Remove dangling IAM policies resources when CustomLambdaRole is specified in cfn custom resource

hanwen-cluster · hanwen-pcluste · commit 1305d9a0b887 · 2023-07-20T06:22:32.000-07:00
Signed-off-by: Hanwen &lt;hanwenli@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,7 @@ CHANGELOG
 
 **BUG FIXES**
 - Add validation to `ScaledownIdletime` value, to prevent setting a value lower than `-1`.
+- Fix issue causing dangling IAM policies to be created when creating ParallelCluster CloudFormation custom resource provider with `CustomLambdaRole`.
 
 3.6.1
 ------
diff --git a/cloudformation/custom_resource/cluster.yaml b/cloudformation/custom_resource/cluster.yaml
@@ -68,6 +68,7 @@ Resources:
       LogGroupName: !Sub /aws/lambda/${PclusterCfnFunction}
 
   EventsPolicy:
+    Condition: UsePCPolicies
     Type: AWS::IAM::ManagedPolicy
     Properties:
       PolicyDocument:
@@ -82,6 +83,7 @@ Resources:
               - events:RemoveTargets
             Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*
   S3Policy:
+    Condition: UsePCPolicies
     Type: AWS::IAM::ManagedPolicy
     Properties:
       PolicyDocument:
diff --git a/tests/integration-tests/tests/custom_resource/test_cluster_custom_resource.py b/tests/integration-tests/tests/custom_resource/test_cluster_custom_resource.py
@@ -319,15 +319,27 @@ def test_cluster_create_with_custom_policies(
 ):
     """Create a custom resource provider with a custom role and create a cluster to validate it."""
     parameters = {"CustomBucket": resource_bucket, stack_param: resource_bucket_policies.cfn_outputs[cfn_output]}
+    provider_stack_name = generate_stack_name(
+        "integ-test-custom-resource-provider", request.config.getoption("stackname_suffix")
+    )
     custom_resource_gen = cluster_custom_resource_provider_generator(
         cfn_stacks_factory,
         region,
-        generate_stack_name("integ-test-custom-resource-provider", request.config.getoption("stackname_suffix")),
+        provider_stack_name,
         parameters,
         cluster_custom_resource_provider_template,
     )
     service_token = next(custom_resource_gen)
 
+    if stack_param == "CustomLambdaRole":
+        logging.info("Checking no IAM resources are created when CustomLambdaRole is specified")
+        resources = boto3.client("cloudformation").describe_stack_resources(StackName=provider_stack_name)[
+            "StackResources"
+        ]
+        for resource in resources:
+            resource_type = resource["ResourceType"]
+            assert_that(resource_type).does_not_contain("AWS::IAM::")
+
     stack = cluster_custom_resource_factory(pcluster_config_reader(), service_token=service_token)
     cluster_name = _stack_parameter(stack, "ClusterName")
     cluster = pc().list_clusters(query=f"clusters[?clusterName=='{cluster_name}']|[0]")
