add respository-s3 plugin install and support to pass custom iam role…

… for instance Signed-off-by: Rishabh Singh <[email protected]>
opensearch-project · Oct 25, 2023 · d13773f · d13773f
1 parent 07ca896
commit d13773f
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 23 deletions.
diff --git a/lib/infra/infra-stack.ts b/lib/infra/infra-stack.ts
@@ -29,7 +29,9 @@ import {
 } from 'aws-cdk-lib/aws-ec2';
 import { NetworkListener, NetworkLoadBalancer, Protocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 import { InstanceTarget } from 'aws-cdk-lib/aws-elasticloadbalancingv2-targets';
-import { ManagedPolicy, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+import {
+  ManagedPolicy, Role, IRole, ServicePrincipal,
+} from 'aws-cdk-lib/aws-iam';
 import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs';
 import { readFileSync } from 'fs';
 import { dump, load } from 'js-yaml';
@@ -38,7 +40,7 @@ import { CloudwatchAgent } from '../cloudwatch/cloudwatch-agent';
 import { nodeConfig } from '../opensearch-config/node-config';
 import { RemoteStoreResources } from './remote-store-resources';
 
-export interface infraProps extends StackProps{
+export interface infraProps extends StackProps {
     readonly vpc: IVpc,
     readonly securityGroup: ISecurityGroup,
     readonly opensearchVersion: string,
@@ -63,7 +65,8 @@ export interface infraProps extends StackProps{
     readonly use50PercentHeap: boolean,
     readonly isInternal: boolean,
     readonly enableRemoteStore: boolean,
-    readonly storageVolumeType: EbsDeviceVolumeType
+    readonly storageVolumeType: EbsDeviceVolumeType,
+    readonly customRoleArn: string
 }
 
 export class InfraStack extends Stack {
@@ -86,12 +89,16 @@ export class InfraStack extends Stack {
       removalPolicy: RemovalPolicy.DESTROY,
     });
 
-    this.instanceRole = new Role(this, 'instanceRole', {
-      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ReadOnlyAccess'),
-        ManagedPolicy.fromAwsManagedPolicyName('CloudWatchAgentServerPolicy'),
-        ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore')],
-      assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
-    });
+    if (props.customRoleArn === 'undefined') {
+      this.instanceRole = new Role(this, 'instanceRole', {
+        managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ReadOnlyAccess'),
+          ManagedPolicy.fromAwsManagedPolicyName('CloudWatchAgentServerPolicy'),
+          ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore')],
+        assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
+      });
+    } else {
+      this.instanceRole = <Role>Role.fromRoleArn(this, 'custom-role-arn', `${props.customRoleArn}`);
+    }
 
     if (props.enableRemoteStore) {
       // Remote Store needs an S3 bucket to be registered as snapshot repo
@@ -475,30 +482,26 @@ export class InfraStack extends Stack {
           cwd: '/home/ec2-user',
           ignoreErrors: false,
         }));
+        cfnInitConfig.push(InitCommand.shellCommand('set -ex;cd opensearch;sudo -u ec2-user bin/opensearch-plugin install repository-s3 --batch', {
+          cwd: '/home/ec2-user',
+          ignoreErrors: false,
+        }));
       } else {
         cfnInitConfig.push(InitCommand.shellCommand('set -ex;cd opensearch;sudo -u ec2-user bin/opensearch-plugin install '
             + `https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/${props.opensearchVersion}/latest/linux/${props.cpuArch}`
             + `/tar/builds/opensearch/core-plugins/discovery-ec2-${props.opensearchVersion}.zip --batch`, {
           cwd: '/home/ec2-user',
           ignoreErrors: false,
         }));
+        cfnInitConfig.push(InitCommand.shellCommand('set -ex;cd opensearch;sudo -u ec2-user bin/opensearch-plugin install '
+            + `https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/${props.opensearchVersion}/latest/linux/${props.cpuArch}`
+            + `/tar/builds/opensearch/core-plugins/repository-s3-${props.opensearchVersion}.zip --batch`, {
+          cwd: '/home/ec2-user',
+          ignoreErrors: false,
+        }));
       }
 
       if (props.enableRemoteStore) {
-        if (props.distributionUrl.includes('artifacts.opensearch.org') && !props.minDistribution) {
-          cfnInitConfig.push(InitCommand.shellCommand('set -ex;cd opensearch;sudo -u ec2-user bin/opensearch-plugin install repository-s3 --batch', {
-            cwd: '/home/ec2-user',
-            ignoreErrors: false,
-          }));
-        } else {
-          cfnInitConfig.push(InitCommand.shellCommand('set -ex;cd opensearch;sudo -u ec2-user bin/opensearch-plugin install '
-              + `https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/${props.opensearchVersion}/latest/linux/${props.cpuArch}`
-              + `/tar/builds/opensearch/core-plugins/repository-s3-${props.opensearchVersion}.zip --batch`, {
-            cwd: '/home/ec2-user',
-            ignoreErrors: false,
-          }));
-        }
-
         // eslint-disable-next-line max-len
         cfnInitConfig.push(InitCommand.shellCommand(`set -ex;cd opensearch; echo "node.attr.remote_store.segment.repository: ${scope.stackName}-repo" >> config/opensearch.yml`, {
           cwd: '/home/ec2-user',

diff --git a/lib/os-cluster-entrypoint.ts b/lib/os-cluster-entrypoint.ts
@@ -199,6 +199,8 @@ export class OsClusterEntrypoint {
       const remoteStore = `${scope.node.tryGetContext('enableRemoteStore')}`;
       const enableRemoteStore = remoteStore === 'true';
 
+      const customRoleArn = `${scope.node.tryGetContext('customRoleArn')}`;
+
       const network = new NetworkStack(scope, 'opensearch-network-stack', {
         cidrBlock: cidrRange,
         maxAzs: 3,
@@ -249,6 +251,7 @@ export class OsClusterEntrypoint {
         isInternal,
         enableRemoteStore,
         storageVolumeType: volumeType,
+        customRoleArn,
         ...props,
       });
 

diff --git a/test/os-cluster.test.ts b/test/os-cluster.test.ts
@@ -447,3 +447,36 @@ test('Throw error on unsupported ebs volume type', () => {
     expect(error.message).toEqual('Invalid volume type provided, please provide any one of the following: standard, gp2, gp3');
   }
 });
+
+test('Test multi-node cluster with custom IAM Role', () => {
+  const app = new App({
+    context: {
+      securityDisabled: true,
+      minDistribution: false,
+      distributionUrl: 'www.example.com',
+      cpuArch: 'x64',
+      singleNodeCluster: false,
+      dashboardsUrl: 'www.example.com',
+      distVersion: '1.0.0',
+      serverAccessType: 'ipv4',
+      restrictServerAccessTo: 'all',
+      managerNodeCount: 0,
+      dataNodeCount: 3,
+      dataNodeStorage: 200,
+      customRoleArn: 'arn:aws:iam::12345678:role/customRoleName',
+    },
+  });
+
+  // WHEN
+  const testStack = new OsClusterEntrypoint(app, {
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+  expect(testStack.stacks).toHaveLength(2);
+
+  const infraStack = testStack.stacks.filter((s) => s.stackName === 'opensearch-infra-stack')[0];
+  const infraTemplate = Template.fromStack(infraStack);
+  infraTemplate.resourceCountIs('AWS::IAM::Role', 0);
+  infraTemplate.hasResourceProperties('AWS::IAM::InstanceProfile', {
+    Roles: ['customRoleName'],
+  });
+});