feat(deadline): Added ability for RQ to configure client connections

Adds an internal class to the RenderQueue which configures a client instance or
ECS cluster to connect.

Updates UBLLicensing and WorkerFleet Constructs to use the new connection
methods.

examples/kitchen-sink/lib/index.ts

@@ -21,6 +21,9 @@ import {
   FileSystem,
   LifecyclePolicy,
 } from '@aws-cdk/aws-efs';
+import {
+  ApplicationProtocol,
+} from '@aws-cdk/aws-elasticloadbalancingv2';
 import {
   ManagedPolicy,
   ServicePrincipal,
@@ -42,15 +45,14 @@ import {
   Stack,
 } from '@aws-cdk/core';
 import {
-  ImportedAcmCertificate,
   MountableEfs,
   X509CertificatePem,
 } from 'aws-rfdk';
 import {
   DatabaseConnection,
+  RenderQueue,
   Repository,
   ThinkboxDockerRecipes,
-  RenderQueue,
 } from "aws-rfdk/deadline";
 
 import { config } from "./config";
@@ -211,9 +213,7 @@ export class KitchenSinkApp extends App {
       },
       signingCertificate: caCert,
     });
-    const rqCertAcm = new ImportedAcmCertificate(rqStack, 'RenderQueueACMImport', {
-      ...rqCertPem,
-    });
+
     /**
      * Create a render queue. This is the service that backs the REST API for clients connecting to the render farm.
      */
@@ -228,8 +228,9 @@ export class KitchenSinkApp extends App {
       },
       trafficEncryption: {
         externalTLS: {
-          certificate: rqCertAcm,
+          rfdkCertificate: rqCertPem,
         },
+        internalProtocol: ApplicationProtocol.HTTP,
       }
     });
 

packages/aws-rfdk/lib/core/lib/endpoint.ts

@@ -3,7 +3,12 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { Port, Protocol } from '@aws-cdk/aws-ec2';
+import {
+  Connections,
+  IConnectable,
+  Port,
+  Protocol,
+} from '@aws-cdk/aws-ec2';
 import { ApplicationProtocol } from '@aws-cdk/aws-elasticloadbalancingv2';
 import { Token } from '@aws-cdk/core';
 
@@ -154,6 +159,16 @@ export interface ApplicationEndpointProps {
   readonly protocol?: ApplicationProtocol;
 }
 
+/**
+ * Properties for constructing an {@link ConnectableApplicationEndpoint}
+ */
+export interface ConnectableApplicationEndpointProps extends ApplicationEndpointProps {
+  /**
+   * The connection object of the application this endpoint is for.
+   */
+  readonly connections: Connections;
+}
+
 /**
  * An endpoint serving http or https for an application.
  */
@@ -177,3 +192,24 @@ export class ApplicationEndpoint extends Endpoint {
     this.applicationProtocol = props.protocol ?? ApplicationProtocol.HTTPS;
   }
 }
+
+/**
+ * An endpoint serving http or https for an application.
+ */
+export class ConnectableApplicationEndpoint extends ApplicationEndpoint implements IConnectable {
+
+  /**
+   * Allows specifying security group connections for the application.
+   */
+  public readonly connections: Connections;
+
+  /**
+   * Constructs a {@link ApplicationEndpoint} instance.
+   *
+   * @param props The properties for the application endpoint
+   */
+  constructor(props: ConnectableApplicationEndpointProps) {
+    super(props);
+    this.connections = props.connections;
+  }
+}

packages/aws-rfdk/lib/core/test/endpoint.test.ts

@@ -3,12 +3,24 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import { Protocol } from '@aws-cdk/aws-ec2';
+import { expect as expectCDK, haveResource } from '@aws-cdk/assert';
+import {
+  Connections,
+  IConnectable,
+  Port,
+  Protocol,
+  SecurityGroup,
+  Vpc,
+} from '@aws-cdk/aws-ec2';
 import { ApplicationProtocol } from '@aws-cdk/aws-elasticloadbalancingv2';
-import { Token } from '@aws-cdk/core';
+import {
+  Stack,
+  Token,
+} from '@aws-cdk/core';
 
 import {
   ApplicationEndpoint,
+  ConnectableApplicationEndpoint,
   Endpoint,
 } from '../lib';
 
