
Commit ae86a91

Merge branch 'delete_shared_storage_security' into 'develop'
Add a Lambda-backed custom resource that removes the shared storage security group for the RES demo. See merge request mwvaughn/aws-hpc-recipes!99
2 parents 54bd41d + 2d5b28d commit ae86a91


1 file changed

+89
-0
lines changed


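--- a/recipes/res/res_demo_env/assets/res-demo-stack.yaml
+++ b/recipes/res/res_demo_env/assets/res-demo-stack.yaml
@@ -100,6 +100,7 @@ Resources:
 
 RES:
 Type: AWS::CloudFormation::Stack
+DependsOn: InvokeDeleteSharedStorageSecurityGroup
 Properties:
 Parameters:
 EnvironmentName: !Ref EnvironmentName
@@ -152,6 +153,94 @@ Resources:
 LDAPConnectionURI: !GetAtt [ RESExternal, Outputs.LDAPConnectionURI ]
 TemplateURL: https://aws-hpc-recipes.s3.us-east-1.amazonaws.com/main/recipes/res/res_demo_env/assets/res-sso-keycloak.yaml
 
+InvokeDeleteSharedStorageSecurityGroupRole:
+Type: 'AWS::IAM::Role'
+Properties:
+AssumeRolePolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Principal:
+Service: lambda.amazonaws.com
+Action: 'sts:AssumeRole'
+Policies:
+- PolicyName: InvokeConfigureSSOLambdaPolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- lambda:InvokeFunction
+Resource:
+- !Sub arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${EnvironmentName}-delete_shared_storage_security_group
+- Effect: Allow
+Action:
+- ec2:DescribeSecurityGroups
+- ec2:DeleteSecurityGroup
+- ec2:DescribeNetworkInterfaces
+Resource: '*'
+
+InvokeDeleteSharedSecurityGroupHandlerFunction:
+Type: 'AWS::Lambda::Function'
+DependsOn:
+- InvokeDeleteSharedStorageSecurityGroupRole
+Properties:
+Description: 'Deletes the shared storage security group when the stack is deleted.'
+FunctionName: !Sub InvokeDeleteSharedSecurityGroupHandlerFunction-${AWS::StackName}
+Timeout: 360 # 6 minutes
+Role: !GetAtt InvokeDeleteSharedStorageSecurityGroupRole.Arn
+Handler: index.handler
+Runtime: python3.11
+Code:
+ZipFile: |
+import boto3
+import os
+import logging
+import cfnresponse
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+def handler(event, context):
+logger.info(f"Received event: {event}")
+response = {}
+
+if event["RequestType"] == "Delete":
+try:
+ec2 = boto3.client("ec2")
+sgResponse = ec2.describe_security_groups(
+Filters=[
+{
+'Name': 'group-name',
+'Values': [
+f"{os.environ['ENVIRONMENT_NAME']}-shared-storage-security-group",
+]
+}
+]
+)
+
+if len(sgResponse['SecurityGroups']) == 0:
+response['Output'] = "Shared storage security group not found."
+else:
+ec2.delete_security_group(GroupId=sgResponse['SecurityGroups'][0]['GroupId'])
+response['Output'] = "Shared storage security group deleted."s
+
+cfnresponse.send(event, context, cfnresponse.SUCCESS, response)
+except Exception as e:
+logger.error(f"Error: Unable to delete shared storage security group: {e}")
+response['Output'] = f"Error: Unable to delete shared storage security group: {e}"
+cfnresponse.send(event, context, cfnresponse.FAILED, response)
+else:
+cfnresponse.send(event, context, cfnresponse.SUCCESS, response)
+Environment:
+Variables:
+ENVIRONMENT_NAME: !Ref EnvironmentName
+
+InvokeDeleteSharedStorageSecurityGroup:
+Type: Custom::DeleteSharedStorageSecurityGroup
+Properties:
+ServiceToken: !GetAtt InvokeDeleteSharedSecurityGroupHandlerFunction.Arn
+
 Outputs:
 KeycloakUrl:
 Description: Keycloak Administrator Url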
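Review bot: The inline handler line `response['Output'] = "Shared storage security group deleted."s` (new line 226) carries a stray `s` after the string literal, which is a Python SyntaxError; unless that is a rendering artifact, index.py fails to import on every invocation, `cfnresponse.send` is never reached, and the custom resource hangs on both Create and Delete until CloudFormation stops waiting — drop the trailing `s`. The role also grants `ec2:DeleteSecurityGroup` on `Resource: '*'` while the handler deletes the first group whose name matches, with no VPC check, so a same-named group in another VPC could be removed; add a `{'Name': 'vpc-id', 'Values': [os.environ['VPC_ID']]}` filter (passing the VPC id in as an environment variable if the stack has it) and narrow the delete statement with a condition such as `ec2:ResourceTag/...` or the VPC ARN via `ec2:Vpc`. The `lambda:InvokeFunction` statement targets `${EnvironmentName}-delete_shared_storage_security_group`, a function this stack does not define (the function created here is `InvokeDeleteSharedSecurityGroupHandlerFunction-${AWS::StackName}`), and the policy name `InvokeConfigureSSOLambdaPolicy` appears copied from another role, while no `logs:CreateLogGroup`/`logs:CreateLogStream`/`logs:PutLogEvents` permission is granted, so the `logger` output is never written to CloudWatch. Replace that statement with the logs permissions (or attach the `AWSLambdaBasicExecutionRole` managed policy) and drop `ec2:DescribeNetworkInterfaces`, which the handler never calls.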
