[Efs encryption][Draft] Support HeadNode Efs SharedStorage Encryption (#6914)

* [Efs Encryption] Add HeadNode/SharedStorageSettings/Encrypted

* [Efs Encryption] Update SharedStorageEfsSettingsEncryptedValidator to check that SharedStorageEfsSettings can only be used when SharedStorageType is specified as Efs

* [Efs Encryption] Add unit tests for SharedStorageEfsSettingsEncryptedValidator's behavior and registration

* [Efs Encryption] Fix parameter name in cluster_schema.py

* [Efs Encryption] Fix parameter naming

* [Efs Encryption] Add more test cases in `test_shared_storage_efs_settings_validator`

* [Efs Encryption] Update the comments of `SharedStorageEfsSettings` and `SharedStorageEfsSettingsSchema` class to make them clearer.

* [Efs Encryption] Move SharedStorageType Enum from cluster_config.py to common.py.

* [Efs Encryption] Change hardcoded ShareStorageType to an enum in the validator and unit test

* [Efs Encryption] Fix format issues

* [Efs Encryption] Move the addition of internal EFS shared storage away from _add_resources to decrease complexity

* [Efs Encryption] Add SharedStorageEfsSettings section to the test_cluster_config_limits unit test

* [Efs Encryption] Fix SharedStorageEfsSettingsValidator type issue

* [Efs Encryption] Add id for unit tests of shared_storage_efs_settings_validator

* [Efs Encryption] Remove setting default value of encrypted in cluster_stack.py

* [Efs Encryption] Cover case where shared_storage_efs_settings is injected in test_slurm_all_validators_are_called

* [Efs Encryption] Add unit test to verify EFS encryption in cluster stack

* [Efs Encryption] Fix format issues

* [Efs Encryption] Rename unit test for clarity

* [Efs Encryption] Update test_internal_efs to verify that the internal shared efs is correctly encrypted

* [Efs Encryption] Remove the unencrypted Efs shared storage test case from integration test

* [Efs Encryption] Simplify the SharedStorageEfsSettingsValidator error message

* [Efs Encryption] Simplify the SharedStorageEfsSettingsValidator error message

* [Efs Encryption] Fix format issues

* [Efs Encryption] Update CHANGELOG.md

* [Efs Encryption] Update CHANGELOG.md

---------

Co-authored-by: Himani Anil Deshpande <[email protected]>

Author: Allenz5

CHANGELOG.md

@@ -10,6 +10,7 @@ CHANGELOG
 - Support DCV on Amazon Linux 2023.
 - Upgrade Python runtime used by Lambda functions to python3.12 (from python3.9).
 - Remove `berkshelf`. All cookbooks are local and do not need `berkshelf` dependency management.
+- Add the configuration parameter `HeadNode/SharedStorageEfsSettings/Encrypted` to enable encryption on the EFS file system used for the head node internal shared storage.
 
 **BUG FIXES**
 - Fix an issue where Security Group validation failed when a rule contained both IPv4 ranges (IpRanges) and security group references (UserIdGroupPairs).

cli/src/pcluster/config/cluster_config.py

@@ -33,6 +33,7 @@
 from pcluster.config.common import Imds as TopLevelImds
 from pcluster.config.common import (
     Resource,
+    SharedStorageType,
 )
 from pcluster.constants import (
     CIDR_ALL_IPS,
@@ -114,6 +115,7 @@
     SchedulerValidator,
     SharedEbsPerformanceBottleNeckValidator,
     SharedFileCacheNotHomeValidator,
+    SharedStorageEfsSettingsValidator,
     SharedStorageMountDirValidator,
     SharedStorageNameValidator,
     UnmanagedFsxMultiAzValidator,
@@ -291,15 +293,6 @@ def __init__(self, root_volume: RootVolume = None, ephemeral_volume: EphemeralVo
         self.ephemeral_volume = ephemeral_volume
 
 
-class SharedStorageType(Enum):
-    """Define storage types to be used as shared storage."""
-
-    EBS = "ebs"
-    RAID = "raid"
-    EFS = "efs"
-    FSX = "fsx"
-
-
 class SharedEbs(Ebs):
     """Represent a shared EBS, inherits from both _SharedStorage and Ebs classes."""
 
