenSourcePatternAddOns
-            new blueprints.addons.AwsLoadBalancerControllerAddOn(), // part of enableOpenSourcePatternAddOns
-            new blueprints.addons.CertManagerAddOn(), // part of enableOpenSourcePatternAddOns
-            new blueprints.addons.KubeStateMetricsAddOn(), // part of enableOpenSourcePatternAddOns
-            new blueprints.addons.PrometheusNodeExporterAddOn(), // part of enableOpenSourcePatternAddOns
-            new blueprints.addons.AdotCollectorAddOn(), // part of enableOpenSourcePatternAddOns
-            */
         ];
 
         return ObservabilityBuilder.builder()

diff --git a/lib/multi-acc-new-eks-mixed-observability-pattern/create-iam-role.ts b/lib/multi-acc-new-eks-mixed-observability-pattern/create-iam-role.ts
@@ -14,13 +14,11 @@ interface Statement {
 /* Properties for Cross Account Trust Role:
 * roleName - new role name
 * trustArn - Role ARN principal from trusted account
-* statement - policy statement as json
+* policyDocument - policy statement of property Statement[]
 */
 export interface CreateIAMRoleNestedStackProps extends NestedStackProps {
     roleName: string,
     trustArn: string,
-    // actions: string[],
-    // resources: string[],
     policyDocument: Statement[],
 }
 
@@ -41,21 +39,13 @@ export class CreateIAMRoleNestedStack extends NestedStack {
         const role = new iam.Role(this, 'coa-iam-role', {
             roleName: props.roleName,
             assumedBy: new iam.ArnPrincipal(props.trustArn),
-            // assumedBy: new iam.AccountPrincipal(this.account),
             description: 'IAM Role created as part of CDK Observability Accelerator',
         });
 
         props.policyDocument.forEach((statement) => {
-            console.log(statement);
             role.addToPolicy(iam.PolicyStatement.fromJson(statement));
         });
 
-
-        // role.addToPolicy(new iam.PolicyStatement({
-        //     actions: props.actions,
-        //     resources: props.resources,
-        // }));
-
         new cdk.CfnOutput(this, `COAIAMRole-${props.roleName}`, { value: role ? role.roleArn : "none" });
     }
 }
diff --git a/lib/multi-acc-new-eks-mixed-observability-pattern/pipeline.ts b/lib/multi-acc-new-eks-mixed-observability-pattern/pipeline.ts
@@ -34,10 +34,7 @@ let nodeExporterDashUrl: string;
 let nodesDashUrl: string;
 let workloadsDashUrl: string;
 
-/**
- * Function relies on a secret called "cdk-context" defined in COA_PIPELINE_REGION region in pipeline account. Its a MANDATORY STEP.
- * @returns
- */
+// Function relies on a secret called "cdk-context" defined in COA_PIPELINE_REGION region in pipeline account. Its a MANDATORY STEP.
 export async function populateAccountWithContextDefaults(region: string): Promise<PipelineMultiEnvMonitoringProps> {
     const cdkContext = JSON.parse(await getSSMSecureString('/cdk-accelerator/cdk-context',region))['context'] as PipelineMultiEnvMonitoringProps;
     logger.debug(`Retrieved CDK context ${JSON.stringify(cdkContext)}`);
@@ -93,99 +90,6 @@ export class PipelineMultiEnvMonitoring {
         const PROD2_ENV_ID = `coa-eks-prod2-${context.prodEnv2.region}`;
         const MON_ENV_ID = `coa-cntrl-mon-${context.monitoringEnv.region}`;
 
