Add ability to assume multiple roles

lib/ci-stack.ts

@@ -16,7 +16,6 @@ import {
 } from '@aws-cdk/core';
 import { ListenerCertificate } from '@aws-cdk/aws-elasticloadbalancingv2';
 import { Bucket } from '@aws-cdk/aws-s3';
-import { disconnect } from 'cluster';
 import { CIConfigStack } from './ci-config-stack';
 import { JenkinsMainNode } from './compute/jenkins-main-node';
 import { JenkinsMonitoring } from './monitoring/ci-alarms';
@@ -41,7 +40,7 @@ export interface CIStackProps extends StackProps {
   /** Do you want to retain jenkins jobs and build history */
   readonly dataRetention?: boolean;
   /** IAM role ARN to be assumed by jenkins agent nodes eg: cross-account */
-  readonly agentAssumeRole?: string;
+  readonly agentAssumeRole?: string[];
   /** File path containing global environment variables to be added to jenkins enviornment */
   readonly envVarsFilePath?: string;
   /** Add Mac agent to jenkins */
@@ -69,8 +68,6 @@ export class CIStack extends Stack {
         },
       },
     });
-
-    const agentAssumeRoleContext = `${props?.agentAssumeRole ?? this.node.tryGetContext('agentAssumeRole')}`;
     const macAgentParameter = `${props?.macAgent ?? this.node.tryGetContext('macAgent')}`;
 
     const useSslParameter = `${props?.useSsl ?? this.node.tryGetContext('useSsl')}`;
@@ -152,7 +149,7 @@ export class CIStack extends Stack {
       adminUsers: props?.adminUsers,
       agentNodeSecurityGroup: securityGroups.agentNodeSG.securityGroupId,
       subnetId: vpc.publicSubnets[0].subnetId,
-    }, this.agentNodes, agentAssumeRoleContext.toString(), macAgentParameter.toString());
+    }, this.agentNodes, macAgentParameter.toString(), props?.agentAssumeRole);
 
     const externalLoadBalancer = new JenkinsExternalLoadBalancer(this, {
       vpc,

lib/compute/agent-node-config.ts

@@ -42,7 +42,7 @@ export class AgentNodeConfig {
 
    public readonly SSHEC2KeySecretId: string;
 
-   constructor(stack: Stack, assumeRole: string) {
+   constructor(stack: Stack, assumeRole?: string[]) {
      this.STACKREGION = stack.region;
      this.ACCOUNT = stack.account;
 
@@ -61,7 +61,6 @@ export class AgentNodeConfig {
 
      const ecrManagedPolicy = new ManagedPolicy(stack, 'OpenSearch-CI-AgentNodePolicy', {
        description: 'Jenkins agents Node Policy',
-       managedPolicyName: 'OpenSearch-CI-AgentNodePolicy',
        statements: [
          new PolicyStatement({
            effect: Effect.ALLOW,
@@ -107,11 +106,11 @@ export class AgentNodeConfig {
      );
 
      /* eslint-disable eqeqeq */
-     if (assumeRole.toString() !== 'undefined') {
+     if (assumeRole) {
        // policy to allow assume role AssumeRole
        AgentNodeRole.addToPolicy(
          new PolicyStatement({
-           resources: [assumeRole],
+           resources: assumeRole,
            actions: ['sts:AssumeRole'],
          }),
        );

lib/compute/jenkins-main-node.ts

@@ -91,7 +91,7 @@ export class JenkinsMainNode {
     foundJenkinsProcessCount: Metric
   }
 
-  constructor(stack: Stack, props: JenkinsMainNodeProps, agentNode: AgentNodeProps[], assumeRole: string, macAgent: string) {
+  constructor(stack: Stack, props: JenkinsMainNodeProps, agentNode: AgentNodeProps[], macAgent: string, assumeRole?: string[]) {
     this.ec2InstanceMetrics = {
       cpuTime: new Metric({
         metricName: 'procstat_cpu_usage',

test/compute/agent-node-config.test.ts

@@ -8,12 +8,11 @@
 
 import { Stack, App } from '@aws-cdk/core';
 import {
-  expect as expectCDK, haveResource, haveResourceLike, countResources,
+  expect as expectCDK, haveResourceLike,
 } from '@aws-cdk/assert';
 import { readFileSync } from 'fs';
 import { load } from 'js-yaml';
 import { CIStack } from '../../lib/ci-stack';
-import { JenkinsMainNode } from '../../lib/compute/jenkins-main-node';
 
 test('Agents Resource is present', () => {
   const app = new App({
@@ -49,7 +48,6 @@ test('Agents Resource is present', () => {
   expectCDK(stack).to(haveResourceLike('AWS::IAM::ManagedPolicy', {
     Description: 'Jenkins agents Node Policy',
     Path: '/',
-    ManagedPolicyName: 'OpenSearch-CI-AgentNodePolicy',
     Roles: [
       {
         Ref: 'OpenSearchCIAgentNodeRole4270FE0F',
@@ -124,6 +122,32 @@ test('Agents Resource is present', () => {
   }));
 });
 
+test('Agents Node policy with assume role Resource is present', () => {
+  const app = new App({
+    context: { useSsl: 'true', runWithOidc: 'true' },
+  });
+  const stack = new CIStack(app, 'TestStack', {
+    agentAssumeRole: ['arn:aws:iam::12345:role/test-role', 'arn:aws:iam::901523:role/test-role2'],
+  });
+
+  expectCDK(stack).to(haveResourceLike('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: 'sts:AssumeRole',
+          Effect: 'Allow',
+          Resource: [
+            'arn:aws:iam::12345:role/test-role',
+            'arn:aws:iam::901523:role/test-role2',
+          ],
+        },
+      ],
+      Version: '2012-10-17',
+    },
+
+  }));
+});
+
 describe('JenkinsMainNode Config with macAgent template', () => {
   // WHEN
   const testYaml = 'test/data/jenkins.yaml';