[policies] Return the Arn of ParallelClusterLambdaRole in output of policies substack (aws#4847)

* `[policies]` Return the Arn of the UserRole in the output of the policies substack.

* `[policies]` Return a Lambda role to be specific on its use case.

Author: charlesg3

cloudformation/policies/parallelcluster-policies.yaml

@@ -78,8 +78,8 @@ Outputs:
     Condition: EnableFSxS3AccessCondition
     Value: !Ref ParallelClusterFSxS3AccessPolicy
 
-  ParallelClusterUserRole:
-    Value: !Ref ParallelClusterUserRole
+  ParallelClusterLambdaRoleArn:
+    Value: !GetAtt ParallelClusterLambdaRole.Arn
 
   DefaultParallelClusterIamAdminPolicy:
     Condition: EnableIamPolicy
@@ -111,7 +111,7 @@ Resources:
     Condition: EnableIamPolicy
     Properties:
       Roles:
-        - !Ref ParallelClusterUserRole
+        - !Ref ParallelClusterLambdaRole
       PolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -175,7 +175,7 @@ Resources:
             Sid: IamPolicy
 
 
-  ParallelClusterUserRole:
+  ParallelClusterLambdaRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
@@ -185,6 +185,9 @@ Resources:
             Principal:
               Service: lambda.amazonaws.com
       ManagedPolicyArns:
+        # Required for Lambda logging and XRay
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSXRayDaemonWriteAccess
+        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
         # Required to run ParallelCluster functionalities
         - !Ref ParallelClusterClusterPolicy
         - !If
@@ -307,7 +310,7 @@ Resources:
             Effect: Allow
             Sid: EnableFSxS3Access
       Roles:
-        - !Ref ParallelClusterUserRole
+        - !Ref ParallelClusterLambdaRole
 
   ParallelClusterClusterPolicy:
     Type: AWS::IAM::ManagedPolicy

cloudformation/tests/test_policies.py

@@ -89,22 +89,31 @@ def test_match_api():
     for key in policies["Resources"].keys():
         drop_keys = {"Condition"}
 
-        source_key = {"ParallelClusterFSxS3AccessPolicy": "FSxS3AccessPolicy"}.get(key, key)
+        source_key = {
+            "ParallelClusterFSxS3AccessPolicy": "FSxS3AccessPolicy",
+            "ParallelClusterLambdaRole": "ParallelClusterUserRole",
+        }.get(key, key)
+
         source_dict = {k: v for k, v in source["Resources"][source_key].items() if k not in drop_keys}
         dest_dict = {k: v for k, v in policies["Resources"][key].items() if k not in drop_keys}
 
-        if key == "ParallelClusterUserRole":
-            source_dict["Properties"]["ManagedPolicyArns"] = source_dict["Properties"]["ManagedPolicyArns"][2:]
+        if key == "ParallelClusterLambdaRole":
 
             def remove_batch_if(arn):
-                return arn if "Ref" in arn else arn["Fn::If"][1]
+                return arn if ("Ref" in arn or "Fn::Sub" in arn) else arn["Fn::If"][1]
 
             dest_dict["Properties"]["ManagedPolicyArns"] = list(
                 map(remove_batch_if, dest_dict["Properties"]["ManagedPolicyArns"])
             )
 
+        # Rename UserRole to LambdaRole, ignore policy name mismatch
         if key == "ParallelClusterFSxS3AccessPolicy":
+            source_dict["Properties"]["Roles"][0]["Ref"] = "ParallelClusterLambdaRole"
             del source_dict["Properties"]["PolicyName"]
             del dest_dict["Properties"]["PolicyName"]
 
+        # Rename UserRole to LambdaRole
+        if key == "DefaultParallelClusterIamAdminPolicy":
+            source_dict["Properties"]["Roles"][0]["Ref"] = "ParallelClusterLambdaRole"
+
         assert_that(dest_dict).is_equal_to(source_dict)