-        // Get AMG info from SSM SecureString
-        const amgInfo = JSON.parse(await getSSMSecureString('/cdk-accelerator/amg-info',this.pipelineRegion))['amg'];
-        amgWorkspaceUrl = amgInfo.workspaceURL;
-        const amgWorkspaceIAMRoleARN = amgInfo.workspaceIAMRoleARN;
-
-        // Props for cross-account trust role in PROD1 account to trust AMG from MON account, inorder to access PROD1's AMP.
-        ampAssumeRoleName = "AMPAccessForTrustedAMGRole";
-        const AMPAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
-            roleName: ampAssumeRoleName!,
-            trustArn: amgWorkspaceIAMRoleARN!,
-            policyDocument: getAMPAccessPolicyDocument()
-        };
-        // const AMPAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
-        //     roleName: ampAssumeRoleName!,
-        //     trustArn: amgWorkspaceIAMRoleARN!,
-        //     actions: [
-        //         "aps:ListWorkspaces",
-        //         "aps:DescribeWorkspace",
-        //         "aps:QueryMetrics",
-        //         "aps:GetLabels",
-        //         "aps:GetSeries",
-        //         "aps:GetMetricMetadata",
-        //         "xray:PutTraceSegments",
-        //         "xray:PutTelemetryRecords",
-        //         "xray:GetSamplingRules",
-        //         "xray:GetSamplingTargets",
-        //         "xray:GetSamplingStatisticSummaries",
-        //         "xray:BatchGetTraces",
-        //         "xray:GetServiceGraph",
-        //         "xray:GetTraceGraph",
-        //         "xray:GetTraceSummaries",
-        //         "xray:GetGroups",
-        //         "xray:GetGroup",
-        //         "xray:ListTagsForResource",
-        //         "xray:GetTimeSeriesServiceStatistics",
-        //         "xray:GetInsightSummaries",
-        //         "xray:GetInsight",
-        //         "xray:GetInsightEvents",
-        //         "xray:GetInsightImpactGraph",
-        //         "ssm:GetParameter"
-        //     ],
-        //     resources: ["*"]
-        // };
-
-        // Props for cross-account trust role in PROD2 account to trust AMG from MON account, inorder to access PROD2's CloudWatch data
-        cwAssumeRoleName = "CWAccessForTrustedAMGRole";
-        const CWAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
-            roleName: cwAssumeRoleName,
-            trustArn: amgWorkspaceIAMRoleARN!,
-            policyDocument: getCWAccessPolicyDocument()
-        };
-        // const CWAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
-        //     roleName: cwAssumeRoleName,
-        //     trustArn: amgWorkspaceIAMRoleARN!,
-        //     actions: [
-        //         "cloudwatch:DescribeAlarmsForMetric",
-        //         "cloudwatch:DescribeAlarmHistory",
-        //         "cloudwatch:DescribeAlarms",
-        //         "cloudwatch:ListMetrics",
-        //         "cloudwatch:GetMetricStatistics",
-        //         "cloudwatch:GetMetricData",
-        //         "logs:DescribeLogGroups",
-        //         "logs:GetLogGroupFields",
-        //         "logs:StartQuery",
-        //         "logs:StopQuery",
-        //         "logs:GetQueryResults",
-        //         "logs:GetLogEvents",
-        //         "ec2:DescribeTags",
-        //         "ec2:DescribeInstances",
-        //         "ec2:DescribeRegions",
-        //         "tag:GetResources",
-        //         "xray:PutTraceSegments",
-        //         "xray:PutTelemetryRecords",
-        //         "xray:GetSamplingRules",
-        //         "xray:GetSamplingTargets",
-        //         "xray:GetSamplingStatisticSummaries",
-        //         "xray:BatchGetTraces",
-        //         "xray:GetServiceGraph",
-        //         "xray:GetTraceGraph",
-        //         "xray:GetTraceSummaries",
-        //         "xray:GetGroups",
-        //         "xray:GetGroup",
-        //         "xray:ListTagsForResource",
-        //         "xray:GetTimeSeriesServiceStatistics",
-        //         "xray:GetInsightSummaries",
-        //         "xray:GetInsight",
-        //         "xray:GetInsightEvents",
-        //         "xray:GetInsightImpactGraph",
-        //         "ssm:GetParameter"
-        //     ],
-        //     resources: ["*"]
-        // };
-
         // creating constructs
         const ampConstruct = new AmpMonitoringConstruct();
         const blueprintAmp = ampConstruct.create(scope, context.prodEnv1.account, context.prodEnv1.region);
@@ -221,6 +125,27 @@ export class PipelineMultiEnvMonitoring {
             'private'
         );
 
