Scope down permissions

Author: hgreebe

api/PclusterApiHandler.py

@@ -33,6 +33,7 @@
 AUTH_PATH = os.getenv("AUTH_PATH")
 API_BASE_URL = os.getenv("API_BASE_URL")
 API_VERSION = sorted(os.getenv("API_VERSION", "3.1.0").strip().split(","), key=lambda x: [-int(n) for n in x.split('.')])
+# Default version must be highest version so that it can be used for read operations due to backwards compatibility
 DEFAULT_API_VERSION = API_VERSION[0]
 API_USER_ROLE = os.getenv("API_USER_ROLE")
 OIDC_PROVIDER = os.getenv("OIDC_PROVIDER")

infrastructure/environments/demo-cfn-create-args.yaml

@@ -3,7 +3,7 @@ Parameters:
   - ParameterKey: AdminUserEmail
     ParameterValue: [email protected]
   - ParameterKey: Version
-    ParameterValue: 3.13.0,3.11.0
+    ParameterValue: 3.11.0,3.13.0
   - ParameterKey: InfrastructureBucket
     ParameterValue: BUCKET_URL_PLACEHOLDER
   - ParameterKey: PublicEcrImageUri

infrastructure/environments/demo-cfn-update-args.yaml

@@ -3,7 +3,7 @@ Parameters:
   - ParameterKey: AdminUserEmail
     UsePreviousValue: true
   - ParameterKey: Version
-    ParameterValue: 3.12.0,3.11.0,3.9.0
+    ParameterValue: 3.11.0,3.12.0,3.9.0
   - ParameterKey: InfrastructureBucket
     ParameterValue: BUCKET_URL_PLACEHOLDER
   - ParameterKey: PublicEcrImageUri

infrastructure/parallelcluster-ui.yaml

@@ -36,7 +36,7 @@ Parameters:
     Description: Version of AWS ParallelCluster to deploy.
     Type: String
     AllowedPattern: "^([0-9]+)\\.([0-9]+)\\.([0-9]+)(,([0-9]+)\\.([0-9]+)\\.([0-9]+))*$"
-    ConstraintDescription: Please specify a valid ParallelCluster version.
+    ConstraintDescription: Please specify a comma separated list of valid ParallelCluster versions.
   ImageBuilderVpcId:
     Description: (Optional) Select the VPC to use for building the container images. If not selected, default VPC will be used.
     Type: String
@@ -240,7 +240,15 @@ Resources:
           import os
           import re
           import time
-        
+          
+          def get_partition(region):
+            if region.startswith('us-gov-'):
+              return 'aws-us-gov'
+            elif region.startswith('cn-'):
+              return 'aws-cn'
+            else:
+              return 'aws'
+      
           def handler(event, context):
             response_data = {}
             response_status = cfnresponse.SUCCESS
@@ -255,7 +263,13 @@ Resources:
               if event['RequestType'] in ['Create', 'Update']:
                 response_data["Message"] = "Resource creation successful!"
                 cfn = boto3.client('cloudformation')
+          
+                sts_client = boto3.client('sts')
+                caller_identity = sts_client.get_caller_identity()
+                account_id = caller_identity['Account']
+
                 result = ""
+                api_gateway_arns = []
 
                 api_id = event['ResourceProperties'].get('ApiGatewayRestApiId')
                 print(f"ApiGatewayRestApiId: {api_id}")
@@ -304,23 +318,28 @@ Resources:
                                           if output['OutputKey'] == 'ParallelClusterApiInvokeUrl':
                                               # Construct the result string
                                               result = f"{result}{version}={output['OutputValue']},"
-                                              print(f"Version={version}, ApiURL={output['OutputValue']}")
+          
+                                              parsed_url = urlparse(output['OutputValue']).hostname.split('.')[0]
+                                              api_gateway_arns.append(f"arn:{get_partition(os.environ['AWS_REGION'])}:execute-api:{os.environ['AWS_REGION']}:{account_id}/{parsed_url}/*/*")
+                                              print(f"API arn: {parsed_url}")          
+          
+                                              print(f"Version={version}, ApiURL={output['OutputValue']}, ")
                                               break
 
                         except Exception as e:
                             print(f"Error processing stack {stack['StackName']}: {str(e)}")
                             continue
                 print(f"Result: {result}")
 
-                response_data = {"ApiVersionMapping": result}
+                response_data = {"ApiVersionMapping": result, "ApiArns":  ','.join(api_gateway_arns)}
                 cfnresponse.send(event, context,  cfnresponse.SUCCESS, response_data)
 
             except Exception as e:
               response_status = cfnresponse.FAILED
               reason = "Failed {}: {}".format(event["RequestType"], e)
 
       Timeout: 300
-      MemorySize: 128
+      MemorySize: 256
 
   ApiVersionMapFunctionRole:
     Type: AWS::IAM::Role
@@ -996,6 +1015,7 @@ Resources:
         - { ApiGateway: !Ref ApiGatewayRestApi }
 
   ParallelClusterApiGatewayInvoke:
+    DependsOn: ApiVersionMap
     Type: AWS::IAM::ManagedPolicy
     Properties:
       ManagedPolicyName: !Sub
@@ -1007,7 +1027,7 @@ Resources:
           - Action:
               - execute-api:Invoke
             Effect: Allow
-            Resource: !Sub "arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:*/*/*"
+            Resource: !Split [",", !GetAtt ApiVersionMap.ApiArns]
 
   CognitoPolicy:
     Type: AWS::IAM::ManagedPolicy