protected createRole()

in source/lib/kda-flink-studio.ts [30:111]


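    /**
     * Creates the execution role assumed by the Kinesis Data Analytics Studio
     * (Zeppelin) application, plus the Glue database Studio uses as its catalog.
     *
     * Side effects: registers a `glue.CfnDatabase` on this construct and stores its
     * name (the CfnDatabase `ref`) in `this.DatabaseName`; the Glue statements below
     * are scoped to that database. Reads `this.LogGroup`, which must already exist.
     *
     * The Glue statements follow
     * https://docs.aws.amazon.com/kinesisanalytics/latest/java/how-zeppelin-appendix-iam.html
     *
     * @param _props construct props; not used by this implementation.
     * @returns the application role with inline Logs, VPC and Glue policies attached.
     */
    protected createRole(_props: FlinkBaseProps): iam.IRole {
        const glueDb = new glue.CfnDatabase(this, 'Database', {
            catalogId: cdk.Aws.ACCOUNT_ID,
            databaseInput: {
                description: `${cdk.Aws.STACK_NAME} - Database for Amazon Kinesis Data Analytics Studio`
            }
        });

        this.DatabaseName = glueDb.ref;

        // Regional, account-scoped ARN prefix for a service (partition-aware so the
        // stack also deploys to non-commercial partitions).
        const arnPrefix = (service: string): string =>
            `arn:${cdk.Aws.PARTITION}:${service}:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}`;

        const logsPolicy = new iam.PolicyDocument({
            statements: [
                // DescribeLogGroups is a list call and has to be granted across every
                // log group in the region; the wildcard here is intentional.
                new iam.PolicyStatement({
                    resources: [`${arnPrefix('logs')}:log-group:*`],
                    actions: ['logs:DescribeLogGroups']
                }),
                // Writes are confined to the application's own log group.
                new iam.PolicyStatement({
                    resources: [this.LogGroup.logGroupArn],
                    actions: ['logs:DescribeLogStreams', 'logs:PutLogEvents']
                })
            ]
        });

        const vpcPolicy = new iam.PolicyDocument({
            statements: [
                // ENI management for VPC connectivity. The `*` resource matches the
                // Kinesis Data Analytics VPC-access guidance, but note that it lets the
                // role delete any ENI in the account, not only the ones it creates.
                // NOTE(review): if tighter scoping is required, consider the ec2:Subnet /
                // ec2:Vpc condition keys on Create/DeleteNetworkInterface — confirm
                // against the service documentation before narrowing.
                new iam.PolicyStatement({
                    resources: ['*'],
                    actions: [
                        'ec2:CreateNetworkInterface',
                        'ec2:DescribeNetworkInterfaces',
                        'ec2:DescribeVpcs',
                        'ec2:DeleteNetworkInterface',
                        'ec2:DescribeDhcpOptions',
                        'ec2:DescribeSubnets',
                        'ec2:DescribeSecurityGroups'
                    ]
                }),
                // ENI permissions are already resource-scoped to this account/region.
                new iam.PolicyStatement({
                    resources: [`${arnPrefix('ec2')}:network-interface/*`],
                    actions: ['ec2:CreateNetworkInterfacePermission']
                })
            ]
        });

        // This policy is based on https://docs.aws.amazon.com/kinesisanalytics/latest/java/how-zeppelin-appendix-iam.html
        const glueArn = arnPrefix('glue');
        const gluePolicy = new iam.PolicyDocument({
            statements: [
                // Catalog access is limited to the database created above (plus the
                // `hive` default database and connections/UDFs, as the guidance requires).
                // Table create/update is therefore only possible inside that database.
                new iam.PolicyStatement({
                    resources: [
                        `${glueArn}:connection/*`,
                        `${glueArn}:table/${this.DatabaseName}/*`,
                        `${glueArn}:database/${this.DatabaseName}`,
                        `${glueArn}:database/hive`,
                        `${glueArn}:catalog`,
                        `${glueArn}:userDefinedFunction/*`
                    ],
                    actions: [
                        'glue:GetConnection',
                        'glue:GetTable',
                        'glue:GetTables',
                        'glue:GetDatabase',
                        'glue:CreateTable',
                        'glue:UpdateTable',
                        'glue:GetUserDefinedFunction'
                    ]
                }),
                // GetDatabases is a list call; it cannot be resource-scoped.
                new iam.PolicyStatement({
                    resources: ['*'],
                    actions: ['glue:GetDatabases']
                }),
            ]
        });

        return new iam.Role(this, 'AppRole', {
            // Confused-deputy guard: only Kinesis Data Analytics acting for THIS account
            // may assume the role, per the service's cross-service confused-deputy
            // prevention guidance. aws:SourceArn would be tighter, but the application
            // ARN is not known when the role is created (the app references the role).
            assumedBy: new iam.ServicePrincipal('kinesisanalytics.amazonaws.com', {
                conditions: {
                    StringEquals: { 'aws:SourceAccount': cdk.Aws.ACCOUNT_ID }
                }
            }),
            inlinePolicies: {
                LogsPolicy: logsPolicy,
                VpcPolicy: vpcPolicy,
                GluePolicy: gluePolicy
            }
        });
    }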