Updating RES BI and Demo stacks to make AD optional

Mohjeet Singh · Mohjeet Singh · commit a23876a9ffac · 2025-02-04T17:31:03.000-08:00
diff --git a/recipes/res/res_demo_env/assets/bi.yaml b/recipes/res/res_demo_env/assets/bi.yaml
@@ -6,6 +6,7 @@ Metadata:
       - Label:
           default: "AD Configuration"
         Parameters:
+          - CreateActiveDirectory
           - DomainName
           - SubDomain
           - AdminPassword
@@ -21,10 +22,10 @@ Metadata:
 
 Parameters:
   DomainName:
-    Description: Active Directory Domain Name. The supplied LDIF file which provides bootstrap users uses this domain. A different LDIF file needs to be provided for a different domain.
+    Description: (Optional) Active Directory Domain Name. The supplied LDIF file which provides bootstrap users uses this domain. A different LDIF file needs to be provided for a different domain.
     Type: String
     Default: corp.res.com
-    AllowedPattern: ^([a-zA-Z0-9]+[\\.-])+([a-zA-Z0-9])+$
+    AllowedPattern: ^$|^([a-zA-Z0-9]+[\\.-])+([a-zA-Z0-9])+$
   SubDomain:
     Description: (Optional, but required for GovCloud regions) SubDomain for the Active Directory Domain Name. If provided, Active Directory Domain Name will be {SubDomain}.{DomainName}
     Type: String
@@ -37,21 +38,20 @@ Parameters:
     Description: (Optional) EnvironmentName must start with "res-"and should be less than or equal to 11 characters. Required to generate certificates.
     Type: String
     AllowedPattern: ^$|^res-[A-Za-z\-\_0-9]{0,7}$
-
     Default: res-demo
   AdminPassword:
-    Description: Provide the Active Directory Administrator Account Password Directly or Resource ARN to Secret Containing Password.
+    Description: (Optional) Provide the Active Directory Administrator Account Password Directly or Resource ARN to Secret Containing Password.
     Type: String
-    MinLength: 8
+    MinLength: 0
     MaxLength: 2048
-    AllowedPattern: (arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|il|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)|(?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))^.*
+    AllowedPattern: ^$|(arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|il|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)|(?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))^.*
     NoEcho: true
   ServiceAccountPassword:
-    Description: Provide the Active Directory Service Account Password Directly or Resource ARN to Secret Containing Password.
+    Description: (Optional) Provide the Active Directory Service Account Password Directly or Resource ARN to Secret Containing Password.
     Type: String
-    MinLength: 8
+    MinLength: 0
     MaxLength: 2048
-    AllowedPattern: (arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|il|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)|(?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))^.*
+    AllowedPattern: ^$|(arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|il|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)|(?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))^.*
     NoEcho: true
   LDIFS3Path:
     Description: (Optional) An S3 Path (without the s3://) to an LDIF file that will be used during stack creation.
@@ -65,10 +65,12 @@ Parameters:
          - "True"
          - "False"
   Keypair:
-    Description: EC2 Keypair to access AD management instances.
-    Type: AWS::EC2::KeyPair::KeyName
+    Description: (Optional) EC2 Keypair to access AD management instances.
+    Type: String
+    MinLength: 0
+    MaxLength: 2048
   ClientIpCidr:
-    Description: CIDR controlling incoming traffic to AD management instances.
+    Description: (Optional) CIDR controlling incoming traffic to AD management instances.
     Default: ""
     Type: String
     AllowedPattern: ^((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))?$
@@ -93,13 +95,21 @@ Parameters:
     AllowedValues:
       - "True"
       - "False"
+  CreateActiveDirectory:
+    Description: Create a demo Active Directory for RES to connect to. If `True` is selected, the following parameters are required DomainName, AdminPassword, ServiceAccountPassword, and Keypair.
+    Type: String
+    Default: "False"
+    AllowedValues:
+         - "True"
+         - "False"
 
 Conditions:
   GenerateCerts: !Not [!Equals [!Ref PortalDomainName, ""]]
   UseEnvironmentName: !Not [!Equals [!Ref EnvironmentName, ""]]
   SubDomainNotProvided: !Equals [!Ref SubDomain, ""]
   InGovCloud: !Equals [!Ref 'AWS::Partition', "aws-us-gov"]
   RetainStorageAndNetworking: !Equals [!Ref RetainStorageResources, "True"]
+  CreateAD: !Equals [!Ref CreateActiveDirectory, "True"]
 
 Resources:
 
@@ -114,6 +124,7 @@ Resources:
       TemplateURL: https://aws-hpc-recipes.s3.us-east-1.amazonaws.com/main/recipes/net/hpc_large_scale/assets/main.yaml
 
