aws-samples
diff --git a/‎aws_emr_blog_v3/cloudformation/copy-artifacts-to-regional-s3bucket.template
Lines changed: 170 additions & 0 deletions b/‎aws_emr_blog_v3/cloudformation/copy-artifacts-to-regional-s3bucket.template
Lines changed: 170 additions & 0 deletions
diff --git a/‎aws_emr_blog_v3/cloudformation/ec2-win-ad.template
Lines changed: 27 additions & 0 deletions b/‎aws_emr_blog_v3/cloudformation/ec2-win-ad.template
Lines changed: 27 additions & 0 deletions
diff --git a/‎aws_emr_blog_v3/cloudformation/emr-template.template
Lines changed: 25 additions & 17 deletions b/‎aws_emr_blog_v3/cloudformation/emr-template.template
Lines changed: 25 additions & 17 deletions
diff --git a/‎aws_emr_blog_v3/cloudformation/ranger-server.template
Lines changed: 1 addition & 1 deletion b/‎aws_emr_blog_v3/cloudformation/ranger-server.template
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,170 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Copy S3 object to local S3 bucket
+
+Parameters:
+
+  S3BucketSources:
+    Type: String
+    Description: S3 bucket with source files
+    MaxLength: 63
+    MinLength: 3
+    Default: aws-bigdata-blog
+    AllowedValues: ["aws-bigdata-blog"]
+  S3SourcesPrefix:
+    Type: String
+    Description: S3 prefix with sources WITH ending slash
+    MaxLength: 63
+    MinLength: 3
+    Default: artifacts/aws-blog-emr-ranger
+    AllowedValues: ["artifacts/aws-blog-emr-ranger"]
+  ProjectVersion:
+    Default: 3.0
+    Description: Project version
+    Type: String
+    AllowedValues:
+      - 3.0
+      - beta
+  S3Objects:
+    Type: CommaDelimitedList
+    Description: S3 Object to be copied
+    Default: launch-cluster.zip, scripts/download-scripts.sh, scripts/remove-yum-package-name-validator.sh, scripts/configure_ranger_glue_support_with_bootstrap.sh, scripts/enable-glue-catalog-support.sh, scripts/create-hdfs-home-ba.sh, scripts/setup-trino-redshift-connector.sh
+
+Resources:
+
+  S3BucketRegionSources:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+    DeletionPolicy: Delete
+
+  CopyZips:
+    Type: AWS::CloudFormation::CustomResource
+    DependsOn:
+      - S3BucketRegionSources
+    Properties:
+      ServiceToken: !GetAtt 'CopyZipsFunction.Arn'
+      DestBucket:  !Ref 'S3BucketRegionSources'
+      SourceBucket: !Ref 'S3BucketSources'
+      SourcePrefix: !Ref 'S3SourcesPrefix'
+      ProjectVersion: !Ref 'ProjectVersion'
+      Counter: "1"
+      Objects: !Ref S3Objects
+
+  CopyZipsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+      Path: /
+      Policies:
+        - PolicyName: lambda-copier
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - s3:GetObject
+                  - s3:GetObjectTagging
+                Resource:
+                  - !Sub 'arn:aws:s3:::${S3BucketSources}/*'
+              - Effect: Allow
+                Action:
+                  - s3:ListBucket
+                Resource:
+                  - !Sub 'arn:aws:s3:::${S3BucketSources}'
+              - Effect: Allow
+                Action:
+                  - s3:ListBucket
+                Resource:
+                  - !Sub 'arn:aws:s3:::${S3BucketRegionSources}'
+              - Effect: Allow
+                Action:
+                  - s3:PutObject
+                  - s3:DeleteObject
+                  - s3:PutObjectTagging
+                Resource:
+                  - !Sub 'arn:aws:s3:::${S3BucketRegionSources}/*'
+
+  CopyZipsFunction:
+    Type: AWS::Lambda::Function
+    Properties:
+      FunctionName:  "CopyRangerArtifacts"
+      Description: Copies objects from a source S3 bucket to a destination
+      Handler: index.handler
+      Runtime: python3.9
+      Role: !GetAtt 'CopyZipsRole.Arn'
+      Timeout: 240
+      Code:
+        ZipFile: |
+          import json
+          import logging
+          import threading
+          import boto3
+          import cfnresponse
+
+          def copy_objects(source_bucket, dest_bucket, objects, prefix, project_version):
+              s3 = boto3.client('s3')
+              for o in objects:
+                  key =  prefix + '/' + project_version + '/' + o
+                  copy_source = {
+                      'Bucket': source_bucket,
+                      'Key': key
+                  }
+                  print('copy source_bucket:' + source_bucket + ' destination_bucket: '+ dest_bucket + '  key: ' + key)
+                  s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key)
+
+          def delete_objects(bucket, objects, prefix, project_version):
+              s3 = boto3.client('s3')
