
Commit 97af46e

author
Yuriy Bezsonov
committed
Infra test
1 parent cb9b99f commit 97af46e

7 files changed

Lines changed: 220 additions & 98 deletions


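--- a/infra/cdk/src/main/java/sample/com/constructs/Eks.java
+++ b/infra/cdk/src/main/java/sample/com/constructs/Eks.java
@@ -12,6 +12,12 @@
 import software.amazon.awscdk.services.eks.v2.alpha.AccessPolicyNameOptions;
 import software.amazon.awscdk.services.eks.v2.alpha.AccessScopeType;
 import software.amazon.awscdk.services.eks.v2.alpha.Addon;
+import software.amazon.awscdk.services.iam.Effect;
+import software.amazon.awscdk.services.iam.ManagedPolicy;
+import software.amazon.awscdk.services.iam.PolicyStatement;
+import software.amazon.awscdk.services.iam.Role;
+import software.amazon.awscdk.services.iam.ServicePrincipal;
+import software.amazon.awscdk.CfnOutput;
 
 import java.util.List;
 
@@ -20,6 +26,7 @@
 public class Eks extends Construct {
 
 private final Cluster cluster;
+private final Role cloudwatchAgentRole;
 
 public Eks(final Construct scope, final String id, final EksProps props) {
 super(scope, id);
@@ -39,13 +46,53 @@ public Eks(final Construct scope, final String id, final EksProps props) {
 
 cluster = clusterBuilder.build();
 
+// Create CloudWatch Agent Pod Identity role
+cloudwatchAgentRole = createCloudWatchAgentRole(prefix);
+
 // Add EKS add-ons
 createAddons();
 
 // Create Access Entries for workshop access
 createAccessEntries(props);
 }
 
+/**
+ * Creates EKS Pod Identity role for CloudWatch Observability add-on.
+ * This role is used by the cloudwatch-agent service account to collect
+ * metrics, logs, and traces from the cluster.
+ */
+private Role createCloudWatchAgentRole(String prefix) {
+ServicePrincipal eksPods = ServicePrincipal.Builder.create("pods.eks.amazonaws.com").build();
+
+Role role = Role.Builder.create(this, "CloudWatchAgentRole")
+.roleName(prefix + "-eks-cloudwatch-agent-role")
+.assumedBy(eksPods)
+.description("EKS Pod Identity role for CloudWatch Observability add-on")
+.managedPolicies(List.of(
+ManagedPolicy.fromAwsManagedPolicyName("CloudWatchAgentServerPolicy"),
+ManagedPolicy.fromAwsManagedPolicyName("AWSXrayWriteOnlyAccess")
+))
+.build();
+
+// Add sts:TagSession for Pod Identity
+role.getAssumeRolePolicy().addStatements(
+PolicyStatement.Builder.create()
+.effect(Effect.ALLOW)
+.principals(List.of(eksPods))
+.actions(List.of("sts:TagSession"))
+.build()
+);
+
+// Export role ARN for workshop content
+CfnOutput.Builder.create(this, "CloudWatchAgentRoleArn")
+.value(role.getRoleArn())
+.description("CloudWatch Agent Pod Identity Role ARN")
+.exportName(prefix + "-eks-cloudwatch-agent-role-arn")
+.build();
+
+return role;
+}
+
 private void createAddons() {
 // AWS Secrets Store CSI Driver
 Addon.Builder.create(this, "SecretsStoreDriver")
@@ -100,6 +147,10 @@ public String getClusterEndpoint() {
 return cluster.getClusterEndpoint();
 }
 
+public Role getCloudWatchAgentRole() {
+return cloudwatchAgentRole;
+}
+
 // Props class
 public static class EksProps {
 private final String prefix;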
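Review bot: The Javadoc on createCloudWatchAgentRole states the role's purpose but documents neither its input nor its result, and the new getCloudWatchAgentRole() accessor has no Javadoc at all; add `@param prefix naming prefix applied to the role name and to the exported ARN` and `@return the Pod Identity role to be associated with the cloudwatch-agent service account`, and a one-line summary on the getter. The trust policy assembled here (assumedBy pods.eks.amazonaws.com plus the added sts:TagSession statement) carries no condition keys, so any principal allowed to pass this role can bind it to a service account in any cluster of the account; whether EKS Pod Identity honours a narrowing condition on the trust policy should be confirmed against the service documentation before adding one. Because both `roleName` and `exportName` are fixed strings derived from prefix, a second deployment of this stack in the same account and region will fail on the name and export collisions — a comment on the `.roleName(...)` line stating that one-stack-per-account constraint is intentional would save the next maintainer a failed deploy.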

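--- a/infra/cdk/src/main/resources/iam-policy.json
+++ b/infra/cdk/src/main/resources/iam-policy.json
@@ -64,7 +64,8 @@
 "Resource": [
 "arn:aws:iam::{{.AccountId}}:role/unicorn*",
 "arn:aws:iam::{{.AccountId}}:role/service-role/unicorn*",
-"arn:aws:iam::{{.AccountId}}:role/ai-jvm-analyzer*"
+"arn:aws:iam::{{.AccountId}}:role/ai-jvm-analyzer*",
+"arn:aws:iam::{{.AccountId}}:role/workshop-*"
 ]
 },
 {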
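Review bot: The new PassRole resource `"arn:aws:iam::{{.AccountId}}:role/workshop-*"` permits iam:PassRole on every role whose name begins with workshop-, not only the CloudWatch agent role this commit introduces, so any role later created under that prefix — including one with broader permissions — becomes passable by holders of this policy. If the only role that must be passed is the Pod Identity role, name it exactly: `"arn:aws:iam::{{.AccountId}}:role/workshop-eks-cloudwatch-agent-role"`. The same wildcard is added in this commit to infra/cfn/java-ai-agents-stack.yaml and infra/cfn/java-on-amazon-eks-stack.yaml, which should follow whatever scoping is chosen here.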

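--- a/infra/cfn/base-stack.yaml
+++ b/infra/cfn/base-stack.yaml
@@ -676,6 +676,16 @@ Resources:
 Fn::GetAtt:
 - IdeInstanceLauncherFunction803C5A2A
 - Arn
+SecurityGroupIds:
+Fn::Join:
+- ""
+- - Fn::GetAtt:
+- IdeSecurityGroup73B02454
+- GroupId
+- ","
+- Fn::GetAtt:
+- IdeInternalSecurityGroupB0A5D76B
+- GroupId
 ImageId:
 Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
 UserData:
@@ -827,16 +837,6 @@ Resources:
 - - Ref: VpcPublicSubnet1Subnet8E8DEDC0
 - ","
 - Ref: VpcPublicSubnet2SubnetA811849C
-SecurityGroupIds:
-Fn::Join:
-- ""
-- - Fn::GetAtt:
-- IdeSecurityGroup73B02454
-- GroupId
-- ","
-- Fn::GetAtt:
-- IdeInternalSecurityGroupB0A5D76B
-- GroupId
 UpdateReplacePolicy: Delete
 DeletionPolicy: Delete
 IdeEipAssociationDFF81215: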

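--- a/infra/cfn/java-ai-agents-stack.yaml
+++ b/infra/cfn/java-ai-agents-stack.yaml
@@ -391,6 +391,7 @@ Resources:
 - !Sub arn:aws:iam::${AWS::AccountId}:role/ai-jvm-analyzer*
 - !Sub arn:aws:iam::${AWS::AccountId}:role/service-role/unicorn*
 - !Sub arn:aws:iam::${AWS::AccountId}:role/unicorn*
+- !Sub arn:aws:iam::${AWS::AccountId}:role/workshop-*
 Sid: PassRole
 - Action: ec2:RunInstances
 Condition:
@@ -760,7 +761,25 @@ Resources:
 Fn::GetAtt:
 - IdeInstanceLauncherFunction803C5A2A
 - Arn
-InstanceTypes: m6a.xlarge,m7a.xlarge
+VolumeSize: "50"
+SubnetIds:
+Fn::Join:
+- ""
+- - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+- ","
+- Ref: VpcPublicSubnet2SubnetA811849C
+SecurityGroupIds:
+Fn::Join:
+- ""
+- - Fn::GetAtt:
+- IdeSecurityGroup73B02454
+- GroupId
+- ","
+- Fn::GetAtt:
+- IdeInternalSecurityGroupB0A5D76B
+- GroupId
+ImageId:
+Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
 UserData:
 Fn::Base64:
 Fn::Join:
@@ -897,30 +916,12 @@ Resources:
 "
 exit 1
 fi
-ImageId:
-Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
-SecurityGroupIds:
-Fn::Join:
-- ""
-- - Fn::GetAtt:
-- IdeSecurityGroup73B02454
-- GroupId
-- ","
-- Fn::GetAtt:
-- IdeInternalSecurityGroupB0A5D76B
-- GroupId
-SubnetIds:
-Fn::Join:
-- ""
-- - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-- ","
-- Ref: VpcPublicSubnet2SubnetA811849C
-VolumeSize: "50"
+InstanceTypes: m6a.xlarge,m7a.xlarge
+InstanceName: ide
 IamInstanceProfileArn:
 Fn::GetAtt:
 - IdeInstanceProfile61B92038
 - Arn
-InstanceName: ide
 UpdateReplacePolicy: Delete
 DeletionPolicy: Delete
 IdeEipAssociationDFF81215: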

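--- a/infra/cfn/java-on-amazon-eks-stack.yaml
+++ b/infra/cfn/java-on-amazon-eks-stack.yaml
@@ -411,6 +411,7 @@ Resources:
 - !Sub arn:aws:iam::${AWS::AccountId}:role/ai-jvm-analyzer*
 - !Sub arn:aws:iam::${AWS::AccountId}:role/service-role/unicorn*
 - !Sub arn:aws:iam::${AWS::AccountId}:role/unicorn*
+- !Sub arn:aws:iam::${AWS::AccountId}:role/workshop-*
 Sid: PassRole
 - Action: ec2:RunInstances
 Condition:
@@ -780,6 +781,27 @@ Resources:
 Fn::GetAtt:
 - IdeInstanceLauncherFunction803C5A2A
 - Arn
+SecurityGroupIds:
+Fn::Join:
+- ""
+- - Fn::GetAtt:
+- IdeSecurityGroup73B02454
+- GroupId
+- ","
+- Fn::GetAtt:
+- IdeInternalSecurityGroupB0A5D76B
+- GroupId
+SubnetIds:
+Fn::Join:
+- ""
+- - Ref: VpcPublicSubnet1Subnet8E8DEDC0
+- ","
+- Ref: VpcPublicSubnet2SubnetA811849C
+VolumeSize: "50"
+IamInstanceProfileArn:
+Fn::GetAtt:
+- IdeInstanceProfile61B92038
+- Arn
 InstanceName: ide
 InstanceTypes: m6a.xlarge,m7a.xlarge
 UserData:
@@ -920,27 +942,6 @@ Resources:
 fi
 ImageId:
 Ref: SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter
-SecurityGroupIds:
-Fn::Join:
-- ""
-- - Fn::GetAtt:
-- IdeSecurityGroup73B02454
-- GroupId
-- ","
-- Fn::GetAtt:
-- IdeInternalSecurityGroupB0A5D76B
-- GroupId
-SubnetIds:
-Fn::Join:
-- ""
-- - Ref: VpcPublicSubnet1Subnet8E8DEDC0
-- ","
-- Ref: VpcPublicSubnet2SubnetA811849C
-VolumeSize: "50"
-IamInstanceProfileArn:
-Fn::GetAtt:
-- IdeInstanceProfile61B92038
-- Arn
 UpdateReplacePolicy: Delete
 DeletionPolicy: Delete
 IdeEipAssociationDFF81215:
@@ -1319,12 +1320,12 @@ Resources:
 Environment:
 ComputeType: BUILD_GENERAL1_MEDIUM
 EnvironmentVariables:
-- Name: GIT_BRANCH
-Type: PLAINTEXT
-Value: new-ws-infra
 - Name: TEMPLATE_TYPE
 Type: PLAINTEXT
 Value: java-on-amazon-eks
+- Name: GIT_BRANCH
+Type: PLAINTEXT
+Value: new-ws-infra
 Image: aws/codebuild/amazonlinux2-x86_64-standard:5.0
 ImagePullCredentialsType: CODEBUILD
 PrivilegedMode: false
@@ -1529,12 +1530,12 @@ Resources:
 Description: workshop-setup build complete
 EventPattern:
 detail:
+project-name:
+- Ref: CodeBuildProjectA0FF5539
 build-status:
 - SUCCEEDED
 - FAILED
 - STOPPED
-project-name:
-- Ref: CodeBuildProjectA0FF5539
 detail-type:
 - CodeBuild Build State Change
 source:
@@ -1566,13 +1567,13 @@ Resources:
 Fn::GetAtt:
 - CodeBuildStartLambdaFunction8349284F
 - Arn
-ContentHash: "1766939994295"
 CodeBuildIamRoleArn:
 Fn::GetAtt:
 - CodeBuildRoleE9A44575
 - Arn
 ProjectName:
 Ref: CodeBuildProjectA0FF5539
+ContentHash: "1767018258469"
 DependsOn:
 - CodeBuildCompleteRuleAllowEventRuleWorkshopStackCodeBuildReportLambdaFunctionD77C60919E0B0C89
 - CodeBuildCompleteRuleEE9277E8
@@ -1837,6 +1838,31 @@ Resources:
 - ThreadAnalysisSecurityGroup28B00BCE
 - GroupId
 ToPort: 443
+EksCloudWatchAgentRole1979BC79:
+Type: AWS::IAM::Role
+Properties:
+AssumeRolePolicyDocument:
+Statement:
+- Action:
+- sts:AssumeRole
+- sts:TagSession
+Effect: Allow
+Principal:
+Service: pods.eks.amazonaws.com
+Version: "2012-10-17"
+Description: EKS Pod Identity role for CloudWatch Observability add-on
+ManagedPolicyArns:
+- Fn::Join:
+- ""
+- - "arn:"
+- Ref: AWS::Partition
+- :iam::aws:policy/CloudWatchAgentServerPolicy
+- Fn::Join:
+- ""
+- - "arn:"
+- Ref: AWS::Partition
+- :iam::aws:policy/AWSXrayWriteOnlyAccess
+RoleName: workshop-eks-cloudwatch-agent-role
 EksSecretsStoreDriverA84665C0:
 Type: AWS::EKS::Addon
 Properties:
@@ -1884,7 +1910,7 @@ Resources:
 - Ref: AWS::AccountId
 - "-"
 - Ref: AWS::Region
-- "-20251228173954"
+- "-20251229152418"
 PublicAccessBlockConfiguration:
 BlockPublicAcls: true
 BlockPublicPolicy: true
@@ -3021,6 +3047,14 @@ Outputs:
 - password
 Export:
 Name: ide-password
+EksCloudWatchAgentRoleArn304F2D87:
+Description: CloudWatch Agent Pod Identity Role ARN
+Value:
+Fn::GetAtt:
+- EksCloudWatchAgentRole1979BC79
+- Arn
+Export:
+Name: workshop-eks-cloudwatch-agent-role-arn
 Parameters:
 SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61x8664C96584B6F00A464EAD1953AFF4B05118Parameter:
 Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>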
