From 754ff1f7c1287e3c30c9f93f1c24900c3418ebf9 Mon Sep 17 00:00:00 2001
From: Giacomo Marciani
Date: Tue, 25 Feb 2025 16:38:34 -0500
Subject: [PATCH] [Permissions] Add new stack parameter 'AdditionalPoliciesPCAPI' to add custom permissions for the ParallelCluster API Lambda role, on top of the default ones.
---
 infrastructure/environments/demo-cfn-create-args.yaml | 2 ++
 infrastructure/environments/demo-cfn-update-args.yaml | 2 ++
 infrastructure/parallelcluster-ui.yaml | 10 ++++++++++
 3 files changed, 14 insertions(+)
diff --git a/infrastructure/environments/demo-cfn-create-args.yaml b/infrastructure/environments/demo-cfn-create-args.yaml
index 92220d82..eae0d71e 100644
--- a/infrastructure/environments/demo-cfn-create-args.yaml
+++ b/infrastructure/environments/demo-cfn-create-args.yaml
@@ -26,6 +26,8 @@ Parameters:
 # ParameterValue: "subnet-xxxxxxxxxx,subnet-xxxxxxxxxx,subnet-xxxxxxxxxx"
 # - ParameterKey: LambdaSecurityGroupIds
 # ParameterValue: sg-xxxxxxxxxx
+# - ParameterKey: AdditionalPoliciesPCAPI
+# ParameterValue: arn:aws:iam::xxxxxxxxxx:policy/xxxxxxxxxx
 # - ParameterKey: PermissionsBoundaryPolicy
 # ParameterValue: arn:aws:iam::xxxxxxxxxx:policy/xxxxxxxxxx
 # - ParameterKey: PermissionsBoundaryPolicyPCAPI
diff --git a/infrastructure/environments/demo-cfn-update-args.yaml b/infrastructure/environments/demo-cfn-update-args.yaml
index 076fbd65..da3e45bf 100644
--- a/infrastructure/environments/demo-cfn-update-args.yaml
+++ b/infrastructure/environments/demo-cfn-update-args.yaml
@@ -26,6 +26,8 @@ Parameters:
 UsePreviousValue: true
 - ParameterKey: LambdaSecurityGroupIds
 UsePreviousValue: true
+ - ParameterKey: AdditionalPoliciesPCAPI
+ UsePreviousValue: true
 - ParameterKey: PermissionsBoundaryPolicy
 UsePreviousValue: true
 - ParameterKey: PermissionsBoundaryPolicyPCAPI
diff --git a/infrastructure/parallelcluster-ui.yaml b/infrastructure/parallelcluster-ui.yaml
index fdd63496..70a98cfc 100644
--- a/infrastructure/parallelcluster-ui.yaml
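Review bot: `UsePreviousValue: true` for the newly introduced `AdditionalPoliciesPCAPI` key in the demo-cfn-update-args.yaml hunk will be rejected by CloudFormation on the first update of any stack created before this parameter existed, because there is no previous value to reuse (the service reports that usePreviousValue cannot be true for a key not in the previous template). For that first update the entry needs an explicit value — `ParameterValue: ''` keeps the template default — or must be left out so the default applies; `UsePreviousValue: true` only becomes valid on subsequent updates. A comment above the entry would save operators a failed update, e.g. `# New key: on the first update of a pre-existing stack use ParameterValue: '' instead (no previous value exists)`. The same caveat presumably applied when `PermissionsBoundaryPolicyPCAPI` was added, so if a documented upgrade procedure already covers it, a pointer to that is enough.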
+++ b/infrastructure/parallelcluster-ui.yaml
@@ -57,6 +57,13 @@ Parameters:
 Description: 'ARN of the IAM policy to use as permissions boundary for every IAM role created by ParallelCluster API infrastructure. [ParallelCluster >= 3.8.0]'
 Default: ''
 AllowedPattern: "^(arn:.*:iam::.*:policy\\/([a-zA-Z0-9_-]+))|()$"
+ AdditionalPoliciesPCAPI:
+ Type: String
+ Description: |
+ (OPTIONAL) ARN of the additional IAM policy to be attached to the default execution role for the ParallelCluster Lambda function.
+ Only one policy can be specified.
+ Default: ''
+ AllowedPattern: "^(arn:.*:iam::.*:policy\\/([a-zA-Z0-9_-]+))|()$"
 IAMRoleAndPolicyPrefix:
 Type: String
 Description: 'Prefix applied to the name of every IAM role and policy (max length: 10). [ParallelCluster >= 3.8.0]'
@@ -113,6 +120,7 @@ Metadata:
 - Label:
 default: (Optional) Permissions
 Parameters:
+ - AdditionalPoliciesPCAPI
 - IAMRoleAndPolicyPrefix
 - PermissionsBoundaryPolicy
 - PermissionsBoundaryPolicyPCAPI
@@ -169,6 +177,7 @@ Conditions:
 UseIAMRoleAndPolicyPrefix: !Not [!Equals [!Ref IAMRoleAndPolicyPrefix, '']]
 UseCustomDomain: !Not [!Equals [!Ref CustomDomain, '']]
 UseCognitoCustomDomain: !Not [!Equals [!Ref CognitoCustomDomain, '']]
+ UseAdditionalPoliciesPCAPI: !Not [!Equals [!Ref AdditionalPoliciesPCAPI, '']]
 
 Mappings:
 ParallelClusterUI:
@@ -204,6 +213,7 @@ Resources:
 Parameters:
 PermissionsBoundaryPolicy: !If [ UsePermissionBoundaryPCAPI, !Ref PermissionsBoundaryPolicyPCAPI, !Ref AWS::NoValue ]
 IAMRoleAndPolicyPrefix: !If [ UseIAMRoleAndPolicyPrefix, !Ref IAMRoleAndPolicyPrefix, !Ref AWS::NoValue ]
+ ParallelClusterFunctionAdditionalPolicies: !If [ UseAdditionalPoliciesPCAPI, !Ref AdditionalPoliciesPCAPI, !Ref AWS::NoValue ]
 ApiDefinitionS3Uri: !Sub s3://${AWS::Region}-aws-parallelcluster/parallelcluster/${Version}/api/ParallelCluster.openapi.yaml
 CreateApiUserRole: False
 EnableIamAdminAccess: True
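Review bot: The new `AdditionalPoliciesPCAPI` Description in the `@@ -57,6 +57,13 @@` hunk lacks the minimum-version marker that the neighbouring `PermissionsBoundaryPolicyPCAPI` and `IAMRoleAndPolicyPrefix` descriptions carry (`[ParallelCluster >= 3.8.0]`), even though the value is forwarded to the nested API template selected by `${Version}` as `ParallelClusterFunctionAdditionalPolicies` (last hunk of this file) and is omitted via `AWS::NoValue` only when empty. With a `Version` whose API template does not define that parameter, the stack would presumably fail with an unrecognized-parameter error only when the field is set, which is a confusing late failure; appending the release that introduced the nested parameter, e.g. `[ParallelCluster >= 3.X.Y]` with the real number filled in, makes the constraint visible where operators read it. The description should also say that the policy must exist in the stack's account or be an AWS-managed policy, since the `AllowedPattern` accepts any partition and account (`arn:.*:iam::.*:policy/`) but IAM will not attach a customer-managed policy from another account. Finally, the plural name `AdditionalPoliciesPCAPI` sits oddly next to "Only one policy can be specified"; if the nested parameter is a list, widening the pattern to a comma-separated list of ARNs would match the name, otherwise a singular name avoids the expectation.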
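Review bot: The `ParallelClusterFunctionAdditionalPolicies` line in the `@@ -204,6 +213,7 @@` hunk is where an operator-chosen policy reaches the API Lambda's execution role, and nothing in the template records the trust implication: the parameter's `AllowedPattern` accepts any account, so AWS-managed policies such as `arn:aws:iam::aws:policy/AdministratorAccess` pass validation, the same Parameters block passes `EnableIamAdminAccess: True`, and within this template the only cap on the resulting permissions is `PermissionsBoundaryPolicyPCAPI` when it is set. Anyone permitted to update this stack's parameters can therefore raise the API Lambda's privileges to whatever that policy grants — presumably intended, but it belongs in writing where the value is consumed and in the parameter's Description. I'd add above the new line `# Operator-supplied policy attached to the API Lambda role; within this template only PermissionsBoundaryPolicyPCAPI (if set) bounds it — review before deploying`. The enclosing nested-stack resource starts before this hunk, so its other parameters are not visible here.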