Merge branch 'main' into adot-go-update

bonclay7 · web-flow · commit f6fdbcefcec4 · 2025-03-05T17:32:20.000+01:00
diff --git a/PetAdoptions/cdk/pet_stack/lib/services.ts b/PetAdoptions/cdk/pet_stack/lib/services.ts
@@ -513,6 +513,53 @@ export class Services extends Stack {
             serviceAccountRoleArn: cwserviceaccount.roleArn,
         });
 
+        // IAM Role for Network Flow Monitor
+        const networkFlowMonitorRole = new iam.CfnRole(this, 'NetworkFlowMonitorRole', {
+            roleName: 'network-flow-monitor-demo-role',
+            assumeRolePolicyDocument: {
+              Version: '2012-10-17',
+              Statement: [
+                {
+                  Effect: 'Allow',
+                  Principal: {
+                    Service: 'pods.eks.amazonaws.com',
+                  },
+                  Action: [
+                    'sts:AssumeRole',
+                    'sts:TagSession',
+                  ],
+                },
+              ],
+            },
+            managedPolicyArns: [
+              'arn:aws:iam::aws:policy/CloudWatchNetworkFlowMonitorAgentPublishPolicy',
+            ],
+          });
+
+        // Amazon EKS Pod Identity Agent Addon for Network Flow Monitor
+        const podIdentityAgentAddon = new eks.CfnAddon(this, 'PodIdentityAgentAddon', {
+            addonName: 'eks-pod-identity-agent',
+            addonVersion: 'v1.3.4-eksbuild.1',
+            clusterName: cluster.clusterName,
+            resolveConflicts: 'OVERWRITE',
+            preserveOnDelete: false,
+          });
+
+        // Amazon EKS AWS Network Flow Monitor Agent add-on
+        const networkFlowMonitoringAgentAddon = new eks.CfnAddon(this, 'NetworkFlowMonitoringAgentAddon', {
+            addonName: 'aws-network-flow-monitoring-agent',
+            addonVersion: 'v1.0.1-eksbuild.2',
+            clusterName: cluster.clusterName,
+            resolveConflicts: 'OVERWRITE',
+            preserveOnDelete: false,
+            podIdentityAssociations: [
+              {
+                roleArn: networkFlowMonitorRole.attrArn,
+                serviceAccount: 'aws-network-flow-monitor-agent-service-account',
+              },
+            ],
+          });
+
         const customWidgetResourceControllerPolicy = new iam.PolicyStatement({
             effect: iam.Effect.ALLOW,
             actions: [
@@ -606,6 +653,7 @@ export class Services extends Stack {
 
         this.createOuputs(new Map(Object.entries({
             'CWServiceAccountArn': cwserviceaccount.roleArn,
+            'NetworkFlowMonitorServiceAccountArn': networkFlowMonitorRole.attrArn,
             'XRayServiceAccountArn': xrayserviceaccount.roleArn,
             'OIDCProviderUrl': cluster.clusterOpenIdConnectIssuerUrl,
             'OIDCProviderArn': cluster.openIdConnectProvider.openIdConnectProviderArn,
diff --git a/PetAdoptions/cdk/pet_stack/resources/destroy_stack.sh b/PetAdoptions/cdk/pet_stack/resources/destroy_stack.sh
@@ -13,6 +13,14 @@ fi
 DDB_CONTRIB=$(aws ssm get-parameter --name '/petstore/dynamodbtablename' | jq .Parameter.Value -r)
 aws dynamodb update-contributor-insights --table-name $DDB_CONTRIB --contributor-insights-action DISABLE
 
+# Delete Network Flow Monitor
+if aws networkflowmonitor get-monitor --monitor-name network-flow-monitor-demo >/dev/null 2>&1; then
+    echo "Deleting network flow monitor..."
+    aws networkflowmonitor delete-monitor --monitor-name network-flow-monitor-demo
+else
+    echo "Network flow monitor not found, skipping delete."
+fi
+
 echo STARTING SERVICES CLEANUP
 echo -----------------------------
 
@@ -46,4 +54,4 @@ aws cloudformation wait stack-delete-complete --stack-name $STACK_NAME_CODEPIPEL
 
 echo CDK BOOTSTRAP WAS NOT DELETED
 
-echo ----- ✅ DONE --------
+echo ----- ✅ DONE --------
