From ce23892b81c671f21d228046f49563298168122e Mon Sep 17 00:00:00 2001
From: Tim Nguyen
Date: Tue, 31 Aug 2021 12:20:57 -0400
Subject: [PATCH 1/2] fix:Add AppStream param to envPollHandler error and allow Sagemaker instance access to Sagemaker API Endpoint
---
 .../parts/accounts/AwsAccountUpdateContent.js | 26 +++++++++++----
 .../src/templates/onboard-account.cfn.yml | 33 +++++++++++++++++++
 .../sagemaker-notebook-instance.cfn.yml | 8 ++++-
 .../backend/config/infra/functions.yml | 1 +
 .../config/infra/cloudformation.yml | 1 +
 5 files changed, 61 insertions(+), 8 deletions(-)
diff --git a/addons/addon-base-raas-ui/packages/base-raas-ui/src/parts/accounts/AwsAccountUpdateContent.js b/addons/addon-base-raas-ui/packages/base-raas-ui/src/parts/accounts/AwsAccountUpdateContent.js
index 760dc69ee8..84ed1fd32f 100644
--- a/addons/addon-base-raas-ui/packages/base-raas-ui/src/parts/accounts/AwsAccountUpdateContent.js
+++ b/addons/addon-base-raas-ui/packages/base-raas-ui/src/parts/accounts/AwsAccountUpdateContent.js
@@ -124,10 +124,16 @@ class AwsAccountUpdateContent extends React.Component {
 };
 render() {
+ const { isUpdateStep } = this.getStep();
 let shouldDisableDoneButton = this.shouldShowWarning && !this.warningAcknowledged;
 if (isAppStreamEnabled) {
- shouldDisableDoneButton =
- shouldDisableDoneButton || !this.accessAppStreamAcknowledged || !this.startedAppStreamFleetAcknowledged;
+ // No acknowledgements is necessary if we're just updating the preexisting AppStream account
+ if (isUpdateStep) {
+ shouldDisableDoneButton = false;
+ } else {
+ shouldDisableDoneButton =
+ shouldDisableDoneButton || !this.accessAppStreamAcknowledged || !this.startedAppStreamFleetAcknowledged;
+ }
 }
 return (
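Review bot: Setting `shouldDisableDoneButton = false` in the `isUpdateStep` branch also throws away the `this.shouldShowWarning && !this.warningAcknowledged` gate computed on the line above, so on an update with AppStream enabled the Done button is enabled even while the warning is displayed and unacknowledged. The comment only promises to skip the two AppStream acknowledgements, so the branch should add to the existing value instead of resetting it: `if (!isUpdateStep) { shouldDisableDoneButton = shouldDisableDoneButton || !this.accessAppStreamAcknowledged || !this.startedAppStreamFleetAcknowledged; }`. This gate is client-side only; whether the backend independently enforces the acknowledgements is not visible in this diff. render() continues past the end of the hunk.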
@@ -202,15 +208,21 @@ class AwsAccountUpdateContent extends React.Component {
 );
 }
- renderSteps() {
+ getStep() {
 // We need to determine if this is for creating the stack or updating the stack
 const form = this.form;
 const stackInfo = this.stackInfo;
 const { hasUpdateStackUrl } = stackInfo;
 const field = form.$('createOrUpdate');
- const update = field.value === 'update';
+ const isUpdateStep = field.value === 'update';
 const hasAdminAccess = form.$('managed').value === 'admin';
+ return { isUpdateStep, hasAdminAccess, hasUpdateStackUrl, field };
+ }
+
+ renderSteps() {
+ const { isUpdateStep, hasAdminAccess, hasUpdateStackUrl, field } = this.getStep();
+
 return (
 <>
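Review bot: `getStep()` carries no doc comment, and its name suggests it returns a step while it actually returns a bag of form-derived flags plus the raw `createOrUpdate` field object, which both `render()` and `renderSteps()` now destructure on every render. A JSDoc above it such as `/** Reads the form's createOrUpdate and managed fields and returns { isUpdateStep, hasAdminAccess, hasUpdateStackUrl, field }; called from render() and renderSteps(). */` would make that contract explicit and explain why `field` is part of the return value. renderSteps() continues past the end of the hunk.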
@@ -219,9 +231,9 @@ class AwsAccountUpdateContent extends React.Component { {hasUpdateStackUrl && }
- {!update && hasAdminAccess && this.renderCreateSteps()} - {update && hasAdminAccess && this.renderUpdateSteps()} - {!hasAdminAccess && this.renderEmailTemplate(update)} + {!isUpdateStep && hasAdminAccess && this.renderCreateSteps()} + {isUpdateStep && hasAdminAccess && this.renderUpdateSteps()} + {!hasAdminAccess && this.renderEmailTemplate(isUpdateStep)} ); } diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml index ea859c3622..9d3a318516 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml @@ -160,7 +160,9 @@ Resources: - ec2:DescribeInstances - ec2:DescribeSecurityGroups - ec2:RevokeSecurityGroupIngress +# - ec2:RevokeSecurityGroupEgress - ec2:AuthorizeSecurityGroupIngress +# - ec2:AuthorizeSecurityGroupEgress - ec2-instance-connect:SendSSHPublicKey Resource: '*' - PolicyName: cfn-access @@ -689,6 +691,30 @@ Resources: - !Ref SageMakerSecurityGroup VpcId: !Ref VPC + SagemakerApiEndpoint: + Type: 'AWS::EC2::VPCEndpoint' + Condition: isAppStream + Properties: + SubnetIds: + - !Ref PrivateWorkspaceSubnet + VpcEndpointType: Interface + PrivateDnsEnabled: true + ServiceName: !Sub "com.amazonaws.${AWS::Region}.sagemaker.api" + VpcId: !Ref VPC + SecurityGroupIds: + - !Ref SagemakerApiEndpointSecurityGroup + + SagemakerApiEndpointSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: isAppStream + Properties: + GroupDescription: 'Sagemaker Api Endpoint Security Group for interface endpoint' + GroupName: 'Sagemaker-API-SG' + VpcId: !Ref VPC + SecurityGroupIngress: + - SourceSecurityGroupId: !GetAtt VPC.DefaultSecurityGroup + IpProtocol: '-1' + SageMakerSecurityGroup: Type: AWS::EC2::SecurityGroup Condition: isAppStream 
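Review bot: `SagemakerApiEndpointSecurityGroup` admits every protocol and port (`IpProtocol: '-1'`) from the VPC default security group, while the interface endpoint it fronts only serves HTTPS; tightening the ingress to `IpProtocol: tcp`, `FromPort: 443`, `ToPort: 443` costs nothing. The source is also the VPC default group rather than the `SageMakerSecurityGroup` declared directly below it, so anything that carries the default group can reach the endpoint while a notebook carrying only its own group presumably cannot — worth confirming which groups the notebook instance actually attaches. Separately, the fixed `GroupName: 'Sagemaker-API-SG'` must be unique per VPC, so it collides if a second stack lands in the same VPC and it prevents CloudFormation from ever replacing the group; deriving it from the namespace, e.g. `GroupName: !Sub '${Namespace}-sagemaker-api-sg'`, or omitting GroupName avoids both problems.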
@@ -866,3 +892,10 @@ Outputs: Value: !Ref SagemakerNotebookEndpoint Export: Name: !Join ['', [Ref: Namespace, '-SageMakerVPCE']] + + SageMakerApiSG: + Description: SageMaker API SG + Condition: isAppStream + Value: !Ref SagemakerApiEndpointSecurityGroup + Export: + Name: !Join ['', [Ref: Namespace, '-SageMakerApiSecurityGroup']] diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml index 4ebd05df6e..5f79c1790a 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml @@ -68,7 +68,13 @@ Resources: FromPort: 443 ToPort: 443 CidrIp: !Ref AccessFromCIDRBlock - + SecurityGroupEgress: + - !If + - AppStreamEnabled + - DestinationSecurityGroupId: + Fn::ImportValue: !Sub "${SolutionNamespace}-SageMakerApiSecurityGroup" + IpProtocol: '-1' + - !Ref "AWS::NoValue" PreSignedURLBoundary: Type: AWS::IAM::ManagedPolicy Condition: AppStreamEnabled diff --git a/main/solution/backend/config/infra/functions.yml b/main/solution/backend/config/infra/functions.yml index 0ac50a909b..c493b6bc48 100644 --- a/main/solution/backend/config/infra/functions.yml +++ b/main/solution/backend/config/infra/functions.yml @@ -37,6 +37,7 @@ envStatusPollHandler: description: 'Invokes the lambda function that polls and synchronize environment status.' environment: APP_CUSTOM_USER_AGENT: ${self:custom.settings.customUserAgent} + APP_IS_APP_STREAM_ENABLED: ${self:custom.settings.isAppStreamEnabled} dataSourceReachabilityHandler: handler: src/lambdas/data-source-reachability/handler.handler 
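Review bot: Exporting the group ID as `${Namespace}-SageMakerApiSecurityGroup` means CloudFormation will refuse to delete or replace `SagemakerApiEndpointSecurityGroup`, or to drop the export by turning `isAppStream` off, while any workspace stack still imports it — and the notebook template in this same patch does import it via `Fn::ImportValue`. That is inherent to cross-stack exports, but it deserves a comment on the output, e.g. `# Imported by sagemaker-notebook-instance.cfn.yml; cannot be changed or removed while workspaces exist`, so an operator does not discover the lock in the middle of a stack update.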
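Review bot: The new egress rule allows every protocol and port (`IpProtocol: '-1'`) toward the API endpoint group, while that endpoint only accepts HTTPS; `IpProtocol: tcp`, `FromPort: 443`, `ToPort: 443` is the least-privilege form. Declaring `SecurityGroupEgress` also drops the group's default allow-all egress, so with AppStream enabled this group can reach only the endpoint group — which looks intended, but the matching ingress in onboard-account.cfn.yml admits the VPC default group rather than this one, so unless the notebook instance also attaches the default group the flow is blocked end to end; please confirm on a real deploy. Whether the `[!Ref AWS::NoValue]` case collapses to an empty list that still leaves the default egress in place when AppStream is disabled is also worth verifying rather than assuming. The security group resource this hunk edits starts above the hunk.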
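Review bot: `APP_IS_APP_STREAM_ENABLED` reaches the Lambda as an environment string, so a disabled setting presumably arrives as `'false'`, which is truthy in JavaScript; the envStatusPollHandler code that consumes it is not in this diff, so it should be checked to compare with `=== 'true'` (or to go through the project's settings helper) rather than test truthiness. A short comment beside the variable, e.g. `# string 'true'/'false' at runtime; compare explicitly in the handler`, would keep the next flag added here honest.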
diff --git a/main/solution/post-deployment/config/infra/cloudformation.yml b/main/solution/post-deployment/config/infra/cloudformation.yml index 705ed37ff6..d83204e911 100644 --- a/main/solution/post-deployment/config/infra/cloudformation.yml +++ b/main/solution/post-deployment/config/infra/cloudformation.yml @@ -335,6 +335,7 @@ Resources: - Effect: Allow Action: - ec2:AuthorizeSecurityGroupIngress + - ec2:AuthorizeSecurityGroupEgress - ec2:RevokeSecurityGroupEgress - ec2:CreateSecurityGroup - ec2:DeleteSecurityGroup From 0845a1b9a081e7f5d7d5d41f94646b9887352ceb Mon Sep 17 00:00:00 2001 From: Tim Nguyen Date: Tue, 31 Aug 2021 13:54:47 -0400 Subject: [PATCH 2/2] Remove commented out code --- .../src/templates/onboard-account.cfn.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml index 9d3a318516..08afe62966 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml @@ -160,9 +160,7 @@ Resources: - ec2:DescribeInstances - ec2:DescribeSecurityGroups - ec2:RevokeSecurityGroupIngress -# - ec2:RevokeSecurityGroupEgress - ec2:AuthorizeSecurityGroupIngress -# - ec2:AuthorizeSecurityGroupEgress - ec2-instance-connect:SendSSHPublicKey Resource: '*' - PolicyName: cfn-access
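Review bot: `ec2:AuthorizeSecurityGroupEgress` is added to a statement that already carries `ec2:CreateSecurityGroup` and `ec2:DeleteSecurityGroup`, and the statement's `Resource` is outside the hunk; if it is `'*'`, this post-deployment role can now open egress on any security group in the account, not only the ones it creates. If the resource cannot be narrowed, a `Condition` on the `ec2:Vpc` key or on a resource tag the solution already applies would bound the grant; the action itself is consistent with the pre-existing `ec2:RevokeSecurityGroupEgress` on the next line, so the change is coherent as far as it is visible. The enclosing policy statement starts above the hunk.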