// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
import * as path from 'path';
import { RemovalPolicy, Stack } from 'aws-cdk-lib';
import { SecurityGroup, SubnetType, IVpc } from 'aws-cdk-lib/aws-ec2';
import { ManagedPolicy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { IBucket } from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';
import { DsfProvider } from '../../../../utils/lib/dsf-provider';
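/**
 * Creates the custom-resource provider that manages EMR on EKS interactive
 * (managed) endpoints, together with the IAM policy its Lambda handlers run under.
 *
 * The policy grants read access to managed endpoints, tag-conditioned create /
 * delete / tag permissions on virtual clusters and endpoints owned by the
 * framework, security-group management in the VPC, and (optionally) read access
 * to an asset bucket.
 *
 * @param scope - construct under which the security group, policy and provider are created
 * @param removalPolicy - removal policy forwarded to the provider
 * @param vpc - VPC the provider Lambdas are attached to (private subnets with egress are selected)
 * @param assetBucket - optional bucket the handlers need to read from
 * @returns the configured {@link DsfProvider}
 */
export function interactiveSessionsProviderSetup(
  scope: Construct,
  removalPolicy: RemovalPolicy,
  vpc: IVpc,
  assetBucket?: IBucket) : DsfProvider {
  // Resolve the stack environment once. The partition must be used in every
  // ARN (not a hard-coded `aws`), otherwise the ec2 statements never match in
  // non-standard partitions and the handlers fail there.
  const { partition, region, account } = Stack.of(scope);
  const emrContainersArn = (resource: string): string =>
    `arn:${partition}:emr-containers:${region}:${account}:${resource}`;
  const ec2Arn = (resource: string): string =>
    `arn:${partition}:ec2:${region}:${account}:${resource}`;

  const lambdaProviderSecurityGroup = new SecurityGroup(scope, 'interactiveEndpointCrSg', {
    vpc,
  });

  // Policy allowing the managed endpoint custom resource to call the managed
  // endpoint APIs. Mutating emr-containers actions are restricted to resources
  // carrying (or being created with) the framework ownership tag.
  const lambdaPolicy = [
    new PolicyStatement({
      // Describe is read-only and has no tag condition on the resource.
      resources: ['*'],
      actions: ['emr-containers:DescribeManagedEndpoint'],
    }),
    new PolicyStatement({
      resources: [emrContainersArn('/virtualclusters/*/endpoints/*')],
      actions: [
        'emr-containers:DeleteManagedEndpoint',
      ],
      conditions: { StringEquals: { 'aws:ResourceTag/data-solutions-fwk:owned': 'true' } },
    }),
    new PolicyStatement({
      resources: [emrContainersArn('/virtualclusters/*')],
      actions: ['emr-containers:CreateManagedEndpoint'],
      conditions: { StringEquals: { 'aws:ResourceTag/data-solutions-fwk:owned': 'true' } },
    }),
    new PolicyStatement({
      resources: [emrContainersArn('/virtualclusters/*/endpoints/*')],
      actions: ['emr-containers:TagResource'],
      // Only the ownership tag may be applied through this provider.
      conditions: { StringEquals: { 'aws:RequestTag/data-solutions-fwk:owned': 'true' } },
    }),
    // NOTE(review): the ec2 statements below cover every security group in the
    // account/region with no tag condition, unlike the emr-containers ones.
    // Narrowing them depends on how the handler tags the groups it creates —
    // confirm against the Lambda code before tightening.
    new PolicyStatement({
      resources: [
        ec2Arn('security-group-rule/*'),
        ec2Arn('security-group/*'),
      ],
      actions: [
        'ec2:DeleteSecurityGroup',
        'ec2:AuthorizeSecurityGroupEgress',
        'ec2:AuthorizeSecurityGroupIngress',
        'ec2:RevokeSecurityGroupEgress',
        'ec2:RevokeSecurityGroupIngress',
      ],
    }),
    new PolicyStatement({
      resources: [
        vpc.vpcArn,
        ec2Arn('security-group/*'),
      ],
      actions: [
        'ec2:CreateSecurityGroup',
      ],
    }),
  ];

  if (assetBucket) {
    // s3:GetObject* is evaluated against object ARNs (bucket/key), so the bucket
    // ARN alone authorizes only the bucket-level Get/List actions; the object
    // ARN pattern is required for reads to succeed.
    lambdaPolicy.push(
      new PolicyStatement({
        resources: [assetBucket.bucketArn, assetBucket.arnForObjects('*')],
        actions: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'],
      }),
    );
  }

  // Managed policy attached to both Lambda handlers of the provider.
  const lambdaExecutionRolePolicy = new ManagedPolicy(scope, 'LambdaExecutionRolePolicy', {
    statements: lambdaPolicy,
    description: 'Policy for emr containers CR to create managed endpoint',
  });

  // Both handlers ship in the same bundle; only the exported handler differs.
  const handlerDir = './resources/lambdas/managed-endpoint';
  const depsLockFilePath = path.join(__dirname, `${handlerDir}/package-lock.json`);
  const entryFile = path.join(__dirname, `${handlerDir}/index.mjs`);

  const provider = new DsfProvider(scope, 'InteractiveSessionProvider', {
    providerName: 'emr-containers-interactive-endpoint-provider',
    onEventHandlerDefinition: {
      handler: 'index.onEventHandler',
      depsLockFilePath,
      entryFile,
      managedPolicy: lambdaExecutionRolePolicy,
    },
    isCompleteHandlerDefinition: {
      handler: 'index.isCompleteHandler',
      depsLockFilePath,
      entryFile,
      managedPolicy: lambdaExecutionRolePolicy,
    },
    // `vpc` is a required parameter, so the provider is always VPC-attached.
    vpc,
    subnets: vpc.selectSubnets({ subnetType: SubnetType.PRIVATE_WITH_EGRESS }),
    securityGroups: [lambdaProviderSecurityGroup],
    removalPolicy,
  });

  return provider;
}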