def _add_code_build_notification_lambda(self): build_notification_lambda_execution_role = None if self.create_lambda_roles: build_notification_lambda_execution_role = add_lambda_cfn_role( scope=self.stack_scope, function_id="BuildNotification", statements=[ get_cloud_watch_logs_policy_statement( resource=self._format_arn(service="logs", account="*", region="*", resource="*")) ], ) return PclusterLambdaConstruct( scope=self.stack_scope, id="BuildNotificationFunctionConstruct", function_id="BuildNotification", bucket=self.bucket, config=self.config, execution_role=build_notification_lambda_execution_role.attr_arn if build_notification_lambda_execution_role else self.config.iam.roles.lambda_functions_role, handler_func="send_build_notification", timeout=60, ).lambda_func
def _add_update_waiter_lambda(self): update_waiter_lambda_execution_role = None if self.cleanup_lambda_role: update_waiter_lambda_execution_role = add_lambda_cfn_role( scope=self.stack_scope, function_id="UpdateWaiter", statements=[ iam.PolicyStatement( actions=["dynamodb:GetItem", "dynamodb:PutItem"], effect=iam.Effect.ALLOW, resources=[ self._format_arn( service="dynamodb", account=self._stack_account, resource=f"table/{self.dynamodb_table.ref}", ), ], sid="DynamoDBTable", ), get_cloud_watch_logs_policy_statement( resource=self._format_arn(service="logs", account="*", region="*", resource="*")), ], ) update_waiter_lambda = PclusterLambdaConstruct( scope=self.stack_scope, id="UpdateWaiterFunctionConstruct", function_id="UpdateWaiter", bucket=self.bucket, config=self.config, execution_role=update_waiter_lambda_execution_role.attr_arn if update_waiter_lambda_execution_role else self.config.iam.roles.custom_lambda_resources, handler_func="wait_for_update", ).lambda_func self.update_waiter_custom_resource = CfnCustomResource( self.stack_scope, "UpdateWaiterCustomResource", service_token=update_waiter_lambda.attr_arn, ) self.update_waiter_custom_resource.add_property_override( "ConfigVersion", self.config.config_version) self.update_waiter_custom_resource.add_property_override( "DynamoDBTable", self.dynamodb_table.ref) CfnOutput(self.stack_scope, "UpdateWaiterFunctionArn", value=update_waiter_lambda.attr_arn)
def _add_manage_docker_images_lambda(self): manage_docker_images_lambda_execution_role = None if self.create_lambda_roles: manage_docker_images_lambda_execution_role = add_lambda_cfn_role( scope=self.stack_scope, function_id="ManageDockerImages", statements=[ iam.PolicyStatement( actions=["ecr:BatchDeleteImage", "ecr:ListImages"], effect=iam.Effect.ALLOW, resources=[self._docker_images_repo.attr_arn], sid="ECRPolicy", ), iam.PolicyStatement( actions=[ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], effect=iam.Effect.ALLOW, resources=[ self._code_build_image_builder_project.attr_arn ], sid="CodeBuildPolicy", ), get_cloud_watch_logs_policy_statement( resource=self._format_arn(service="logs", account="*", region="*", resource="*")), ], ) return PclusterLambdaConstruct( scope=self.stack_scope, id="ManageDockerImagesFunctionConstruct", function_id="ManageDockerImages", bucket=self.bucket, config=self.config, execution_role=manage_docker_images_lambda_execution_role.attr_arn if manage_docker_images_lambda_execution_role else self.config.iam.roles.lambda_functions_role, handler_func="manage_docker_images", timeout=60, ).lambda_func
def _add_code_build_policy(self): return iam.CfnPolicy( self.stack_scope, "CodeBuildPolicy", policy_name="CodeBuildPolicy", policy_document=iam.PolicyDocument(statements=[ iam.PolicyStatement( sid="ECRRepoPolicy", effect=iam.Effect.ALLOW, actions=[ "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart", ], resources=[self._docker_images_repo.attr_arn], ), iam.PolicyStatement(sid="ECRPolicy", effect=iam.Effect.ALLOW, actions=["ecr:GetAuthorizationToken"], resources=["*"]), get_cloud_watch_logs_policy_statement( resource=self._format_arn( service="logs", account="*", region="*", resource="*")), iam.PolicyStatement( sid="S3GetObjectPolicy", effect=iam.Effect.ALLOW, actions=["s3:GetObject", "s3:GetObjectVersion"], resources=[ self._format_arn( service="s3", region="", resource= f"{self.bucket.name}/{self.bucket.artifact_directory}/*", account="", ) ], ), ]), roles=[self._code_build_role.ref], )
def _add_private_hosted_zone(self): if self._condition_custom_cluster_dns(): hosted_zone_id = self.config.scheduling.settings.dns.hosted_zone_id cluster_hosted_zone = CustomDns( ref=hosted_zone_id, name=self.cluster_dns_domain.value_as_string) else: cluster_hosted_zone = route53.CfnHostedZone( self.stack_scope, "Route53HostedZone", name=self.cluster_dns_domain.value_as_string, vpcs=[ route53.CfnHostedZone.VPCProperty( vpc_id=self.config.vpc_id, vpc_region=self._stack_region) ], ) # If Headnode InstanceRole is created by ParallelCluster, add Route53 policy for InstanceRole head_node_role_info = self.instance_roles.get("HeadNode") if head_node_role_info: iam.CfnPolicy( self.stack_scope, "ParallelClusterSlurmRoute53Policies", policy_name="parallelcluster-slurm-route53", policy_document=iam.PolicyDocument(statements=[ iam.PolicyStatement( sid="Route53Add", effect=iam.Effect.ALLOW, actions=["route53:ChangeResourceRecordSets"], resources=[ self._format_arn( service="route53", region="", account="", resource= f"hostedzone/{cluster_hosted_zone.ref}", ), ], ), ]), roles=[head_node_role_info.get("RoleRef")], ) cleanup_route53_lambda_execution_role = None if self.cleanup_lambda_role: cleanup_route53_lambda_execution_role = add_lambda_cfn_role( scope=self.stack_scope, function_id="CleanupRoute53", statements=[ iam.PolicyStatement( actions=[ "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ], effect=iam.Effect.ALLOW, resources=[ self._format_arn( service="route53", region="", account="", resource= f"hostedzone/{cluster_hosted_zone.ref}", ), ], sid="Route53DeletePolicy", ), get_cloud_watch_logs_policy_statement( resource=self._format_arn(service="logs", account="*", region="*", resource="*")), ], ) cleanup_route53_lambda = PclusterLambdaConstruct( scope=self.stack_scope, id="CleanupRoute53FunctionConstruct", function_id="CleanupRoute53", bucket=self.bucket, config=self.config, execution_role=cleanup_route53_lambda_execution_role.attr_arn if cleanup_route53_lambda_execution_role else self.config.iam.roles.custom_lambda_resources, handler_func="cleanup_resources", ).lambda_func self.cleanup_route53_custom_resource = CfnCustomResource( self.stack_scope, "CleanupRoute53CustomResource", service_token=cleanup_route53_lambda.attr_arn, ) self.cleanup_route53_custom_resource.add_property_override( "ClusterHostedZone", cluster_hosted_zone.ref) self.cleanup_route53_custom_resource.add_property_override( "Action", "DELETE_DNS_RECORDS") self.cleanup_route53_custom_resource.add_property_override( "ClusterDNSDomain", cluster_hosted_zone.name) CfnOutput( self.stack_scope, "ClusterHostedZone", description= "Id of the private hosted zone created within the cluster", value=cluster_hosted_zone.ref, ) return cluster_hosted_zone