in packages/constructs/L3/dataops/dataops-nifi-l3-construct/lib/nifi-cluster.ts [103:273]
constructor(scope: Construct, id: string, props: NifiClusterProps) {
super(scope, id);
this.props = props;
const nifiNamespaceName = `nifi-${props.clusterName}`;
this.httpsPort = this.props.httpsPort ?? 8443;
this.remotePort = this.props.remotePort ?? 10000;
this.clusterPort = this.props.clusterPort ?? 14443;
const nodeCount = props.nodeCount ?? 1;
this.adminIdentities = props.adminIdentities;
this.securityGroup = this.createNifiSecurityGroup(props.vpc);
const additionalEfsIngressSecurityGroups = props.additionalEfsIngressSecurityGroupIds?.map(id => {
return SecurityGroup.fromSecurityGroupId(this, `nifi-cluster-efs-ingress-sg-${id}`, id);
});
const efsSecurityGroup = NifiCluster.createEfsSecurityGroup('nifi-cluster', this, props.naming, props.vpc, [
this.securityGroup,
...(additionalEfsIngressSecurityGroups || []),
]);
const nifiEfsPvs = NifiCluster.createEfsPvs({
scope: this,
naming: props.naming,
name: 'nifi',
nodeCount: nodeCount,
vpc: props.vpc,
subnets: props.subnets,
kmsKey: props.kmsKey,
efsSecurityGroup: efsSecurityGroup,
});
const efsManagedPolicy = NifiCluster.createEfsAccessPolicy(
'nifi-cluster',
this,
props.naming,
props.kmsKey,
nifiEfsPvs,
);
props.fargateProfile.podExecutionRole.addManagedPolicy(efsManagedPolicy);
const nifiAdminCredentialsSecret = NifiCluster.createSecret(
this,
'nifi-admin-creds-secret',
props.naming,
'admin-creds-secret',
props.kmsKey,
);
const nifiSensitivePropSecret = NifiCluster.createSecret(
this,
'nifi-sensitive-props-secret',
props.naming,
'sensitive-props-key',
props.kmsKey,
);
const keystorePasswordSecret = NifiCluster.createSecret(
this,
'keystore-password-secret',
props.naming,
'keystore-password',
props.kmsKey,
);
const externalSecretsRole = NifiCluster.createExternalSecretsServiceRole(
this,
'external-secrets',
props.naming,
nifiNamespaceName,
props.eksCluster,
props.kmsKey,
[nifiSensitivePropSecret, keystorePasswordSecret, nifiAdminCredentialsSecret],
);
const clusterServiceRole = NifiCluster.createServiceRole(
this,
'nifi-service-role',
props.naming.resourceName('nifi-service-role', 64),
nifiNamespaceName,
props.eksCluster,
);
this.props.clusterRoleAwsManagedPolicies?.forEach(managedPolicySpec => {
const managedPolicy = ManagedPolicy.fromAwsManagedPolicyName(managedPolicySpec.policyName);
clusterServiceRole.addManagedPolicy(managedPolicy);
MdaaNagSuppressions.addCodeResourceSuppressions(clusterServiceRole, [
{
id: 'AwsSolutions-IAM4',
reason: managedPolicySpec.suppressionReason,
},
]);
});
this.props.clusterRoleManagedPolicies?.forEach(managedPolicyName => {
const managedPolicy = ManagedPolicy.fromManagedPolicyName(
this,
`imported-policy-${managedPolicyName}`,
managedPolicyName,
);
clusterServiceRole.addManagedPolicy(managedPolicy);
});
const nodeSize = NifiCluster.nodeSizeMap[this.props.nodeSize || 'SMALL'];
this.props.nifiManagerImage.repository.grantPull(props.fargateProfile.podExecutionRole);
MdaaNagSuppressions.addCodeResourceSuppressions(
props.fargateProfile.podExecutionRole,
[
{ id: 'AwsSolutions-IAM5', reason: 'ecr:GetAuthorizationToken does not accept a resource.' },
{ id: 'NIST.800.53.R5-IAMNoInlinePolicy', reason: 'Permissions are appropriate as inline policy.' },
{ id: 'HIPAA.Security-IAMNoInlinePolicy', reason: 'Permissions are appropriate as inline policy.' },
{ id: 'PCI.DSS.321-IAMNoInlinePolicy', reason: 'Permissions are appropriate as inline policy.' },
],
true,
);
const nifiK8sChart = new NifiClusterChart(new cdk8s.App(), 'nifi-chart', {
namespace: nifiNamespaceName,
externalSecretsRoleArn: externalSecretsRole.roleArn,
nodeCount: nodeCount,
nodeCpu: nodeSize.cpu,
nodeMemory: nodeSize.memory,
nifiImageTag: props.nifiImageTag,
awsRegion: props.region,
adminCredsSecretName: nifiAdminCredentialsSecret.secretName,
nifiSensitivePropSecretName: nifiSensitivePropSecret.secretName,
keystorePasswordSecretName: keystorePasswordSecret.secretName,
efsPersistentVolumes: nifiEfsPvs.map(x => {
return { efsFsId: x[0].fileSystemId, efsApId: x[1].accessPointId };
}),
efsStorageClassName: props.eksCluster.efsStorageClassName,
saml: props.saml ? { ...props.saml, entityId: `org:apache:nifi:saml:sp-${props.clusterName}` } : undefined,
hostedZoneName: props.nifiHostedZone.zoneName,
zkConnectString: props.zkConnectString,
zkRootNode: `/nifi/${props.clusterName}`,
httpsPort: this.httpsPort,
remotePort: this.remotePort,
clusterPort: this.clusterPort,
caIssuerName: this.props.nifiCAIssuerName,
nifiServiceRoleArn: clusterServiceRole.roleArn,
nifiServiceRoleName: clusterServiceRole.roleName,
nifiCertDuration: this.props.nifiCertDuration,
nifiCertRenewBefore: this.props.nifiCertRenewBefore,
certKeyAlg: this.props.certKeyAlg ?? 'ECDSA',
certKeySize: this.props.certKeySize ?? '384',
nifiManagerImageUri: props.nifiManagerImage.imageUri,
adminIdentities: props.adminIdentities,
externalNodeIdentities: props.externalNodeIdentities,
identities: props.identities,
groups: props.groups,
authorizations: props.authorizations,
registryClients: props.registryClients,
});
this.nodeList = nifiK8sChart.nodeList.map(nodeName => `${nodeName}.${nifiK8sChart.domain}`);
const nifiNamespaceManifest = props.eksCluster.addNamespace(
new cdk8s.App(),
`nifi-namespace-${props.clusterName}`,
nifiNamespaceName,
this.securityGroup,
);
nifiNamespaceManifest.node.addDependency(props.fargateProfile);
this.nifiManifest = props.eksCluster.addCdk8sChart(`nifi-${props.clusterName}`, nifiK8sChart);
this.nifiManifest.node.addDependency(nifiNamespaceManifest);
const restartNifiCmdProps: KubernetesCmdProps = {
cluster: props.eksCluster,
namespace: nifiNamespaceName,
cmd: ['delete', 'pod', '-l', 'app=nifi'],
executionKey: nifiK8sChart.hash(),
};
const restartNifiCmd = new KubernetesCmd(this, 'restart-nifi-cmd', restartNifiCmdProps);
restartNifiCmd.node.addDependency(this.nifiManifest);
}