Merge pull request #246 from aws-samples/staging

Merging changes from Staging to main

PetAdoptions/cdk/pet_stack/lib/modules/core/cloud9.ts

@@ -0,0 +1,39 @@
+import { Construct } from "constructs";
+import * as cloudformation_include from "aws-cdk-lib/cloudformation-include";
+import { CfnRole } from "aws-cdk-lib/aws-iam";
+
+export interface Cloud9EnvironmentProps {
+    name?: string;
+    vpcId: string;
+    subnetId: string;
+    templateFile: string;
+    cloud9OwnerArn?: string;
+}
+
+export class Cloud9Environment extends Construct {
+    public readonly c9Role: CfnRole;
+    constructor(scope: Construct, id: string, props: Cloud9EnvironmentProps) {
+        super(scope, id);
+
+        const template = new  cloudformation_include.CfnInclude(this, 'Cloud9Template', {
+            templateFile: props.templateFile,
+            parameters: {
+                'CreateVPC': false,
+                'Cloud9VPC': props.vpcId,
+                'Cloud9Subnet': props.subnetId
+            },
+            preserveLogicalIds: false
+        });
+
+        if (props.name) {
+            template.getParameter("EnvironmentName").default = props.name;
+        }
+
+        if (props.cloud9OwnerArn) {
+            template.getParameter("Cloud9OwnerRole").default = props.cloud9OwnerArn.valueOf();
+        }
+
+        this.c9Role = template.getResource("C9Role") as CfnRole;
+
+    }
+}

PetAdoptions/cdk/pet_stack/lib/services.ts

@@ -9,6 +9,7 @@ import * as s3 from 'aws-cdk-lib/aws-s3'
 import * as s3seeder from 'aws-cdk-lib/aws-s3-deployment'
 import * as rds from 'aws-cdk-lib/aws-rds';
 import * as ssm from 'aws-cdk-lib/aws-ssm';
+import * as kms from 'aws-cdk-lib/aws-kms';
 import * as eks from 'aws-cdk-lib/aws-eks';
 import * as yaml from 'js-yaml';
 import * as path from 'path';
@@ -31,6 +32,8 @@ import { CfnJson, RemovalPolicy, Fn, Duration, Stack, StackProps, CfnOutput } fr
 import { readFileSync } from 'fs';
 import 'ts-replace-all'
 import { TreatMissingData, ComparisonOperator } from 'aws-cdk-lib/aws-cloudwatch';
+import { KubectlLayer } from 'aws-cdk-lib/lambda-layer-kubectl';
+import { Cloud9Environment } from './modules/core/cloud9';
 
 export class Services extends Stack {
     constructor(scope: Construct, id: string, props?: StackProps) {
@@ -109,7 +112,8 @@ export class Services extends Stack {
         }
         // The VPC where all the microservices will be deployed into
         const theVPC = new ec2.Vpc(this, 'Microservices', {
-            cidr: cidrRange,
+            ipAddresses: ec2.IpAddresses.cidr(cidrRange),
+            // cidr: cidrRange,
             natGateways: 1,
             maxAzs: 2
         });
@@ -327,13 +331,16 @@ export class Services extends Stack {
             parameterName: '/eks/petsite/EKSMasterRoleArn'
           })
 
+        const secretsKey = new kms.Key(this, 'SecretsKey');
         const cluster = new eks.Cluster(this, 'petsite', {
             clusterName: 'PetSite',
             mastersRole: clusterAdmin,
             vpc: theVPC,
             defaultCapacity: 2,
             defaultCapacityInstance: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MEDIUM),
-            version: KubernetesVersion.V1_23
+            secretsEncryptionKey: secretsKey,
+            version: KubernetesVersion.of('1.27'),
+            kubectlLayer: new KubectlLayer(this, 'kubectl') 
         });
 
         const clusterSG = ec2.SecurityGroup.fromSecurityGroupId(this,'ClusterSG',cluster.clusterSecurityGroupId);
@@ -448,9 +455,16 @@ export class Services extends Stack {
 
         if (isEventEngine === 'true')
         {
-            var c9role = undefined
-            var c9InstanceProfile = undefined
-            var c9env = undefined
+
+            var c9Env = new Cloud9Environment(this, 'Cloud9Environment', {
+                vpcId: theVPC.vpcId,
+                subnetId: theVPC.publicSubnets[0].subnetId,
+                cloud9OwnerArn: "assumed-role/WSParticipantRole/Participant",
+                templateFile: __dirname + "/../../../../cloud9-cfn.yaml"
+
+            });
+
+            var c9role = c9Env.c9Role;
 
             // Dynamically check if AWSCloud9SSMAccessRole and AWSCloud9SSMInstanceProfile exists
             const c9SSMRole = new iam.Role(this,'AWSCloud9SSMAccessRole', {
@@ -460,51 +474,15 @@ export class Services extends Stack {
                 managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName("AWSCloud9SSMInstanceProfile"),iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")]
             });
 
