fix(stepfunctions-tasks): updated EMR service role to use `AmazonEMRS…

…ervicePolicy_v2` (under feature flag) (#23985) Closes #23915 **Summary** Changed EMR used policies from `AmazonElasticMapReduceRole` to `AmazonEMRServicePolicy_v2` as by [documentation](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html). *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Mar 24, 2023 · f3fd183 · f3fd183
1 parent 02c9d98
commit f3fd183
Show file tree

Hide file tree

Showing 24 changed files with 1,507 additions and 1 deletion.
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/emr/emr-create-cluster.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/emr/emr-create-cluster.ts
@@ -1,6 +1,7 @@
 import * as iam from '@aws-cdk/aws-iam';
 import * as sfn from '@aws-cdk/aws-stepfunctions';
 import * as cdk from '@aws-cdk/core';
+import { ENABLE_EMR_SERVICE_POLICY_V2 } from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
 import {
   ApplicationConfigPropertyToJson,
@@ -340,6 +341,16 @@ export class EmrCreateCluster extends sfn.TaskStateBase {
    * Generate the Role used by the EMR Service
    */
   private createServiceRole(): iam.IRole {
+    if (cdk.FeatureFlags.of(this).isEnabled(ENABLE_EMR_SERVICE_POLICY_V2)) {
+      return new iam.Role(this, 'ServiceRole', {
+        assumedBy: new iam.ServicePrincipal('elasticmapreduce.amazonaws.com', {
+          conditions: {
+            StringEquals: { 'aws:RequestTag/for-use-with-amazon-emr-managed-policies': 'true' },
+          },
+        }),
+        managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonEMRServicePolicy_v2')],
+      });
+    }
     return new iam.Role(this, 'ServiceRole', {
       assumedBy: new iam.ServicePrincipal('elasticmapreduce.amazonaws.com'),
       managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonElasticMapReduceRole')],

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/package.json b/packages/@aws-cdk/aws-stepfunctions-tasks/package.json
@@ -116,6 +116,7 @@
     "@aws-cdk/aws-stepfunctions": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/custom-resources": "0.0.0",
+    "@aws-cdk/cx-api": "^0.0.0",
     "@aws-cdk/lambda-layer-awscli": "0.0.0",
     "constructs": "^10.0.0"
   },

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/emr/emr-create-cluster.test.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/test/emr/emr-create-cluster.test.ts
@@ -2,6 +2,8 @@ import { Template } from '@aws-cdk/assertions';
 import * as iam from '@aws-cdk/aws-iam';
 import * as sfn from '@aws-cdk/aws-stepfunctions';
 import * as cdk from '@aws-cdk/core';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { ENABLE_EMR_SERVICE_POLICY_V2 } from '@aws-cdk/cx-api';
 import { EmrCreateCluster } from '../../lib';
 
 let stack: cdk.Stack;
@@ -681,7 +683,92 @@ test('Create Cluster without Roles', () => {
       ],
     },
   });
+});
+
+test('Create Cluster with AmazonElasticMapReduceRole managed policies', () => {
+  // WHEN
+  const app = new cdk.App({ context: { [ENABLE_EMR_SERVICE_POLICY_V2]: false } });
+  const newStack = new cdk.Stack(app, 'NewStack');
+
+  new EmrCreateCluster(newStack, 'Task', {
+    instances: {},
+    name: 'Cluster',
+    integrationPattern: sfn.IntegrationPattern.RUN_JOB,
+  });
+
+  // THEN
+  Template.fromStack(newStack).hasResourceProperties('AWS::IAM::Role', {
+    AssumeRolePolicyDocument: {
+      Version: '2012-10-17',
+      Statement: [
+        {
+          Principal: { Service: 'elasticmapreduce.amazonaws.com' },
+          Action: 'sts:AssumeRole',
+          Effect: 'Allow',
+        },
+      ],
+    },
+    ManagedPolicyArns: [
+      {
+        'Fn::Join': [
+          '',
+          [
+            'arn:',
+            {
+              Ref: 'AWS::Partition',
+            },
+            ':iam::aws:policy/service-role/AmazonElasticMapReduceRole',
+          ],
+        ],
+      },
+    ],
+  });
+});
 
+
+test('Create Cluster with AmazonEMRServicePolicy_v2 managed policies', () => {
+  // WHEN
+  const app = new cdk.App({ context: { [ENABLE_EMR_SERVICE_POLICY_V2]: true } });
+  const newStack = new cdk.Stack(app, 'NewStack');
+
+  new EmrCreateCluster(newStack, 'Task', {
+    instances: {},
+    name: 'Cluster',
+    integrationPattern: sfn.IntegrationPattern.RUN_JOB,
+  });
+
+  // THEN
+  Template.fromStack(newStack).hasResourceProperties('AWS::IAM::Role', {
+    AssumeRolePolicyDocument: {
+      Version: '2012-10-17',
+      Statement: [
+        {
+          Principal: { Service: 'elasticmapreduce.amazonaws.com' },
+          Action: 'sts:AssumeRole',
+          Effect: 'Allow',
+          Condition: {
+            StringEquals: {
+              'aws:RequestTag/for-use-with-amazon-emr-managed-policies': 'true',
+            },
+          },
+        },
+      ],
+    },
+    ManagedPolicyArns: [
+      {
+        'Fn::Join': [
+          '',
+          [
+            'arn:',
+            {
+              Ref: 'AWS::Partition',
+            },
+            ':iam::aws:policy/service-role/AmazonEMRServicePolicy_v2',
+          ],
+        ],
+      },
+    ],
+  });
 });
 
 test('Create Cluster with Instances configuration', () => {

diff --git a/...ith-v1-policy.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json b/...ith-v1-policy.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "30.1.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...h-v1-policy.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json b/...h-v1-policy.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...nteg.emr-create-cluster-with-v1-policy.js.snapshot/aws-cdk-emr-create-cluster.assets.json b/...nteg.emr-create-cluster-with-v1-policy.js.snapshot/aws-cdk-emr-create-cluster.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "30.1.0",
+  "files": {
+    "0469b61284a24ccea8f9d02b4cd584ade969ef4c117cd51be3ce5576365f73cd": {
+      "source": {
+        "path": "aws-cdk-emr-create-cluster.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "0469b61284a24ccea8f9d02b4cd584ade969ef4c117cd51be3ce5576365f73cd.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...eg.emr-create-cluster-with-v1-policy.js.snapshot/aws-cdk-emr-create-cluster.template.json b/...eg.emr-create-cluster-with-v1-policy.js.snapshot/aws-cdk-emr-create-cluster.template.json
@@ -0,0 +1,138 @@
+{
+ "Resources": {
+  "EmrCreateClusterServiceRole5251910D": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Condition": {
+        "StringEquals": {
+         "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "elasticmapreduce.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AmazonEMRServicePolicy_v2"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "EmrCreateClusterInstanceRoleC80466F5": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "ec2.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "EmrCreateClusterInstanceProfileC1729180": {
+   "Type": "AWS::IAM::InstanceProfile",
+   "Properties": {
+    "Roles": [
+     {
+      "Ref": "EmrCreateClusterInstanceRoleC80466F5"
+     }
+    ],
+    "InstanceProfileName": {
+     "Ref": "EmrCreateClusterInstanceRoleC80466F5"
+    }
+   }
+  },
+  "EmrCreateClusterAutoScalingRoleFDDAF4E2": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": [
+         "application-autoscaling.amazonaws.com",
+         "elasticmapreduce.amazonaws.com"
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole"
+       ]
+      ]
+     }
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-v1-policy.js.snapshot/cdk.out b/...-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-v1-policy.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"30.1.0"}
diff --git a/...epfunctions-tasks/test/emr/integ.emr-create-cluster-with-v1-policy.js.snapshot/integ.json b/...epfunctions-tasks/test/emr/integ.emr-create-cluster-with-v1-policy.js.snapshot/integ.json
@@ -0,0 +1,12 @@
+{
+  "version": "30.1.0",
+  "testCases": {
+    "EmrCreateClusterTest/DefaultTest": {
+      "stacks": [
+        "aws-cdk-emr-create-cluster"
+      ],
+      "assertionStack": "EmrCreateClusterTest/DefaultTest/DeployAssert",
+      "assertionStackName": "EmrCreateClusterTestDefaultTestDeployAssert697DC891"
+    }
+  }
+}