fix: add condition for trust policy to execution (#365)

* feat: upgrade to CDK v2  (#343)

* move to cdkv2

* e2e utils

* fix for cdk-nag for cdkv2

* fix e2e

* fix API.md

* Force delete retry

* chore: self mutation

* fix: change the layer version for batch replayer to match python 3.9 runtime

* chore: self mutation

Co-authored-by: Florian Chazal <[email protected]>
Co-authored-by: Lotfi Mouhib <[email protected]>
Co-authored-by: Automation <[email protected]>
Co-authored-by: Vincent Gromakowski <[email protected]>

* fix: emr eks instance profile name (#354)

* fix: notebookplatform fix for type mismatch (#353)

* fix: resolve issue failing the deployment of managedendpoint

* fix: adding e2e test for notebook-platform.ts

* fix: add managednode groups for notebook platform without podtempalte labels

* fix: add default version for emr on eks to be used if no version is provided in the managedendpoint definition

* fix: amend the unit tests to pass the tests. Added the new nodegroup -notebookwithoutpodtemplate-

Co-authored-by: Lotfi Mouhib <[email protected]>

* fix: remove non unique rolename for emr on eks instance profile

* fix: upgrade the EMR default version

* fix: notebookplatform fix for type mismatch (#353)

* fix: resolve issue failing the deployment of managedendpoint

* fix: adding e2e test for notebook-platform.ts

* fix: add managednode groups for notebook platform without podtempalte labels

* fix: add default version for emr on eks to be used if no version is provided in the managedendpoint definition

* fix: amend the unit tests to pass the tests. Added the new nodegroup -notebookwithoutpodtemplate-

Co-authored-by: Lotfi Mouhib <[email protected]>

* fixing tests

* chore: self mutation

Co-authored-by: lmouhib <[email protected]>
Co-authored-by: Lotfi Mouhib <[email protected]>
Co-authored-by: Automation <[email protected]>

* feat: batch replayer v2 (#362)

* change BatchReplayer to support requester pay and regional dataset location

* add requester pay to batchreplayer

* chore: self mutation

Co-authored-by: Automation <[email protected]>

* fix: iam scoping -not finished yet code does not synth-

* fix: iam scoping for execution role

* fix: add base 36 conversion library to THIRD-PARTY-LICENSES

* fix: add yarn lock and fix unit tests

* doc: add documentation

* chore: self mutation

Co-authored-by: Florian Chazal <[email protected]>
Co-authored-by: Florian Chazal <[email protected]>
Co-authored-by: Automation <[email protected]>
Co-authored-by: Vincent Gromakowski <[email protected]>
Co-authored-by: Vincent Gromakowski <[email protected]>

Author: 5 people

core/.projen/deps.json

@@ -83,6 +83,7 @@ const project = new awscdk.AwsCdkConstructLibrary({
     'uuid',
     'aws-sdk',
     '@exodus/schemasafe',
+    'simple-base',
   ],
 
   python: {

core/.projen/tasks.json

@@ -2627,7 +2627,7 @@ the EmrEksNodegroup [properties]{@link EmrEksNodegroupOptions}.
 ##### `createExecutionRole` <a name="createExecutionRole" id="aws-analytics-reference-architecture.EmrEksCluster.createExecutionRole"></a>
 
 ```typescript
-public createExecutionRole(scope: Construct, id: string, policy: IManagedPolicy, name?: string): Role
+public createExecutionRole(scope: Construct, id: string, policy: IManagedPolicy, namespace: string, name: string): Role
 ```
 
 Create and configure a new Amazon IAM Role usable as an execution role.
@@ -2658,11 +2658,21 @@ the execution policy to attach to the role.
 
 ---
 
-###### `name`<sup>Optional</sup> <a name="name" id="aws-analytics-reference-architecture.EmrEksCluster.createExecutionRole.parameter.name"></a>
+###### `namespace`<sup>Required</sup> <a name="namespace" id="aws-analytics-reference-architecture.EmrEksCluster.createExecutionRole.parameter.namespace"></a>
 
 - *Type:* string
 
-for the Managed Endpoint.
+The namespace from which the role is going to be used.
+
+MUST be the same as the namespace of the Virtual Cluster from which the job is submitted
+
+---
+
+###### `name`<sup>Required</sup> <a name="name" id="aws-analytics-reference-architecture.EmrEksCluster.createExecutionRole.parameter.name"></a>
+
+- *Type:* string
+
+Name to use for the role, required and is used to scope the iam role.
 
 ---
 

core/.projenrc.js

@@ -0,0 +1,75 @@
+** @exodus/schemasafe -- https://github.com/ExodusMovement/schemasafe
+
+Copyright (c) 2014 Mathias Buus
+Copyright (c) 2020 Exodus Movement
+
+The MIT License
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the 'Software'), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+------
+
+** Geekoosh/flyway-lambda -- https://github.com/Geekoosh/flyway-lambda
+
+MIT License
+
+Copyright (c) 2021 Assaf Kamil
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+------
+
+** g-plane/simple-base -- https://github.com/g-plane/simple-base
+
+MIT License
+
+Copyright (c) 2017-present Pig Fang
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

core/API.md

@@ -1,2 +1,2 @@
 export { BatchReplayerProps, BatchReplayer } from './batch-replayer';
-export { PreparedDataset, PreparedDatasetProps } from './prepared-dataset';
+export { PreparedDataset, PreparedDatasetProps } from './prepared-dataset';

core/THIRD-PARTY-LICENSES

@@ -27,7 +27,7 @@ import {
 import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs';
 import { Bucket, BucketEncryption, Location } from 'aws-cdk-lib/aws-s3';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
-import { Aws, CfnOutput, CustomResource, Duration, Fn, Stack, Tags, RemovalPolicy } from 'aws-cdk-lib';
+import { Aws, CfnOutput, CustomResource, Duration, Fn, Stack, Tags, RemovalPolicy, CfnJson } from 'aws-cdk-lib';
 import { AraBucket } from '../ara-bucket';
 import { SingletonKey } from '../singleton-kms-key';
 import { SingletonCfnLaunchTemplate } from '../singleton-launch-template';
@@ -36,6 +36,7 @@ import { EmrEksNodegroup, EmrEksNodegroupOptions } from './emr-eks-nodegroup';
 import { EmrEksNodegroupAsgTagProvider } from './emr-eks-nodegroup-asg-tag';
 import { EmrManagedEndpointOptions, EmrManagedEndpointProvider } from './emr-managed-endpoint';
 import { EmrVirtualClusterOptions } from './emr-virtual-cluster';
+import * as SimpleBase from 'simple-base';
 import * as configOverrideSchema from './resources/k8s/emr-eks-config/config-override-schema.json';
 import * as CriticalDefaultConfig from './resources/k8s/emr-eks-config/critical.json';
 import * as NotebookDefaultConfig from './resources/k8s/emr-eks-config/notebook.json';
@@ -175,7 +176,6 @@ export class EmrEksCluster extends TrackedConstruct {
   private readonly awsNodeRole: Role;
   private readonly ec2InstanceNodeGroupRole: Role;
   private readonly defaultNodeGroups: boolean;
-
   /**
    * Constructs a new instance of the EmrEksCluster construct.
    * @param {Construct} scope the Scope of the CDK Construct
@@ -900,15 +900,27 @@ ${userData.join('\r\n')}
    * @param {Construct} scope of the IAM role
    * @param {string} id of the CDK resource to be created, it should be unique across the stack
    * @param {IManagedPolicy} policy the execution policy to attach to the role
-   * @param {string} name for the Managed Endpoint
+   * @param {string} namespace The namespace from which the role is going to be used. MUST be the same as the namespace of the Virtual Cluster from which the job is submitted
+   * @param {string} name Name to use for the role, required and is used to scope the iam role
    */
-  public createExecutionRole(scope: Construct, id: string, policy: IManagedPolicy, name?: string): Role {
+  public createExecutionRole(scope: Construct, id: string, policy: IManagedPolicy, namespace: string, name: string): Role {
 
     const stack = Stack.of(this);
 
+    let irsaConditionkey: CfnJson = new CfnJson(this, 'irsaConditionkey', {
+      value: {
+        [`${this.eksCluster.openIdConnectProvider.openIdConnectProviderIssuer}:sub`]: 'system:serviceaccount:' + namespace + ':emr-containers-sa-*-*-' + Aws.ACCOUNT_ID.toString() +'-'+ SimpleBase.base36.encode(name),
+      },
+    });
+
     // Create an execution role assumable by EKS OIDC provider
     return new Role(scope, `${id}ExecutionRole`, {
-      assumedBy: this.eksOidcProvider,
+      assumedBy: new FederatedPrincipal(
+        this.eksCluster.openIdConnectProvider.openIdConnectProviderArn,
+        {
+          StringLike: irsaConditionkey,
+        },
+        'sts:AssumeRoleWithWebIdentity'),
       roleName: name ? name : undefined,
       managedPolicies: [policy],
       inlinePolicies: {

core/package.json

@@ -186,6 +186,7 @@ export class NotebookPlatform extends TrackedConstruct {
   private readonly federatedIdPARN : string | undefined;
   private readonly authMode :string;
   private studioServiceRole: IRole;
+  private vcNamespace: string;
 
   /**
    * @public
@@ -208,6 +209,7 @@ export class NotebookPlatform extends TrackedConstruct {
     this.studioSubnetList = [];
     this.managedEndpointExecutionPolicyArnMapping = new Map<string, string>();
     this.authMode = props.studioAuthMode;
+    this.vcNamespace = props.eksNamespace ? props.eksNamespace : 'default';
 
     if (props.idpArn !== undefined) {
       this.federatedIdPARN = props.idpArn;
@@ -392,6 +394,8 @@ export class NotebookPlatform extends TrackedConstruct {
                 this,
                 `${user.identityName}${index}`,
                 notebookManagedEndpoint.executionPolicy,
+                this.vcNamespace,
+                `${endpointName}-execRole`,
               ),
               emrOnEksVersion: emrOnEksVersion ? emrOnEksVersion : NotebookPlatform.DEFAULT_EMR_VERSION,
               configurationOverrides: configOverride ? configOverride : undefined,

core/src/data-generator/index.ts

@@ -30,7 +30,7 @@ const policy = new ManagedPolicy(emrEksClusterStack, 'testPolicy', {
     ],
   }),
 });
-cluster.createExecutionRole(emrEksClusterStack, 'test', policy);
+cluster.createExecutionRole(emrEksClusterStack, 'test', policy, 'default', 'myExecRole');
 const template = Template.fromStack(emrEksClusterStack);
 
 test('EKS cluster created with correct version and name', () => {