Fixes #265
Showing
10 changed files
with
172 additions
and
15 deletions.
@@ -0,0 +1,34 @@ | ||
/** | ||
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
import { | ||
IGrantable, | ||
PolicyStatement, | ||
} from '@aws-cdk/aws-iam'; | ||
|
||
/** | ||
* This is a helper class meant to make it easier to use the AWS Systems Manager Session Manager | ||
* with any EC2 Instances or AutoScalingGroups. Once enabled, the Session Manager can be used to | ||
* connect to an EC2 Instance through the AWS Console and open a shell session in the browser. | ||
* More details about the AWS Systems Manager Session Manager ca be found here: | ||
* https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html | ||
*/ | ||
export class SessionManagerHelper { | ||
/** | ||
* Grants the permissions required to enable Session Manager for the provided IGrantable. | ||
*/ | ||
public static grantPermissionsTo(grantable: IGrantable): void { | ||
grantable.grantPrincipal.addToPolicy(new PolicyStatement({ | ||
actions: [ | ||
'ssmmessages:CreateControlChannel', | ||
'ssmmessages:CreateDataChannel', | ||
'ssmmessages:OpenControlChannel', | ||
'ssmmessages:OpenDataChannel', | ||
'ssm:UpdateInstanceInformation', | ||
], | ||
resources: ['*'], | ||
})); | ||
} | ||
} |
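Review bot: `resources: ['*']` at the end of the policy statement carries no explanation, and anyone auditing the IAM scope of this helper will question it; the ssmmessages:* actions and ssm:UpdateInstanceInformation do not support resource-level permissions, so the wildcard is required rather than a shortcut. I'd add `// These actions do not support resource-level permissions, so '*' is required.` above that line and state in the class docstring that this is the minimal instance-side permission set for Session Manager, not an operator-side grant. The docstring also has a typo, `ca be found` should read `can be found`. Presumably the instance also needs the SSM Agent installed and network reachability to the ssm and ssmmessages endpoints for the grant to be useful; if so, the docstring should say that.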
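--- a/packages/aws-rfdk/lib/core/test/sessions-manager-helper.test.ts
+++ b/packages/aws-rfdk/lib/core/test/sessions-manager-helper.test.ts
@@ -0,0 +1,93 @@
+/**
+* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+import {
+expect as expectCDK,
+haveResourceLike,
+} from '@aws-cdk/assert';
+import {
+AutoScalingGroup,
+} from '@aws-cdk/aws-autoscaling';
+import {
+AmazonLinuxImage,
+Instance,
+InstanceClass,
+InstanceSize,
+InstanceType,
+Vpc,
+} from '@aws-cdk/aws-ec2';
+import { CfnElement, Stack } from '@aws-cdk/core';
+
+import { SessionManagerHelper } from '../lib';
+
+let stack: Stack;
+let vpc: Vpc;
+const instanceType = InstanceType.of(InstanceClass.T3, InstanceSize.MICRO);
+const machineImage = new AmazonLinuxImage();
+
+beforeEach(() => {
+stack = new Stack();
+vpc = new Vpc(stack, 'VPC');
+});
+
+test('Grant SSM permissions to Instance', () => {
+const instance = new Instance(stack, 'Instance', {
+vpc,
+instanceType,
+machineImage,
+});
+SessionManagerHelper.grantPermissionsTo(instance);
+
+const instanceRole = stack.getLogicalId(instance.role.node.defaultChild as CfnElement);
+
+expectCDK(stack).to(haveResourceLike('AWS::IAM::Policy', {
+PolicyDocument: {
+Statement: [
+{
+Action: [
+'ssmmessages:CreateControlChannel',
+'ssmmessages:CreateDataChannel',
+'ssmmessages:OpenControlChannel',
+'ssmmessages:OpenDataChannel',
+'ssm:UpdateInstanceInformation',
+],
+Effect: 'Allow',
+Resource: '*',
+},
+],
+},
+Roles: [{ Ref: instanceRole }],
+}));
+});
+
+test('Grant SSM permissions to ASG', () => {
+const asg = new AutoScalingGroup(stack, 'ASG', {
+vpc,
+instanceType,
+machineImage,
+});
+SessionManagerHelper.grantPermissionsTo(asg);
+
+const asgRole = stack.getLogicalId(asg.role.node.defaultChild as CfnElement);
+
+expectCDK(stack).to(haveResourceLike('AWS::IAM::Policy', {
+PolicyDocument: {
+Statement: [
+{
+Action: [
+'ssmmessages:CreateControlChannel',
+'ssmmessages:CreateDataChannel',
+'ssmmessages:OpenControlChannel',
+'ssmmessages:OpenDataChannel',
+'ssm:UpdateInstanceInformation',
+],
+Effect: 'Allow',
+Resource: '*',
+},
+],
+},
+Roles: [{ Ref: asgRole }],
+}));
+});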
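Review bot: The expected PolicyDocument block is copied verbatim between the Instance test and the ASG test, so a change to the granted action list has to be edited in the helper and in two places here with no single source of truth. Hoisting it into a module-level `const expectedSsmPolicyDocument = { Statement: [ /* the shared statement */ ] };` next to `instanceType` and `machineImage`, and passing `PolicyDocument: expectedSsmPolicyDocument` in both `haveResourceLike` calls, keeps each test to the part that actually differs, the role reference. The file name `sessions-manager-helper.test.ts` also does not match the class under test, `SessionManagerHelper`; if the library file is named `session-manager-helper.ts`, the test file should mirror it.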