2024.04.02 (#39)

Signed-off-by: Mohjeet <85322972+Mohjeet@users.noreply.github.com>

CHANGELOG.md

@@ -1,6 +1,19 @@
 # Change Log
 This file is used to list changes made in each release of Research and Engineering Studio (RES).
 
+2024.04.02
+------
+
+**BUG FIXES**
+
+- Fixed a bug where RES Users were given the option to create FSx for Lustre file systems through the UI. RES only supports mounting existing file systems. To create an FSx for Lustre file system see https://docs.aws.amazon.com/fsx/latest/LustreGuide/getting-started.html#getting-started-step1
+- Resolved an issue with the IAMPermissionBoundary parameter that prevented the use of GovCloud ARNs.
+- Resolved an issue that caused failures when deleting a RES environment in GovCloud.
+- Resolved an issue preventing RES installation for accounts with GuardDuty Runtime Monitoring for AWS Fargate enabled.
+
+**ENHANCEMENTS**
+
+- Added support for onboarding FSx for Lustre file systems onto RHEL 9 kernel version 5.14.0-362*.
 
 2024.04.01
 ------

RES_VERSION.txt

@@ -1 +1 @@
-2024.04.01
+2024.04.02

source/idea/batteries_included/parameters/common.py

@@ -94,7 +94,7 @@ class CommonParameters(Base):
             id=CommonKey.IAM_PERMISSION_BOUNDARY,
             type="String",
             description="(Optional) You may provide an IAM permission boundary ARN that will be attached to all roles created in RES.",
-            allowed_pattern="^(?:arn:aws:iam::[0-9]{12}:policy/[A-Za-z0-9\-\_\+\=\,\.\@]{1,128})?$",
+            allowed_pattern="^(?:arn:(?:aws|aws-us-gov|aws-cn):iam::[0-9]{12}:policy/[A-Za-z0-9\-\_\+\=\,\.\@]{1,128})?$",
             constraint_description="The IAM permission boundary must be a valid ARN.",
         )
     )

source/idea/idea-administrator/src/ideaadministrator_meta/__init__.py

@@ -12,4 +12,4 @@
 # pkg config for soca-admin. no dependencies.
 
 __name__ = 'idea-administrator'
-__version__ = '2024.04.01'
+__version__ = '2024.04.02'

source/idea/idea-bootstrap/_templates/linux/fsx_lustre_client.jinja2

@@ -131,7 +131,7 @@ if [[ -z "$(rpm -qa lustre-client)" ]]; then
   kernel=$(uname -r)
   machine=$(uname -m)
   log_info "Found kernel version: $kernel running on: $machine"
-  if [[ $kernel == *"5.14.0-362.13"*$machine ]]; then
+  if [[ $kernel == *"5.14.0-362"*$machine ]]; then
     curl https://fsx-lustre-client-repo-public-keys.s3.amazonaws.com/fsx-rpm-public-key.asc -o /tmp/fsx-rpm-public-key.asc
     sudo rpm --import /tmp/fsx-rpm-public-key.asc
     sudo curl https://fsx-lustre-client-repo.s3.amazonaws.com/el/9/fsx-lustre-client.repo -o /etc/yum.repos.d/aws-fsx.repo
@@ -147,7 +147,7 @@ if [[ -z "$(rpm -qa lustre-client)" ]]; then
     sudo yum install -y kmod-lustre-client lustre-client
     set_reboot_required "FSx for Lustre client installed"
   else
-    log_error "Can't install FSx for Lustre client as kernel version $kernel isn't matching expected versions: (x86_64: 5.14.0-362.13, -70)!"
+    log_error "Can't install FSx for Lustre client as kernel version $kernel isn't matching expected versions: (x86_64: 5.14.0-362, -70)!"
   fi
 fi
 {%- endif %}

source/idea/idea-cluster-manager/src/ideaclustermanager/app/snapshots/helpers/apply_snapshots_config.py

@@ -22,7 +22,7 @@
 from typing import Dict, Type
 
 # This array should be updated each release to include the new RES version number
-RES_VERSION_IN_TOPOLOGICAL_ORDER = [RESVersion.v_2023_11, RESVersion.v_2024_01, RESVersion.v_2024_01_01, RESVersion.v_2024_04, RESVersion.v_2024_04_01]
+RES_VERSION_IN_TOPOLOGICAL_ORDER = [RESVersion.v_2023_11, RESVersion.v_2024_01, RESVersion.v_2024_01_01, RESVersion.v_2024_04, RESVersion.v_2024_04_01, RESVersion.v_2024_04_02]
 
 TABLE_TO_TABLE_KEYS_BY_VERSION: Dict[TableName, Dict[RESVersion, TableKeys]] = {
     TableName.CLUSTER_SETTINGS_TABLE_NAME: {

source/idea/idea-cluster-manager/src/ideaclustermanager_meta/__init__.py

@@ -10,4 +10,4 @@
 #  and limitations under the License.
 
