Fixes #265
Showing
10 changed files
with
206 additions
and
17 deletions.
@@ -0,0 +1,39 @@ | ||
/** | ||
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
import { | ||
IGrantable, | ||
PolicyStatement, | ||
} from '@aws-cdk/aws-iam'; | ||
|
||
/** | ||
* This is a helper class meant to make it easier to use the AWS Systems Manager Session Manager | ||
* with any EC2 Instances or AutoScalingGroups. Once enabled, the Session Manager can be used to | ||
* connect to an EC2 Instance through the AWS Console and open a shell session in the browser. | ||
* | ||
* Note that in order for the Session Manager to work, you will need an AMI that has the SSM-Agent | ||
* installed and set to run at startup. The Amazon Linux 2 and Amazon provided Windows Server AMI's | ||
* have this configured by default. | ||
* | ||
* More details about the AWS Systems Manager Session Manager ca be found here: | ||
* https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html | ||
*/ | ||
export class SessionManagerHelper { | ||
/** | ||
* Grants the permissions required to enable Session Manager for the provided IGrantable. | ||
*/ | ||
public static grantPermissionsTo(grantable: IGrantable): void { | ||
grantable.grantPrincipal.addToPolicy(new PolicyStatement({ | ||
actions: [ | ||
'ssmmessages:CreateControlChannel', | ||
'ssmmessages:CreateDataChannel', | ||
'ssmmessages:OpenControlChannel', | ||
'ssmmessages:OpenDataChannel', | ||
'ssm:UpdateInstanceInformation', | ||
], | ||
resources: ['*'], | ||
})); | ||
} | ||
} |
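Review bot: The boolean that `addToPolicy` returns on line 65 is dropped, so a grantable whose principal cannot be modified (an imported role, for instance) leaves `grantPermissionsTo` returning normally while no Session Manager permissions were actually attached; capturing the result and surfacing a `false` (a warning annotation on the construct, or a thrown error) would make that silent no-op visible to the caller. The `resources: ['*']` entry on line 73 also deserves a why-comment, because a reader auditing IAM scope will otherwise read it as an oversight — something like `// Actions the SSM agent needs for Session Manager; AWS's reference instance policy grants them on '*' since ssmmessages:* has no resource-level scoping — confirm in the Service Authorization Reference whether ssm:UpdateInstanceInformation can be narrowed`. Two wording fixes in the class doc while here: `ca be found` → `can be found` on line 57, and `AMI's` → `AMIs` on line 54.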
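--- /dev/null
+++ b/packages/aws-rfdk/lib/core/test/sessions-manager-helper.test.ts
@@ -0,0 +1,93 @@
+/**
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import {
+expect as expectCDK,
+haveResourceLike,
+} from '@aws-cdk/assert';
+import {
+AutoScalingGroup,
+} from '@aws-cdk/aws-autoscaling';
+import {
+AmazonLinuxImage,
+Instance,
+InstanceClass,
+InstanceSize,
+InstanceType,
+Vpc,
+} from '@aws-cdk/aws-ec2';
+import { CfnElement, Stack } from '@aws-cdk/core';
+
+import { SessionManagerHelper } from '../lib';
+
+let stack: Stack;
+let vpc: Vpc;
+const instanceType = InstanceType.of(InstanceClass.T3, InstanceSize.MICRO);
+const machineImage = new AmazonLinuxImage();
+
+beforeEach(() => {
+stack = new Stack();
+vpc = new Vpc(stack, 'VPC');
+});
+
+test('Grant SSM permissions to Instance', () => {
+const instance = new Instance(stack, 'Instance', {
+vpc,
+instanceType,
+machineImage,
+});
+SessionManagerHelper.grantPermissionsTo(instance);
+
+const instanceRole = stack.getLogicalId(instance.role.node.defaultChild as CfnElement);
+
+expectCDK(stack).to(haveResourceLike('AWS::IAM::Policy', {
+PolicyDocument: {
+Statement: [
+{
+Action: [
+'ssmmessages:CreateControlChannel',
+'ssmmessages:CreateDataChannel',
+'ssmmessages:OpenControlChannel',
+'ssmmessages:OpenDataChannel',
+'ssm:UpdateInstanceInformation',
+],
+Effect: 'Allow',
+Resource: '*',
+},
+],
+},
+Roles: [{ Ref: instanceRole }],
+}));
+});
+
+test('Grant SSM permissions to ASG', () => {
+const asg = new AutoScalingGroup(stack, 'ASG', {
+vpc,
+instanceType,
+machineImage,
+});
+SessionManagerHelper.grantPermissionsTo(asg);
+
+const asgRole = stack.getLogicalId(asg.role.node.defaultChild as CfnElement);
+
+expectCDK(stack).to(haveResourceLike('AWS::IAM::Policy', {
+PolicyDocument: {
+Statement: [
+{
+Action: [
+'ssmmessages:CreateControlChannel',
+'ssmmessages:CreateDataChannel',
+'ssmmessages:OpenControlChannel',
+'ssmmessages:OpenDataChannel',
+'ssm:UpdateInstanceInformation',
+],
+Effect: 'Allow',
+Resource: '*',
+},
+],
+},
+Roles: [{ Ref: asgRole }],
+}));
+});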
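Review bot: Both tests (lines 136–153 and 169–186) spell out the same expected IAM statement literal, so any future change to the helper's action list has to be mirrored in two places and a drift between them would go unnoticed; hoisting it into a module-level `const expectedSsmStatement = { Action: [ /* the five actions */ ], Effect: 'Allow', Resource: '*' }` and referencing it from both `haveResourceLike` calls keeps the tests in step with one another. The `as CfnElement` assertions on lines 133 and 166 are the usual way to reach the role's L1 resource for `getLogicalId`, so those read fine as written.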