in packages/constructs/L3/governance/datazone-l3-construct/lib/datazone-l3-construct.ts [86:279]
private createDomain(domainName: string, domainProps: DomainProps) {
const dataAdminRole = this.props.roleHelper.resolveRoleRefWithRefId(domainProps.dataAdminRole, 'admin');
const kmsKey = this.createDomainKmsKey(domainName, domainProps, dataAdminRole);
const kmsKeyArnParam = new MdaaParamAndOutput(this, {
resourceType: 'kms-cmk',
resourceId: domainName,
name: 'arn',
value: kmsKey.keyArn,
...this.props,
tier: ParameterTier.ADVANCED,
});
// Resolve Execution Role
const executionRole = this.createExecutionRole(`${domainName}-execution-role`, kmsKey, domainProps.domainVersion);
const singleSignOn: CfnDomain.SingleSignOnProperty = {
type: domainProps.singleSignOnType ?? DEFAULT_SSO_TYPE,
userAssignment: domainProps.userAssignment ?? DEFAULT_USER_ASSIGNMENT,
};
const cfnDomainProps: CfnDomainProps = {
domainExecutionRole: executionRole.roleArn,
name: this.props.naming.resourceName(domainName),
kmsKeyIdentifier: kmsKey.keyArn,
description: domainProps.description,
singleSignOn: singleSignOn,
domainVersion: domainProps.domainVersion,
serviceRole: domainProps.domainVersion == 'V2' ? this.createServiceRole('service', kmsKey).roleArn : undefined,
};
// Create domain
const domain = new CfnDomain(this, `${domainName}-domain`, cfnDomainProps);
const adminUserProfileProps: CfnUserProfileProps = {
domainIdentifier: domain.attrId,
userIdentifier: dataAdminRole.arn(),
userType: 'IAM_ROLE',
status: 'ACTIVATED',
};
const adminUserProfile = new CfnUserProfile(this, `${domainName}-admin-user-profile`, adminUserProfileProps);
Object.entries(domainProps.additionalAdminUsers || {}).forEach(adminUser => {
const resolvedUserRole = this.props.roleHelper.resolveRoleRefWithRefId(adminUser[1].role, adminUser[0]);
const accountUserProfileProps: CfnUserProfileProps = {
domainIdentifier: domain.attrId,
userIdentifier: adminUser[1].userType == 'IAM_ROLE' ? resolvedUserRole.arn() : resolvedUserRole.name(),
userType: adminUser[1].userType,
status: 'ACTIVATED',
};
new CfnUserProfile(this, `${domainName}-admin-user-${adminUser[0]}`, accountUserProfileProps);
});
new MdaaParamAndOutput(this, {
resourceType: 'admin-user',
resourceId: domainName,
name: 'id',
value: adminUserProfile.attrId,
...this.props,
tier: ParameterTier.ADVANCED,
});
const customEnvBlueprintConfig = this.createCustomBlueprintConfig(
this,
domain.attrId,
[this.region],
kmsKey.keyArn,
);
new MdaaParamAndOutput(this, {
resourceType: 'custom-datalake-env-blueprint',
resourceId: domainName,
name: 'id',
value: customEnvBlueprintConfig.getAttString('id'),
...this.props,
tier: ParameterTier.ADVANCED,
});
const domainIdParam = new MdaaParamAndOutput(this, {
resourceType: 'domain',
resourceId: domainName,
name: 'id',
value: domain.attrId,
...this.props,
tier: ParameterTier.ADVANCED,
});
const domainArnParam = new MdaaParamAndOutput(this, {
resourceType: 'domain',
resourceId: domainName,
name: 'arn',
value: domain.attrArn,
tier: ParameterTier.ADVANCED,
...this.props,
});
const configParam = this.createDomainConfigParam(
domainName,
domain,
adminUserProfile,
customEnvBlueprintConfig.getAttString('id'),
domain.domainVersion ?? 'V1',
);
if (domainProps.associatedAccounts) {
const ramShareProps: CfnResourceShareProps = {
