fix: set 'mutable' to false when using imported roles

aws-solutions-library-samples · Aug 26, 2024 · 6e71475 · 6e71475
1 parent c3f2a63
commit 6e71475
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 34 deletions.
diff --git a/lib/osml/data_catalog/dc_dataplane.ts b/lib/osml/data_catalog/dc_dataplane.ts
@@ -496,7 +496,10 @@ export class DCDataplane extends Construct {
       this.lambdaRole = Role.fromRoleName(
         this,
         "ImportedDCLambdaRole",
-        this.config.LAMBDA_ROLE_NAME
+        this.config.LAMBDA_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     } else {
       this.lambdaRole = new DCLambdaRole(this, "DCLambdaRole", {

diff --git a/lib/osml/data_intake/di_dataplane.ts b/lib/osml/data_intake/di_dataplane.ts
@@ -333,7 +333,10 @@ export class DIDataplane extends Construct {
       this.lambdaRole = Role.fromRoleName(
         this,
         "ImportedDILambdaRole",
-        this.config.LAMBDA_ROLE_NAME
+        this.config.LAMBDA_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     } else {
       this.lambdaRole = new DILambdaRole(this, "DILambdaRole", {

diff --git a/lib/osml/model_endpoint/me_test_endpoints.ts b/lib/osml/model_endpoint/me_test_endpoints.ts
@@ -306,7 +306,10 @@ export class METestEndpoints extends Construct {
       this.smRole = Role.fromRoleName(
         this,
         "ImportedMESageMakerRole",
-        this.config.SM_ROLE_NAME
+        this.config.SM_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     } else if (props.smRole) {
       // Check if a SageMaker role was provided via properties

diff --git a/lib/osml/model_runner/mr_dataplane.ts b/lib/osml/model_runner/mr_dataplane.ts
@@ -3,7 +3,7 @@
  */
 
 import { EcsIsoServiceAutoscaler } from "@cdklabs/cdk-enterprise-iac";
-import { Duration, region_info, RemovalPolicy } from "aws-cdk-lib";
+import { Duration, RemovalPolicy } from "aws-cdk-lib";
 import {
   BackupPlan,
   BackupPlanRule,
@@ -22,7 +22,7 @@ import {
   Protocol,
   TaskDefinition
 } from "aws-cdk-lib/aws-ecs";
-import { Effect, IRole, PolicyStatement, Role } from "aws-cdk-lib/aws-iam";
+import { IRole, Role } from "aws-cdk-lib/aws-iam";
 import {
   CfnStream,
   Stream,
@@ -734,28 +734,6 @@ export class MRDataplane extends Construct {
       }
     );
 
-    if (props.account.isAdc) {
-      const partition: string = region_info.Fact.find(
-        props.account.region,
-        region_info.FactName.PARTITION
-      )!;
-
-      // Add permission to access fluent bit container
-      this.taskDefinition.addToExecutionRolePolicy(
-        new PolicyStatement({
-          effect: Effect.ALLOW,
-          actions: [
-            "ecr:BatchCheckLayerAvailability",
-            "ecr:GetDownloadUrlForLayer",
-            "ecr:BatchGetImage"
-          ],
-          resources: [
-            `arn:${partition}:ecr:${props.account.region}:${props.account.id}:repository/aws-for-fluent-bit`
-          ]
-        })
-      );
-    }
-
     // Setup autoscaling management for model runner
     this.buildAutoscaling(props);
 
@@ -983,7 +961,10 @@ export class MRDataplane extends Construct {
       this.taskRole = Role.fromRoleName(
         this,
         "ImportedMRECSTaskRole",
-        this.config.ECS_TASK_ROLE_NAME
+        this.config.ECS_TASK_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     } else {
       this.taskRole = new MRTaskRole(this, "MRECSTaskRole", {
@@ -993,10 +974,13 @@ export class MRDataplane extends Construct {
     }
 
     if (this.config.ECS_EXECUTION_ROLE_NAME != undefined) {
-      this.taskRole = Role.fromRoleName(
+      this.executionRole = Role.fromRoleName(
         this,
         "ImportedMRECSExecutionRole",
-        this.config.ECS_EXECUTION_ROLE_NAME
+        this.config.ECS_EXECUTION_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     } else {
       this.executionRole = new MRExecutionRole(this, "MRECSExecutionRole", {

diff --git a/lib/osml/osml_vpc.ts b/lib/osml/osml_vpc.ts
@@ -250,7 +250,10 @@ export class OSMLVpc extends Construct {
       this.flowLogRole = Role.fromRoleName(
         this,
         "ImportFlowLog",
-        this.config.IAM_FLOW_LOG_ROLE_NAME
+        this.config.IAM_FLOW_LOG_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     }
 

diff --git a/lib/osml/tile_server/ts_dataplane.ts b/lib/osml/tile_server/ts_dataplane.ts
@@ -797,7 +797,10 @@ export class TSDataplane extends Construct {
       this.taskRole = Role.fromRoleName(
         this,
         "ImportedTSECSTaskRole",
-        this.config.ECS_TASK_ROLE_NAME
+        this.config.ECS_TASK_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     } else {
       this.taskRole = new TSTaskRole(this, "TSECSTaskRole", {
@@ -810,7 +813,10 @@ export class TSDataplane extends Construct {
       this.lambdaRole = Role.fromRoleName(
         this,
         "ImportedTSLambdaRole",
-        this.config.LAMBDA_ROLE_NAME
+        this.config.LAMBDA_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     } else {
       this.lambdaRole = new TSLambdaRole(this, "TSLambdaRole", {
@@ -823,7 +829,10 @@ export class TSDataplane extends Construct {
       this.executionRole = Role.fromRoleName(
         this,
         "ImportedTSECSExecutionRole",
-        this.config.ECS_EXECUTION_ROLE_NAME
+        this.config.ECS_EXECUTION_ROLE_NAME,
+        {
+          mutable: false
+        }
       );
     } else {
       this.executionRole = new TSExecutionRole(this, "TSECSExecutionRole", {