@@ -851,6 +844,14 @@ def __init__(self, allowed_ips: str = None, **kwargs):
         self.allowed_ips = Resource.init_param(allowed_ips)
 
 
+class SharedStorageEfsSettings(Resource):
+    """Represent the settings of Efs shared storage used by HeadNode."""
+
+    def __init__(self, encrypted: bool = False):
+        super().__init__()
+        self.encrypted = encrypted
+
+
 class Dcv(Resource):
     """Represent the DCV configuration."""
 
@@ -1434,6 +1435,7 @@ def __init__(
         disable_simultaneous_multithreading: bool = None,
         local_storage: LocalStorage = None,
         shared_storage_type: str = None,
+        shared_storage_efs_settings: SharedStorageEfsSettings = None,
         dcv: Dcv = None,
         custom_actions: CustomActions = None,
         iam: Iam = None,
@@ -1452,6 +1454,7 @@ def __init__(
             shared_storage_type,
             default="Ebs",
         )
+        self.shared_storage_efs_settings = shared_storage_efs_settings
         self.dcv = dcv
         self.custom_actions = custom_actions
         self.iam = iam or Iam(implied=True)
@@ -1461,6 +1464,11 @@ def __init__(
 
     def _register_validators(self, context: ValidatorContext = None):  # noqa: D102 #pylint: disable=unused-argument
         self._register_validator(InstanceTypeValidator, instance_type=self.instance_type)
+        self._register_validator(
+            SharedStorageEfsSettingsValidator,
+            shared_storage_type=self.shared_storage_type,
+            shared_storage_efs_settings=self.shared_storage_efs_settings,
+        )
 
     @property
     def architecture(self) -> str:

cli/src/pcluster/config/common.py

@@ -434,3 +434,12 @@ def dump_json(self):
         attribute_json = {"cluster": self._cluster_attributes}
         attribute_json.update(self._extra_attributes)
         return json.dumps(attribute_json, sort_keys=True)
+
+
+class SharedStorageType(Enum):
+    """Define storage types to be used as shared storage."""
+
+    EBS = "ebs"
+    RAID = "raid"
+    EFS = "efs"
+    FSX = "fsx"

cli/src/pcluster/schemas/cluster_schema.py

@@ -85,6 +85,7 @@
     SharedEbs,
     SharedEfs,
     SharedFsxLustre,
+    SharedStorageEfsSettings,
     SlurmClusterConfig,
     SlurmComputeResource,
     SlurmComputeResourceNetworking,
@@ -792,6 +793,17 @@ def make_resource(self, data, **kwargs):
         return HeadNodeSsh(**data)
 
 
+class SharedStorageEfsSettingsSchema(BaseSchema):
+    """Represent the schema of SharedStorageEfsSettings for the HeadNode."""
+
+    encrypted = fields.Bool(metadata={"update_policy": UpdatePolicy.UNSUPPORTED})
+
+    @post_load
+    def make_resource(self, data, **kwargs):
+        """Generate resource."""
+        return SharedStorageEfsSettings(**data)
+
+
 class DcvSchema(BaseSchema):
     """Represent the schema of DCV."""
 
@@ -1363,6 +1375,9 @@ class HeadNodeSchema(BaseSchema):
         metadata={"update_policy": UpdatePolicy.UNSUPPORTED},
         validate=validate.OneOf(["Ebs", "Efs"]),
     )
+    shared_storage_efs_settings = fields.Nested(
+        SharedStorageEfsSettingsSchema, metadata={"update_policy": UpdatePolicy.UNSUPPORTED}
+    )
     dcv = fields.Nested(DcvSchema, metadata={"update_policy": UpdatePolicy.UNSUPPORTED})
     custom_actions = fields.Nested(HeadNodeCustomActionsSchema, metadata={"update_policy": UpdatePolicy.IGNORED})
     iam = fields.Nested(HeadNodeIamSchema, metadata={"update_policy": UpdatePolicy.SUPPORTED})

cli/src/pcluster/templates/awsbatch_builder.py

@@ -22,7 +22,8 @@
 from aws_cdk.aws_ec2 import CfnSecurityGroup
 from aws_cdk.core import CfnOutput, CfnResource, Construct, Fn, Stack
 