-            const c9SSMRoleNoPath = iam.Role.fromRoleArn(this,'c9SSMRoleNoPath', "arn:aws:iam::" + stack.account + ":role/AWSCloud9SSMAccessRole")
-            cluster.awsAuth.addMastersRole(c9SSMRoleNoPath);
-
-            new iam.CfnInstanceProfile(this, 'AWSCloud9SSMInstanceProfile', {
-                path: '/cloud9/',
-                roles: [c9SSMRole.roleName],
-                instanceProfileName: 'AWSCloud9SSMInstanceProfile'
-            });
-
-            c9env = new cloud9.CfnEnvironmentEC2(this,"CloudEnv",{
-                ownerArn: "arn:aws:iam::" + stack.account +":assumed-role/WSParticipantRole/Participant",
-                instanceType: "t2.micro",
-                name: "observabilityworkshop",
-                subnetId: theVPC.privateSubnets[0].subnetId,
-                connectionType: 'CONNECT_SSM',
-                repositories: [
-                    {
-                        repositoryUrl: "https://github.com/aws-samples/one-observability-demo.git",
-                        pathComponent: "workshopfiles/one-observability-demo"
-                    }
-                ]
-            });
-
-            c9role = new iam.Role(this,'cloud9InstanceRole', {
-                assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
-                managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess"), iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore")],
-                roleName: "observabilityworkshop-admin"
-            });
-
-            c9InstanceProfile = new iam.CfnInstanceProfile(this,'cloud9InstanceProfile', {
-                roles: [c9role.roleName],
-                instanceProfileName: "observabilityworkshop-profile"
-            })
-
-            const teamRole = iam.Role.fromRoleArn(this,'TeamRole',"arn:aws:iam::" + stack.account +":role/TeamRole");
+            const teamRole = iam.Role.fromRoleArn(this,'TeamRole',"arn:aws:iam::" + stack.account +":role/WSParticipantRole");
             cluster.awsAuth.addRoleMapping(teamRole,{groups:["dashboard-view"]});
+
 
+            if (c9role!=undefined) {
+                cluster.awsAuth.addMastersRole(iam.Role.fromRoleArn(this, 'c9role', c9role.attrArn, { mutable: false }));
+            }
 
 
-            if (c9role!=undefined)
-                cluster.awsAuth.addMastersRole(c9role)
-
-            if (c9env!=undefined)
-                cluster.node.addDependency(c9env)
-
         }
 
         const eksAdminArn = this.node.tryGetContext('admin_role');

PetAdoptions/cdk/pet_stack/lib/services/stepfn.ts

@@ -59,7 +59,7 @@ export class PetAdoptionsStepFn extends Construct {
 
 
     this.stepFn = new sfn.StateMachine(this, 'StateMachine', {
-      definition,
+      definitionBody: sfn.DefinitionBody.fromChainable(definition),
       tracingEnabled: true,
       timeout: Duration.minutes(5)
     });

PetAdoptions/cdk/pet_stack/package.json

@@ -13,22 +13,22 @@
   },
   "devDependencies": {
     "@aws-cdk/assert": "2.68.0",
-    "@types/jest": "^29.5.2",
-    "@types/node": "^20.2.5",
-    "aws-cdk": "2.82.0",
-    "constructs": "^10.2.43",
-    "ts-jest": "^29.1.0",
+    "@types/jest": "^29.5.4",
+    "@types/node": "^20.5.7",
+    "aws-cdk": "2.93.0",
+    "constructs": "^10.2.69",
+    "ts-jest": "^29.1.1",
     "ts-node": "^10.9.1",
     "ts-replace-all": "1.0.0",
-    "typescript": "^5.1.3",
-    "cdk-nag": "^2.27.28"
+    "typescript": "^5.2.2",
+    "cdk-nag": "^2.27.114"
   },
   "dependencies": {
-    "@aws-cdk/aws-lambda-python-alpha": "^2.82.0-alpha.0",
+    "@aws-cdk/aws-lambda-python-alpha": "^2.93.0-alpha.0",
     "@types/js-yaml": "4.0.5",
-    "aws-cdk-lib": "^2.82.0",
-    "cdk-ecr-deployment": "^2.5.6",
-    "jest": "^29.5.0",
+    "aws-cdk-lib": "^2.93.0",
+    "cdk-ecr-deployment": "^2.5.30",
+    "jest": "^29.6.4",
     "js-yaml": "^4.1.0",
     "source-map-support": "^0.5.21"
   }

PetAdoptions/cdk/pet_stack/resources/destroy_stack.sh

@@ -28,6 +28,9 @@ if [ -z $STACK_NAME_APP ]; then STACK_NAME_APP="Applications"; fi
 aws eks update-kubeconfig --name PetSite
 kubectl delete -f https://raw.githubusercontent.com/aws-samples/one-observability-demo/main/PetAdoptions/cdk/pet_stack/resources/load_balancer/crds.yaml
 
+#Deleting keycloak 
+kubectl delete namespace keycloak --force
+
 # Get rid of all resources (Application first, then cluster or it will fail)
 cdk destroy $STACK_NAME_APP --force
 cdk destroy $STACK_NAME --force

PetAdoptions/cdk/pet_stack/resources/setup-ssm-agent.yaml

@@ -34,22 +34,6 @@ subjects:
   name: ssm-agent-installer 
   namespace: node-configuration-daemonset
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: ssm-agent-installer
-spec:
-  privileged: true
-  hostPID: true 
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
----
 apiVersion: v1
 kind: ConfigMap
 metadata: