[Develop] Introduce Global Cleanup IAM Role for ParallelCluster Build-Image #6912
Conversation
* Introduce ensure_cleanup_role() with revision tagging and idempotent creation / update logic. * Modify image_operations_controller to invoke ensure_cleanup_role when Build/Iam/CleanupLambdaRole is not provided and to fail fast on permission errors. * Refactor imagebuilder_stack to remove all per-stack cleanup-role logic and wire Lambda to the global role by default. * Update constants (role prefix / expected revision tag key & value).
IAM / cleanup role ------------------ * IamClient – add create_role, attach_role_policy, put_role_policy, tag_role * ensure_cleanup_role * switch from raw boto3 to AWSApi.instance().iam * 4-step safe update sequence documented, now only after the inline policy succeeds, set or bump the revision tag. * inline-policy builder now receives partition * Lambda VPCAccess managed policy is attached only when LambdaFunctionsVpcConfig exists in the config Tests & utils ------------- * deleted legacy test_imagebuilder_lambda_execution_role. * fixed the failing tests * added new unit tests to cover the new logic * update existing integration test to test the build-image stack can be fully self deleted
hehe7318
changed the title
hehe7318
changed the title
hehe7318
added
the
skip-bad-url-suffix-check
CHANGELOG.md
Outdated
| @@ -13,6 +13,7 @@ CHANGELOG | |||
|
|
|||
| **BUG FIXES** | |||
| - Fix an issue where Security Group validation failed when a rule contained both IPv4 ranges (IpRanges) and security group references (UserIdGroupPairs). | |||
| - Fix a bug that caused build-image CloudFormation stacks fail to delete after images are successfully built. | |||
There was a problem hiding this comment.
after images are successfully built.it fails despite the outcome of the build image. even if the build-image fails, the stack is not able to get auto-deletedfail to deleteI'd say fail to auto-delete. Otherwise it may seem that the user cannot even delete the stack manually.
There was a problem hiding this comment.
Done. Moved it to CHANGES.
- Introduce default global build-image cleanup IAM versioning roles to prevent build-image CloudFormation stacks from failing to be automatically deleted after images are either successfully built or fail to build.
| # If LambdaFunctionsVpcConfig exists in the config, attach the AWS-managed LambdaVPCAccess policy | ||
| has_lambda_functions_vpc_config = cfg_dict.get("DeploymentSettings", {}).get("LambdaFunctionsVpcConfig") |
There was a problem hiding this comment.
Why do we need the lambda function vpc configuraitons?
There was a problem hiding this comment.
See
aws-parallelcluster/cli/src/pcluster/templates/imagebuilder_stack.py
Lines 741 to 742 in 6d4e24d
The cleanup role needs the AWSLambdaVPCAccessExecutionRole when LambdaFunctionsVpcConfig exists in the config.
There was a problem hiding this comment.
Makes sense, thank you.
Nitpick: we need this line only if the user is using the default role, so you can move the line into the if branch below.
| raw_cfg_str = build_image_request_content["imageConfiguration"] | ||
| cfg_dict = yaml.safe_load(raw_cfg_str) or {} | ||
| # If CleanupLambdaRole exists in the config, skip ensure_cleanup_role | ||
| has_custom_cleanup_role = cfg_dict.get("Build", {}).get("Iam", {}).get("CleanupLambdaRole") |
There was a problem hiding this comment.
[CodeStyle] Encapsulate the logic to check whether a custom role is set into a dedicated function and unit test it independently.
There was a problem hiding this comment.
I don't think it's necessary. It's a common dig logic and the logic to test if it can correctly dig is already include in the unit test test_enable_cleanup_role_call_and_vpc_flag.
| if not has_custom_cleanup_role: | ||
| try: | ||
| account_id = AWSApi.instance().sts.get_account_id() | ||
| ensure_cleanup_role( |
There was a problem hiding this comment.
[CodeStyle] ensure_cleanup_role is a bit vague name for this function.
The name should reflect that iwe are talking about the default cleanup role and what cleanup role we are talking about
There was a problem hiding this comment.
Done, modified to ensure_default_build_image_stack_cleanup_role
| except AWSClientError as e: | ||
| if e.error_code in ("AccessDenied", "AccessDeniedException", "UnauthorizedOperation"): | ||
| raise BadRequestException( | ||
| "Current principal lacks permissions to create or update the ParallelCluster build-image " |
There was a problem hiding this comment.
[Design] Why do we need to update the role>? Didn't we agreed on having versioned roles specifically to not update the policy?
There was a problem hiding this comment.
Reached an agreement yesterday. Done. Changed the logic to create roles with revision in their name.
| "Action": "sts:AssumeRole", | ||
| "Condition": { | ||
| "ArnLike": { | ||
| "aws:SourceArn": f"arn:{partition}:lambda:*:{account_id}:function:ParallelClusterImage-*" |
There was a problem hiding this comment.
[Security] This condition allows every function in the stack to assume this role, but we want only a specific function to be able to. Can we use a more specific name?
