Cloud9 to CloudShell migration

Author: rapgaws

PetAdoptions/cdk/pet_stack/lib/services.ts

@@ -342,7 +342,8 @@ export class Services extends Stack {
             defaultCapacityInstance: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
             secretsEncryptionKey: secretsKey,
             version: KubernetesVersion.of('1.28'),
-            kubectlLayer: new KubectlLayer(this, 'kubectl') 
+            kubectlLayer: new KubectlLayer(this, 'kubectl'),
+            authenticationMode: eks.AuthenticationMode.API_AND_CONFIG_MAP,
         });
 
         const clusterSG = ec2.SecurityGroup.fromSecurityGroupId(this,'ClusterSG',cluster.clusterSecurityGroupId);
@@ -445,60 +446,27 @@ export class Services extends Stack {
 
         loadBalancerserviceaccount.assumeRolePolicy?.addStatements(loadBalancer_trustRelationship);
 
-        // Fix for EKS Dashboard access
-
-        const dashboardRoleYaml = yaml.loadAll(readFileSync("./resources/dashboard.yaml","utf8")) as Record<string,any>[];
-
-        const dashboardRoleArn = this.node.tryGetContext('dashboard_role_arn');
-        if((dashboardRoleArn != undefined)&&(dashboardRoleArn.length > 0)) {
-            const role = iam.Role.fromRoleArn(this, "DashboardRoleArn",dashboardRoleArn,{mutable:false});
-            cluster.awsAuth.addRoleMapping(role,{groups:["dashboard-view"]});
-        }
 
         if (isEventEngine === 'true')
         {
-
-            var c9Env = new Cloud9Environment(this, 'Cloud9Environment', {
-                vpcId: theVPC.vpcId,
-                subnetId: theVPC.publicSubnets[0].subnetId,
-                cloud9OwnerArn: "assumed-role/WSParticipantRole/Participant",
-                templateFile: __dirname + "/../../../../cloud9-cfn.yaml"
-            
-            });
-    
-            var c9role = c9Env.c9Role;
-
-            // Dynamically check if AWSCloud9SSMAccessRole and AWSCloud9SSMInstanceProfile exists
-            const c9SSMRole = new iam.Role(this,'AWSCloud9SSMAccessRole', {
-                path: '/service-role/',
-                roleName: 'AWSCloud9SSMAccessRole',
-                assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal("ec2.amazonaws.com"), new iam.ServicePrincipal("cloud9.amazonaws.com")),
-                managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName("AWSCloud9SSMInstanceProfile"),iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")]
-            });
-
             const teamRole = iam.Role.fromRoleArn(this,'TeamRole',"arn:aws:iam::" + stack.account +":role/WSParticipantRole");
-            cluster.awsAuth.addRoleMapping(teamRole,{groups:["dashboard-view"]});
-            
-
-            if (c9role!=undefined) {
-                cluster.awsAuth.addMastersRole(iam.Role.fromRoleArn(this, 'c9role', c9role.attrArn, { mutable: false }));
-            }
-
-
+            cluster.grantAccess('TeamRoleAccess', teamRole.roleArn, [
+                eks.AccessPolicy.fromAccessPolicyName('AmazonEKSClusterAdminPolicy', {
+                    accessScopeType: eks.AccessScopeType.CLUSTER
+                })
+            ]);  
         }
 
         const eksAdminArn = this.node.tryGetContext('admin_role');
         if ((eksAdminArn!=undefined)&&(eksAdminArn.length > 0)) {
-            const role = iam.Role.fromRoleArn(this,"ekdAdminRoleArn",eksAdminArn,{mutable:false});
-            cluster.awsAuth.addMastersRole(role)
+            const adminRole = iam.Role.fromRoleArn(this,"ekdAdminRoleArn",eksAdminArn,{mutable:false});
+            cluster.grantAccess('TeamRoleAccess', adminRole.roleArn, [
+                eks.AccessPolicy.fromAccessPolicyName('AmazonEKSClusterAdminPolicy', {
+                    accessScopeType: eks.AccessScopeType.CLUSTER
+                })
+            ]);  
         }
 
-        const dahshboardManifest = new eks.KubernetesManifest(this,"k8sdashboardrbac",{
-            cluster: cluster,
-            manifest: dashboardRoleYaml
-        });
-
-
         var xRayYaml = yaml.loadAll(readFileSync("./resources/k8s_petsite/xray-daemon-config.yaml","utf8")) as Record<string,any>[];
 
         xRayYaml[0].metadata.annotations["eks.amazonaws.com/role-arn"] = new CfnJson(this, "xray_Role", { value : `${xrayserviceaccount.roleArn}` });

PetAdoptions/cdk/pet_stack/tsconfig.json

@@ -1,8 +1,8 @@
 {
   "compilerOptions": {
-    "target":"ES2018",
+    "target":"ES2021",
     "module": "commonjs",
-    "lib": ["es2018"],
+    "lib": ["es2021"],
     "declaration": true,
     "strict": true,
     "noImplicitAny": true,

README.md

@@ -6,6 +6,17 @@ This repo contains a sample application which is used in the One Observability D
 
 See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.
 
+## Instructions
+
+To deploy this workshop on your own account you need to have an IAM role with elevated priviliges and the `aws-cli` installed. Then, from the root
+of the repository run the following command:
+
+```
+aws cloudformation create-stack --stack-name Observability-Workshop --template-body file://codepipeline-stack.yaml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=UserRoleArn,ParameterValue=$(aws sts get-caller-identity --query Arn --output text)
+```
+
+You can replace the role specified in the paramter `UserRoleArn` with any other role with access to AWS CloudShell if you need so.
+
 ## License
 
 This library is licensed under the MIT-0 License. See the LICENSE file.