Merge branch 'fix/storage-recipes-mods-combined' into 'develop'

fix: storage recipe security group lookup custom resource fixes and making ClientIpCidr optional

See merge request mwvaughn/aws-hpc-recipes!167

Author: rangfeli

recipes/storage/efs_simple/assets/main.yaml

@@ -135,15 +135,13 @@ Resources:
 
   EfsSecurityGroupInboundRule:
     Type: 'AWS::EC2::SecurityGroupIngress'
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allow incoming traffic to EFS from members of security group
       FromPort: 2049
       ToPort: 2049
-      GroupId: !If 
-          - CreateSecurityGroup
-          - !Ref EfsSecurityGroup
-          - !GetAtt SecurityGroupLookup.GroupId
+      GroupId: !Ref EfsSecurityGroup
       SourceSecurityGroupId: !Ref EfsClientSecurityGroup
 
   EfsClientSecurityGroupOutboundRule:
@@ -197,6 +195,7 @@ Resources:
     Condition: UseExistingSecurityGroup
     Properties:
       ServiceToken: !GetAtt SecurityGroupLookupFunction.Arn
+      ServiceTimeout: 60
       VpcId: !Ref VpcId
       GroupName: !Ref SecurityGroupName
 
@@ -226,6 +225,7 @@ Resources:
     Type: AWS::Lambda::Function
     Condition: UseExistingSecurityGroup
     Properties:
+      Timeout: 60
       Runtime: python3.9
       Handler: index.handler
       Role: !GetAtt SecurityGroupLookupRole.Arn

recipes/storage/fsx_lustre/assets/scratch.yaml

@@ -55,12 +55,12 @@ Conditions:
 Resources:
 
   LustreServersSG:
-      Type: AWS::EC2::SecurityGroup
-      Condition: CreateSecurityGroup
-      Properties:
-        GroupDescription: 'Allows traffic to FSx for Lustre filesystem'
-        GroupName: !Sub '${AWS::StackName}-fsxl-security-group'
-        VpcId: !Ref VpcId
+    Type: AWS::EC2::SecurityGroup
+    Condition: CreateSecurityGroup
+    Properties:
+      GroupDescription: 'Allows traffic to FSx for Lustre filesystem'
+      GroupName: !Sub '${AWS::StackName}-fsxl-security-group'
+      VpcId: !Ref VpcId
 
   LustreClientsSG:
     Type: AWS::EC2::SecurityGroup
@@ -81,16 +81,14 @@ Resources:
 
   LustreClientsSGxxFROMxxLustreServersSG988:
     Type: AWS::EC2::SecurityGroupIngress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allows Lustre traffic on port 988 between Amazon FSx for Lustre file servers and Lustre clients
       FromPort: 988
       ToPort: 988
       GroupId: !Ref LustreClientsSG
-      SourceSecurityGroupId: !If 
-          - CreateSecurityGroup
-          - !Ref LustreServersSG
-          - !GetAtt SecurityGroupLookup.GroupId
+      SourceSecurityGroupId: !Ref LustreServersSG
 
   LustreClientsSGfromLustreClients1021:
     Type: AWS::EC2::SecurityGroupIngress
@@ -104,16 +102,14 @@ Resources:
 
   LustreClientsSGxxFROMxxLustreServersSG1021:
     Type: AWS::EC2::SecurityGroupIngress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allows Lustre traffic on ports 1021-23 between Amazon FSx for Lustre file servers and Lustre clients
       FromPort: 1021
       ToPort: 1023
       GroupId: !Ref LustreClientsSG
-      SourceSecurityGroupId: !If 
-          - CreateSecurityGroup
-          - !Ref LustreServersSG
-          - !GetAtt SecurityGroupLookup.GroupId
+      SourceSecurityGroupId: !Ref LustreServersSG
 
   LustreClientsSGtoLustreClients988:
     Type: AWS::EC2::SecurityGroupEgress
@@ -127,19 +123,18 @@ Resources:
 
   LustreClientsSGtopclusterLustreServersSG:
     Type: AWS::EC2::SecurityGroupEgress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allow Lustre traffic on port 988 between Amazon FSx for Lustre file servers and Lustre clients
       FromPort: 988
       ToPort: 988
       GroupId: !Ref LustreClientsSG
-      DestinationSecurityGroupId: !If 
-          - CreateSecurityGroup
-          - !Ref LustreServersSG
-          - !GetAtt SecurityGroupLookup.GroupId
+      DestinationSecurityGroupId: !Ref LustreServersSG
 
   LustreClientsSGtoLustreClients1021:
     Type: AWS::EC2::SecurityGroupEgress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allows Lustre traffic on ports 1021-23 between Amazon FSx for Lustre clients
@@ -150,16 +145,14 @@ Resources:
 
   LustreClientsSGtoLustreServersSG:
     Type: AWS::EC2::SecurityGroupEgress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allows Lustre traffic on ports 1021-23 between Amazon FSx for Lustre file servers and Lustre clients
       FromPort: 1021
       ToPort: 1023
       GroupId: !Ref LustreClientsSG
-      DestinationSecurityGroupId: !If 
-          - CreateSecurityGroup
-          - !Ref LustreServersSG
-          - !GetAtt SecurityGroupLookup.GroupId
+      DestinationSecurityGroupId: !Ref LustreServersSG
 
   FSxLFilesystem:
     Type: AWS::FSx::FileSystem
@@ -190,6 +183,7 @@ Resources:
     Condition: UseExistingSecurityGroup
     Properties:
       ServiceToken: !GetAtt SecurityGroupLookupFunction.Arn
+      ServiceTimeout: 60
       VpcId: !Ref VpcId
       GroupName: !Ref SecurityGroupName
 
