Merge branch 'develop' into 'main'

Merging hot-fix for ocsp issue on RES BI stack

See merge request mwvaughn/aws-hpc-recipes!172

Author: charlesg3

recipes/res/res_demo_env/assets/bi.yaml

@@ -35,9 +35,9 @@ Parameters:
     Type: String
     Default: ""
   EnvironmentName:
-    Description: (Optional) EnvironmentName must start with "res-"and should be less than or equal to 11 characters. Required to generate certificates.
+    Description: (Optional) EnvironmentName must start with "res-" without capital letters and should be less than or equal to 11 characters. Required to generate certificates.
     Type: String
-    AllowedPattern: ^$|^res-[A-Za-z\-\_0-9]{0,7}$
+    AllowedPattern: ^$|^res-[a-z\-\_0-9]{0,7}$
     Default: res-demo
   AdminPassword:
     Description: (Optional) Provide the Active Directory Administrator Account Password Directly or Resource ARN to Secret Containing Password.

recipes/res/res_demo_env/assets/res-demo-stack.yaml

@@ -27,8 +27,8 @@ Parameters:
     Description: Provide name of the RES Environment. Must be unique for your account and AWS Region.
     Type: String
     Default: res-demo
-    AllowedPattern: ^res-[A-Za-z\-\_0-9]{0,7}$
-    ConstraintDescription: EnvironmentName must start with "res-" and should be less than or equal to 11 characters.
+    AllowedPattern: ^res-[a-z\-\_0-9]{0,7}$
+    ConstraintDescription: EnvironmentName must start with "res-" without capital letters and should be less than or equal to 11 characters.
 
   AdministratorEmail:
     Type: String

recipes/res/res_demo_env/assets/res-sso-keycloak.yaml

@@ -21,8 +21,8 @@ Parameters:
     Description: Provide name of the RES Environment. Must be unique for your account and AWS Region.
     Type: String
     Default: res-demo
-    AllowedPattern: ^res-[A-Za-z\-\_0-9]{0,7}$
-    ConstraintDescription: EnvironmentName must start with "res-" and should be less than or equal to 11 characters.
+    AllowedPattern: ^res-[a-z\-\_0-9]{0,7}$
+    ConstraintDescription: EnvironmentName must start with "res-" without capital letters and should be less than or equal to 11 characters.
 
   Keypair:
     Description: EC2 Keypair to access management instance.

recipes/res/res_ready_ami/assets/imagebuilder-infrastructure.yaml

@@ -18,8 +18,8 @@ Parameters:
   EnvironmentName:
     Type: String
     Description: Provide name of the RES Environment. Must be unique for your account and AWS Region.
-    AllowedPattern: ^res-[A-Za-z\-\_0-9]{0,7}$
-    ConstraintDescription: EnvironmentName must start with "res-" and should be less than or equal to 11 characters.
+    AllowedPattern: ^res-[a-z\-\_0-9]{0,7}$
+    ConstraintDescription: EnvironmentName must start with "res-" without capital letters and should be less than or equal to 11 characters.
   VPC:
     Description: VPC where RES is deployed
     Type: 'AWS::EC2::VPC::Id'

recipes/security/public_certs/assets/main.yaml

@@ -168,7 +168,7 @@ Resources:
               cd acme.sh-$VERSION
               ./acme.sh --install
               ./acme.sh --set-default-ca --server letsencrypt
-              ./acme.sh --issue --dns dns_aws --ocsp-must-staple --keylength 4096  -d ${DomainName} -d "*.${DomainName}"
+              ./acme.sh --issue --dns dns_aws --keylength 4096  -d ${DomainName} -d "*.${DomainName}"
 
               CERTKEYFILE=$HOME/.acme.sh/${DomainName}/${DomainName}.key
               CERTCERFILE=$HOME/.acme.sh/${DomainName}/${DomainName}.cer
@@ -322,7 +322,7 @@ Resources:
                   cd acme.sh-$VERSION
                   ./acme.sh --install
                   ./acme.sh --set-default-ca --server letsencrypt
-                  ./acme.sh --issue --dns dns_aws --ocsp-must-staple --keylength 4096  -d ${DomainName} -d "*.${DomainName}"
+                  ./acme.sh --issue --dns dns_aws --keylength 4096  -d ${DomainName} -d "*.${DomainName}"
 
                   CERTKEYFILE=$HOME/.acme.sh/${DomainName}/${DomainName}.key
                   CERTCERFILE=$HOME/.acme.sh/${DomainName}/${DomainName}.cer

recipes/storage/efs_simple/assets/main.yaml

@@ -141,15 +141,13 @@ Resources:
 
   EfsSecurityGroupInboundRule:
     Type: 'AWS::EC2::SecurityGroupIngress'
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allow incoming traffic to EFS from members of security group
       FromPort: 2049
       ToPort: 2049
-      GroupId: !If 
-          - CreateSecurityGroup
-          - !Ref EfsSecurityGroup
-          - !GetAtt SecurityGroupLookup.GroupId
+      GroupId: !Ref EfsSecurityGroup
       SourceSecurityGroupId: !Ref EfsClientSecurityGroup
 
   EfsClientSecurityGroupOutboundRule:
@@ -203,6 +201,7 @@ Resources:
     Condition: UseExistingSecurityGroup
     Properties:
       ServiceToken: !GetAtt SecurityGroupLookupFunction.Arn
+      ServiceTimeout: 60
       VpcId: !Ref VpcId
       GroupName: !Ref SecurityGroupName
 
@@ -232,6 +231,7 @@ Resources:
     Type: AWS::Lambda::Function
     Condition: UseExistingSecurityGroup
     Properties:
+      Timeout: 60
       Runtime: python3.9
       Handler: index.handler
       Role: !GetAtt SecurityGroupLookupRole.Arn

recipes/storage/fsx_lustre/assets/scratch.yaml

@@ -61,12 +61,12 @@ Conditions:
 Resources:
 
   LustreServersSG:
-      Type: AWS::EC2::SecurityGroup
-      Condition: CreateSecurityGroup
-      Properties:
-        GroupDescription: 'Allows traffic to FSx for Lustre filesystem'
-        GroupName: !Sub '${AWS::StackName}-fsxl-security-group'
-        VpcId: !Ref VpcId
+    Type: AWS::EC2::SecurityGroup
+    Condition: CreateSecurityGroup
+    Properties:
+      GroupDescription: 'Allows traffic to FSx for Lustre filesystem'
+      GroupName: !Sub '${AWS::StackName}-fsxl-security-group'
+      VpcId: !Ref VpcId
 
   LustreClientsSG:
     Type: AWS::EC2::SecurityGroup
@@ -87,16 +87,14 @@ Resources:
 
   LustreClientsSGxxFROMxxLustreServersSG988:
     Type: AWS::EC2::SecurityGroupIngress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allows Lustre traffic on port 988 between Amazon FSx for Lustre file servers and Lustre clients
       FromPort: 988
       ToPort: 988
       GroupId: !Ref LustreClientsSG
-      SourceSecurityGroupId: !If 
-          - CreateSecurityGroup
-          - !Ref LustreServersSG
-          - !GetAtt SecurityGroupLookup.GroupId
+      SourceSecurityGroupId: !Ref LustreServersSG
 
   LustreClientsSGfromLustreClients1021:
     Type: AWS::EC2::SecurityGroupIngress
@@ -110,16 +108,14 @@ Resources:
 
   LustreClientsSGxxFROMxxLustreServersSG1021:
     Type: AWS::EC2::SecurityGroupIngress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allows Lustre traffic on ports 1021-23 between Amazon FSx for Lustre file servers and Lustre clients
       FromPort: 1021
       ToPort: 1023
       GroupId: !Ref LustreClientsSG
-      SourceSecurityGroupId: !If 
-          - CreateSecurityGroup
-          - !Ref LustreServersSG
-          - !GetAtt SecurityGroupLookup.GroupId
+      SourceSecurityGroupId: !Ref LustreServersSG
 
