Adding RBAC

2020-11-14 16:12:42 -08:00
parent ecde2a83a2
commit ac9f476d30
6 changed files with 50 additions and 6 deletions
--- a/app/constructs/airflow-construct.ts
+++ b/app/constructs/airflow-construct.ts
@@ -1,4 +1,4 @@
-import { Construct, CfnOutput } from "@aws-cdk/core";
+import {CfnOutput, Construct} from "@aws-cdk/core";
 import { IVpc } from "@aws-cdk/aws-ec2";

 import ecs = require('@aws-cdk/aws-ecs');
@@ -6,8 +6,10 @@ import ec2 = require("@aws-cdk/aws-ec2");
 import { DockerImageAsset } from '@aws-cdk/aws-ecr-assets';
 import { FargateTaskDefinition } from '@aws-cdk/aws-ecs';

-import { airflowTaskConfig, ContainerConfig } from "../config";
+import {airflowTaskConfig, ContainerConfig} from "../config";
 import { ServiceConstruct } from "./service-construct";
+import { v4 as uuidv4 } from 'uuid';
+

 export interface AirflowConstructProps {
  readonly vpc: IVpc;
@@ -18,16 +20,20 @@ export interface AirflowConstructProps {
 }

 export class AirflowConstruct extends Construct {
-  public readonly loadBalancerDnsName: CfnOutput;
+  public readonly adminPasswordOutput?: CfnOutput;

  constructor(parent: Construct, name: string, props: AirflowConstructProps) {
    super(parent, name);

+    const adminPassword = uuidv4();
+
    const ENV_VAR = {
      AIRFLOW__CORE__SQL_ALCHEMY_CONN: props.dbConnection,
      AIRFLOW__CELERY__BROKER_URL: "sqs://",
      AIRFLOW__CELERY__RESULT_BACKEND: "db+" + props.dbConnection,
      AIRFLOW__CORE__EXECUTOR: "CeleryExecutor",
+      AIRFLOW__WEBSERVER__RBAC: "True",
+      ADMIN_PASS: adminPassword,
      CLUSTER: props.cluster.clusterName,
      SECURITY_GROUP: props.defaultVpcSecurityGroup.securityGroupId,
      SUBNETS: props.privateSubnets.map(subnet => subnet.subnetId).join(",")
@@ -95,5 +101,9 @@ export class AirflowConstruct extends Construct {
        isWorkerService: true
      });
    }
+
+    this.adminPasswordOutput = new CfnOutput(this, 'AdminPassword', {
+      value: adminPassword
+    });
  }
 }
--- a/app/policies.ts
+++ b/app/policies.ts
@@ -10,7 +10,6 @@ export class PolicyConstruct extends Construct {

        // Both managed policies and policy statements will be attached to Task Role of Airflow Instance
        this.managedPolicies = [
-            ManagedPolicy.fromAwsManagedPolicyName("IAMFullAccess"),
            ManagedPolicy.fromAwsManagedPolicyName("AmazonSQSFullAccess"),
            ManagedPolicy.fromAwsManagedPolicyName("AmazonECS_FullAccess"),
        ];