There was a problem hiding this comment.
No we can't, the delete stack lambda function is named like "ParallelClusterImage-15a09820-6274-11f0-8162-0e903a4ee48d".
| try: | ||
| resp = iam.get_role(role_name=role_name) | ||
| tags = {t["Key"]: t["Value"] for t in resp["Role"].get("Tags", [])} | ||
| current_revision = int(tags.get(CLEANUP_ROLE_REVISION_TAG_KEY, 0)) |
There was a problem hiding this comment.
why not using the revision number specified in PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_EXPECTED_REVISION?
There was a problem hiding this comment.
In my approach, create role with tag=0. And the expected revision is 1. So that it can enter the if else block if current_revision < PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_EXPECTED_REVISION to update the policy.
See my function description, in this approach, it can prevent tag updated but policy not match the expectation.
There was a problem hiding this comment.
No longer applicable. But the logic didn't change.
| current_revision = int(tags.get(CLEANUP_ROLE_REVISION_TAG_KEY, 0)) | ||
| except AWSClientError as e: | ||
| if e.error_code == "NoSuchEntity": | ||
| logging.info("Creating global cleanup role %s", role_name) |
There was a problem hiding this comment.
Specify that we are creating it because it does not exists. May sound obvious but since this is a critical resource better to specify why we take some decisions
| current_revision = 0 | ||
| else: | ||
| raise e | ||
| # (re)attach AWSLambdaVPCAccessExecutionRole |
There was a problem hiding this comment.
Synced yesterday. It's idempotent
| iam.attach_role_policy(role_name, cleanup_role_basic_managed_policy) | ||
|
|
||
| # Put (or overwrite) inline policy | ||
| iam.put_role_policy( |
There was a problem hiding this comment.
[Design] Do we have a way to avoid policy updates? I thought that by using versioned roles we could do that.
There was a problem hiding this comment.
Yes, we have, and it has been applied. See if current_revision < PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_EXPECTED_REVISION: and the function description for details.
There was a problem hiding this comment.
Changed to have revision in the role name and do not update the role.
…a new role when revision number bumps and never update the old role. Scope down the inline policy.
hehe7318
removed
the
skip-bad-url-suffix-check
| @@ -10,6 +10,7 @@ CHANGELOG | |||
| - Support DCV on Amazon Linux 2023. | |||
| - Upgrade Python runtime used by Lambda functions to python3.12 (from python3.9). | |||
| - Remove `berkshelf`. All cookbooks are local and do not need `berkshelf` dependency management. | |||
| - Introduce default global build-image cleanup IAM versioning roles to prevent build-image CloudFormation stacks from failing to be automatically deleted after images are either successfully built or fail to build. | |||
There was a problem hiding this comment.
We should capture the following details in the changelog entry:
- the role is long-living (not bound to the stack lifecycle) and it is meant to persist the stack deletion.
- the role name: since the role is meant to persist it's important to communicate its name so that users do not think it is a left over when they see it.
- Since this is a long lasting issue in pcluster, it may be good to link the issue we are solving.
The fact that the role is versioned is an implementation details, more than something related to the user experience, so we can skip that detail.
The build-image command now deploys a global role that is used to automatically delete the build-image stack after images either succeed or fail the build. The role is meant to exists even after the stack has been deleted. This is to prevent build-image stack deletion failures, reported in https://github.com/aws/aws-parallelcluster/issues/5914
Not: since the changelog entry is long, use multilines to write it.
| # If LambdaFunctionsVpcConfig exists in the config, attach the AWS-managed LambdaVPCAccess policy | ||
| has_lambda_functions_vpc_config = cfg_dict.get("DeploymentSettings", {}).get("LambdaFunctionsVpcConfig") |
There was a problem hiding this comment.
Makes sense, thank you.
Nitpick: we need this line only if the user is using the default role, so you can move the line into the if branch below.
|
|
||
| if not has_custom_cleanup_role: | ||
| try: | ||
| account_id = AWSApi.instance().sts.get_account_id() |
There was a problem hiding this comment.
if this sts call fails, we would return an error message saying that the principal is missing the permissions to create/update the role. Make sure to add sts permissions to our documentation
| """Return the role name including a revision number.""" | ||
| hashed_account_id = generate_string_hash(account_id) | ||
| return ( | ||
| f"{PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_PREFIX}-{hashed_account_id}" |
There was a problem hiding this comment.
This role is supposed to not be deleted or modified by the user.
What about adding a DO-NOT-DELETE suffix in the role name?
This is a standard approach, that we also adopted for the S3 bucket, which has a similar lifecycle.
What about PClusterBuildImageCleanupRole-v{revision}-{hash}-do-not-delete?
If it is too long, we can use PClusterImageCleanupRole-v{revision}-{hash}-do-not-delete.
Description of changes
Tests
References
Checklist
developadd the branch name as prefix in the PR title (e.g.[release-3.6]).Please review the guidelines for contributing and Pull Request Instructions.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.