From ecea7ae263f896cbfa7c15840c6bdb0063daba8d Mon Sep 17 00:00:00 2001
From: Francesco De Martino
Date: Thu, 19 Aug 2021 14:50:22 +0200
Subject: [PATCH 1/3] [api] add quotes to !Ref AWS::StackId

Signed-off-by: Francesco De Martino
---
 api/infrastructure/parallelcluster-api.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/api/infrastructure/parallelcluster-api.yaml b/api/infrastructure/parallelcluster-api.yaml
index 0effcdf9e7..20992e6935 100644
--- a/api/infrastructure/parallelcluster-api.yaml
+++ b/api/infrastructure/parallelcluster-api.yaml
@@ -104,7 +104,7 @@ Globals:
 - CreateApiUserRoleCondition
 - !Sub
 - arn:${AWS::Partition}:*::${AWS::AccountId}:*/ParallelClusterApiUserRole-${StackIdSuffix}*
- - { StackIdSuffix: !Select [2, !Split ['/', !Ref AWS::StackId]] }
+ - { StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
 - '*'
 TracingEnabled: True
 EndpointConfiguration:
@@ -244,7 +244,7 @@ Resources:
 Properties:
 RoleName: !Sub
 - ParallelClusterApiUserRole-${StackIdSuffix}
- - { StackIdSuffix: !Select [2, !Split ['/', !Ref AWS::StackId]] }
+ - { StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
 AssumeRolePolicyDocument:
 Statement:
 - Effect: Allow
@@ -957,7 +957,7 @@ Resources:
 Properties:
 Name: !Sub
 - ParallelClusterImageBuilderInfrastructureConfiguration-${Version}-${StackIdSuffix}
- - { Version: !Join ['_', !Split ['.', !FindInMap [ParallelCluster, Constants, Version]]], StackIdSuffix: !Select [2, !Split ['/', !Ref AWS::StackId]] }
+ - { Version: !Join ['_', !Split ['.', !FindInMap [ParallelCluster, Constants, Version]]], StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
 InstanceProfileName: !Ref ImageBuilderInstanceProfile
 TerminateInstanceOnFailure: true
 SnsTopicArn: !Ref EcrImageBuilderSNSTopic
@@ -968,7 +968,7 @@ Resources:
 Properties:
 RepositoryName: !Sub
 - 'aws-parallelcluster-${StackIdSuffix}'
- - { StackIdSuffix: !Select [2, !Split ['/', !Ref AWS::StackId]] }
+ - { StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
 Tags:
 - Key: 'parallelcluster:version'
 Value: !FindInMap [ParallelCluster, Constants, Version]
@@ -982,7 +982,7 @@ Resources:
 ContainerType: DOCKER
 Name: !Sub
 - 'ImportPublicEcrImage-${Version}-${StackIdSuffix}'
- - { Version: !Join ['_', !Split ['.', !FindInMap [ParallelCluster, Constants, Version]]], StackIdSuffix: !Select [2, !Split ['/', !Ref AWS::StackId]] }
+ - { Version: !Join ['_', !Split ['.', !FindInMap [ParallelCluster, Constants, Version]]], StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
 Version: !FindInMap [ParallelCluster, Constants, Version]
 ParentImage: !Ref PublicEcrImageUri
 PlatformOverride: Linux
@@ -1008,7 +1008,7 @@ Resources:
 Properties:
 Name: !Sub
 - 'EcrImagePipeline-${Version}-${StackIdSuffix}'
- - { Version: !Join ['_', !Split ['.', !FindInMap [ParallelCluster, Constants, Version]]], StackIdSuffix: !Select [2, !Split ['/', !Ref AWS::StackId]] }
+ - { Version: !Join ['_', !Split ['.', !FindInMap [ParallelCluster, Constants, Version]]], StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
 Status: ENABLED
 ContainerRecipeArn: !Ref EcrImageRecipe
 InfrastructureConfigurationArn: !Ref InfrastructureConfiguration
@@ -1220,7 +1220,7 @@ Resources:
 - imagebuilder:DeleteImage
 Resource: !Sub
 - arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:image/*${StackIdSuffix}*
- - { StackIdSuffix: !Select [2, !Split ['/', !Ref AWS::StackId]] }
+ - { StackIdSuffix: !Select [2, !Split ['/', !Ref 'AWS::StackId']] }
 EcrImagesRemover:
 Condition: DoNotUseCustomEcrImageUri

From 7c34e7b0b4eebac123965f3d6ad3d4114213e187 Mon Sep 17 00:00:00 2001
From: Francesco De Martino
Date: Thu, 19 Aug 2021 14:50:57 +0200
Subject: [PATCH 2/3] [integ-tests] fix check for template url in cfn_stacks_factory
Signed-off-by: Francesco De Martino
---
 tests/integration-tests/cfn_stacks_factory.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/integration-tests/cfn_stacks_factory.py b/tests/integration-tests/cfn_stacks_factory.py
index 758aa95ab4..e5373c6af0 100644
--- a/tests/integration-tests/cfn_stacks_factory.py
+++ b/tests/integration-tests/cfn_stacks_factory.py
@@ -77,7 +77,7 @@ def create_stack(self, stack):
 raise ValueError("Stack {0} already exists in region {1}".format(name, region))
 logging.info("Creating stack {0} in region {1}".format(name, region))
- is_template_url = stack.template.startswith("s3://")
+ is_template_url = stack.template.startswith("https://")
 with aws_credential_provider(region, self.__credentials):
 try:
 cfn_client = boto3.client("cloudformation", region_name=region)

From 6a73fb04f29e7c994440876c072dd33e62dac2c6 Mon Sep 17 00:00:00 2001
From: Francesco De Martino
Date: Thu, 19 Aug 2021 15:18:37 +0200
Subject: [PATCH 3/3] [iam] Add both ec2 service identifiers in PassRole policy

For some APIs such as AddRoleToInstanceProfile the PassedToService needs to be ec2.amazonaws.com also in China.

Signed-off-by: Francesco De Martino
---
 api/infrastructure/parallelcluster-api.yaml | 6 ++++--
 tests/iam_policies/user-role.cfn.yaml | 9 ++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/api/infrastructure/parallelcluster-api.yaml b/api/infrastructure/parallelcluster-api.yaml
index 20992e6935..b83771fa70 100644
--- a/api/infrastructure/parallelcluster-api.yaml
+++ b/api/infrastructure/parallelcluster-api.yaml
@@ -581,7 +581,8 @@ Resources:
 StringEqualsIfExists:
 iam:PassedToService:
 - lambda.amazonaws.com
- - !Sub ec2.${AWS::URLSuffix}
+ - ec2.amazonaws.com
+ - ec2.amazonaws.com.cn
 - spotfleet.amazonaws.com
 Sid: IamPassRole
 - Action:
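Review bot: The new `startswith("https://")` test on the `+` line quietly turns an `s3://` URI, which the old check accepted, into an inline template body, so an older caller will presumably fail later with an opaque CloudFormation validation error instead of a clear one; the TemplateBody/TemplateURL decision that consumes `is_template_url` sits further down in create_stack, outside the hunk. A fail-fast guard placed just before the new line makes the regression explicit: `if stack.template.startswith("s3://"): raise ValueError("TemplateURL must be an https:// S3 object URL, got {0}".format(stack.template))`. A one-line comment on the check itself, e.g. `# CloudFormation's TemplateURL accepts https:// S3 object URLs only; anything else is sent as TemplateBody`, would record why the prefix changed.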
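Review bot: The two added `iam:PassedToService` values widen the PassRole condition in every partition: a commercial-partition deployment now also accepts `ec2.amazonaws.com.cn` and a China deployment `ec2.amazonaws.com`, where the removed `!Sub ec2.${AWS::URLSuffix}` matched exactly one identifier. The practical exposure looks small because both identifiers denote EC2, but the reason for the pair lives only in the commit message, so a comment on the added lines would stop a later cleanup from reverting to the partition-specific form, e.g. `# ec2.amazonaws.com is also required in the China partition (e.g. AddRoleToInstanceProfile); ec2.amazonaws.com.cn is kept for the remaining EC2 calls there`. The same pair is added in @@ -700 of this file and in @@ -337, @@ -456 and @@ -764 of tests/iam_policies/user-role.cfn.yaml, which mirrors the api template's policy, so the comment belongs in each copy to keep them from drifting apart. Note also that this statement uses `StringEqualsIfExists`, so the list only constrains calls that actually set the key; that is pre-existing rather than introduced here, but it bounds how much the widening matters.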
@@ -700,7 +701,8 @@ Resources:
 StringEquals:
 iam:PassedToService:
 - lambda.amazonaws.com
- - !Sub 'ec2.${AWS::URLSuffix}'
+ - ec2.amazonaws.com
+ - ec2.amazonaws.com.cn
 - Sid: CloudWatch
 Effect: Allow
 Action:
diff --git a/tests/iam_policies/user-role.cfn.yaml b/tests/iam_policies/user-role.cfn.yaml
index 0305d1b873..f94140b599 100644
--- a/tests/iam_policies/user-role.cfn.yaml
+++ b/tests/iam_policies/user-role.cfn.yaml
@@ -337,7 +337,8 @@ Resources:
 StringEqualsIfExists:
 iam:PassedToService:
 - lambda.amazonaws.com
- - !Sub ec2.${AWS::URLSuffix}
+ - ec2.amazonaws.com
+ - ec2.amazonaws.com.cn
 - spotfleet.amazonaws.com
 Sid: IamPassRole
 - Action:
@@ -456,7 +457,8 @@ Resources:
 StringEquals:
 iam:PassedToService:
 - lambda.amazonaws.com
- - !Sub 'ec2.${AWS::URLSuffix}'
+ - ec2.amazonaws.com
+ - ec2.amazonaws.com.cn
 - Sid: CloudWatch
 Effect: Allow
 Action:
@@ -764,7 +766,8 @@ Resources:
 Condition:
 StringEquals:
 iam:PassedToService:
- - !Sub ec2.${AWS::URLSuffix}
+ - ec2.amazonaws.com
+ - ec2.amazonaws.com.cn
 - Action:
 - ec2:DescribeInstances
 - ec2:DescribeInstanceStatus