Fix EC2 node deployment invoker role mixup (#33)

* Add an explicit Invoker Role separate from the Instance Role This makes it simpler to understand the relationship between Restate's runtime role and the invoker role which is only used for remote invocations. This also keeps the role chaining more consistent with other environments like Restate Cloud, where customers manage the Invoker Role directly. Fixes: #32 * Update dependencies
restatedev · Aug 8, 2024 · e6d9f92 · e6d9f92
1 parent 1c0e702
commit e6d9f92
Show file tree

Hide file tree

Showing 4 changed files with 452 additions and 248 deletions.
diff --git a/lib/restate-constructs/single-node-restate-deployment.ts b/lib/restate-constructs/single-node-restate-deployment.ts
@@ -63,6 +63,7 @@ export interface SingleNodeRestateProps {
  */
 export class SingleNodeRestateDeployment extends Construct implements IRestateEnvironment {
   readonly instance: ec2.Instance;
+  readonly instanceRole: iam.IRole;
   readonly invokerRole: iam.IRole;
   readonly vpc: ec2.IVpc;
 
@@ -74,19 +75,33 @@ export class SingleNodeRestateDeployment extends Construct implements IRestateEn
 
     this.vpc = props.vpc ?? ec2.Vpc.fromLookup(this, "Vpc", { isDefault: true });
 
-    this.invokerRole = new iam.Role(this, "InstanceRole", {
+    this.instanceRole = new iam.Role(this, "InstanceRole", {
       assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
       managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore")],
     });
 
+    this.invokerRole = new iam.Role(this, "InvokerRole", {
+      assumedBy: this.instanceRole,
+    });
+
+    new iam.Policy(this, "AssumeInvokerRolePolicy", {
+      statements: [
+        new iam.PolicyStatement({
+          sid: "AllowAssumeInvokerRole",
+          actions: ["sts:AssumeRole"],
+          resources: [this.invokerRole.roleArn],
+        }),
+      ],
+    }).attachToRole(this.instanceRole);
+
     const logGroup =
       props.logGroup ??
       new logs.LogGroup(this, "Logs", {
         logGroupName: `/restate/${id}`,
         retention: RetentionDays.ONE_MONTH,
         removalPolicy: props.removalPolicy ?? RemovalPolicy.DESTROY,
       });
-    logGroup.grantWrite(this.invokerRole);
+    logGroup.grantWrite(this.instanceRole);
 
     const restateImage = props.restateImage ?? RESTATE_IMAGE_DEFAULT;
     const restateTag = props.restateTag ?? RESTATE_DOCKER_DEFAULT_TAG;
@@ -130,7 +145,7 @@ export class SingleNodeRestateDeployment extends Construct implements IRestateEn
       machineImage: ec2.MachineImage.latestAmazonLinux2023({
         cpuType: ec2.AmazonLinuxCpuType.ARM_64,
       }),
-      role: this.invokerRole,
+      role: this.instanceRole,
       userData: restateInitCommands,
     });
     this.instance = restateInstance;