
Commit 204ff19

Author: Lenox Hsu (committed)
Merge branch 'fix/modify-efs-FSxL-recipes' into 'develop'
fix: allow efs and FSxL to associate with an optionally provided sg and make efs TLS statement optional

See merge request mwvaughn/aws-hpc-recipes!158
2 parents 14adaaa + d5abeb3 commit 204ff19

File tree

2 files changed

+214
-21
lines changed


recipes/storage/efs_simple/assets/main.yaml

Lines changed: 116 additions & 16 deletions
@@ -9,12 +9,14 @@ Metadata:
99
Parameters:
1010
- AutomaticBackups
1111
- ThroughputMode
12+
- EnforceTLS
1213
- Label:
1314
default: Networking and Access
1415
Parameters:
1516
- VpcId
1617
- SubnetIds
1718
- SubnetCount
19+
- SecurityGroupName
1820

1921
Parameters:
2022
VpcId:
@@ -45,6 +47,17 @@ Parameters:
4547
AllowedValues:
4648
- "elastic"
4749
- "bursting"
50+
EnforceTLS:
51+
Description: Enforce TLS for data in transit
52+
Type: String
53+
Default: "true"
54+
AllowedValues:
55+
- "true"
56+
- "false"
57+
SecurityGroupName:
58+
Type: String
59+
Description: (Optional) An existing security group to associate to the file system. If none is provided, a new security group will be created.
60+
Default: ""
4861

4962
Conditions:
5063
1AZCondition: !Or
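Review bot: The SecurityGroupName description should state that the lookup is by group name within VpcId and must resolve to exactly one group, because an empty string is the only signal that selects the "create a new group" path; an AllowedPattern that rejects whitespace-only values would stop a stray space from silently switching a stack into lookup mode. EnforceTLS defaulting to "true" keeps the deny-by-default posture, which is the right choice for a parameter that loosens a policy.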
@@ -54,6 +67,9 @@ Conditions:
5467
- !Equals [!Ref 'SubnetCount', '2']
5568
- !Condition '3AZCondition'
5669
3AZCondition: !Equals [!Ref 'SubnetCount', '3']
70+
EnforceTLSCondition: !Equals ["true", !Ref EnforceTLS]
71+
CreateSecurityGroup: !Equals ["", !Ref SecurityGroupName]
72+
UseExistingSecurityGroup: !Not [!Equals ["", !Ref SecurityGroupName]]
5773

5874
Resources:
5975

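Review bot: UseExistingSecurityGroup restates the test already in CreateSecurityGroup; writing it as `UseExistingSecurityGroup: !Not [!Condition CreateSecurityGroup]` keeps the two conditions from drifting apart if the empty-string check is ever changed.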
@@ -80,14 +96,17 @@ Resources:
8096
Condition:
8197
Bool:
8298
'elasticfilesystem:AccessedViaMountTarget': 'true'
83-
- Sid: efs-enforce-tls
84-
Effect: Deny
85-
Principal:
86-
AWS: '*'
87-
Action: '*'
88-
Condition:
89-
Bool:
90-
'aws:SecureTransport': 'false'
99+
- !If
100+
- EnforceTLSCondition
101+
- Sid: efs-enforce-tls
102+
Effect: Deny
103+
Principal:
104+
AWS: '*'
105+
Action: '*'
106+
Condition:
107+
Bool:
108+
'aws:SecureTransport': 'false'
109+
- !Ref 'AWS::NoValue'
91110
BackupPolicy:
92111
Status: !Ref AutomaticBackups
93112
Encrypted: true
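Review bot: Dropping the efs-enforce-tls deny statement when EnforceTLS is "false" lets clients mount over plaintext NFS, and the `Encrypted: true` below still covers only data at rest; the recipe README and the parameter description ("Enforce TLS for data in transit") should say what turning it off permits so the trade-off is explicit. The `- !Ref 'AWS::NoValue'` branch removes the list entry entirely, so the Statement list stays valid when the condition is false.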
@@ -96,6 +115,7 @@ Resources:
96115
# Security group
97116
EfsSecurityGroup:
98117
Type: AWS::EC2::SecurityGroup
118+
Condition: CreateSecurityGroup
99119
Properties:
100120
GroupDescription: !Sub
101121
- 'Allows traffic to EFS filesystem ${FileSystemId}'
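Review bot: Making EfsSecurityGroup conditional requires every other reference to it to be guarded as well; this diff leaves the Outputs section untouched, so any output or rule outside these hunks that does `!Ref EfsSecurityGroup` without `Condition: CreateSecurityGroup` (or the same `!If` used for the mount targets) will fail template creation when SecurityGroupName is set. Worth checking the remainder of main.yaml before merging.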
@@ -120,7 +140,10 @@ Resources:
120140
Description: Allow incoming traffic to EFS from members of security group
121141
FromPort: 2049
122142
ToPort: 2049
123-
GroupId: !Ref EfsSecurityGroup
143+
GroupId: !If
144+
- CreateSecurityGroup
145+
- !Ref EfsSecurityGroup
146+
- !GetAtt SecurityGroupLookup.GroupId
124147
SourceSecurityGroupId: !Ref EfsClientSecurityGroup
125148

126149
EfsClientSecurityGroupOutboundRule:
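Review bot: When an existing group is supplied, this ingress rule (port 2049 from EfsClientSecurityGroup) is written into a security group the stack does not own, and it is removed again on stack delete; the SecurityGroupName description should say the stack will add rules to the supplied group so operators are not surprised by changes to a shared group.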
@@ -131,35 +154,112 @@ Resources:
131154
FromPort: 2049
132155
ToPort: 2049
133156
GroupId: !Ref EfsClientSecurityGroup
134-
DestinationSecurityGroupId: !Ref EfsSecurityGroup
157+
DestinationSecurityGroupId: !If
158+
- CreateSecurityGroup
159+
- !Ref EfsSecurityGroup
160+
- !GetAtt SecurityGroupLookup.GroupId
135161

136162
EfsMountTarget1:
137163
Type: AWS::EFS::MountTarget
138164
Condition: 1AZCondition
139165
Properties:
140166
FileSystemId: !Ref EfsFilesystem
141-
SecurityGroups:
142-
- !Ref EfsSecurityGroup
167+
SecurityGroups: !If
168+
- CreateSecurityGroup
169+
- [!Ref EfsSecurityGroup]
170+
- [!GetAtt SecurityGroupLookup.GroupId]
143171
SubnetId: !Select [ 0, !Ref SubnetIds ]
144172

145173
EfsMountTarget2:
146174
Type: AWS::EFS::MountTarget
147175
Condition: 2AZCondition
148176
Properties:
149177
FileSystemId: !Ref EfsFilesystem
150-
SecurityGroups:
151-
- !Ref EfsSecurityGroup
178+
SecurityGroups: !If
179+
- CreateSecurityGroup
180+
- [!Ref EfsSecurityGroup]
181+
- [!GetAtt SecurityGroupLookup.GroupId]
152182
SubnetId: !Select [ 1, !Ref SubnetIds ]
153183

154184
EfsMountTarget3:
155185
Type: AWS::EFS::MountTarget
156186
Condition: 3AZCondition
157187
Properties:
158188
FileSystemId: !Ref EfsFilesystem
159-
SecurityGroups:
160-
- !Ref EfsSecurityGroup
189+
SecurityGroups: !If
190+
- CreateSecurityGroup
191+
- [!Ref EfsSecurityGroup]
192+
- [!GetAtt SecurityGroupLookup.GroupId]
161193
SubnetId: !Select [ 2, !Ref SubnetIds ]
162194

195+
SecurityGroupLookup:
196+
Type: Custom::SecurityGroupLookup
197+
Condition: UseExistingSecurityGroup
198+
Properties:
199+
ServiceToken: !GetAtt SecurityGroupLookupFunction.Arn
200+
VpcId: !Ref VpcId
201+
GroupName: !Ref SecurityGroupName
202+
203+
SecurityGroupLookupRole:
204+
Type: AWS::IAM::Role
205+
Condition: UseExistingSecurityGroup
206+
Properties:
207+
AssumeRolePolicyDocument:
208+
Version: '2012-10-17'
209+
Statement:
210+
- Effect: Allow
211+
Principal:
212+
Service: lambda.amazonaws.com
213+
Action: sts:AssumeRole
214+
ManagedPolicyArns:
215+
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
216+
Policies:
217+
- PolicyName: DescribeSecurityGroups
218+
PolicyDocument:
219+
Version: '2012-10-17'
220+
Statement:
221+
- Effect: Allow
222+
Action: ec2:DescribeSecurityGroups
223+
Resource: '*'
224+
225+
SecurityGroupLookupFunction:
226+
Type: AWS::Lambda::Function
227+
Condition: UseExistingSecurityGroup
228+
Properties:
229+
Runtime: python3.9
230+
Handler: index.handler
231+
Role: !GetAtt SecurityGroupLookupRole.Arn
232+
Code:
233+
ZipFile: |
234+
import boto3
235+
import cfnresponse
236+
237+
def handler(event, context):
238+
try:
239+
if event['RequestType'] in ['Create', 'Update']:
240+
ec2 = boto3.client('ec2')
241+
vpc_id = event['ResourceProperties']['VpcId']
242+
group_name = event['ResourceProperties']['GroupName']
243+
244+
response = ec2.describe_security_groups(
245+
Filters=[
246+
{'Name': 'vpc-id', 'Values': [vpc_id]},
247+
{'Name': 'group-name', 'Values': [group_name]}
248+
]
249+
)
250+
251+
if len(response['SecurityGroups']) == 0:
252+
raise Exception(f"Security group {group_name} not found in VPC {vpc_id}")
253+
254+
group_id = response['SecurityGroups'][0]['GroupId']
255+
cfnresponse.send(event, context, cfnresponse.SUCCESS,
256+
{'GroupId': group_id})
257+
else:
258+
cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
259+
except Exception as e:
260+
cfnresponse.send(event, context, cfnresponse.FAILED,
261+
{'Error': str(e)})
262+
163263
Outputs:
164264
EFSFilesystemId:
165265
Description: The ID of the EFS filesystem that has been created
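Review bot: SecurityGroupLookupFunction sets no Timeout, so it runs with the Lambda default of 3 seconds, which is tight for a cold start that imports boto3 and makes an EC2 API call; if the function times out no cfnresponse is ever sent and the stack waits for the custom-resource timeout instead of failing promptly, so set an explicit Timeout (e.g. 30). In the except branch the message is sent only as Data['Error']; passing it as the `reason` argument of cfnresponse.send surfaces it in the stack events where users will actually look. The handler also passes no physicalResourceId, so cfnresponse falls back to the log stream name; using the resolved GroupId would give a stable id across updates. The Delete path returning SUCCESS unconditionally is correct, since the function creates nothing.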

recipes/storage/fsx_lustre/assets/scratch.yaml

Lines changed: 98 additions & 5 deletions
@@ -16,6 +16,7 @@ Metadata:
1616
Parameters:
1717
- VpcId
1818
- SubnetId
19+
- SecurityGroupName
1920

2021
Parameters:
2122
VpcId:
@@ -42,11 +43,20 @@ Parameters:
4243
- "2.15"
4344
- "2.12"
4445
Default: "2.15"
46+
SecurityGroupName:
47+
Type: String
48+
Description: (Optional) An existing security group to associate to the file system. If none is provided, a new security group will be created.
49+
Default: ""
50+
51+
Conditions:
52+
CreateSecurityGroup: !Equals ["", !Ref SecurityGroupName]
53+
UseExistingSecurityGroup: !Not [!Equals ["", !Ref SecurityGroupName]]
4554

4655
Resources:
4756

4857
LustreServersSG:
4958
Type: AWS::EC2::SecurityGroup
59+
Condition: CreateSecurityGroup
5060
Properties:
5161
GroupDescription: 'Allows traffic to FSx for Lustre filesystem'
5262
GroupName: !Sub '${AWS::StackName}-fsxl-security-group'
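Review bot: LustreServersSG is now conditional, but only the client-side rules appear in this diff; any ingress rule whose GroupId is `!Ref LustreServersSG`, and any Output exposing it, must also carry `Condition: CreateSecurityGroup` or switch to the same `!If`, otherwise stack creation fails when SecurityGroupName is set. As far as these hunks show, nothing adds Lustre ingress to a user-supplied group, so the description should state that the existing group must already allow ports 988 and 1021-1023 from LustreClientsSG.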
@@ -77,7 +87,10 @@ Resources:
7787
FromPort: 988
7888
ToPort: 988
7989
GroupId: !Ref LustreClientsSG
80-
SourceSecurityGroupId: !Ref LustreServersSG
90+
SourceSecurityGroupId: !If
91+
- CreateSecurityGroup
92+
- !Ref LustreServersSG
93+
- !GetAtt SecurityGroupLookup.GroupId
8194

8295
LustreClientsSGfromLustreClients1021:
8396
Type: AWS::EC2::SecurityGroupIngress
@@ -97,7 +110,10 @@ Resources:
97110
FromPort: 1021
98111
ToPort: 1023
99112
GroupId: !Ref LustreClientsSG
100-
SourceSecurityGroupId: !Ref LustreServersSG
113+
SourceSecurityGroupId: !If
114+
- CreateSecurityGroup
115+
- !Ref LustreServersSG
116+
- !GetAtt SecurityGroupLookup.GroupId
101117

102118
LustreClientsSGtoLustreClients988:
103119
Type: AWS::EC2::SecurityGroupEgress
@@ -117,7 +133,10 @@ Resources:
117133
FromPort: 988
118134
ToPort: 988
119135
GroupId: !Ref LustreClientsSG
120-
DestinationSecurityGroupId: !Ref LustreServersSG
136+
DestinationSecurityGroupId: !If
137+
- CreateSecurityGroup
138+
- !Ref LustreServersSG
139+
- !GetAtt SecurityGroupLookup.GroupId
121140

122141
LustreClientsSGtoLustreClients1021:
123142
Type: AWS::EC2::SecurityGroupEgress
@@ -137,7 +156,10 @@ Resources:
137156
FromPort: 1021
138157
ToPort: 1023
139158
GroupId: !Ref LustreClientsSG
140-
DestinationSecurityGroupId: !Ref LustreServersSG
159+
DestinationSecurityGroupId: !If
160+
- CreateSecurityGroup
161+
- !Ref LustreServersSG
162+
- !GetAtt SecurityGroupLookup.GroupId
141163

142164
FSxLFilesystem:
143165
Type: AWS::FSx::FileSystem
@@ -149,7 +171,10 @@ Resources:
149171
FileSystemTypeVersion: !Ref LustreVersion
150172
StorageCapacity: !Ref Capacity
151173
SecurityGroupIds:
152-
- !Ref LustreServersSG
174+
- !If
175+
- CreateSecurityGroup
176+
- !Ref LustreServersSG
177+
- !GetAtt SecurityGroupLookup.GroupId
153178
- !Ref LustreClientsSG
154179
SubnetIds:
155180
- !Ref SubnetId
@@ -159,6 +184,74 @@ Resources:
159184
Tags:
160185
- Key: HPCRecipes
161186
Value: "true"
187+
188+
SecurityGroupLookup:
189+
Type: Custom::SecurityGroupLookup
190+
Condition: UseExistingSecurityGroup
191+
Properties:
192+
ServiceToken: !GetAtt SecurityGroupLookupFunction.Arn
193+
VpcId: !Ref VpcId
194+
GroupName: !Ref SecurityGroupName
195+
196+
SecurityGroupLookupRole:
197+
Type: AWS::IAM::Role
198+
Condition: UseExistingSecurityGroup
199+
Properties:
200+
AssumeRolePolicyDocument:
201+
Version: '2012-10-17'
202+
Statement:
203+
- Effect: Allow
204+
Principal:
205+
Service: lambda.amazonaws.com
206+
Action: sts:AssumeRole
207+
ManagedPolicyArns:
208+
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
209+
Policies:
210+
- PolicyName: DescribeSecurityGroups
211+
PolicyDocument:
212+
Version: '2012-10-17'
213+
Statement:
214+
- Effect: Allow
215+
Action: ec2:DescribeSecurityGroups
216+
Resource: '*'
217+
218+
SecurityGroupLookupFunction:
219+
Type: AWS::Lambda::Function
220+
Condition: UseExistingSecurityGroup
221+
Properties:
222+
Runtime: python3.9
223+
Handler: index.handler
224+
Role: !GetAtt SecurityGroupLookupRole.Arn
225+
Code:
226+
ZipFile: |
227+
import boto3
228+
import cfnresponse
229+
230+
def handler(event, context):
231+
try:
232+
if event['RequestType'] in ['Create', 'Update']:
233+
ec2 = boto3.client('ec2')
234+
vpc_id = event['ResourceProperties']['VpcId']
235+
group_name = event['ResourceProperties']['GroupName']
236+
237+
response = ec2.describe_security_groups(
238+
Filters=[
239+
{'Name': 'vpc-id', 'Values': [vpc_id]},
240+
{'Name': 'group-name', 'Values': [group_name]}
241+
]
242+
)
243+
244+
if len(response['SecurityGroups']) == 0:
245+
raise Exception(f"Security group {group_name} not found in VPC {vpc_id}")
246+
247+
group_id = response['SecurityGroups'][0]['GroupId']
248+
cfnresponse.send(event, context, cfnresponse.SUCCESS,
249+
{'GroupId': group_id})
250+
else:
251+
cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
252+
except Exception as e:
253+
cfnresponse.send(event, context, cfnresponse.FAILED,
254+
{'Error': str(e)})
162255
163256
Outputs:
164257
FSxLustreFilesystemId:
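Review bot: This custom resource, role and Lambda are a verbatim copy of the block added to efs_simple/assets/main.yaml in the same commit, so the same points apply here (no explicit Timeout, error reason only in Data rather than the `reason` argument of cfnresponse.send, no physicalResourceId), and two copies will drift; consider a shared nested template for the lookup, or a comment stating the duplication is deliberate so each recipe stays standalone.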
