in source/idea/idea-administrator/src/ideaadministrator/app/cdk/stacks/virtual_desktop_controller_stack.py [0:0]
def build_custom_credential_broker_infra(self):
lambda_name = f'{self.module_id}-custom-credential-broker-lambda'
api_gateway_name = f'{self.module_id}-custom-credential-broker-api-gateway'
self.custom_credential_broker_lambda_role = Role(
context=self.context,
name=app_constants.CUSTOM_CREDENTIAL_BROKER_ROLE_NAME,
scope=self.stack,
assumed_by=['lambda'],
description=f'{lambda_name}-role',
)
self.s3_mount_base_bucket_read_only_role = Role(
context=self.context,
name=app_constants.S3_MOUNT_BUCKET_READ_ONLY_ROLE_NAME,
scope=self.stack,
description='Base bucket role for read only access to S3 buckets onboarded to RES.',
assumed_by=['lambda'],
inline_policies=[
Policy(
context=self.context,
name='S3MountReadOnlyPolicy',
scope=self.stack,
policy_template_name='s3-mount-base-bucket-read-only.yml'
)
],
)
self.s3_mount_base_bucket_read_write_role = Role(
context=self.context,
name=app_constants.S3_MOUNT_BUCKET_READ_WRITE_ROLE_NAME,
scope=self.stack,
description='Base bucket role for read and write access to S3 buckets onboarded to RES.',
assumed_by=['lambda'],
inline_policies=[
Policy(
context=self.context,
name='S3MountReadWritePolicy',
scope=self.stack,
policy_template_name='s3-mount-base-bucket-read-write.yml'
)
],
)
self.s3_mount_base_bucket_read_only_role.assume_role_policy.add_statements(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=['sts:AssumeRole'],
principals=[
iam.ArnPrincipal(self.custom_credential_broker_lambda_role.role_arn)
]
)
)
self.s3_mount_base_bucket_read_write_role.assume_role_policy.add_statements(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=['sts:AssumeRole'],
principals=[
iam.ArnPrincipal(self.custom_credential_broker_lambda_role.role_arn)
]
)
)
variable = SocaAnyPayload()
variable.s3_bucket_iam_role_resource_tag_value = constants.S3_BUCKET_IAM_ROLE_RESOURCE_TAG_VALUE
custom_credential_broker_lambda_role_policy = ManagedPolicy(
context=self.context,
name=f'{lambda_name}-policy',
scope=self.stack,
managed_policy_name=f'{self.cluster_name}-{self.aws_region}-{lambda_name}-policy',
description='Required policy for RES Custom Credential Broker Lambda.',
policy_template_name='custom-credential-broker.yml',
vars=variable
)
self.custom_credential_broker_lambda_role.add_managed_policy(custom_credential_broker_lambda_role_policy)
# Determine if we have a specific list of subnets configured for VDI
configured_vdi_subnets = self.context.config().get_list(
'vdc.dcv_session.network.private_subnets',
default=[]
)
# Required=True as these should always be available, and we want to error otherwise
cluster_private_subnets = self.context.config().get_list(
'cluster.network.private_subnets',
required=True
)
if configured_vdi_subnets:
vdi_cidr_blocks = [
subnet['CidrBlock'] for subnet in self.aws.ec2().describe_subnets(SubnetIds=configured_vdi_subnets)['Subnets']
]
else:
vdi_cidr_blocks = [
subnet['CidrBlock'] for subnet in self.aws.ec2().describe_subnets(SubnetIds=cluster_private_subnets)['Subnets']
]
custom_credential_broker_security_group = VirtualDesktopCustomCredentialBrokerSecurityGroup(
context=self.context,
name=f'{lambda_name}-security-group',
scope=self.stack,
vpc=self.cluster.vpc,
component_name="Custom Credential Broker",
vdi_cidr_blocks=vdi_cidr_blocks,
)
self.custom_credential_broker_lambda_function = LambdaFunction(
context=self.context,
name=lambda_name,
description=f'{self.module_id} lambda to provide temporary credentials for mounting object storage to virtual desktop infrastructure (VDI) instances.',
scope=self.stack,
vpc=self.cluster.vpc,
vpc_subnets=ec2.SubnetSelection(subnets=self.cluster.private_subnets),
security_groups=[custom_credential_broker_security_group],
environment={
"CLUSTER_NAME": f'{self.cluster_name}',
"CLUSTER_SETTINGS_TABLE_NAME": f'{self.cluster_name}.cluster-settings',
"DCV_HOST_DB_HASH_KEY": app_constants.DCV_HOST_DB_HASH_KEY,
"DCV_HOST_DB_IDEA_SESSION_ID_KEY": app_constants.DCV_HOST_DB_IDEA_SESSION_ID_KEY,
"DCV_HOST_DB_IDEA_SESSION_OWNER_KEY": app_constants.DCV_HOST_DB_IDEA_SESSION_OWNER_KEY,
"MODULE_ID": f'{self.module_id}',
"OBJECT_STORAGE_CUSTOM_PROJECT_NAME_AND_USERNAME_PREFIX": constants.OBJECT_STORAGE_CUSTOM_PROJECT_NAME_AND_USERNAME_PREFIX,
"OBJECT_STORAGE_CUSTOM_PROJECT_NAME_PREFIX": constants.OBJECT_STORAGE_CUSTOM_PROJECT_NAME_PREFIX,
"OBJECT_STORAGE_NO_CUSTOM_PREFIX": constants.OBJECT_STORAGE_NO_CUSTOM_PREFIX,
"READ_AND_WRITE_ROLE_NAME_ARN": self.arn_builder.get_iam_arn("s3-mount-bucket-read-write"),
"READ_ONLY_ROLE_NAME_ARN": self.arn_builder.get_iam_arn("s3-mount-bucket-read-only"),
"SHARED_STORAGE_PREFIX": f'{constants.MODULE_SHARED_STORAGE}',
"STORAGE_PROVIDER_S3_BUCKET": constants.STORAGE_PROVIDER_S3_BUCKET,
"USER_SESSION_OWNER_KEY": app_constants.USER_SESSION_DB_HASH_KEY,
"USER_SESSION_SESSION_ID_KEY": app_constants.USER_SESSION_DB_RANGE_KEY
},
role=self.custom_credential_broker_lambda_role,
timeout_seconds=60,
idea_code_asset=IdeaCodeAsset(
lambda_package_name='res_custom_credential_broker',
lambda_platform=SupportedLambdaPlatforms.PYTHON
),
)
self.custom_credential_broker_lambda_function.node.add_dependency(custom_credential_broker_lambda_role_policy)
self.add_common_tags(self.custom_credential_broker_lambda_function)
self.custom_credential_broker_api_gateway_rest_api = self._build_private_api_for_lambda(
lambda_function=self.custom_credential_broker_lambda_function,
api_name=api_gateway_name,
resource_name=constants.API_GATEWAY_CUSTOM_CREDENTIAL_BROKER_RESOURCE,
stage_name=constants.API_GATEWAY_CUSTOM_CREDENTIAL_BROKER_STAGE,
api_description=f'{self.module_id} API Gateway for custom credential broker',
http_method='GET',
cidr_blocks=vdi_cidr_blocks
)
self.custom_credential_broker_api_gateway_rest_api.node.add_dependency(self.custom_credential_broker_lambda_function)