   DirectoryService:
+    Condition: CreateAD
     Type: AWS::CloudFormation::Stack
     Properties:
       Parameters:
@@ -135,6 +146,7 @@ Resources:
       TemplateURL: https://aws-hpc-recipes.s3.us-east-1.amazonaws.com/main/recipes/dir/demo_managed_ad/assets/main.yaml
 
   WindowsManagementHost:
+    Condition: CreateAD
     Type: AWS::CloudFormation::Stack
     Properties:
       Parameters:
@@ -532,47 +544,59 @@ Outputs:
   Keypair:
     Description: Keypair used for management instances
     Value: !Ref Keypair
+    Condition: CreateAD
   ActiveDirectoryName:
     Description: Fully Qualified Domain Name (FQDN) for your Active Directory
     Value: !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName] ] ]
+    Condition: CreateAD
   ADShortName:
     Description: Please provide the short name in Active directory
     Value: !GetAtt [ DirectoryService, Outputs.DomainShortName ]
+    Condition: CreateAD
   LDAPConnectionURI:
     Value: !Sub
       - ldap://${DomainName}
       - { DomainName: !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName] ] ] }
+    Condition: CreateAD
   SudoersGroupName:
     Value: RESAdministrators
+    Condition: CreateAD
   LDAPBase:
     Value: !Sub
       - dc=${dc}
       - { dc: !Join [",dc=", !Split [".", !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName] ] ] ]] }
+    Condition: CreateAD
   ServiceAccountCredentialsSecretArn:
     Value: !GetAtt [ DirectoryService, Outputs.CredentialsSecretArn ]
+    Condition: CreateAD
   ServiceAccountUserDN:
     Description: The Distinguished Name (DN) of the ServiceAccount user in your Active Directory
     Value: !Sub
       - CN=ServiceAccount,OU=Users,OU=${ou},DC=${dc}
       - {dc: !Join [",DC=", !Split [".", !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName]]]]], ou:  !GetAtt [ DirectoryService, Outputs.DomainShortName ]}
+    Condition: CreateAD
   SharedHomeFilesystemId:
     Value: !GetAtt [ Storage, Outputs.EFSFilesystemId ]
   UsersOU:
     Description: The OU for all users who might join the system. The value provided here is based off of a supplied LDIF file.
     Value: !Sub
       - OU=Users,OU=RES,OU=${ou},DC=${dc}
       - { dc: !Join [",DC=", !Split [".", !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName]]]]], ou:  !GetAtt [ DirectoryService, Outputs.DomainShortName ]}
+    Condition: CreateAD
   GroupsOU:
     Description: The OU for groups that users belong to who might join the system. The value provided here is based off of a supplied LDIF file.
     Value: !Sub
       - OU=Users,OU=RES,OU=${ou},DC=${dc}
       - { dc: !Join [",DC=", !Split [".", !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName]]]]], ou:  !GetAtt [ DirectoryService, Outputs.DomainShortName ]}
+    Condition: CreateAD
   ComputersOU:
     Description: The OU for computers that join the AD. The value provided here is based off of a supplied LDIF file.
     Value: !Sub
       - OU=Computers,OU=RES,OU=${ou},DC=${dc}
       - { dc: !Join [",DC=", !Split [".", !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName]]]]], ou:  !GetAtt [ DirectoryService, Outputs.DomainShortName ]}
+    Condition: CreateAD
   ActiveDirectoryDNSIPs:
     Description: The DNS IPs of your Active Directory
     Value: !Join [ ",", [ !GetAtt [ DirectoryService, Outputs.DnsIpAddress1 ], !GetAtt [ DirectoryService, Outputs.DnsIpAddress2 ] ] ]
+    Condition: CreateAD
 
diff --git a/recipes/res/res_demo_env/assets/res-demo-stack.yaml b/recipes/res/res_demo_env/assets/res-demo-stack.yaml
@@ -8,6 +8,7 @@ Metadata:
         Parameters:
           - EnvironmentName
           - AdministratorEmail
+          - CreateActiveDirectory
       - Label:
           default: Access Management
         Parameters:
@@ -46,12 +47,22 @@ Parameters:
     AllowedPattern: ^(pl-[a-z0-9]{8,20})?$
     ConstraintDescription: Must be a valid VPC Prefix List ID, which begins with `pl-` or be empty.
 
+  CreateActiveDirectory:
+    Description: Create a demo Active Directory for RES to connect to.
+    Type: String
+    Default: "False"
+    AllowedValues:
+         - "True"
+         - "False"
+
 Conditions:
   UseEnvironmentName: !Not [!Equals [!Ref EnvironmentName, ""]]
+  CreateAD: !Equals [!Ref CreateActiveDirectory, "True"]
 
 Resources:
 
   AdminPassword:
+    Condition: CreateAD
     Type: AWS::SecretsManager::Secret
     Properties:
       Description: Active Directory Administrator Account Password.
@@ -67,6 +78,7 @@ Resources:
           Value: !Ref EnvironmentName
 