@@ -219,6 +213,7 @@ Resources:
     Type: AWS::Lambda::Function
     Condition: UseExistingSecurityGroup
     Properties:
+      Timeout: 60
       Runtime: python3.9
       Handler: index.handler
       Role: !GetAtt SecurityGroupLookupRole.Arn

recipes/storage/fsx_ontap/assets/main.yaml

@@ -9,8 +9,8 @@ Metadata:
         Parameters:
           - VpcId
           - SubnetId
-          - ClientIpCidr
           - SecurityGroupName
+          - ClientIpCidr
           - KmsKeyId
       - Label:
           default: File System Options
@@ -42,16 +42,16 @@ Parameters:
   SubnetId:
     Type: AWS::EC2::Subnet::Id
     Description: Subnet ID where the file system will be created (must be in same VPC).
-  ClientIpCidr:
-    Description: CIDR block controlling incoming NFS and/or SMB traffic to FSx file system.
-    Default: ""
-    Type: String
-    AllowedPattern: ^((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))?$
-    ConstraintDescription: ClientIP must be a valid IP or network range of the form x.x.x.x/x. specify your IP/NETMASK (e.g x.x.x/32 or x.x.x.x/24 for subnet range)
   SecurityGroupName:
     Type: String
     Description: (Optional) An existing security group to associate to the file system (must be in same VPC). If none is provided, a new security group will be created.
     Default: ""
+  ClientIpCidr:
+    Type: String
+    Description: (Optional) If no existing security group is provided, then provide a CIDR block controlling incoming NFS and/or SMB traffic to FSx file system.
+    Default: ""
+    AllowedPattern: ^$|^((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))?$
+    ConstraintDescription: ClientIP must be a valid IP or network range of the form x.x.x.x/x. specify your IP/NETMASK (e.g x.x.x/32 or x.x.x.x/24 for subnet range)
   KmsKeyId:
     Type: String
     Description: (Optional) An existing ID of the AWS Key Management Service (AWS KMS) key used to encrypt Amazon FSx file system data. If none is provided, the default aws/fsx encryption key will be used.
@@ -78,9 +78,9 @@ Parameters:
   OntapHAPairs:
     Type: Number
     Description: Number of high-availability (HA) pairs of file servers will power your file system. Default is set to 1 HA pair.
-    ConstraintDescription: "Minimum: 1 HA pair"
     Default: 1
     MinValue: 1
+    ConstraintDescription: "Minimum: 1 HA pair"
   OntapDiskIopsMode:
     Type: String
     Description: Specifies whether the file system is using the AUTOMATIC setting of SSD IOPS of 3 IOPS per GB of storage capacity, or if it is using a USER_PROVISIONED value. Default is set to AUTOMATIC.
@@ -91,15 +91,15 @@ Parameters:
   OntapDiskIops:
     Type: Number
     Description: Total number of SSD IOPS provisioned for the file system if using USER_PROVISIONED for file system's disk IOPS. Default is set to 3,072 SSD IOPS.
-    ConstraintDescription: "Minimum: 3,072 SSD IOPS"
     Default: 3072
     MinValue: 3072
+    ConstraintDescription: "Minimum: 3,072 SSD IOPS"
   OntapThroughputCapacity:
     Type: Number
     Description: Throughput capacity for the file system (MBps). Default is set to 384 MBps.
-    ConstraintDescription: "Minimum: 384 MBps"
     Default: 384
     MinValue: 384
+    ConstraintDescription: "Minimum: 384 MBps"
   OntapSecurityStyle:
     Type: String
     Description: Security style of the file system's volumes. Default is set to UNIX.
@@ -111,9 +111,9 @@ Parameters:
   OntapVolumeJunctionPath:
     Type: String
     Description: The location in the storage virtual machine's namespace where the non-root volume is mounted. Default is set to /vol1.
-    ConstraintDescription: "Must start with /"
     Default: "/vol1"
     AllowedPattern: "^/[a-zA-Z0-9-_/]+$"
+    ConstraintDescription: "Must start with /"
   EnableActiveDirectory:
     Type: String
     Description: Enable file system to join an Active Directory. Required for Windows SMB clients to mount file system. Default is set to false.
@@ -132,9 +132,9 @@ Parameters:
   ServiceAccountCredentialsSecretArn:
     Type: String
     Description: Directory Service Root (Service Account) Credentials Secret ARN. The username and password for the Active Directory ServiceAccount user formatted as a username:password key/value pair.
-    ConstraintDescription: "Secret name can be 512 characters long and may include letters, numbers, and the following characters: /_+=.@-."
-    AllowedPattern: ^$|^(?:arn:(?:aws|aws-us-gov|aws-cn):secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[A-Za-z0-9\-\_\+\=\/\.\@]{1,519})?$
     Default: ""
+    AllowedPattern: ^$|^(?:arn:(?:aws|aws-us-gov|aws-cn):secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[A-Za-z0-9\-\_\+\=\/\.\@]{1,519})?$
+    ConstraintDescription: "Secret name can be 512 characters long and may include letters, numbers, and the following characters: /_+=.@-."
   ComputersOU:
     Type: String
     Description: Organization Unit (OU) for compute and storage servers in the Active Directory.
@@ -164,6 +164,11 @@ Conditions:
     - !Condition CreateCIFSShare
 
 Rules:
+  RequireSecurityGroupRule:
+    RuleCondition: !Equals [!Ref SecurityGroupName, ""]
+    Assertions:
+      - Assert: !Not [!Equals [!Ref ClientIpCidr, ""]]
+        AssertDescription: If a SecurityGroupName is not provided, a valid ClientIpCidr must be provided.
   ActiveDirectoryParametersRule:
     RuleCondition: !Equals [!Ref EnableActiveDirectory, "true"]
     Assertions: