Merge pull request #559 from jericht/merge_mainline_feature_sm

chore: Merge branch 'mainline' into merge_mainline_feature_sm

integ/components/deadline/common/scripts/bastion/utils/configure-deadline.sh

@@ -21,10 +21,10 @@ if [ -d "$CERT" ]; then
 
   # Set up client connection settings for TLS by altering ini file with deadlinecommand
   sudo $DEADLINE/deadlinecommand SetIniFileSetting ProxyUseSSL True
+  sudo $DEADLINE/deadlinecommand SetIniFileSetting ConnectionType Remote
   sudo $DEADLINE/deadlinecommand SetIniFileSetting ProxySSLCA "$CERT/ca-cert.crt"
   sudo $DEADLINE/deadlinecommand SetIniFileSetting ClientSSLAuthentication NotRequired
-  # Set Deadline to use repository connection validated by TLS; ChangeRepositorySkipValidation is a workaround that saves the values without testing them
-  sudo $DEADLINE/deadlinecommand ChangeRepositorySkipValidation Proxy $ENDPOINT "$CERT/ca-cert.crt" >/dev/null
+  sudo $DEADLINE/deadlinecommand SetIniFileSetting ProxyRoot $ENDPOINT
 
 else
   # Non-TLS connections can connect to the repository directly

integ/components/deadline/deadline_01_repository/test/deadline_01_repository.test.ts

@@ -187,7 +187,18 @@ describe.each(testCases)('Deadline Repository tests (%s)', (_, id) => {
        * Input:           Output from command to print contents of repository.ini delivered via SSM command
        * Expected result: Contents of repository.ini matches a regex string indicating the correct version number
       **********************************************************************************************************/
-      var regex = new RegExp('\\[DeadlineRepository\\]\nVersion=' + deadlineVersion);
+      let expectedVersion: string;
+      switch (deadlineVersion) {
+        // Special case for Deadline 10.1.18.5 since it appears as 10.1.18.4 due to known issues in Deadline's build pipeline
+        case '10.1.18.5':
+          expectedVersion = '10.1.18.4';
+          break;
+
+        default:
+          expectedVersion = deadlineVersion!;
+          break;
+      }
+      const regex = new RegExp('\\[DeadlineRepository\\]\nVersion=' + expectedVersion.replace('.', '\\.'));
       expect(output).toEqual(expect.stringMatching(regex));
     });
   });

package.json

@@ -110,6 +110,10 @@
   "resolutions-hosted-git-info": "transitive dep from conventional-changelog-cli@2.1.1 and lerna@4.0.0. hosted-git-info v3.0.0 - v3.0.7 contain a security vulnerability. It is safe to remove/update overrides as long as we stay out of the vulnerable window",
   "resolutions-parse-url": "transitive dep from lerna@4.0.0. normalize-url < 4.5.1 have a security vulnerability.",
   "resolutions-meow": "transitive dep from lerna@4.0.0 and standard-version@9.3.0. trim-newlines < 3.0.1 has security vulnerabilities and meow < 10.0.0 uses the vulnerable trim-newlines.",
+  "resolutions-pacote": "transative dep from lerna@4.0.0. @npmcli/git < 2.0.8 has a sec vuln and this is a dependency of pacote.",
+  "resolutions-@babel/core": "trans dep of nyc@15.1.0. path-parse < 1.0.7 has sec vuln and @babel/core@7.11.6 uses a vulnerable version",
+  "resolutions-node-gyp": "transitive dep from lerna@4.0.0. tar < 6.1.2 has sec vuln and node-gyp@7.1.2 is on tar@4.4.13. This old version of tar cannot be substituted by >= 6.1.2.",
+  "resolutions-tar": "transative dep from lerna@4.0.0. tar < 6.1.2 has security vulnerabilities and there are multiple packages in lerna pulling it in",
   "resolutions": {
     "netmask": "^2.0.1",
     "pac-resolver": "^4.2.0",
@@ -121,7 +125,11 @@
     "normalize-url": ">=4.5.1",
     "parse-url": ">=5.0.3",
     "meow": ">=10.0.0",
-    "trim-newlines": ">=3.0.1"
+    "trim-newlines": ">=3.0.1",
+    "pacote": ">=11.3.5",
+    "@babel/core": ">=7.15.0",
+    "node-gyp": ">=8.2.0",
+    "tar": ">=6.1.2"
   },
   "workspaces": {
     "packages": [

packages/aws-rfdk/lib/deadline/scripts/bash/installDeadlineRepository.sh

@@ -6,6 +6,7 @@
 # exit when any command fails
 set -xeuo pipefail
 
+MIN_DEADLINE_VERSION_REPO_NO_ROOT="10.1.18"
 USAGE="Usage: $0 -i <installer-s3-path> -p <local-installer-path> -v <deadline-version>
 
 This script downloads the deadline repository installer and executes it.
@@ -137,6 +138,7 @@ else
   echo "Secrets management is not enabled."
 fi
 
+INSTALL_AS_NON_ROOT_CMD=""
 if [[ -n "${DEADLINE_REPOSITORY_OWNER+x}" ]]; then
   if [[ ! "$DEADLINE_REPOSITORY_OWNER" =~ ^[0-9]+(:[0-9]+)?$ ]]; then
     echo "ERROR: Deadline Repository owner is invalid: ${DEADLINE_REPOSITORY_OWNER}"
@@ -164,15 +166,26 @@ if [[ -n "${DEADLINE_REPOSITORY_OWNER+x}" ]]; then
     # Create the user
     useradd deadline-rcs-user -u $REPOSITORY_OWNER_UID -g $REPOSITORY_OWNER_GID
   fi
+
+  # Determine whether we can run the installer as the user that will own the repository
+  VERSION_COMPONENTS=(${DEADLINE_REPOSITORY_VERSION//./ })
+  MIN_VERSION_COMPONENTS=(${MIN_DEADLINE_VERSION_REPO_NO_ROOT//./ })
+  if !([[ ${VERSION_COMPONENTS[0]} -lt ${MIN_VERSION_COMPONENTS[0]} ]] || \
+       [[ ${VERSION_COMPONENTS[1]} -lt ${MIN_VERSION_COMPONENTS[1]} ]] || \
+       [[ ${VERSION_COMPONENTS[2]} -lt ${MIN_VERSION_COMPONENTS[2]} ]])
+  then
+    echo "Deadline Repository installer will be run as UID=$REPOSITORY_OWNER_UID"
+    INSTALL_AS_NON_ROOT_CMD="sudo -u #$REPOSITORY_OWNER_UID"
+  fi
 fi
 
 # The syntax ${array[@]+"${array[@]}"} is a way to get around the expansion of an empty array raising an unbound variable error since this script
 # sets the "u" shell option above. This is a use of the ${parameter+word} shell expansion. If the value of "parameter" is unset, nothing will be
 # substituted in its place. If "parameter" is set, then the value of "word" is used, which is the expansion of the populated array.
 # Since bash treats the expansion of an empty array as an unset variable, we can use this pattern expand the array only if it is populated.
-$REPO_INSTALLER --mode unattended --setpermissions false --prefix "$PREFIX" --installmongodb false --backuprepo false ${REPO_ARGS[@]+"${REPO_ARGS[@]}"}
+$INSTALL_AS_NON_ROOT_CMD $REPO_INSTALLER --mode unattended --setpermissions false --prefix "$PREFIX" --installmongodb false --backuprepo false ${REPO_ARGS[@]+"${REPO_ARGS[@]}"}
 
-if [[ -n "${REPOSITORY_OWNER_UID+x}" ]]; then
+if [[ -z "$INSTALL_AS_NON_ROOT_CMD" ]] && [[ -n "${REPOSITORY_OWNER_UID+x}" ]]; then
   echo "Changing ownership of Deadline Repository files to UID=$REPOSITORY_OWNER_UID GID=$REPOSITORY_OWNER_GID"
   sudo chown -R "$REPOSITORY_OWNER_UID:$REPOSITORY_OWNER_GID" "$PREFIX"
 fi

packages/aws-rfdk/lib/deadline/scripts/python/client-rq-connection.py

@@ -144,7 +144,7 @@ def configure_deadline( config ):
 
     else:
         print("Configuring Deadline to connect to the Render Queue using HTTPS Traffic")
-        call_deadline_command(['SetIniFileSetting','ProxyUseSSL','True'])
+        call_deadline_command(['SetIniFileSetting', 'ProxyUseSSL', 'True'])
 
         try:
             os.makedirs(CERT_DIR)
@@ -172,10 +172,8 @@ def configure_deadline( config ):
             # Validate Deadline connection
             print("Testing Deadline connection...")
             stdout.flush()
-            try:
-                call_deadline_command(['GetRepositoryVersion'])
-            except Exception as e:
-                print('Deadline connection error: %s' % e)
+            call_deadline_command(['GetRepositoryVersion'])
+
             print("Deadline connection configured correctly")
         else:
             """
@@ -199,9 +197,8 @@ def configure_deadline( config ):
                 repo_args.append(passphrase)
 
             change_repo_results = call_deadline_command(repo_args)
-            if change_repo_results.startswith('Deadline configuration error:'):
-                print(change_repo_results)
-                raise Exception(change_repo_results)
+            print('Running: %s\nResult: %s' % (repo_args, change_repo_results))
+
 
 def call_deadline_command(arguments):
     """

packages/aws-rfdk/lib/deadline/test/asset-constants.ts

@@ -51,8 +51,8 @@ export const REPO_DC_ASSET = {
 };
 
 export const RQ_CONNECTION_ASSET = {
-  Bucket: 'AssetParametersb378c2efaef674bc39b85562be77f98e03a2f367ff21e04b39c7986e532bec59S3Bucket9B034A91',
-  Key: 'AssetParametersb378c2efaef674bc39b85562be77f98e03a2f367ff21e04b39c7986e532bec59S3VersionKey0BBE496C',
+  Bucket: 'AssetParametersb61797635329f0b0ec0b710b31d49f0e41c1936849266d8a9aed82e1616c9077S3Bucket4D5EEE4A',
+  Key: 'AssetParametersb61797635329f0b0ec0b710b31d49f0e41c1936849266d8a9aed82e1616c9077S3VersionKey9B7B46A0',
 };
 
 export function linuxCloudWatchScriptBoilerplate(scriptParams: string) {