name: `DataZone-${this.props.naming.resourceName('domain-config-ssm')}-${domain.attrId}`,
resourceArns: [domain.attrArn],
principals: Object.entries(domainProps.associatedAccounts).map(x => x[1].account),
permissionArns: ['arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAmazonDataZoneDomain'],
};
new CfnResourceShare(this, `domain-ram-share`, ramShareProps);
if (configParam.param) {
const ramShareProps: CfnResourceShareProps = {
name: this.props.naming.resourceName('domain-config-ssm'),
resourceArns: [configParam.param.parameterArn],
principals: Object.entries(domainProps.associatedAccounts).map(x => x[1].account),
};
new CfnResourceShare(this, `domain-config-ram-share`, ramShareProps);
}
if (domainArnParam.param) {
const ramShareProps: CfnResourceShareProps = {
name: this.props.naming.resourceName('domain-arn-ssm'),
resourceArns: [domainArnParam.param.parameterArn],
principals: Object.entries(domainProps.associatedAccounts).map(x => x[1].account),
};
new CfnResourceShare(this, `domain-arn-ram-share`, ramShareProps);
}
if (domainIdParam.param && kmsKeyArnParam.param) {
const domainIdShareProps: CfnResourceShareProps = {
name: this.props.naming.resourceName('domain-id-ssm'),
resourceArns: [domainIdParam.param.parameterArn],
principals: Object.entries(domainProps.associatedAccounts).map(x => x[1].account),
};
new CfnResourceShare(this, `domain-id-ram-share`, domainIdShareProps);
const domainKeyArnShareProps: CfnResourceShareProps = {
name: this.props.naming.resourceName('domain-key-arn-ssm'),
resourceArns: [kmsKeyArnParam.param.parameterArn],
principals: Object.entries(domainProps.associatedAccounts).map(x => x[1].account),
};
new CfnResourceShare(this, `domain-key-arn-ram-share`, domainKeyArnShareProps);
Object.entries(domainProps.associatedAccounts).forEach(associatedAccount => {
const accountCdkUserProfileProps: CfnUserProfileProps = {
domainIdentifier: domain.attrId,
userIdentifier:
associatedAccount[1].cdkRoleArn ??
`arn:${this.partition}:iam::${associatedAccount[1].account}:role/cdk-hnb659fds-cfn-exec-role-${associatedAccount[1].account}-${this.region}`,
userType: 'IAM_ROLE',
status: 'ACTIVATED',
};
new CfnUserProfile(
this,
`${domainName}-${associatedAccount[1].account}-cdk-user-profile`,
accountCdkUserProfileProps,
);
if (this.props.crossAccountStacks) {
const crossAccountStack = this.props.crossAccountStacks[associatedAccount[1].account];
if (crossAccountStack) {
const domainIdSsmParamArn = `arn:${this.partition}:ssm:${associatedAccount[1].region ?? this.region}:${
this.account
}:parameter${domainIdParam.paramName}`;
const kmsKeyArnParamArn = `arn:${this.partition}:ssm:${associatedAccount[1].region ?? this.region}:${
this.account
}:parameter${kmsKeyArnParam.paramName}`;
this.createCustomBlueprintConfig(
crossAccountStack,
StringParameter.fromStringParameterArn(
crossAccountStack,
`domain-id-import-${associatedAccount}`,
domainIdSsmParamArn,
).stringValue,
[associatedAccount[1].region || this.region],
StringParameter.fromStringParameterArn(
crossAccountStack,
`domain-key-arn-id-import-${associatedAccount}`,
kmsKeyArnParamArn,
).stringValue,
);
} else {
console.warn(
`Cross account stack not defined for associated account ${associatedAccount[0]}/${associatedAccount[1].account} on domain ${domainName}`,
);
}
}
});
}
}
}