   ServiceAccountPassword:
+    Condition: CreateAD
     Type: AWS::SecretsManager::Secret
     Properties:
       Description: Active Directory Service Account Password.
@@ -88,11 +100,12 @@ Resources:
         PortalDomainName: ""
         Keypair: !Ref Keypair
         EnvironmentName: !If [UseEnvironmentName, !Ref EnvironmentName, ""]
-        AdminPassword: !Ref AdminPassword
-        ServiceAccountPassword: !Ref ServiceAccountPassword
+        AdminPassword: !If [CreateAD, !Ref AdminPassword, ""]
+        ServiceAccountPassword: !If [CreateAD, !Ref ServiceAccountPassword, ""]
         ClientIpCidr: !Ref ClientIpCidr
         ClientPrefixList: !Ref InboundPrefixList
         RetainStorageResources: "False"  
+        CreateActiveDirectory: !Ref CreateActiveDirectory
       TemplateURL: https://aws-hpc-recipes.s3.us-east-1.amazonaws.com/main/recipes/res/res_demo_env/assets/bi.yaml
 
   RES:
@@ -116,27 +129,28 @@ Resources:
         InfrastructureHostSubnets: !GetAtt [ RESExternal, Outputs.PrivateSubnets ]
         VdiSubnets: !GetAtt [ RESExternal, Outputs.PrivateSubnets ]
         IsLoadBalancerInternetFacing: "true"
-        ActiveDirectoryName: !GetAtt [ RESExternal, Outputs.ActiveDirectoryName ]
-        ADShortName: !GetAtt [ RESExternal, Outputs.ADShortName ]
-        LDAPBase: !GetAtt [ RESExternal, Outputs.LDAPBase ]
-        LDAPConnectionURI: !GetAtt [ RESExternal, Outputs.LDAPConnectionURI ]
-        SudoersGroupName: RESAdministrators
-        ServiceAccountCredentialsSecretArn: !GetAtt [ RESExternal, Outputs.ServiceAccountCredentialsSecretArn ]
-        UsersOU: !GetAtt [ RESExternal, Outputs.UsersOU ]
-        GroupsOU: !GetAtt [ RESExternal, Outputs.GroupsOU ]
-        ComputersOU: !GetAtt [ RESExternal, Outputs.ComputersOU ]
+        ActiveDirectoryName: !If [CreateAD, !GetAtt [ RESExternal, Outputs.ActiveDirectoryName ], ""]
+        ADShortName: !If [CreateAD, !GetAtt [ RESExternal, Outputs.ADShortName ], ""]
+        LDAPBase: !If [CreateAD, !GetAtt [ RESExternal, Outputs.LDAPBase ], ""]
+        LDAPConnectionURI: !If [CreateAD, !GetAtt [ RESExternal, Outputs.LDAPConnectionURI ], ""]
+        SudoersGroupName: !If [CreateAD, RESAdministrators, ""]
+        ServiceAccountCredentialsSecretArn: !If [CreateAD, !GetAtt [ RESExternal, Outputs.ServiceAccountCredentialsSecretArn ], ""]
+        UsersOU: !If [CreateAD, !GetAtt [ RESExternal, Outputs.UsersOU ], ""]
+        GroupsOU: !If [CreateAD, !GetAtt [ RESExternal, Outputs.GroupsOU ], ""]
+        ComputersOU: !If [CreateAD, !GetAtt [ RESExternal, Outputs.ComputersOU ], ""]
         SharedHomeFileSystemId: !GetAtt [ RESExternal, Outputs.SharedHomeFilesystemId ]
         InfrastructureHostAMI: ""
         EnableLdapIDMapping: "True"
         IAMPermissionBoundary: ""
         DisableADJoin: "False"
-        ServiceAccountUserDN: !GetAtt [ RESExternal, Outputs.ServiceAccountUserDN ]
+        ServiceAccountUserDN: !If [CreateAD, !GetAtt [ RESExternal, Outputs.ServiceAccountUserDN ], ""]
         HttpProxy: ""
         HttpsProxy: ""
         NoProxy: ""
       TemplateURL: https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/latest/ResearchAndEngineeringStudio.template.json
 
   RESSsoKeycloak:
+    Condition: CreateAD
     Type: AWS::CloudFormation::Stack
     DependsOn: RES
     Properties:
@@ -362,9 +376,12 @@ Outputs:
   KeycloakUrl:
     Description: Keycloak Administrator Url
     Value: !GetAtt [ RESSsoKeycloak, Outputs.KeycloakUrl ]
+    Condition: CreateAD
   KeycloakAdminPasswordSecretArn:
     Description: Keycloak password for admin user
     Value: !GetAtt [ RESSsoKeycloak, Outputs.KeycloakAdminPasswordSecretArn ]
+    Condition: CreateAD
   ApplicationUrl:
     Description: RES application Url
     Value: !GetAtt [ RESSsoKeycloak, Outputs.ApplicationUrl ]
+    Condition: CreateAD