+              objects = {'Objects': [{'Key':  prefix + '/' + project_version + '/' + o} for o in objects]}
+              s3.delete_objects(Bucket=bucket, Delete=objects)
+              s3_list_response = s3.list_objects_v2(Bucket=bucket, Prefix=prefix + '/' + project_version + '/emr-tls/')
+              if 'Contents' in s3_list_response:
+                for object in s3_list_response['Contents']:
+                    print('Deleting', object['Key'])
+                    s3.delete_object(Bucket=bucket, Key=object['Key'])
+
+          def timeout(event, context):
+              logging.error('Execution is about to time out, sending failure response to CloudFormation')
+              cfnresponse.send(event, context, cfnresponse.FAILED, {}, None)
+
+          def handler(event, context):
+              # make sure we send a failure to CloudFormation if the function is going to timeout
+              timer = threading.Timer((context.get_remaining_time_in_millis() / 1000.00) - 0.5, timeout, args=[event, context])
+              timer.start()
+
+              print('Received event:  %s' % json.dumps(event))
+              status = cfnresponse.SUCCESS
+              try:
+                  source_bucket = event['ResourceProperties']['SourceBucket']
+                  source_prefix = event['ResourceProperties']['SourcePrefix']
+                  project_version = event['ResourceProperties']['ProjectVersion']
+                  dest_bucket = event['ResourceProperties']['DestBucket']
+                  if source_bucket == dest_bucket:
+                    return
+                  objects = event['ResourceProperties']['Objects']
+                  if event['RequestType'] == 'Delete':
+                      delete_objects(dest_bucket,  objects, source_prefix, project_version)
+                  else:
+                      copy_objects(source_bucket, dest_bucket,  objects, source_prefix, project_version)
+              except Exception as e:
+                  logging.error('Exception: %s' % e, exc_info=True)
+                  status = cfnresponse.FAILED
+              finally:
+                  timer.cancel()
+                  cfnresponse.send(event, context, status, {}, None)
+
+Outputs:
+
+  RegionalS3Bucket:
+    Description:  Regional S3 bucket with artifacts required by the EMR cluster. This bucket can be reused as the 'S3Bucket' value for future EMR cluster stacks
+    Value: !Ref S3BucketRegionSources
@@ -290,6 +290,28 @@ Resources:
                   - !Ref 'DefaultADUserPassword'
                   - "' -Force)\n"
                   - "Enable-ADAccount -Identity \"analyst2\"\n"
+                  - "New-ADUser -Name \"tina\" -OtherAttributes @{'title'=\"tina\";'mail'=\"tina@"
+                  - !Ref 'DomainDNSName'
+                  - "\"}\n"
+                  - "Enable-ADAccount -Identity \"tina\"\n"
+                  - "Set-ADAccountPassword -Identity 'tina' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText '"
+                  - !Ref 'DefaultADUserPassword'
+                  - "' -Force)\n"
+                  - "Enable-ADAccount -Identity \"tina\"\n"
+                  - "New-ADUser -Name \"alex\" -OtherAttributes @{'title'=\"alex\";'mail'=\"alex@"
+                  - !Ref 'DomainDNSName'
+                  - "\"}\n"
+                  - "Enable-ADAccount -Identity \"alex\"\n"
+                  - "Set-ADAccountPassword -Identity 'alex' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText '"
+                  - !Ref 'DefaultADUserPassword'
+                  - "' -Force)\n"
+                  - "Enable-ADAccount -Identity \"alex\"\n"
+                  - "$domain='"
+                  - !Ref 'DomainDNSName'
+                  - "'\n"
+                  - "Get-ADUser -Filter * -SearchBase ('DC={0},DC={1}'  -f $domain.split(\".\")[0],$domain.split(\".\")[1]) -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName (\"{0}@{1}\" -f $_.name,$domain)}\n"
+                  - "New-ADGroup -Name \"DataScience\" -SamAccountName DataScience -GroupCategory Security -GroupScope Global -DisplayName \"DataScience\" -Path ('CN=Users,DC={0},DC={1}' -f $domain.split(\".\")[0],$domain.split(\".\")[1]) -Description \"Members of this group have access to data science resources and data sets\"\n"
+                  - "Add-ADGroupMember -Identity \"DataScience\" -Members alex,tina \n"
           services:
             windows:
               cfn-hup:
@@ -491,3 +513,8 @@ Outputs:
   ADDomainJoinUser:
     Description: The DomainAdminUser
     Value: !Ref 'DomainAdminUser'
+  ADSecurityGroupID:
+    Description: AD security group ID.
