Rstudio AppStream integration

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml

@@ -97,6 +97,11 @@ Parameters:
     AllowedValues: [ALWAYS_ON, ON_DEMAND]
     Default: ON_DEMAND
 
+  DomainName:
+    Description: Optional custom Domain name to be created in Route53
+    Type: String
+    Default: ''
+
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -119,7 +124,20 @@ Conditions:
     - !Ref EnableAppStream
     - true
   isNotAppStream: !Not [Condition: isAppStream]
+  isAppStreamAndCustomDomain: !And
+    - !Not [!Equals [!Ref "DomainName", ""]]
+    - !Condition isAppStream
+
 Resources:
+  Route53HostedZone:
+    Type: AWS::Route53::HostedZone
+    Condition: isAppStreamAndCustomDomain
+    Properties:
+      Name: !Ref DomainName
+      VPCs:
+        - VPCId: !Ref VPC
+          VPCRegion: !Ref "AWS::Region"
+
   # A role used for launching environments using AWS Service Catalog
   # This is the role that code (ApiHandlerLambda and WorkflowLoopRunnerLambda) in central account
   # assumes before performing any AWS Service Catalog interactions in this account (the on-boarded account)
@@ -244,6 +262,17 @@ Resources:
                 Resource:
                   - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${LaunchConstraintRolePrefix}LaunchConstraint'
                   - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*presigned-url-sagemaker-notebook-role'
+        - !If
+          - isAppStreamAndCustomDomain
+          - PolicyName: route53-access
+            PolicyDocument:
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - route53:ChangeResourceRecordSets
+                  Resource:
+                    - !Sub 'arn:aws:route53:::hostedzone/${Route53HostedZone}'
+          - !Ref 'AWS::NoValue'
       PermissionsBoundary: !Ref CrossAccountEnvMgmtPermissionsBoundary
 
   CrossAccountEnvMgmtPermissionsBoundary:
@@ -317,6 +346,14 @@ Resources:
               - iam:ListRoles
               - iam:ListUsers
             Resource: '*' # These non-mutating IAM actions cover the permissions in managed policy AWSServiceCatalogAdminFullAccess
+          - !If
+            - isAppStreamAndCustomDomain
+            - Effect: Allow
+              Action:
+                - route53:ChangeResourceRecordSets
+              Resource:
+                - !Sub 'arn:aws:route53:::hostedzone/${Route53HostedZone}'
+            - !Ref 'AWS::NoValue'
 
   PolicyCrossAccountExecution:
     Type: AWS::IAM::ManagedPolicy
@@ -675,6 +712,17 @@ Resources:
         - SourceSecurityGroupId: !GetAtt VPC.DefaultSecurityGroup
           IpProtocol: '-1'
 
+  SSMEndpoint:
+    Type: 'AWS::EC2::VPCEndpoint'
+    Condition: isAppStreamAndCustomDomain
+    Properties:
+      SubnetIds:
+        - !Ref PrivateWorkspaceSubnet
+      VpcEndpointType: Interface
+      PrivateDnsEnabled: true
+      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
+      VpcId: !Ref VPC
+
     # https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-endpoint.html
   SagemakerNotebookEndpoint:
     Type: 'AWS::EC2::VPCEndpoint'
@@ -866,3 +914,8 @@ Outputs:
     Value: !Ref SagemakerNotebookEndpoint
     Export:
       Name: !Join ['', [Ref: Namespace, '-SageMakerVPCE']]
+
+  Route53HostedZone:
+    Description: Route53 hosted zone
+    Condition: isAppStreamAndCustomDomain
+    Value: !Ref Route53HostedZone

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-rstudio-instance.cfn.yml

@@ -26,6 +26,7 @@ Parameters:
   AccessFromCIDRBlock:
     Type: String
     Description: The CIDR used to access the ec2 instances.
+    Default: 10.0.0.0/19
   S3Mounts:
     Type: String
     Description: A JSON array of objects with name, bucket, and prefix properties used to mount data
@@ -150,35 +151,43 @@ Resources:
           FromPort: 0
           ToPort: 65535
           CidrIp: 0.0.0.0/0
-        - IpProtocol: icmp
-          FromPort: -1
-          ToPort: -1
-          CidrIp: !Ref AccessFromCIDRBlock
+        - !If
+          - AppStreamEnabled
+          - !Ref "AWS::NoValue"
+          - IpProtocol: icmp
+            FromPort: -1
+            ToPort: -1
+            CidrIp: !Ref AccessFromCIDRBlock
         - !If
           - AppStreamEnabled
           - DestinationSecurityGroupId:
               Fn::ImportValue: !Sub "${SolutionNamespace}-CfnEndpointSecurityGroup"
             IpProtocol: '-1'
           - !Ref "AWS::NoValue"
       SecurityGroupIngress:
-        - IpProtocol: tcp
-          FromPort: 22
-          ToPort: 22
-          CidrIp: !Ref AccessFromCIDRBlock
-        - IpProtocol: tcp
-          FromPort: 80
-          ToPort: 80
-          CidrIp: !Ref AccessFromCIDRBlock
-        - IpProtocol: tcp
-          FromPort: 443
-          ToPort: 443
-          CidrIp: !Ref AccessFromCIDRBlock
         - !If
           - AppStreamEnabled
           - SourceSecurityGroupId:
               Fn::ImportValue: !Sub "${SolutionNamespace}-SwbAppStreamSG"
             IpProtocol: '-1'
+          - IpProtocol: tcp
+            FromPort: 22
+            ToPort: 22
+            CidrIp: !Ref AccessFromCIDRBlock
+        - !If
+          - AppStreamEnabled
+          - !Ref "AWS::NoValue"
+          - IpProtocol: tcp
+            FromPort: 80
+            ToPort: 80
+            CidrIp: !Ref AccessFromCIDRBlock
+        - !If
+          - AppStreamEnabled
           - !Ref "AWS::NoValue"
+          - IpProtocol: tcp
+            FromPort: 443
+            ToPort: 443
+            CidrIp: !Ref AccessFromCIDRBlock
       Tags:
         - Key: Name
           Value: !Join ['-', [Ref: Namespace, 'ec2-sg']]
@@ -237,6 +246,10 @@ Outputs:
     Description: Public IP address of the EC2 workspace instance
     Value: !GetAtt [EC2Instance, PublicIp]
 
+  Ec2WorkspacePrivateIp:
+    Description: Public IP address of the EC2 workspace instance
+    Value: !GetAtt [EC2Instance, PrivateIp]
+
   Ec2WorkspaceInstanceId:
     Description: Instance Id for the EC2 workspace instance
     Value: !Ref EC2Instance

addons/addon-base-raas/packages/base-raas-services/lib/aws-accounts/__tests__/aws-accounts-service.test.js

@@ -207,6 +207,23 @@ describe('AwsAccountService', () => {
       expect(dbService.table.update).toHaveBeenCalled();
     });
 
+    it('should save awsAccount if it has hostedzone', async () => {
+      // BUILD
+      const requestContext = {};
+      awsAccount.route53HostedZone = 'HOSTEDZONE123';
+      service.updateEnvironmentInstanceFilesBucketPolicy = jest.fn();
+      uuidMock.mockReturnValueOnce('abc-123-456');
+
+      // OPERATE
+      await service.create(requestContext, awsAccount);
+
+      // CHECK
+      expect(dbService.table.condition).toHaveBeenCalledWith('attribute_not_exists(id)');
+      expect(dbService.table.key).toHaveBeenCalledWith({ id: 'abc-123-456' });
+      expect(dbService.table.item).toHaveBeenCalledWith(expect.objectContaining(awsAccount));
+      expect(dbService.table.update).toHaveBeenCalled();
+    });
+
     it('should update the bucket policy', async () => {
       // BUILD
       const requestContext = {};
@@ -359,6 +376,21 @@ describe('AwsAccountService', () => {
       expect(dbService.table.update).toHaveBeenCalled();
     });
 
+    it('should update awsAccount with HostedZone', async () => {
+      // BUILD
+      awsAccount.route53HostedZone = 'HOSTEDZONE123';
+      const requestContext = { username: 'oneUser' };
+      service.updateEnvironmentInstanceFilesBucketPolicy = jest.fn();
+
+      // OPERATE
+      await service.update(requestContext, awsAccount);
+
+      // CHECK
+      expect(dbService.table.condition).toHaveBeenCalledWith('attribute_exists(id)');
+      expect(dbService.table.key).toHaveBeenCalledWith({ id: 'xyz' });
+      expect(dbService.table.update).toHaveBeenCalled();
+    });
+
     it('should save an audit record', async () => {
       // BUILD
       const requestContext = {};