in cli/aws_orbit/remote_files/cdk/env.py [0:0]
def _create_role_cluster(self) -> iam.Role:
    """Create the IAM role assumed by the EKS control plane and Fargate pods.

    The role is named ``orbit-<env>-<region>-eks-cluster-role``, trusts the
    ``eks.amazonaws.com`` and ``eks-fargate-pods.amazonaws.com`` service
    principals, attaches the three AWS-managed EKS policies and adds one inline
    ``Extras`` policy covering ELB/EC2/CloudWatch, the scratch bucket and FSx.

    Returns:
        The ``iam.Role`` construct created in this stack.
    """
    role_name: str = f"orbit-{self.context.name}-{self.context.region}-eks-cluster-role"

    # Both the EKS control plane and Fargate pod execution assume this role.
    trusted_services = iam.CompositePrincipal(
        iam.ServicePrincipal("eks.amazonaws.com"),
        iam.ServicePrincipal("eks-fargate-pods.amazonaws.com"),
    )

    managed_policy_names = (
        "AmazonEKSClusterPolicy",
        "AmazonEKSServicePolicy",
        "AmazonEKSVPCResourceController",
    )
    managed = [
        iam.ManagedPolicy.from_aws_managed_policy_name(managed_policy_name=policy_name)
        for policy_name in managed_policy_names
    ]

    # NOTE(review): the statements using resources=["*"] apply account-wide;
    # "elasticloadbalancing:*" and "ec2:Describe*" in particular are broad for a
    # cluster role. Kept unchanged here so the synthesized policy is identical.
    general_access = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "elasticloadbalancing:*",
            "ec2:CreateSecurityGroup",
            "ec2:Describe*",
            "cloudwatch:PutMetricData",
            "iam:ListAttachedRolePolicies",
        ],
        resources=["*"],
    )

    # NOTE(review): the FSx service-linked-role ARN ends in "/" with no role
    # name, so it looks like it matches no role as written — confirm whether a
    # trailing wildcard was intended. The iam:* actions and s3:* are granted in
    # one statement over IAM and S3 ARNs; splitting them would make the grant
    # on the scratch bucket explicit.
    scratch_and_fsx_role = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=["iam:AttachRolePolicy", "iam:PutRolePolicy", "s3:*"],
        resources=[
            "arn:aws:iam::*:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/",
            f"{self.context.scratch_bucket_arn}",
            f"{self.context.scratch_bucket_arn}/*",
        ],
    )

    # FSx for Lustre lifecycle plus the service-linked role it needs.
    fsx_lifecycle = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "iam:CreateServiceLinkedRole",
            "s3:ListBucket",
            "fsx:CreateFileSystem",
            "fsx:DeleteFileSystem",
            "fsx:DescribeFileSystems",
            "fsx:TagResource",
        ],
        resources=["*"],
    )

    extras = iam.PolicyDocument(
        statements=[general_access, scratch_and_fsx_role, fsx_lifecycle]
    )

    return iam.Role(
        scope=self,
        id=role_name,
        role_name=role_name,
        assumed_by=cast(iam.IPrincipal, trusted_services),
        managed_policies=managed,
        inline_policies={"Extras": extras},
    )