+        // Get AMG info from SSM SecureString
+        const amgInfo = JSON.parse(await getSSMSecureString('/cdk-accelerator/amg-info',this.pipelineRegion))['amg'];
+        amgWorkspaceUrl = amgInfo.workspaceURL;
+        const amgWorkspaceIAMRoleARN = amgInfo.workspaceIAMRoleARN;
+
+        // Props for cross-account trust role in PROD1 account to trust AMG from MON account, inorder to access PROD1's AMP.
+        ampAssumeRoleName = "AMPAccessForTrustedAMGRole";
+        const AMPAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
+            roleName: ampAssumeRoleName!,
+            trustArn: amgWorkspaceIAMRoleARN!,
+            policyDocument: getAMPAccessPolicyDocument()
+        };
+
+        // Props for cross-account trust role in PROD2 account to trust AMG from MON account, inorder to access PROD2's CloudWatch data
+        cwAssumeRoleName = "CWAccessForTrustedAMGRole";
+        const CWAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
+            roleName: cwAssumeRoleName,
+            trustArn: amgWorkspaceIAMRoleARN!,
+            policyDocument: getCWAccessPolicyDocument()
+        };
+
         const AmgIamSetupStackProps: AmgIamSetupStackProps = {
             roleArn: amgWorkspaceIAMRoleARN,
             accounts: [context.prodEnv1.account!, context.prodEnv2.account!]
@@ -232,25 +157,16 @@ export class PipelineMultiEnvMonitoring {
         const gitRepositoryName = pipelineSrcInfo.gitRepoName;
         const gitBranch = pipelineSrcInfo.gitBranch;
 
-        // const codeBuiildPoilcies = getCodeBuildPolicyDocument().forEach((statement) => {iam.PolicyStatement.fromJson(statement)}) as unknown;
+        let codeBuildPolicies: unknown;
+        getCodeBuildPolicyDocument().forEach((statement) => {
+            codeBuildPolicies = iam.PolicyStatement.fromJson(statement);
+        });
+
         const pipeline = blueprints.CodePipelineStack.builder()
             .application("npx ts-node bin/multi-acc-new-eks-mixed-observability.ts")
             .name("multi-account-COA-pipeline")
             .owner(gitOwner)
-            .codeBuildPolicies([
-                new iam.PolicyStatement({
-                    resources: ["*"],
-                    actions: [
-                        "sts:AssumeRole",
-                        "secretsmanager:GetSecretValue",
-                        "secretsmanager:DescribeSecret",
-                        "cloudformation:*",
-                        "ssm:GetParameter",
-                        "ssm:PutParameter",
-                        "ssm:DescribeParameter"
-                    ]
-                })
-            ])
+            .codeBuildPolicies([codeBuildPolicies as iam.PolicyStatement])
             .repository({
                 repoUrl: gitRepositoryName,
                 credentialsSecretName: 'github-token',
@@ -289,7 +205,6 @@ export class PipelineMultiEnvMonitoring {
                 .name(PROD2_ENV_ID)
                 .clone(context.prodEnv2.region, context.prodEnv2.account)
                 .addOns(new blueprints.NestedStackAddOn({
-                    // builder: CloudWatchIamSetupStack.builder("CWAccessForTrustedAMGRole", amgWorkspaceIAMRoleARN!),
                     builder: CreateIAMRoleNestedStack.builder(CWAccessRoleStackProps),
                     id: "cloudwatch-iam-nested-stack"
                 }))