+    Value: !Ref SecurityGroup
+    Export:
+      Name: !Sub ${AWS::StackName}-ADSecurityGroupID
@@ -247,6 +247,7 @@ Parameters:
       - emr-6.3.0
       - emr-6.4.0
       - emr-6.7.0
+      - emr-6.8.0
     Description: Release label for the EMR cluster
   AppsEMR:
     Description: 'Comma separated list of applications to install on the cluster e.g., '
@@ -365,6 +366,11 @@ Parameters:
     Default: false
     Type: String
     AllowedValues: [ true, false ]
+  InstallRangerHDFSPlugin:
+    Description: Flag to control if the Ranger HDFS plugin will be added
+    Default: false
+    Type: String
+    AllowedValues: [ true, false ]
 Conditions:
   USEastRegion: !Equals [ !Ref 'AWS::Region', "us-east-1" ]
   EnableKerberos: !Equals [true, !Ref EnableKerberos]
@@ -449,6 +455,23 @@ Resources:
         - arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role
         - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
         - arn:aws:iam::aws:policy/CloudWatchFullAccess
+  AllowSecretsRetrievalPolicy:
+    Type: 'AWS::IAM::Policy'
+    DependsOn: EmrEc2Role
+    Properties:
+      PolicyName: AllowSecretsRetrievalPolicy
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - secretsmanager:GetSecretValue
+              - secretsmanager:ListSecrets
+              - secretsmanager:DescribeSecret
+            Resource:
+              - !Join [ '', [ 'arn:aws:secretsmanager:', !Ref "AWS::Region", ':', !Ref "AWS::AccountId", ':secret:emr/ranger*' ] ]
+      Roles:
+        - !Ref EmrEc2Role
   DataAccessRoleARN:
     Type: AWS::IAM::Role
     Properties:
@@ -497,22 +520,6 @@ Resources:
               - !GetAtt 'DataAccessRoleARN.Arn'
       Roles:
         - !Ref EmrEc2Role
-
-  AllowSecretsRetrievalPolicy:
-    Type: 'AWS::IAM::Policy'
-    Properties:
-      PolicyName: AllowSecretsRetrieval
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action:
-              - secretsmanager:GetSecretValue
-            Resource:
-              - !Join ['', ['arn:aws:secretsmanager:', !Ref "AWS::Region", ':', !Ref "AWS::AccountId", ':secret:', !Ref RangerAgentKeySecretName, '*']]
-              - !Join ['', ['arn:aws:secretsmanager:', !Ref "AWS::Region", ':', !Ref "AWS::AccountId", ':secret:', !Ref RangerServerCertSecretName, '*']]
-      Roles:
-        - !Ref EmrEc2Role
   EMRInstanceProfile:
     Type: AWS::IAM::InstanceProfile
     Properties:
@@ -563,7 +570,7 @@ Resources:
           InTransitEncryptionConfiguration:
             TLSCertificateConfiguration:
               CertificateProviderType: PEM
-              S3Object: !Join ['', ["s3://", !Ref S3ArtifactBucket, "/", !Ref S3ArtifactKey, "/", !Ref ProjectVersion, "/emr-tls/", "emr-certs-certs.zip"]]
+              S3Object: !Join ['', ["s3://", !Ref S3Bucket, "/", !Ref S3Key, "/", !Ref ProjectVersion, "/emr-tls/", "emr-certs-certs.zip"]]
   LaunchEMRClusterFunction:
     Type: AWS::Lambda::Function
     DependsOn: LambdaExecutionRole
@@ -636,6 +643,7 @@ Resources:
       DefaultDomain: !If [ USEastRegion, 'EC2.INTERNAL', 'COMPUTE.INTERNAL' ]
       EnableIcebergSupport: !Ref EnableIcebergSupport
       EnableGlueSupport: !Ref EnableGlueSupport
+      InstallRangerHDFSPlugin: !Ref InstallRangerHDFSPlugin
   emrCreateWaitHandle:
     Type: AWS::CloudFormation::WaitConditionHandle
     Properties: {}