@@ -183,3 +195,32 @@ describe('ApplicationEndpoint', () => {
     expect(endpoint.applicationProtocol).toBe(protocol);
   });
 });
+
+describe('ConnectableApplicationEndpoint', () => {
+  test('Is connectable', () => {
+    // WHEN
+    const stack = new Stack();
+    const vpc = new Vpc(stack, 'VPC');
+    const sg1 = new SecurityGroup(stack, 'SomeSecurityGroup', { vpc, allowAllOutbound: false });
+    const somethingConnectable = new SomethingConnectable(new Connections({ securityGroups: [sg1] }));
+
+    const securityGroup = SecurityGroup.fromSecurityGroupId(stack, 'ImportedSG', 'sg-12345');
+
+    const endpoint = new ConnectableApplicationEndpoint({
+      address: '127.0.0.1',
+      port: 80,
+      connections: new Connections({securityGroups: [securityGroup]}),
+    });
+
+    // WHEN
+    somethingConnectable.connections.allowTo(endpoint, Port.tcp(80), 'Connecting to endpoint');
+
+    // THEN
+    expectCDK(stack).to(haveResource('AWS::EC2::SecurityGroupIngress'));
+  });
+});
+
+class SomethingConnectable implements IConnectable {
+  constructor(public readonly connections: Connections) {
+  }
+}

packages/aws-rfdk/lib/deadline/lib/render-queue-ref.ts

@@ -17,11 +17,21 @@ import {
 import {
   ApplicationProtocol,
 } from '@aws-cdk/aws-elasticloadbalancingv2';
+import {
+  IGrantable,
+} from '@aws-cdk/aws-iam';
 import {
   IPrivateHostedZone,
 } from '@aws-cdk/aws-route53';
+import {
+  ISecret,
+} from '@aws-cdk/aws-secretsmanager';
 import { Duration } from '@aws-cdk/core';
-import { LogGroupFactoryProps } from '../../core';
+import {
+  IX509CertificatePem,
+  LogGroupFactoryProps,
+} from '../../core';
+import { IHost } from './host-ref';
 import { IRepository } from './repository';
 import { IVersion } from './version-ref';
 
@@ -112,12 +122,36 @@ export interface RenderQueueHealthCheckConfiguration {
 
 /**
  * Properties for configuring external TLS connections between the Render Queue and Deadline clients.
+ *
+ * You must provide one of the following combinations of properties:
+ *  -  acmCertificate ({@link @aws-cdk/aws-certificatemanager#ICertificate}) representing a certificate in ACM and
+ *     acmCertificateChain ({@link @aws-cdk/aws-secretsmanager#ISecret}) containing the Certificate chain of the acmCertificate.
+ *  -  rfdkCertificate ({@link IX509CertificatePem}) Representing all of the properties of the certificate.
+ *
+ * In both cases the certificate chain **must** include only the CA certificates PEM file due to a known limitation in Deadline.
  */
 export interface RenderQueueExternalTLSProps {
   /**
    * The ACM certificate that will be used for establishing incoming external TLS connections to the RenderQueue.
+   * @default If  not provided then the rfdkCertificate must be provided.
    */
-  readonly certificate: ICertificate;
+  readonly acmCertificate?: ICertificate;
+
+  /**
+   * The secret containing the cert chain of the provided acmCert.
+   *
+   * This certifiate chain **must** include only the CA Certificates PEM file.
+   *
+   * @default If an acmCertificate was provided then this must be provided, otherwise this is ignored.
+   */
+  readonly acmCertificateChain?: ISecret;
+
+  /**
+   * The parameters for an X509 Certificate that will be imported into ACM then used by the RenderQueue.
+   *
+   * @default If not provided then an acmCertificate and acmCertificateChain must be provided.
+   */
+  readonly rfdkCertificate?: IX509CertificatePem;
 }
 
 /**
@@ -228,4 +262,31 @@ export interface RenderQueueProps {
    * @default - LogGroup will be created with all properties' default values and a prefix of "/renderfarm/".
    */
   readonly logGroupProps?: LogGroupFactoryProps;
+}
+
+/**
+ * Properties that need to be provided in order to connect an ECS service to a Render Queue
+ */
+export interface ECSConnectOptions {
+  /**
+   * The set of hosts that will be hosting the containers.
+   *
+   * This can be AutoScalingGroups that make up the capacity of an Amazon ECS cluster, or individual instances.
+   */
+  readonly hosts: IHost[];
+
+  /**
+   * The task definitions Role that needs permissions.
+   */
+  readonly grantee: IGrantable;
+}
+
+/**
+ * Properties that need to be provided in order to connect instances to a Render Queue
+ */
+export interface InstanceConnectOptions {
+  /**
+   * The Instance/UserData which will directly connect to the Repository
+   */
+  readonly host: IHost;
 }