Merge pull request #291 from aws-samples/staging

Update main

Author: bonclay7

PetAdoptions/cdk/pet_stack/buildspec.yml

@@ -41,12 +41,6 @@ export class Services extends Stack {
     constructor(scope: Construct, id: string, props?: StackProps) {
         super(scope, id, props);
 
-        var isEventEngine = 'false';
-        if (this.node.tryGetContext('is_event_engine') != undefined)
-        {
-            isEventEngine = this.node.tryGetContext('is_event_engine');
-        }
-
         const stackName = id;
 
         // Create SQS resource to send Pet adoption messages to
@@ -342,7 +336,8 @@ export class Services extends Stack {
             defaultCapacityInstance: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
             secretsEncryptionKey: secretsKey,
             version: KubernetesVersion.of('1.28'),
-            kubectlLayer: new KubectlLayer(this, 'kubectl') 
+            kubectlLayer: new KubectlLayer(this, 'kubectl'),
+            authenticationMode: eks.AuthenticationMode.API_AND_CONFIG_MAP,
         });
 
         const clusterSG = ec2.SecurityGroup.fromSecurityGroupId(this,'ClusterSG',cluster.clusterSecurityGroupId);
@@ -445,60 +440,16 @@ export class Services extends Stack {
 
         loadBalancerserviceaccount.assumeRolePolicy?.addStatements(loadBalancer_trustRelationship);
 
-        // Fix for EKS Dashboard access
-
-        const dashboardRoleYaml = yaml.loadAll(readFileSync("./resources/dashboard.yaml","utf8")) as Record<string,any>[];
-
-        const dashboardRoleArn = this.node.tryGetContext('dashboard_role_arn');
-        if((dashboardRoleArn != undefined)&&(dashboardRoleArn.length > 0)) {
-            const role = iam.Role.fromRoleArn(this, "DashboardRoleArn",dashboardRoleArn,{mutable:false});
-            cluster.awsAuth.addRoleMapping(role,{groups:["dashboard-view"]});
-        }
-
-        if (isEventEngine === 'true')
-        {
-
-            var c9Env = new Cloud9Environment(this, 'Cloud9Environment', {
-                vpcId: theVPC.vpcId,
-                subnetId: theVPC.publicSubnets[0].subnetId,
-                cloud9OwnerArn: "assumed-role/WSParticipantRole/Participant",
-                templateFile: __dirname + "/../../../../cloud9-cfn.yaml"
-            
-            });
-    
-            var c9role = c9Env.c9Role;
-
-            // Dynamically check if AWSCloud9SSMAccessRole and AWSCloud9SSMInstanceProfile exists
-            const c9SSMRole = new iam.Role(this,'AWSCloud9SSMAccessRole', {
-                path: '/service-role/',
-                roleName: 'AWSCloud9SSMAccessRole',
-                assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal("ec2.amazonaws.com"), new iam.ServicePrincipal("cloud9.amazonaws.com")),
-                managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName("AWSCloud9SSMInstanceProfile"),iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")]
-            });
-
-            const teamRole = iam.Role.fromRoleArn(this,'TeamRole',"arn:aws:iam::" + stack.account +":role/WSParticipantRole");
-            cluster.awsAuth.addRoleMapping(teamRole,{groups:["dashboard-view"]});
-            
-
-            if (c9role!=undefined) {
-                cluster.awsAuth.addMastersRole(iam.Role.fromRoleArn(this, 'c9role', c9role.attrArn, { mutable: false }));
-            }
-
-
-        }
-
         const eksAdminArn = this.node.tryGetContext('admin_role');
         if ((eksAdminArn!=undefined)&&(eksAdminArn.length > 0)) {
-            const role = iam.Role.fromRoleArn(this,"ekdAdminRoleArn",eksAdminArn,{mutable:false});
-            cluster.awsAuth.addMastersRole(role)
+            const adminRole = iam.Role.fromRoleArn(this,"ekdAdminRoleArn",eksAdminArn,{mutable:false});
+            cluster.grantAccess('TeamRoleAccess', adminRole.roleArn, [
+                eks.AccessPolicy.fromAccessPolicyName('AmazonEKSClusterAdminPolicy', {
+                    accessScopeType: eks.AccessScopeType.CLUSTER
+                })
+            ]);  
         }
 
-        const dahshboardManifest = new eks.KubernetesManifest(this,"k8sdashboardrbac",{
-            cluster: cluster,
-            manifest: dashboardRoleYaml
-        });
-
-
         var xRayYaml = yaml.loadAll(readFileSync("./resources/k8s_petsite/xray-daemon-config.yaml","utf8")) as Record<string,any>[];
 
         xRayYaml[0].metadata.annotations["eks.amazonaws.com/role-arn"] = new CfnJson(this, "xray_Role", { value : `${xrayserviceaccount.roleArn}` });

PetAdoptions/cdk/pet_stack/lib/services.ts

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 echo ---------------------------------------------------------------------------------------------
-echo This script destroys the CDK stack
+echo This script destroys the resources created in the workshop
 echo ---------------------------------------------------------------------------------------------
 
 if [ -z "$AWS_REGION" ]; then
@@ -11,7 +11,7 @@ fi
 
 # Disable Contributor Insights
 DDB_CONTRIB=$(aws ssm get-parameter --name '/petstore/dynamodbtablename' | jq .Parameter.Value -r)
-aws dynamodb update-contributor-insights --table-name $DDB_CONTRIB --contributor-insights-action DISABLE  
+aws dynamodb update-contributor-insights --table-name $DDB_CONTRIB --contributor-insights-action DISABLE
 
 echo STARTING SERVICES CLEANUP
 echo -----------------------------
@@ -22,25 +22,28 @@ STACK_NAME_APP=$(aws ssm get-parameter --name '/eks/petsite/stackname' --region
 
 # Set default name in case Parameters are gone (partial deletion)
 if [ -z $STACK_NAME ]; then STACK_NAME="Services"; fi
-if [ -z $STACK_NAME_APP ]; then STACK_NAME_APP="Applications"; fi 
+if [ -z $STACK_NAME_APP ]; then STACK_NAME_APP="Applications"; fi
+if [ -z $STACK_NAME_CODEPIPELINE ]; then STACK_NAME_CODEPIPELINE="Observability-Workshop"; fi
 
 # Fix for CDK teardown issues
 aws eks update-kubeconfig --name PetSite
 kubectl delete -f https://raw.githubusercontent.com/aws-samples/one-observability-demo/main/PetAdoptions/cdk/pet_stack/resources/load_balancer/crds.yaml
 
-#Deleting keycloak 
+#Deleting keycloak
 kubectl delete namespace keycloak --force
 
-# Get rid of all resources (Application first, then cluster or it will fail)
-cdk destroy $STACK_NAME_APP --force
-cdk destroy $STACK_NAME --force
-
 # Sometimes the SqlSeeder doesn't get deleted cleanly. This helps clean up the environment completely including Sqlseeder
 aws cloudformation delete-stack --stack-name $STACK_NAME_APP
+aws cloudformation wait stack-delete-complete --stack-name $STACK_NAME_APP
 aws cloudformation delete-stack --stack-name $STACK_NAME
+aws cloudformation wait stack-delete-complete --stack-name $STACK_NAME
 
 aws cloudwatch delete-dashboards --dashboard-names "EKS_FluentBit_Dashboard"
 
+# delete the code pipeline stack
+aws cloudformation delete-stack --stack-name $STACK_NAME_CODEPIPELINE
+aws cloudformation wait stack-delete-complete --stack-name $STACK_NAME_CODEPIPELINE
+
 echo CDK BOOTSTRAP WAS NOT DELETED
 
 echo ----- ✅ DONE --------

PetAdoptions/cdk/pet_stack/resources/destroy_stack.sh

@@ -1,8 +1,8 @@
 {
   "compilerOptions": {
-    "target":"ES2018",
+    "target":"ES2021",
     "module": "commonjs",
-    "lib": ["es2018"],
+    "lib": ["es2021"],
     "declaration": true,
     "strict": true,
     "noImplicitAny": true,

PetAdoptions/cdk/pet_stack/tsconfig.json

@@ -6,6 +6,17 @@ This repo contains a sample application which is used in the One Observability D
 
 See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.
 
+## Instructions
+
+To deploy this workshop on your own account you need to have an IAM role with elevated priviliges and the `aws-cli` installed. Then, from the root
+of the repository run the following command:
+
+```
+aws cloudformation create-stack --stack-name Observability-Workshop --template-body file://codepipeline-stack.yaml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=UserRoleArn,ParameterValue=$(aws iam get-role --role-name $(aws sts get-caller-identity --query Arn --output text | awk -F/ '{print $(NF-1)}') --query Role.Arn --output text)
+```
+
+You can replace the role specified in the paramter `UserRoleArn` with any other role with access to AWS CloudShell if you need so.
+
 ## License
 
 This library is licensed under the MIT-0 License. See the LICENSE file.

README.md

@@ -16,7 +16,7 @@ phases:
       - npm install
       - if [ -z "$CDK_STACK" ] ; then cdk bootstrap ; else echo "Already bootstrapped" ; fi
       - npm run build
-      - cdk deploy Services --context admin_role=${EE_TEAM_ROLE_ARN} --context is_event_engine="true" --require-approval=never --verbose -O ./out/out.json
+      - cdk deploy Services --context admin_role=${EE_TEAM_ROLE_ARN} --require-approval=never --verbose -O ./out/out.json
       - cdk deploy Applications --require-approval=never --verbose -O ./out/out.json
 artifacts:
   files: "./PetAdoptions/cdk/pet_stack/out/out.json"