Merge pull request #157 from cfs-energy-internal/3.1.2

IDEA Release 3.1.2
cfs-energy · May 19, 2024 · 5e7ffc8 · 5e7ffc8
2 parents 94f55be + 1fcabe6
commit 5e7ffc8
Show file tree

Hide file tree

Showing 94 changed files with 1,111 additions and 769 deletions.
diff --git a/IDEA_VERSION.txt b/IDEA_VERSION.txt
@@ -1 +1 @@
-3.1.1
+3.1.2
diff --git a/deployment/ecr/idea-administrator/Dockerfile b/deployment/ecr/idea-administrator/Dockerfile
diff --git a/deployment/integrated-digital-engineering-on-aws.template b/deployment/integrated-digital-engineering-on-aws.template
diff --git a/idea-admin-windows.ps1 b/idea-admin-windows.ps1
@@ -38,7 +38,7 @@ function Verify-Command($type,$message,$command) {
 $IDEADevMode = if ($Env:IDEA_DEV_MODE) {$Env:IDEA_DEV_MODE} else {""}
 $VirtualEnv = if ($Env:VIRTUAL_ENV) {$Env:VIRTUAL_ENV} else {""}
 $ScriptDir = $PSScriptRoot
-$IDEARevision = if ($Env:IDEA_REVISION) {$Env:IDEA_REVISION} else {"v3.1.1"}
+$IDEARevision = if ($Env:IDEA_REVISION) {$Env:IDEA_REVISION} else {"v3.1.2"}
 $IDEADockerRepo = "public.ecr.aws/g8j8s8q8"
 $DocumentationError = "https://ide-on-aws.com"
 $AWSProfile = if ($Env:AWS_PROFILE) {$Env:AWS_PROFILE} else {"default"}

diff --git a/idea-admin.sh b/idea-admin.sh
@@ -28,7 +28,7 @@
 # * IDEA_DEV_MODE - Set to "true" if you are working with IDEA sources
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-IDEA_REVISION=${IDEA_REVISION:-"v3.1.1"}
+IDEA_REVISION=${IDEA_REVISION:-"v3.1.2"}
 IDEA_DOCKER_REPO=${IDEA_DOCKER_REPO:-"public.ecr.aws/g8j8s8q8/idea-administrator"}
 IDEA_ECR_CREDS_RESET=${IDEA_ECR_CREDS_RESET:-"true"}
 IDEA_ADMIN_AWS_CREDENTIAL_PROVIDER=${IDEA_ADMIN_AWS_CREDENTIAL_PROVIDER:=""}
@@ -117,9 +117,9 @@ if [[ $? -ne 0 ]]; then
 fi
 
 # Launch installer
-${DOCKER_BIN} run --rm -it -v ${HOME}/.idea/clusters:/root/.idea/clusters \
-              -e IDEA_ADMIN_AWS_CREDENTIAL_PROVIDER=${IDEA_ADMIN_AWS_CREDENTIAL_PROVIDER} \
-              -e IDEA_ADMIN_ENABLE_CDK_NAG_SCAN=${IDEA_ADMIN_ENABLE_CDK_NAG_SCAN} \
-              -v ~/.aws:/root/.aws ${IDEA_DOCKER_REPO}:${IDEA_REVISION} \
-              idea-admin ${@}
+${DOCKER_BIN} run --rm -it -v "${HOME}/.idea/clusters:/root/.idea/clusters" \
+              -e IDEA_ADMIN_AWS_CREDENTIAL_PROVIDER="${IDEA_ADMIN_AWS_CREDENTIAL_PROVIDER}" \
+              -e IDEA_ADMIN_ENABLE_CDK_NAG_SCAN="${IDEA_ADMIN_ENABLE_CDK_NAG_SCAN}" \
+              -v ~/.aws:/root/.aws "${IDEA_DOCKER_REPO}:${IDEA_REVISION}" \
+              idea-admin "${@}"
 
diff --git a/requirements/idea-cluster-manager.in b/requirements/idea-cluster-manager.in
@@ -1,5 +1,5 @@
 -r idea-sdk.in
 supervisor
-sanic=22.3.2
+sanic==22.3.2
 python-ldap
 ldappool
diff --git a/source/idea/idea-administrator/resources/config/templates/analytics/settings.yml b/source/idea/idea-administrator/resources/config/templates/analytics/settings.yml
@@ -14,6 +14,7 @@ opensearch:
     slow_index_log_enabled: true # Log Amazon OpenSearch Service audit logs to this log group
     slow_search_log_enabled: true # Specify if slow search logging should be set up.
   {%- endif %}
+  kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt OpenSearch domain. If set to ~ encryption will be managed by the default AWS key
   default_number_of_shards: 2
   default_number_of_replicas: 1
 
@@ -25,3 +26,4 @@ opensearch:
 kinesis:
   shard_count: 2
   stream_mode: PROVISIONED
+  kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt Kinesis stream. If set to ~ encryption will be managed by the default AWS key
diff --git a/source/idea/idea-administrator/resources/config/templates/cluster/settings.yml b/source/idea/idea-administrator/resources/config/templates/cluster/settings.yml
@@ -88,6 +88,10 @@ network:
   # https_proxy expected format is http://<hostname>:<port>
   https_proxy: ""
   no_proxy: "127.0.0.1,169.254.169.254,localhost,{{ aws_region }}.local,{{ aws_region }}.vpce.{{ aws_dns_suffix }},s3.{{ aws_region }}.{{ aws_dns_suffix }},s3.dualstack.{{ aws_region }}.{{ aws_dns_suffix }},dynamodb.{{ aws_region }}.{{ aws_dns_suffix }},{{ aws_region }}.es.{{ aws_dns_suffix }},sqs.{{ aws_region }}.{{ aws_dns_suffix }},ec2.{{ aws_region }}.{{ aws_dns_suffix }},secretsmanager.{{ aws_region }}.{{ aws_dns_suffix }},sns.{{ aws_region }}.{{ aws_dns_suffix }},cloudformation.{{ aws_region }}.{{ aws_dns_suffix }},elasticloadbalancing.{{ aws_region }}.{{ aws_dns_suffix }},monitoring.{{ aws_region }}.{{ aws_dns_suffix }},logs.{{ aws_region }}.{{ aws_dns_suffix }},ssm.{{ aws_region }}.{{ aws_dns_suffix }},application-autoscaling.{{ aws_region }}.{{ aws_dns_suffix }},events.{{ aws_region }}.{{ aws_dns_suffix }},kinesis.{{ aws_region }}.{{ aws_dns_suffix }},{{ aws_region }}.elb.{{ aws_dns_suffix }},autoscaling.{{ aws_region }}.{{ aws_dns_suffix }}"
+  {%- else %}
+  # https_proxy expected format is http://<hostname>:<port>
+  https_proxy: ""
+  no_proxy: "127.0.0.1,169.254.169.254,localhost,{{ aws_region }}.local,{{ aws_region }}.elb.{{ aws_dns_suffix }},{{ aws_region }}.es.{{ aws_dns_suffix }}"
   {%- endif %}
 
 # AWS Key Management Service
@@ -97,22 +101,27 @@ kms:
 
 # Configure cluster-wide AWS Secrets Manager settings below
 secretsmanager:
-  kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt your Secret manager. If set to ~ encryption will be managed by the default AWS key
+  kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt Secrets Manager secrets. If set to ~ encryption will be managed by the default AWS key
 
 # Configure cluster-wide SQS settings below
+# The customer managed key for Amazon SQS queues must have a policy statement that grants Amazon SNS service-principal access
+# Consult the documentation at: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic-sqs-queue-subscriptions.html
 sqs:
   kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt SQS queues. If set to ~ encryption will be managed by the default AWS key
 
 # Configure cluster-wide SNS settings below
 sns:
-  kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt SNS topic. If set to ~ encryption will be managed by the default AWS key
+  kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt SNS topics. If set to ~ encryption will be managed by the default AWS key
 
 # Configure cluster-wide DynamoDB settings below.
 dynamodb:
-  # this configuration is not supported and used at the moment.
-  # customizations are required to enable DDB encryption at rest.
+  # Note: Dynamodb <cluster-name>.vdc.dcv-broker.* tables are encrypted with DynamoDB service key
   kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt DynamoDB tables. If set to ~ encryption will be managed by the default AWS key
 
+# Configure cluster-wide EBS settings below
+ebs:
+  kms_key_id: {{ kms_key_id if kms_key_id else '~' }} # Specify your own CMK to encrypt EBS volumes. If set to ~ encryption will be managed by the default AWS key
+
 solution:
   # Enable to disable IDEA Anonymous Metric Collection.
   # Refer to def build_metrics() on source/idea/idea-scheduler/src/ideascheduler/app/provisioning/job_provisioner/cloudformation_stack_builder.py for a list of metric being sent
@@ -178,7 +187,7 @@ backups:
   # existing backup vault is not supported.
   backup_vault:
 
-    # Specify your own CMK to encrypt your Secret manager. If set to ~ encryption will be managed by the default AWS key
+    # Specify your own CMK to encrypt backup vault. If set to ~ encryption will be managed by the default AWS key
     kms_key_id: {{ kms_key_id if kms_key_id else '~' }}
 
     # The removal policy to apply to the vault.