   LustreClientsSGtoLustreClients988:
     Type: AWS::EC2::SecurityGroupEgress
@@ -133,19 +129,18 @@ Resources:
 
   LustreClientsSGtopclusterLustreServersSG:
     Type: AWS::EC2::SecurityGroupEgress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allow Lustre traffic on port 988 between Amazon FSx for Lustre file servers and Lustre clients
       FromPort: 988
       ToPort: 988
       GroupId: !Ref LustreClientsSG
-      DestinationSecurityGroupId: !If 
-          - CreateSecurityGroup
-          - !Ref LustreServersSG
-          - !GetAtt SecurityGroupLookup.GroupId
+      DestinationSecurityGroupId: !Ref LustreServersSG
 
   LustreClientsSGtoLustreClients1021:
     Type: AWS::EC2::SecurityGroupEgress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allows Lustre traffic on ports 1021-23 between Amazon FSx for Lustre clients
@@ -156,16 +151,14 @@ Resources:
 
   LustreClientsSGtoLustreServersSG:
     Type: AWS::EC2::SecurityGroupEgress
+    Condition: CreateSecurityGroup
     Properties:
       IpProtocol: tcp
       Description: Allows Lustre traffic on ports 1021-23 between Amazon FSx for Lustre file servers and Lustre clients
       FromPort: 1021
       ToPort: 1023
       GroupId: !Ref LustreClientsSG
-      DestinationSecurityGroupId: !If 
-          - CreateSecurityGroup
-          - !Ref LustreServersSG
-          - !GetAtt SecurityGroupLookup.GroupId
+      DestinationSecurityGroupId: !Ref LustreServersSG
 
   FSxLFilesystem:
     Type: AWS::FSx::FileSystem
@@ -196,6 +189,7 @@ Resources:
     Condition: UseExistingSecurityGroup
     Properties:
       ServiceToken: !GetAtt SecurityGroupLookupFunction.Arn
+      ServiceTimeout: 60
       VpcId: !Ref VpcId
       GroupName: !Ref SecurityGroupName
 
@@ -225,6 +219,7 @@ Resources:
     Type: AWS::Lambda::Function
     Condition: UseExistingSecurityGroup
     Properties:
+      Timeout: 60
       Runtime: python3.9
       Handler: index.handler
       Role: !GetAtt SecurityGroupLookupRole.Arn

recipes/storage/fsx_ontap/assets/main.yaml

@@ -15,8 +15,8 @@ Metadata:
         Parameters:
           - VpcId
           - SubnetId
-          - ClientIpCidr
           - SecurityGroupName
+          - ClientIpCidr
           - KmsKeyId
       - Label:
           default: File System Options
@@ -48,16 +48,16 @@ Parameters:
   SubnetId:
     Type: AWS::EC2::Subnet::Id
     Description: Subnet ID where the file system will be created (must be in same VPC).
-  ClientIpCidr:
-    Description: CIDR block controlling incoming NFS and/or SMB traffic to FSx file system.
-    Default: ""
-    Type: String
-    AllowedPattern: ^((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))?$
-    ConstraintDescription: ClientIP must be a valid IP or network range of the form x.x.x.x/x. specify your IP/NETMASK (e.g x.x.x/32 or x.x.x.x/24 for subnet range)
   SecurityGroupName:
     Type: String
     Description: (Optional) An existing security group to associate to the file system (must be in same VPC). If none is provided, a new security group will be created.
     Default: ""
+  ClientIpCidr:
+    Type: String
+    Description: (Optional) If no existing security group is provided, then provide a CIDR block controlling incoming NFS and/or SMB traffic to FSx file system.
+    Default: ""
+    AllowedPattern: ^$|^((\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}))?$
+    ConstraintDescription: ClientIP must be a valid IP or network range of the form x.x.x.x/x. specify your IP/NETMASK (e.g x.x.x/32 or x.x.x.x/24 for subnet range)
   KmsKeyId:
     Type: String
     Description: (Optional) An existing ID of the AWS Key Management Service (AWS KMS) key used to encrypt Amazon FSx file system data. If none is provided, the default aws/fsx encryption key will be used.
@@ -84,9 +84,9 @@ Parameters:
   OntapHAPairs:
     Type: Number
     Description: Number of high-availability (HA) pairs of file servers will power your file system. Default is set to 1 HA pair.
-    ConstraintDescription: "Minimum: 1 HA pair"
     Default: 1
     MinValue: 1
+    ConstraintDescription: "Minimum: 1 HA pair"
   OntapDiskIopsMode:
     Type: String
     Description: Specifies whether the file system is using the AUTOMATIC setting of SSD IOPS of 3 IOPS per GB of storage capacity, or if it is using a USER_PROVISIONED value. Default is set to AUTOMATIC.
@@ -97,15 +97,15 @@ Parameters:
   OntapDiskIops:
     Type: Number
     Description: Total number of SSD IOPS provisioned for the file system if using USER_PROVISIONED for file system's disk IOPS. Default is set to 3,072 SSD IOPS.
-    ConstraintDescription: "Minimum: 3,072 SSD IOPS"
     Default: 3072
     MinValue: 3072
+    ConstraintDescription: "Minimum: 3,072 SSD IOPS"
   OntapThroughputCapacity:
     Type: Number
     Description: Throughput capacity for the file system (MBps). Default is set to 384 MBps.
-    ConstraintDescription: "Minimum: 384 MBps"
     Default: 384
     MinValue: 384
+    ConstraintDescription: "Minimum: 384 MBps"
   OntapSecurityStyle:
     Type: String
     Description: Security style of the file system's volumes. Default is set to UNIX.
@@ -117,9 +117,9 @@ Parameters:
   OntapVolumeJunctionPath:
     Type: String
     Description: The location in the storage virtual machine's namespace where the non-root volume is mounted. Default is set to /vol1.
-    ConstraintDescription: "Must start with /"
     Default: "/vol1"
     AllowedPattern: "^/[a-zA-Z0-9-_/]+$"
+    ConstraintDescription: "Must start with /"
   EnableActiveDirectory:
     Type: String
     Description: Enable file system to join an Active Directory. Required for Windows SMB clients to mount file system. Default is set to false.
@@ -138,9 +138,9 @@ Parameters:
   ServiceAccountCredentialsSecretArn:
     Type: String
     Description: Directory Service Root (Service Account) Credentials Secret ARN. The username and password for the Active Directory ServiceAccount user formatted as a username:password key/value pair.
-    ConstraintDescription: "Secret name can be 512 characters long and may include letters, numbers, and the following characters: /_+=.@-."
-    AllowedPattern: ^$|^(?:arn:(?:aws|aws-us-gov|aws-cn):secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[A-Za-z0-9\-\_\+\=\/\.\@]{1,519})?$
     Default: ""
+    AllowedPattern: ^$|^(?:arn:(?:aws|aws-us-gov|aws-cn):secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[A-Za-z0-9\-\_\+\=\/\.\@]{1,519})?$
+    ConstraintDescription: "Secret name can be 512 characters long and may include letters, numbers, and the following characters: /_+=.@-."
   ComputersOU:
     Type: String
     Description: Organization Unit (OU) for compute and storage servers in the Active Directory.
@@ -170,6 +170,11 @@ Conditions:
     - !Condition CreateCIFSShare
 
 Rules:
+  RequireSecurityGroupRule:
+    RuleCondition: !Equals [!Ref SecurityGroupName, ""]
+    Assertions:
+      - Assert: !Not [!Equals [!Ref ClientIpCidr, ""]]
+        AssertDescription: If a SecurityGroupName is not provided, a valid ClientIpCidr must be provided.
   ActiveDirectoryParametersRule:
     RuleCondition: !Equals [!Ref EnableActiveDirectory, "true"]
     Assertions: