def _add_code_build_notification_lambda(self):
build_notification_lambda_execution_role = None
if self.create_lambda_roles:
build_notification_lambda_execution_role = add_lambda_cfn_role(
scope=self.stack_scope,
function_id="BuildNotification",
statements=[
get_cloud_watch_logs_policy_statement(
resource=self._format_arn(service="logs",
account="*",
region="*",
resource="*"))
],
)
return PclusterLambdaConstruct(
scope=self.stack_scope,
id="BuildNotificationFunctionConstruct",
function_id="BuildNotification",
bucket=self.bucket,
config=self.config,
execution_role=build_notification_lambda_execution_role.attr_arn
if build_notification_lambda_execution_role else
self.config.iam.roles.lambda_functions_role,
handler_func="send_build_notification",
timeout=60,
).lambda_func
def _add_update_waiter_lambda(self):
update_waiter_lambda_execution_role = None
if self.cleanup_lambda_role:
update_waiter_lambda_execution_role = add_lambda_cfn_role(
scope=self.stack_scope,
function_id="UpdateWaiter",
statements=[
iam.PolicyStatement(
actions=["dynamodb:GetItem", "dynamodb:PutItem"],
effect=iam.Effect.ALLOW,
resources=[
self._format_arn(
service="dynamodb",
account=self._stack_account,
resource=f"table/{self.dynamodb_table.ref}",
),
],
sid="DynamoDBTable",
),
get_cloud_watch_logs_policy_statement(
resource=self._format_arn(service="logs",
account="*",
region="*",
resource="*")),
],
)
update_waiter_lambda = PclusterLambdaConstruct(
scope=self.stack_scope,
id="UpdateWaiterFunctionConstruct",
function_id="UpdateWaiter",
bucket=self.bucket,
config=self.config,
execution_role=update_waiter_lambda_execution_role.attr_arn
if update_waiter_lambda_execution_role else
self.config.iam.roles.custom_lambda_resources,
handler_func="wait_for_update",
).lambda_func
self.update_waiter_custom_resource = CfnCustomResource(
self.stack_scope,
"UpdateWaiterCustomResource",
service_token=update_waiter_lambda.attr_arn,
)
self.update_waiter_custom_resource.add_property_override(
"ConfigVersion", self.config.config_version)
self.update_waiter_custom_resource.add_property_override(
"DynamoDBTable", self.dynamodb_table.ref)
CfnOutput(self.stack_scope,
"UpdateWaiterFunctionArn",
value=update_waiter_lambda.attr_arn)
def _add_manage_docker_images_lambda(self):
manage_docker_images_lambda_execution_role = None
if self.create_lambda_roles:
manage_docker_images_lambda_execution_role = add_lambda_cfn_role(
scope=self.stack_scope,
function_id="ManageDockerImages",
statements=[
iam.PolicyStatement(
actions=["ecr:BatchDeleteImage", "ecr:ListImages"],
effect=iam.Effect.ALLOW,
resources=[self._docker_images_repo.attr_arn],
sid="ECRPolicy",
),
iam.PolicyStatement(
actions=[
"codebuild:BatchGetBuilds", "codebuild:StartBuild"
],
effect=iam.Effect.ALLOW,
resources=[
self._code_build_image_builder_project.attr_arn
],
sid="CodeBuildPolicy",
),
get_cloud_watch_logs_policy_statement(
resource=self._format_arn(service="logs",
account="*",
region="*",
resource="*")),
],
)
return PclusterLambdaConstruct(
scope=self.stack_scope,
id="ManageDockerImagesFunctionConstruct",
function_id="ManageDockerImages",
bucket=self.bucket,
config=self.config,
execution_role=manage_docker_images_lambda_execution_role.attr_arn
if manage_docker_images_lambda_execution_role else
self.config.iam.roles.lambda_functions_role,
handler_func="manage_docker_images",
timeout=60,
).lambda_func
def _add_code_build_policy(self):
return iam.CfnPolicy(
self.stack_scope,
"CodeBuildPolicy",
policy_name="CodeBuildPolicy",
policy_document=iam.PolicyDocument(statements=[
iam.PolicyStatement(
sid="ECRRepoPolicy",
effect=iam.Effect.ALLOW,
actions=[
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
],
resources=[self._docker_images_repo.attr_arn],
),
iam.PolicyStatement(sid="ECRPolicy",
effect=iam.Effect.ALLOW,
actions=["ecr:GetAuthorizationToken"],
resources=["*"]),
get_cloud_watch_logs_policy_statement(
resource=self._format_arn(
service="logs", account="*", region="*",
resource="*")),
iam.PolicyStatement(
sid="S3GetObjectPolicy",
effect=iam.Effect.ALLOW,
actions=["s3:GetObject", "s3:GetObjectVersion"],
resources=[
self._format_arn(
service="s3",
region="",
resource=
f"{self.bucket.name}/{self.bucket.artifact_directory}/*",
account="",
)
],
),
]),
roles=[self._code_build_role.ref],
)
def _add_private_hosted_zone(self):
if self._condition_custom_cluster_dns():
hosted_zone_id = self.config.scheduling.settings.dns.hosted_zone_id
cluster_hosted_zone = CustomDns(
ref=hosted_zone_id,
name=self.cluster_dns_domain.value_as_string)
else:
cluster_hosted_zone = route53.CfnHostedZone(
self.stack_scope,
"Route53HostedZone",
name=self.cluster_dns_domain.value_as_string,
vpcs=[
route53.CfnHostedZone.VPCProperty(
vpc_id=self.config.vpc_id,
vpc_region=self._stack_region)
],
)
# If Headnode InstanceRole is created by ParallelCluster, add Route53 policy for InstanceRole
head_node_role_info = self.instance_roles.get("HeadNode")
if head_node_role_info:
iam.CfnPolicy(
self.stack_scope,
"ParallelClusterSlurmRoute53Policies",
policy_name="parallelcluster-slurm-route53",
policy_document=iam.PolicyDocument(statements=[
iam.PolicyStatement(
sid="Route53Add",
effect=iam.Effect.ALLOW,
actions=["route53:ChangeResourceRecordSets"],
resources=[
self._format_arn(
service="route53",
region="",
account="",
resource=
f"hostedzone/{cluster_hosted_zone.ref}",
),
],
),
]),
roles=[head_node_role_info.get("RoleRef")],
)
cleanup_route53_lambda_execution_role = None
if self.cleanup_lambda_role:
cleanup_route53_lambda_execution_role = add_lambda_cfn_role(
scope=self.stack_scope,
function_id="CleanupRoute53",
statements=[
iam.PolicyStatement(
actions=[
"route53:ListResourceRecordSets",
"route53:ChangeResourceRecordSets"
],
effect=iam.Effect.ALLOW,
resources=[
self._format_arn(
service="route53",
region="",
account="",
resource=
f"hostedzone/{cluster_hosted_zone.ref}",
),
],
sid="Route53DeletePolicy",
),
get_cloud_watch_logs_policy_statement(
resource=self._format_arn(service="logs",
account="*",
region="*",
resource="*")),
],
)
cleanup_route53_lambda = PclusterLambdaConstruct(
scope=self.stack_scope,
id="CleanupRoute53FunctionConstruct",
function_id="CleanupRoute53",
bucket=self.bucket,
config=self.config,
execution_role=cleanup_route53_lambda_execution_role.attr_arn
if cleanup_route53_lambda_execution_role else
self.config.iam.roles.custom_lambda_resources,
handler_func="cleanup_resources",
).lambda_func
self.cleanup_route53_custom_resource = CfnCustomResource(
self.stack_scope,
"CleanupRoute53CustomResource",
service_token=cleanup_route53_lambda.attr_arn,
)
self.cleanup_route53_custom_resource.add_property_override(
"ClusterHostedZone", cluster_hosted_zone.ref)
self.cleanup_route53_custom_resource.add_property_override(
"Action", "DELETE_DNS_RECORDS")
self.cleanup_route53_custom_resource.add_property_override(
"ClusterDNSDomain", cluster_hosted_zone.name)
CfnOutput(
self.stack_scope,
"ClusterHostedZone",
description=
"Id of the private hosted zone created within the cluster",
value=cluster_hosted_zone.ref,
)
return cluster_hosted_zone
