in lib/constructs/workstation.ts [21:121]
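/**
 * Builds the NICE DCV workstation: an EC2 instance role, a security group and
 * a launch template (the template is what Jenkins launches from).
 *
 * Permissions granted to the instance role, as written below:
 *  - the SSM inline policy built by `createSSMPolicy` (given `props.ssmLogBucket`);
 *  - `s3:GetObject` on `dcv-license.<region>/*` for every region in
 *    `RegionInfo.regions` (NICE DCV license lookup);
 *  - `s3:Get*` / `s3:List*` on the `nvidia-gaming` and
 *    `ec2-windows-nvidia-drivers` buckets (GPU driver download);
 *  - the `AmazonSSMManagedInstanceCore` and `AmazonSSMDirectoryServiceAccess`
 *    AWS managed policies;
 *  - read access on `props.resourceBucket`.
 *
 * Inbound rules: TCP 3389 (RDP), TCP 8443 and UDP 8443 (NICE DCV / QUIC) are
 * opened from every peer in `props.allowAccessFrom`. Nothing else restricts
 * exposure, so the caller's peer list is the security boundary.
 *
 * Fix over the previous revision: the `// for default session` remark used to
 * sit inside the user-data template literal and was therefore emitted into the
 * PowerShell script; it is now a TypeScript comment outside the string.
 *
 * @param scope - parent construct
 * @param id - construct id
 * @param props - VPC, instance type, buckets and the peers allowed to connect
 */
constructor(scope: cdk.Construct, id: string, props: WorkstationProps) {
  super(scope, id);

  // Instance role assumed by EC2; the launch template below is launched from Jenkins.
  const workstationRole = new iam.Role(this, "WorkstationRole", {
    assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
  });
  workstationRole.attachInlinePolicy(
    createSSMPolicy(this, props.ssmLogBucket)
  );

  // NICE DCV reads its license from the per-region `dcv-license.<region>` bucket,
  // so one object ARN is produced for every known region.
  const dcvLicenseObjectArns = RegionInfo.regions.map(
    (region) => `arn:aws:s3:::dcv-license.${region.name}/*`
  );
  workstationRole.attachInlinePolicy(
    new iam.Policy(this, "for-nice-policy", {
      statements: [
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          resources: dcvLicenseObjectArns,
          actions: ["s3:GetObject"],
        }),
      ],
    })
  );

  // GPU driver buckets: bucket ARNs are listed alongside the object ARNs so the
  // `s3:List*` actions resolve as well as `s3:Get*`.
  workstationRole.attachInlinePolicy(
    new iam.Policy(this, "for-gpu-policy", {
      statements: [
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          resources: [
            "arn:aws:s3:::nvidia-gaming/*",
            "arn:aws:s3:::nvidia-gaming",
            "arn:aws:s3:::ec2-windows-nvidia-drivers/*",
            "arn:aws:s3:::ec2-windows-nvidia-drivers",
          ],
          actions: ["s3:Get*", "s3:List*"],
        }),
      ],
    })
  );

  // SSM agent core permissions plus directory-service access (the "Join-AD" tag
  // below suggests the instance is domain-joined through SSM).
  workstationRole.addManagedPolicy(
    iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore")
  );
  workstationRole.addManagedPolicy(
    iam.ManagedPolicy.fromAwsManagedPolicyName(
      "AmazonSSMDirectoryServiceAccess"
    )
  );
  props.resourceBucket.grantRead(workstationRole);

  // Inbound access is defined entirely by the caller-supplied peer list.
  // NOTE(review): RDP (3389) is opened to every peer; callers must not pass
  // 0.0.0.0/0 here. With Session Manager permissions already attached, consider
  // whether 3389 is needed at all — confirm with the operators.
  const workstationSG = new ec2.SecurityGroup(this, "WorkstationSG", {
    vpc: props.vpc,
    securityGroupName: "WorkstationSG",
  });
  props.allowAccessFrom.forEach((peer) => {
    workstationSG.addIngressRule(peer, ec2.Port.tcp(3389), "allow RDP access");
    workstationSG.addIngressRule(
      peer,
      ec2.Port.tcp(8443),
      "allow NICE DCV access"
    );
    workstationSG.addIngressRule(
      peer,
      ec2.Port.udp(8443),
      "allow NICE DCV QUIC access"
    );
  });

  // Bootstrap script pieces. Everything between the backticks below is emitted
  // verbatim into the PowerShell user data, so no TypeScript comments may appear
  // inside the template literal.
  const niceDcvSetup = this.setupNiceDCV("Administrator"); // for default session
  // NOTE(review): the default DCV session is bound to the built-in Administrator
  // account — a privileged default; confirm that is intended for this workstation.
  const userData = ec2.UserData.custom(`
<powershell>
${setupFirefoxPowershell()}
${niceDcvSetup}
${this.downloadGPUDriver()}
</powershell>
`);

  const workstationTemplate = new ec2.LaunchTemplate(this, "workstation-template", {
    launchTemplateName: "workstation-template",
    instanceType: props.instanceType,
    // "latest" lookup: the AMI id is resolved at synth/deploy time and can change
    // between deployments.
    machineImage: ec2.MachineImage.latestWindows(
      ec2.WindowsVersion.WINDOWS_SERVER_2019_JAPANESE_FULL_BASE
    ),
    userData,
    role: workstationRole,
    blockDevices: [
      {
        deviceName: "/dev/sda1",
        // 500 GiB gp3 root volume.
        // NOTE(review): `encrypted` is not set, so the volume is created
        // unencrypted unless the account enforces EBS encryption by default.
        volume: ec2.BlockDeviceVolume.ebs(500, {
          volumeType: ec2.EbsDeviceVolumeType.GP3,
        }),
      },
    ],
    securityGroup: workstationSG,
    // NOTE(review): IMDSv2 is not enforced on this template; if the CDK version
    // in use exposes `requireImdsv2` on LaunchTemplate, enable it.
  });
  cdk.Tags.of(workstationTemplate).add("Name", "NICE DCV");
  cdk.Tags.of(workstationTemplate).add("Feature", "Join-AD");
  // Empty placeholder tag; presumably filled in per launch — verify against the launcher.
  cdk.Tags.of(workstationTemplate).add("NICE DCV AD User", "");
}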