policydoc outside
iamprakkie committed Sep 28, 2023
1 parent f5a7818 commit 7dded6b
Showing 2 changed files with 85 additions and 85 deletions.
Expand Up @@ -19,9 +19,9 @@ interface Statement {
export interface CreateIAMRoleNestedStackProps extends NestedStackProps {
roleName: string,
trustArn: string,
actions: string[],
resources: string[],
// statement: Statement[],
// actions: string[],
// resources: string[],
policyDocument: Statement[],
}

// Stack that creates IAM role with trust relationship to other account
Expand All @@ -45,16 +45,16 @@ export class CreateIAMRoleNestedStack extends NestedStack {
description: 'IAM Role created as part of CDK Observability Accelerator',
});

// props.statement.forEach((statement) => {
// role.addToPolicy(iam.PolicyStatement.fromJson(statement));
// });
props.policyDocument.forEach((statement) => {
console.log(statement);
role.addToPolicy(iam.PolicyStatement.fromJson(statement));
});

// role.addToPolicy(iam.PolicyStatement.fromJson(props.statement));

role.addToPolicy(new iam.PolicyStatement({
actions: props.actions,
resources: props.resources,
}));
// role.addToPolicy(new iam.PolicyStatement({
// actions: props.actions,
// resources: props.resources,
// }));

new cdk.CfnOutput(this, `COAIAMRole-${props.roleName}`, { value: role ? role.roleArn : "none" });
}
148 changes: 74 additions & 74 deletions lib/multi-acc-new-eks-mixed-observability-pattern/pipeline.ts
Expand Up @@ -100,91 +100,91 @@ export class PipelineMultiEnvMonitoring {

// Props for cross-account trust role in PROD1 account to trust AMG from MON account, inorder to access PROD1's AMP.
ampAssumeRoleName = "AMPAccessForTrustedAMGRole";
// const AMPAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
// roleName: ampAssumeRoleName!,
// trustArn: amgWorkspaceIAMRoleARN!,
// statement: getAMPAccessPolicyDocument()
// };
const AMPAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
roleName: ampAssumeRoleName!,
trustArn: amgWorkspaceIAMRoleARN!,
actions: [
"aps:ListWorkspaces",
"aps:DescribeWorkspace",
"aps:QueryMetrics",
"aps:GetLabels",
"aps:GetSeries",
"aps:GetMetricMetadata",
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
"xray:GetSamplingRules",
"xray:GetSamplingTargets",
"xray:GetSamplingStatisticSummaries",
"xray:BatchGetTraces",
"xray:GetServiceGraph",
"xray:GetTraceGraph",
"xray:GetTraceSummaries",
"xray:GetGroups",
"xray:GetGroup",
"xray:ListTagsForResource",
"xray:GetTimeSeriesServiceStatistics",
"xray:GetInsightSummaries",
"xray:GetInsight",
"xray:GetInsightEvents",
"xray:GetInsightImpactGraph",
"ssm:GetParameter"
],
resources: ["*"]
policyDocument: getAMPAccessPolicyDocument()
};
// const AMPAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
// roleName: ampAssumeRoleName!,
// trustArn: amgWorkspaceIAMRoleARN!,
// actions: [
// "aps:ListWorkspaces",
// "aps:DescribeWorkspace",
// "aps:QueryMetrics",
// "aps:GetLabels",
// "aps:GetSeries",
// "aps:GetMetricMetadata",
// "xray:PutTraceSegments",
// "xray:PutTelemetryRecords",
// "xray:GetSamplingRules",
// "xray:GetSamplingTargets",
// "xray:GetSamplingStatisticSummaries",
// "xray:BatchGetTraces",
// "xray:GetServiceGraph",
// "xray:GetTraceGraph",
// "xray:GetTraceSummaries",
// "xray:GetGroups",
// "xray:GetGroup",
// "xray:ListTagsForResource",
// "xray:GetTimeSeriesServiceStatistics",
// "xray:GetInsightSummaries",
// "xray:GetInsight",
// "xray:GetInsightEvents",
// "xray:GetInsightImpactGraph",
// "ssm:GetParameter"
// ],
// resources: ["*"]
// };

// Props for cross-account trust role in PROD2 account to trust AMG from MON account, inorder to access PROD2's CloudWatch data
cwAssumeRoleName = "CWAccessForTrustedAMGRole";
// const CWAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
// roleName: cwAssumeRoleName,
// trustArn: amgWorkspaceIAMRoleARN!,
// statement: getCWAccessPolicyDocument()
// };
const CWAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
roleName: cwAssumeRoleName,
trustArn: amgWorkspaceIAMRoleARN!,
actions: [
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"logs:DescribeLogGroups",
"logs:GetLogGroupFields",
"logs:StartQuery",
"logs:StopQuery",
"logs:GetQueryResults",
"logs:GetLogEvents",
"ec2:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"tag:GetResources",
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
"xray:GetSamplingRules",
"xray:GetSamplingTargets",
"xray:GetSamplingStatisticSummaries",
"xray:BatchGetTraces",
"xray:GetServiceGraph",
"xray:GetTraceGraph",
"xray:GetTraceSummaries",
"xray:GetGroups",
"xray:GetGroup",
"xray:ListTagsForResource",
"xray:GetTimeSeriesServiceStatistics",
"xray:GetInsightSummaries",
"xray:GetInsight",
"xray:GetInsightEvents",
"xray:GetInsightImpactGraph",
"ssm:GetParameter"
],
resources: ["*"]
policyDocument: getCWAccessPolicyDocument()
};
// const CWAccessRoleStackProps: CreateIAMRoleNestedStackProps = {
// roleName: cwAssumeRoleName,
// trustArn: amgWorkspaceIAMRoleARN!,
// actions: [
// "cloudwatch:DescribeAlarmsForMetric",
// "cloudwatch:DescribeAlarmHistory",
// "cloudwatch:DescribeAlarms",
// "cloudwatch:ListMetrics",
// "cloudwatch:GetMetricStatistics",
// "cloudwatch:GetMetricData",
// "logs:DescribeLogGroups",
// "logs:GetLogGroupFields",
// "logs:StartQuery",
// "logs:StopQuery",
// "logs:GetQueryResults",
// "logs:GetLogEvents",
// "ec2:DescribeTags",
// "ec2:DescribeInstances",
// "ec2:DescribeRegions",
// "tag:GetResources",
// "xray:PutTraceSegments",
// "xray:PutTelemetryRecords",
// "xray:GetSamplingRules",
// "xray:GetSamplingTargets",
// "xray:GetSamplingStatisticSummaries",
// "xray:BatchGetTraces",
// "xray:GetServiceGraph",
// "xray:GetTraceGraph",
// "xray:GetTraceSummaries",
// "xray:GetGroups",
// "xray:GetGroup",
// "xray:ListTagsForResource",
// "xray:GetTimeSeriesServiceStatistics",
// "xray:GetInsightSummaries",
// "xray:GetInsight",
// "xray:GetInsightEvents",
// "xray:GetInsightImpactGraph",
// "ssm:GetParameter"
// ],
// resources: ["*"]
// };

// creating constructs
const ampConstruct = new AmpMonitoringConstruct();
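Review bot: Both new props objects, AMPAccessRoleStackProps and CWAccessRoleStackProps, still take the trust principal from `amgWorkspaceIAMRoleARN!`, so an unset value is hidden by the non-null assertion instead of failing synth; the variable's declaration is outside this hunk, so whether it can actually be undefined is inferred. A guard ahead of the first props object is clearer, e.g. `if (!amgWorkspaceIAMRoleARN) throw new Error('amgWorkspaceIAMRoleARN is required for the cross-account trust policy');` followed by `trustArn: amgWorkspaceIAMRoleARN,` in both objects. The `!` on `ampAssumeRoleName` is unnecessary, since it is assigned on the line directly above. The inline policy with `resources: ["*"]` now comes from `getAMPAccessPolicyDocument()` and `getCWAccessPolicyDocument()`, which are not in this hunk, so a reader cannot tell whether the resource scope was kept or tightened; a one-line comment above each props object such as `// policy document defined in <helper file>; resource scope unchanged from the previous inline statement` would close that gap. The two 74-line commented-out copies of the old props should be removed rather than kept, since git history already preserves them.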
