
[Infrastructure] Add support for IAM Roles and Policies prefix.
Now the user can optionally specify a prefix for IAM roles and policies created as part of both PCUI and PCAPI infrastructure.
gmarciani committed Nov 10, 2023
1 parent 13b2358 commit ce73b4d
Showing 2 changed files with 68 additions and 7 deletions.
13 changes: 12 additions & 1 deletion infrastructure/parallelcluster-ui-cognito.yaml
Expand Up @@ -12,6 +12,11 @@ Parameters:
Description: 'ARN of the IAM policy to use as permissions boundary for every IAM role'
Default: ''
AllowedPattern: "^(arn:.*:iam::.*:policy\\/([a-zA-Z0-9_-]+))|()$"
IAMRoleAndPolicyPrefix:
Type: String
Description: 'Prefix applied to the name of every IAM role and policy (max length: 10)'
Default: ''
MaxLength: 10

Conditions:
GovCloud: !Equals [!Ref AWS::Region, 'us-gov-west-1']
Expand All @@ -27,10 +32,13 @@ Metadata:
- Label:
default: (Optional) Permissions
Parameters:
- IAMRoleAndPolicyPrefix
- PermissionsBoundaryPolicy
ParameterLabels:
AdminUserEmail:
default: Initial Admin's Email
IAMRoleAndPolicyPrefix:
default: Prefix for IAM Roles and Policies
PermissionsBoundaryPolicy:
default: Permissions Boundary

Expand All @@ -39,6 +47,9 @@ Resources:
SNSRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub
- ${IAMRoleAndPolicyPrefix}SNSRole-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
Expand All @@ -49,7 +60,7 @@ Resources:
Action:
- sts:AssumeRole
Policies:
- PolicyName: CognitoSNSPolicy
- PolicyName: !Sub ${IAMRoleAndPolicyPrefix}SNSPermissions
PolicyDocument:
Version: 2012-10-17
Statement:
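Review bot: `IAMRoleAndPolicyPrefix` is constrained only by `MaxLength: 10`, so a prefix containing a character IAM does not accept in role and policy names (a space, `/` or `:`, for instance) passes parameter validation and only fails when `SNSRole` is created, mid-deployment, whereas the neighbouring `PermissionsBoundaryPolicy` is pattern-checked up front. Add `AllowedPattern: "^[a-zA-Z0-9+=,.@_-]*$"` together with a `ConstraintDescription` naming the allowed characters; the same parameter in infrastructure/parallelcluster-ui.yaml has the same gap. Because the roles now carry an explicit `RoleName`, creating or updating the stack requires acknowledging `CAPABILITY_NAMED_IAM` rather than `CAPABILITY_IAM`; any deployment documentation or script that passes the latter, which is not visible in this commit, will need updating.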
62 changes: 56 additions & 6 deletions infrastructure/parallelcluster-ui.yaml
Expand Up @@ -57,6 +57,11 @@ Parameters:
Description: 'ARN of the IAM policy to use as permissions boundary for every IAM role created by ParallelCluster API infrastructure'
Default: ''
AllowedPattern: "^(arn:.*:iam::.*:policy\\/([a-zA-Z0-9_-]+))|()$"
IAMRoleAndPolicyPrefix:
Type: String
Description: 'Prefix applied to the name of every IAM role and policy (max length: 10)'
Default: ''
MaxLength: 10
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
Expand Down Expand Up @@ -90,8 +95,9 @@ Metadata:
- ImageBuilderVpcId
- ImageBuilderSubnetId
- Label:
default: (Optional) Permissions Boundaries
default: (Optional) Permissions
Parameters:
- IAMRoleAndPolicyPrefix
- PermissionsBoundaryPolicy
- PermissionsBoundaryPolicyPCAPI
- Label:
Expand Down Expand Up @@ -152,7 +158,8 @@ Resources:
Parameters:
AdminUserEmail: !Ref AdminUserEmail
PermissionsBoundaryPolicy: !Ref PermissionsBoundaryPolicy
TemplateURL: !Sub
IAMRoleAndPolicyPrefix: !Ref IAMRoleAndPolicyPrefix
TemplateURL: !Sub
- '${Bucket}/parallelcluster-ui-cognito.yaml'
- Bucket: !If
- HasDefaultInfrastructure
Expand All @@ -166,6 +173,7 @@ Resources:
Properties:
Parameters:
PermissionsBoundaryPolicy: !Ref PermissionsBoundaryPolicy
IAMRoleAndPolicyPrefix: !Ref IAMRoleAndPolicyPrefix
ApiDefinitionS3Uri: !Sub s3://${AWS::Region}-aws-parallelcluster/parallelcluster/${Version}/api/ParallelCluster.openapi.yaml
CreateApiUserRole: False
EnableIamAdminAccess: True
Expand Down Expand Up @@ -301,6 +309,9 @@ Resources:
ApiGatewayLogRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub
- ${IAMRoleAndPolicyPrefix}ApiGatewayLogRole-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
Expand Down Expand Up @@ -463,6 +474,9 @@ Resources:
UserPoolClientSecretRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub
- ${IAMRoleAndPolicyPrefix}UserPoolClientSecretRole-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
Expand All @@ -472,7 +486,7 @@ Resources:
Action:
- 'sts:AssumeRole'
Policies:
- PolicyName: CognitoPermissions
- PolicyName: !Sub ${IAMRoleAndPolicyPrefix}UserPoolPermissions
PolicyDocument:
Version: 2012-10-17
Statement:
Expand All @@ -483,7 +497,7 @@ Resources:
- !Sub
- arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPoolId}
- { UserPoolId: !If [UseExistingCognito, !Ref UserPoolId, !GetAtt [ Cognito, Outputs.UserPoolId ]]}
- PolicyName: SecretsManagerPermissions
- PolicyName: !Sub ${IAMRoleAndPolicyPrefix}SecretsManagerPermissions
PolicyDocument:
Version: 2012-10-17
Statement:
Expand All @@ -508,6 +522,9 @@ Resources:
ImageBuilderInstanceRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub
- ${IAMRoleAndPolicyPrefix}ImageBuilderInstanceRole-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
- !Sub arn:${AWS::Partition}:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds
Expand All @@ -526,6 +543,9 @@ Resources:
ImageBuilderInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
InstanceProfileName: !Sub
- ${IAMRoleAndPolicyPrefix}ImageBuilderInstanceProfile-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
Path: /executionServiceEC2Role/
Roles:
- !Ref ImageBuilderInstanceRole
Expand Down Expand Up @@ -682,6 +702,9 @@ Resources:
EcrImageDeletionLambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub
- ${IAMRoleAndPolicyPrefix}EcrImageDeletionLambdaRole-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
Expand All @@ -691,7 +714,7 @@ Resources:
Action:
- 'sts:AssumeRole'
Policies:
- PolicyName: LoggingPolicy
- PolicyName: !Sub ${IAMRoleAndPolicyPrefix}LogsPermissions
PolicyDocument:
Version: 2012-10-17
Statement:
Expand All @@ -700,7 +723,7 @@ Resources:
- logs:CreateLogStream
- logs:PutLogEvents
Resource: !Sub arn:${AWS::Partition}:logs:*:*:*
- PolicyName: BatchDeletePolicy
- PolicyName: !Sub ${IAMRoleAndPolicyPrefix}EcrPermissions
PolicyDocument:
Version: 2012-10-17
Statement:
Expand Down Expand Up @@ -741,6 +764,9 @@ Resources:
ParallelClusterUIUserRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub
- ${IAMRoleAndPolicyPrefix}ParallelClusterUIUserRole-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Expand Down Expand Up @@ -777,6 +803,9 @@ Resources:
ParallelClusterApiGatewayInvoke:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub
- ${IAMRoleAndPolicyPrefix}ParallelClusterApiGatewayInvoke-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
PolicyDocument:
Version: '2012-10-17'
Statement:
Expand All @@ -790,6 +819,9 @@ Resources:
CognitoPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub
- ${IAMRoleAndPolicyPrefix}CognitoPolicy-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId']]]] }
PolicyDocument:
Version: '2012-10-17'
Statement:
Expand All @@ -815,6 +847,9 @@ Resources:
EC2Policy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub
- ${IAMRoleAndPolicyPrefix}EC2Policy-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
PolicyDocument:
Version: '2012-10-17'
Statement:
Expand Down Expand Up @@ -847,6 +882,9 @@ Resources:
DescribeFsxPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub
- ${IAMRoleAndPolicyPrefix}DescribeFsxPolicy-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
PolicyDocument:
Version: '2012-10-17'
Statement:
Expand All @@ -864,6 +902,9 @@ Resources:
DescribeEfsPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub
- ${IAMRoleAndPolicyPrefix}DescribeEfsPolicy-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
PolicyDocument:
Version: '2012-10-17'
Statement:
Expand All @@ -877,6 +918,9 @@ Resources:
CostMonitoringAndPricingPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub
- ${IAMRoleAndPolicyPrefix}CostMonitoringAndPricingPolicy-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
PolicyDocument:
Version: '2012-10-17'
Statement:
Expand All @@ -902,6 +946,9 @@ Resources:
SsmSendPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub
- ${IAMRoleAndPolicyPrefix}SsmSendPolicy-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
PolicyDocument:
Version: '2012-10-17'
Statement:
Expand All @@ -924,6 +971,9 @@ Resources:
SsmGetCommandInvocationPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub
- ${IAMRoleAndPolicyPrefix}SsmGetCommandInvocationPolicy-${StackIdSuffix}
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
PolicyDocument:
Version: '2012-10-17'
Statement:
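Review bot: Adding `RoleName` and `ManagedPolicyName` to resources that previously had CloudFormation-generated names forces a replacement of every role and managed policy in this template on the next update of an existing stack (both properties are replacement-only), and that replacement is not atomic: each role is re-created under a new ARN while the Lambda functions and the API Gateway account setting that reference the old ARN are updated afterwards. This upgrade impact should be stated in the commit description or an upgrade note, and an update from the previous template version should be tested end to end, which this commit does not show. A short comment above the first `RoleName: !Sub` would also help the next reader, e.g. `# StackIdSuffix is the first segment of the stack GUID, so stacks sharing a prefix in one account get distinct names`. The `CognitoPolicy` entry writes the same `!Select`/`!Split` expression with different spacing than the other entries; aligning it keeps the pattern greppable.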
