in installer/resources/src/cdk_construct.py [0:0]
def secretsmanager(self):
"""
Store SOCA configuration in a Secret Manager's Secret.
Scheduler/Compute Nodes have the permission to read the secret
"""
solution_metrics_lambda = aws_lambda.Function(self,
f"{user_specified_variables.cluster_id}-SolutionMetricsLambda",
function_name=f"{user_specified_variables.cluster_id}-Metrics",
description="Send SOCA anonymous Metrics to AWS",
memory_size=128, role=self.soca_resources["solution_metrics_lambda_role"],
timeout=core.Duration.minutes(3),
runtime=aws_lambda.Runtime.PYTHON_3_7,
log_retention=logs.RetentionDays.INFINITE,
handler="SolutionMetricsLambda.lambda_handler",
code=aws_lambda.Code.asset("../functions/SolutionMetricsLambda"))
public_subnets = []
private_subnets = []
for pub_sub in self.soca_resources["vpc"].public_subnets:
public_subnets.append(pub_sub.subnet_id)
for priv_sub in self.soca_resources["vpc"].private_subnets:
private_subnets.append(priv_sub.subnet_id)
secret = {"VpcId": self.soca_resources["vpc"].vpc_id,
"PublicSubnets": public_subnets,
"PrivateSubnets": private_subnets,
"SchedulerPrivateIP": self.soca_resources["scheduler_instance"].instance_private_ip,
"SchedulerPrivateDnsName": self.soca_resources["scheduler_instance"].instance_private_dns_name,
"SchedulerInstanceId": self.soca_resources["scheduler_instance"].instance_id,
"SchedulerSecurityGroup": self.soca_resources["scheduler_sg"].security_group_id,
"ComputeNodeSecurityGroup": self.soca_resources["compute_node_sg"].security_group_id,
"SchedulerIAMRoleArn": self.soca_resources["scheduler_role"].role_arn,
"SpotFleetIAMRoleArn": self.soca_resources["spot_fleet_role"].role_arn,
"SchedulerIAMRole": self.soca_resources["scheduler_role"].role_name,
"ComputeNodeIAMRoleArn": self.soca_resources["compute_node_role"].role_arn,
"ComputeNodeIAMRole": self.soca_resources["compute_node_role"].role_name,
"ComputeNodeInstanceProfileArn": f"arn:{core.Aws.PARTITION}:iam::{core.Aws.ACCOUNT_ID}:instance-profile/{self.soca_resources['compute_node_instance_profile'].ref}",
"ClusterId": user_specified_variables.cluster_id,
"Version": install_props.Config.version,
"S3Bucket": user_specified_variables.bucket,
"SSHKeyPair": user_specified_variables.ssh_keypair,
"CustomAMI": self.soca_resources["ami_id"],
"LoadBalancerDNSName": self.soca_resources["alb"].load_balancer_dns_name,
"LoadBalancerArn": self.soca_resources["alb"].load_balancer_arn,
"BaseOS": user_specified_variables.base_os,
"S3InstallFolder": user_specified_variables.cluster_id,
"SchedulerIP": self.soca_resources["scheduler_eip"].ref if install_props.Config.entry_points_subnets.lower() == "public" else self.soca_resources["scheduler_instance"].instance_private_ip,
"SolutionMetricsLambda": solution_metrics_lambda.function_arn,
"DefaultMetricCollection": "true",
"AuthProvider": install_props.Config.directoryservice.provider,
"FileSystemDataProvider": install_props.Config.storage.data.provider if not user_specified_variables.fs_data_provider else user_specified_variables.fs_data_provider,
"FileSystemData": f"{self.soca_resources['fs_data'].ref}.{endpoints_suffix[install_props.Config.storage.data.provider]}" if not user_specified_variables.fs_data else f"{user_specified_variables.fs_data}.{endpoints_suffix[install_props.Config.storage.data.provider]}",
"FileSystemAppsProvider": install_props.Config.storage.apps.provider if not user_specified_variables.fs_apps_provider else user_specified_variables.fs_apps_provider,
"FileSystemApps": f"{self.soca_resources['fs_apps'].ref}.{endpoints_suffix[install_props.Config.storage.apps.provider]}" if not user_specified_variables.fs_apps else f"{user_specified_variables.fs_apps}.{endpoints_suffix[install_props.Config.storage.apps.provider]}"
}
# ES configuration
if not user_specified_variables.es_endpoint:
secret["ESDomainEndpoint"] = self.soca_resources["es_domain"].domain_endpoint
else:
secret["ESDomainEndpoint"] = user_specified_variables.es_endpoint
# LDAP configuration
if not user_specified_variables.ldap_host:
secret["ExistingLDAP"] = False
else:
secret["ExistingLDAP"] = user_specified_variables.ldap_host
if not user_specified_variables.directory_service_id:
if install_props.Config.directoryservice.provider == "activedirectory":
secret["DSDirectoryId"] = self.soca_resources["directory_service"].ref
secret["DSDomainName"] = install_props.Config.directoryservice.activedirectory.name
secret["DSDomainBase"] = f"dc={',dc='.join(secret['DSDomainName'].split('.'))}".lower()
secret["DSDomainNetbios"] = install_props.Config.directoryservice.activedirectory.short_name.upper()
secret["DSDomainAdminUsername"] = self.soca_resources["ds_domain_admin"]
secret["DSDomainAdminPassword"] = self.soca_resources["ds_domain_admin_password"]
secret["DSServiceAccountUsername"] = "false"
secret["DSServiceAccountPassword"] = "false"
secret["DSResetLambdaFunctionArn"] = self.soca_resources["reset_ds_lambda"].function_arn
else:
# OpenLDAP
secret["LdapName"] = install_props.Config.directoryservice.openldap.name
secret["LdapBase"] = f"dc={',dc='.join(secret['LdapName'].split('.'))}".lower()
secret["LdapHost"] = self.soca_resources["scheduler_instance"].instance_private_dns_name
else:
secret["DSDirectoryId"] = user_specified_variables.directory_service_id
secret["DSDomainName"] = user_specified_variables.directory_service_name
secret["DSDomainBase"] = f"dc={',dc='.join(secret['DSDomainName'].split('.'))}".lower()
secret["DSDomainNetbios"] = user_specified_variables.directory_service_shortname.upper()
secret["DSDomainAdminUsername"] = user_specified_variables.directory_service_user
secret["DSDomainAdminPassword"] = user_specified_variables.directory_service_user_password
secret["DSServiceAccountUsername"] = "false"
secret["DSServiceAccountPassword"] = "false"
self.soca_resources["soca_config"] = secretsmanager.CfnSecret(self, "SOCASecretManagerSecret",
description=f"Store SOCA configuration for cluster {user_specified_variables.cluster_id}",
kms_key_id=None if install_props.Config.secretsmanager.kms_key_id is False else install_props.Config.secretsmanager.kms_key_id,
name=user_specified_variables.cluster_id,
secret_string=json.dumps(secret))
# Create IAM policy and attach it to both Scheduler and Compute Nodes group
secret_manager_statement = iam.PolicyStatement(actions=["secretsmanager:GetSecretValue"], effect=iam.Effect.ALLOW, resources=[self.soca_resources["soca_config"].ref])
self.soca_resources["scheduler_role"].attach_inline_policy(iam.Policy(self, "AttachSecretManagerPolicyToScheduler", statements=[secret_manager_statement]))
self.soca_resources["compute_node_role"].attach_inline_policy(iam.Policy(self, "AttachSecretManagerPolicyToComputeNode", statements=[secret_manager_statement]))