 __name__ = 'idea-cluster-manager'
-__version__ = '2024.04.01'
+__version__ = '2024.04.02'

source/idea/idea-cluster-manager/webapp/.env

@@ -1,4 +1,4 @@
 REACT_APP_IDEA_HTTP_ENDPOINT="http://localhost:8080"
 REACT_APP_IDEA_ALB_ENDPOINT="http://localhost:8080"
 REACT_APP_IDEA_HTTP_API_SUFFIX="/api/v1"
-REACT_APP_IDEA_RELEASE_VERSION="2024.04.01"
+REACT_APP_IDEA_RELEASE_VERSION="2024.04.02"

source/idea/idea-cluster-manager/webapp/package.json

@@ -1,6 +1,6 @@
 {
-  "name": "web-portal",
-  "version": "2024.04.01",
+  "name": "web-portal", 
+  "version": "2024.04.02", 
   "private": true,
   "dependencies": {
     "@cloudscape-design/components": "^3.0.82",

source/idea/idea-cluster-manager/webapp/src/pages/cluster-admin/filesystem.tsx

@@ -734,10 +734,6 @@ class FileSystems extends Component<FileSystemProps, FileSystemState> {
                     title: "FSX NetApp ONTAP",
                     value: Constants.SHARED_STORAGE_PROVIDER_FSX_NETAPP_ONTAP,
                 },
-                {
-                    title: "FSX LUSTRE",
-                    value: Constants.SHARED_STORAGE_PROVIDER_FSX_LUSTRE,
-                },
             ];
         };
         return (

source/idea/idea-data-model/src/ideadatamodel/snapshots/snapshot_model.py

@@ -76,3 +76,4 @@ class RESVersion(str, Enum):
     v_2024_01_01 = "2024.01.01"
     v_2024_04 = "2024.04"
     v_2024_04_01 = "2024.04.01"
+    v_2024_04_02 = "2024.04.02"

source/idea/idea-data-model/src/ideadatamodel_meta/__init__.py

@@ -10,4 +10,4 @@
 #  and limitations under the License.
 
 __name__ = 'idea-data-model'
-__version__ = '2024.04.01'
+__version__ = '2024.04.02'

source/idea/idea-sdk/src/ideasdk_meta/__init__.py

@@ -12,4 +12,4 @@
 # pkgconfig for soca-sdk. no dependencies # noqa
 
 __name__ = 'idea-sdk'
-__version__ = '2024.04.01'
+__version__ = '2024.04.02'

source/idea/idea-virtual-desktop-controller/src/ideavirtualdesktopcontroller_meta/__init__.py

@@ -10,4 +10,4 @@
 #  and limitations under the License.
 
 __name__ = 'idea-virtual-desktop-controller'
-__version__ = '2024.04.01'
+__version__ = '2024.04.02'

source/idea/infrastructure/install/installer.py

@@ -19,7 +19,7 @@
 from idea.infrastructure.install.parameters.parameters import RESParameters
 
 INSTALLER_ECR_REPO_NAME_SUFFIX = "-installer-ecr"
-LAMBDA_RUNTIME = lambda_.Runtime.PYTHON_3_9
+LAMBDA_RUNTIME = lambda_.Runtime.PYTHON_3_11
 
 
 class LambdaCodeParams(TypedDict):

source/idea/infrastructure/install/parameters/common.py

@@ -93,7 +93,7 @@ class CommonParameters(Base):
             id=CommonKey.IAM_PERMISSION_BOUNDARY,
             type="String",
             description="(Optional) You may provide an IAM permission boundary ARN that will be attached to all roles created in RES.",
-            allowed_pattern="^(?:arn:aws:iam::[0-9]{12}:policy/[A-Za-z0-9\-\_\+\=\,\.\@]{1,128})?$",
+            allowed_pattern="^(?:arn:(?:aws|aws-us-gov|aws-cn):iam::[0-9]{12}:policy/[A-Za-z0-9\-\_\+\=\,\.\@]{1,128})?$",
             constraint_description="The IAM permission boundary must be a valid ARN.",
         )
     )

source/idea/infrastructure/install/permissions.py

@@ -26,6 +26,9 @@ def __init__(
         self.pipeline_role.add_to_policy(statement=self.get_cloudformation_access())
         self.pipeline_role.add_to_policy(statement=self.get_dynamodb_access())
         self.pipeline_role.add_to_policy(statement=self.get_ecr_access())
+        self.pipeline_role.add_to_policy(
+            statement=self.get_ecs_task_execution_ecr_access()
+        )
         self.pipeline_role.add_to_policy(
             statement=self.get_ecr_authorizationtoken_access()
         )
@@ -114,6 +117,19 @@ def get_ecr_access(self) -> iam.PolicyStatement:
             actions=["ecr:*"],
         )
 
+    def get_ecs_task_execution_ecr_access(self) -> iam.PolicyStatement:
+        return iam.PolicyStatement(
+            effect=iam.Effect.ALLOW,
+            resources=[
+                f"arn:{aws_cdk.Aws.PARTITION}:ecr:{aws_cdk.Aws.REGION}:*:repository/aws-guardduty-agent-fargate"
+            ],
+            actions=[
+                "ecr:BatchCheckLayerAvailability",
+                "ecr:GetDownloadUrlForLayer",
+                "ecr:BatchGetImage",
+            ],
+        )
+
     def get_ecr_authorizationtoken_access(self) -> iam.PolicyStatement:
         return iam.PolicyStatement(
             effect=iam.Effect.ALLOW,

source/tests/unit/infrastructure/install/test_installer.py

@@ -20,7 +20,7 @@ def test_installer_event_handler_lambda_creation(
         props={
             "Properties": {
                 "Description": "Lambda to handle the CFN custom resource events",
-                "Runtime": "python3.9",
+                "Runtime": "python3.11",
                 "Handler": "handlers.handle_custom_resource_lifecycle_event",
                 "Environment": {
                     "Variables": {
@@ -48,7 +48,7 @@ def test_installer_wait_condition_lambda_creation(
         props={
             "Properties": {
                 "Description": "Lambda to send response using the wait condition callback",
-                "Runtime": "python3.9",
+                "Runtime": "python3.11",
                 "Handler": "handlers.send_wait_condition_response",
             }
         },