aws-cloudformation · gimki · May 26, 2020 · May 19, 2020 · May 19, 2020 · May 20, 2020
diff --git a/aws-codeguruprofiler-profilinggroup/README.md b/aws-codeguruprofiler-profilinggroup/README.md
@@ -51,7 +51,7 @@ pre-commit run --all-files && AWS_REGION=us-east-1 mvn clean verify package
 
 5. Create a sample CloudFormation stack that defines a profiling group:
  ```
- aws cloudformation create-stack --region us-east-1 --template-body "file://sample-template.json" --stack-name "sample-profiling-group-resource-creation"
+ aws cloudformation create-stack --region us-east-1 --template-body "file://sample-template.json" --stack-name "sample-profiling-group-resource-creation" --capabilities CAPABILITY_IAM
  ```
 
 6. Validate the creation of the profiling group!

diff --git a/aws-codeguruprofiler-profilinggroup/aws-codeguruprofiler-profilinggroup.json b/aws-codeguruprofiler-profilinggroup/aws-codeguruprofiler-profilinggroup.json
@@ -6,6 +6,10 @@
  "Arn": {
  "type": "string",
  "pattern": "^arn:aws(-(cn|gov))?:[a-z-]+:(([a-z]+-)+[0-9]+):([0-9]{12}):[^.]+$"
+ },
+ "ArnIam": {
+ "type": "string",
+ "pattern": "^arn:aws(-(cn|gov))?:iam::([0-9]{12}):[^.]+$"
  }
  },
  "properties": {
@@ -16,6 +20,23 @@
  "maxLength": 255,
  "pattern": "^[\\w-]+$"
  },
+ "AgentPermissions": {
+ "description": "The agent permissions attached to this profiling group.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "Principals"
+ ],
+ "properties": {
+ "Principals": {
+ "description": "The principals for the agent permissions.",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/ArnIam"
+ }
+ }
+ }
+ },
  "Arn": {
  "description": "The Amazon Resource Name (ARN) of the specified profiling group.",
  "$ref": "#/definitions/Arn",
@@ -40,7 +61,8 @@
  "handlers": {
  "create": {
  "permissions": [
- "codeguru-profiler:CreateProfilingGroup"
+ "codeguru-profiler:CreateProfilingGroup",
+ "codeguru-profiler:PutPermission"
  ]
  },
  "read": {

diff --git a/aws-codeguruprofiler-profilinggroup/resource-role.yaml b/aws-codeguruprofiler-profilinggroup/resource-role.yaml
@@ -27,6 +27,7 @@ Resources:
  - "codeguru-profiler:DeleteProfilingGroup"
  - "codeguru-profiler:DescribeProfilingGroup"
  - "codeguru-profiler:ListProfilingGroups"
+ - "codeguru-profiler:PutPermission"
  Resource: "*"
 Outputs:
  ExecutionRoleArn:

diff --git a/aws-codeguruprofiler-profilinggroup/sample-template.json b/aws-codeguruprofiler-profilinggroup/sample-template.json
@@ -7,6 +7,43 @@
  "Properties": {
  "ProfilingGroupName": "MySampleProfilingGroup"
  }
+ },
+ "MyProfilingGroupWithAgentPermissions": {
+ "Type": "AWS::CodeGuruProfiler::ProfilingGroup",
+ "Properties": {
+ "ProfilingGroupName": "MySampleProfilingGroupWithAgentPermissions",
+ "AgentPermissions": {
+ "Principals": [
+ {
+ "Fn::GetAtt": [
+ "MyProfilingGroupRole",
+ "Arn"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "MyProfilingGroupRole": {
+ "Type": "AWS::IAM::Role",
+ "Properties": {
+ "AssumeRolePolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": [
+ "ec2.amazonaws.com"
+ ]
+ },
+ "Action": [
+ "sts:AssumeRole"
+ ]
+ }
+ ]
+ }
+ }
  }
  },
  "Outputs": {

diff --git a/...inggroup/src/main/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandler.java b/...inggroup/src/main/java/software/amazon/codeguruprofiler/profilinggroup/CreateHandler.java
@@ -1,9 +1,12 @@
 package software.amazon.codeguruprofiler.profilinggroup;
 
 import software.amazon.awssdk.services.codeguruprofiler.CodeGuruProfilerClient;
+import software.amazon.awssdk.services.codeguruprofiler.model.CodeGuruProfilerException;
 import software.amazon.awssdk.services.codeguruprofiler.model.ConflictException;
 import software.amazon.awssdk.services.codeguruprofiler.model.CreateProfilingGroupRequest;
+import software.amazon.awssdk.services.codeguruprofiler.model.DeleteProfilingGroupRequest;
 import software.amazon.awssdk.services.codeguruprofiler.model.InternalServerException;
+import software.amazon.awssdk.services.codeguruprofiler.model.PutPermissionRequest;
 import software.amazon.awssdk.services.codeguruprofiler.model.ServiceQuotaExceededException;
 import software.amazon.awssdk.services.codeguruprofiler.model.ThrottlingException;
 import software.amazon.awssdk.services.codeguruprofiler.model.ValidationException;
@@ -17,6 +20,12 @@
 import software.amazon.cloudformation.proxy.ProgressEvent;
 import software.amazon.cloudformation.proxy.ResourceHandlerRequest;
 
+import java.util.List;
+import java.util.Optional;
+
+import static java.lang.String.format;
+import static software.amazon.awssdk.services.codeguruprofiler.model.ActionGroup.AGENT_PERMISSIONS;
+
 public class CreateHandler extends BaseHandler<CallbackContext> {
 
  private final CodeGuruProfilerClient profilerClient = CodeGuruProfilerClientBuilder.create();
@@ -28,21 +37,67 @@ public ProgressEvent<ResourceModel, CallbackContext> handleRequest(
  final CallbackContext callbackContext,
  final Logger logger) {
 
- final ResourceModel model = request.getDesiredResourceState();
  final String awsAccountId = request.getAwsAccountId();
- final String idempotencyToken = request.getClientRequestToken();
-
- try {
- CreateProfilingGroupRequest createProfilingGroupRequest = CreateProfilingGroupRequest.builder()
- .profilingGroupName(model.getProfilingGroupName())
- .clientToken(idempotencyToken)
- .build();
+ final ResourceModel model = request.getDesiredResourceState();
+ final String pgName = model.getProfilingGroupName();
 
+ CreateProfilingGroupRequest createProfilingGroupRequest = CreateProfilingGroupRequest.builder()
+ .profilingGroupName(pgName)
+ .clientToken(request.getClientRequestToken())
+ .build();
+ safelyInvokeApi(() -> {
  proxy.injectCredentialsAndInvokeV2(createProfilingGroupRequest, profilerClient::createProfilingGroup);
+ });
+ logger.log(format("%s [%s] for accountId [%s] has been successfully created!", ResourceModel.TYPE_NAME, pgName, awsAccountId));
 
- logger.log(String.format("%s [%s] for accountId [%s] has been successfully created!", ResourceModel.TYPE_NAME, model.getProfilingGroupName(), awsAccountId));
+ Optional<List<String>> principals = principalsForAgentPermissionsFrom(model);
+ if (principals.isPresent()) {
+ putAgentPermissions(proxy, logger, pgName, principals.get(), awsAccountId);
+ logger.log(format("%s [%s] for accountId [%s] has been successfully updated with agent permissions!",
+ ResourceModel.TYPE_NAME, pgName, awsAccountId));
+ }
+
+ return ProgressEvent.defaultSuccessHandler(model);
+ }
 
- return ProgressEvent.defaultSuccessHandler(model);
+ private void putAgentPermissions(final AmazonWebServicesClientProxy proxy, final Logger logger,
+ final String pgName, final List<String> principals, final String awsAccountId) {
+ PutPermissionRequest putPermissionRequest = PutPermissionRequest.builder()
+ .profilingGroupName(pgName)
+ .actionGroup(AGENT_PERMISSIONS)
+ .principals(principals)
+ .build();
+
+ safelyInvokeApi(() -> {
+ try {
+ proxy.injectCredentialsAndInvokeV2(putPermissionRequest, profilerClient::putPermission);
+ } catch (CodeGuruProfilerException putPermissionException) {
+ logger.log(format("%s [%s] for accountId [%s] has failed when updating the agent permissions, trying to delete the profiling group!",
+ ResourceModel.TYPE_NAME, pgName, awsAccountId));
+ deleteProfilingGroup(proxy, logger, pgName, awsAccountId, putPermissionException);
+ throw putPermissionException;
+ }
+ });
+ }
+
+ private void deleteProfilingGroup(AmazonWebServicesClientProxy proxy, Logger logger,
+ String pgName, String awsAccountId, CodeGuruProfilerException putPermissionException) {
+ DeleteProfilingGroupRequest deletePgRequest = DeleteProfilingGroupRequest.builder().profilingGroupName(pgName).build();
+ try {
+ proxy.injectCredentialsAndInvokeV2(deletePgRequest, profilerClient::deleteProfilingGroup);
+ logger.log(format("%s [%s] for accountId [%s] has succeeded when deleting the profiling group!",
+ ResourceModel.TYPE_NAME, pgName, awsAccountId));
+ } catch (CodeGuruProfilerException deleteException) {
+ logger.log(format("%s [%s] for accountId [%s] has failed when deleting the profiling group!",
+ ResourceModel.TYPE_NAME, pgName, awsAccountId));
+ putPermissionException.addSuppressed(deleteException);
+ throw putPermissionException;
+ }
+ }
+
+ private static void safelyInvokeApi(final Runnable lambda) {
+ try {
+ lambda.run();
  } catch (ConflictException e) {
  throw new CfnAlreadyExistsException(e);
  } catch (InternalServerException e) {
@@ -55,4 +110,14 @@ public ProgressEvent<ResourceModel, CallbackContext> handleRequest(
  throw new CfnInvalidRequestException(ResourceModel.TYPE_NAME + e.getMessage(), e);
  }
  }
+
+ private static Optional<List<String>> principalsForAgentPermissionsFrom(final ResourceModel model) {
+ if (model.getAgentPermissions() == null) {
+ return Optional.empty();
+ }
+ if (model.getAgentPermissions().getPrincipals() == null) {
+ return Optional.empty();
+ }
+ return Optional.of(model.getAgentPermissions().getPrincipals());
+ }
 }