-from pcluster.config.cluster_config import AwsBatchClusterConfig, CapacityType, SharedStorageType
+from pcluster.config.cluster_config import AwsBatchClusterConfig, CapacityType
+from pcluster.config.common import SharedStorageType
 from pcluster.constants import AWSBATCH_CLI_REQUIREMENTS, CW_LOG_GROUP_NAME_PREFIX, IAM_ROLE_PATH
 from pcluster.models.s3_bucket import S3Bucket
 from pcluster.templates.cdk_builder_utils import (

cli/src/pcluster/templates/cdk_builder_utils.py

@@ -29,11 +29,11 @@
     BaseQueue,
     HeadNode,
     LoginNodesPool,
-    SharedStorageType,
     SlurmClusterConfig,
     SlurmComputeResource,
     SlurmQueue,
 )
+from pcluster.config.common import SharedStorageType
 from pcluster.constants import (
     COOKBOOK_PACKAGES_VERSIONS,
     CW_LOGS_RETENTION_DAYS_DEFAULT,

cli/src/pcluster/templates/cluster_stack.py

@@ -53,10 +53,9 @@
     SharedEbs,
     SharedEfs,
     SharedFsxLustre,
-    SharedStorageType,
     SlurmClusterConfig,
 )
-from pcluster.config.common import DefaultUserHomeType
+from pcluster.config.common import DefaultUserHomeType, SharedStorageType
 from pcluster.constants import (
     ALL_PORTS_RANGE,
     CW_ALARM_DATAPOINTS_TO_ALARM_DEFAULT,
@@ -264,12 +263,9 @@ def _add_resources(self):
         # Add the internal use shared storage to the stack
         # This FS will be mounted, the shared dirs will be added,
         # then it will be unmounted and the shared dirs will be
-        # mounted.  We need to create the additional mount points first.
+        # mounted. We need to create the additional mount points first.
         if self.config.head_node.shared_storage_type.lower() == SharedStorageType.EFS.value:
-            internal_efs_storage_shared = SharedEfs(
-                mount_dir="/opt/parallelcluster/init_shared", name="internal_pcluster_shared", throughput_mode="elastic"
-            )
-            self._add_shared_storage(internal_efs_storage_shared)
+            self._add_internal_efs_shared_storage()
 
         # Add user configured shared storage
         if self.config.shared_storage:
@@ -335,6 +331,19 @@ def _add_resources(self):
                 head_node_alarms=self.head_node_alarms,
             )
 
+    def _add_internal_efs_shared_storage(self):
+        if self.config.head_node.shared_storage_efs_settings:
+            encrypted = self.config.head_node.shared_storage_efs_settings.encrypted
+        else:
+            encrypted = None
+        internal_efs_storage_shared = SharedEfs(
+            mount_dir="/opt/parallelcluster/init_shared",
+            name="internal_pcluster_shared",
+            throughput_mode="elastic",
+            encrypted=encrypted,
+        )
+        self._add_shared_storage(internal_efs_storage_shared)
+
     def _cw_metric_head_node(
         self, namespace, metric_name, statistic="Maximum", period_seconds=CW_ALARM_PERIOD_DEFAULT, extra_dimensions=None
     ):

cli/src/pcluster/templates/cw_dashboard_builder.py

@@ -17,7 +17,8 @@
 from aws_cdk.aws_cloudwatch import IAlarm
 from aws_cdk.core import Construct, Duration, Stack
 
-from pcluster.config.cluster_config import BaseClusterConfig, ExistingFileCache, SharedFsxLustre, SharedStorageType
+from pcluster.config.cluster_config import BaseClusterConfig, ExistingFileCache, SharedFsxLustre
+from pcluster.config.common import SharedStorageType
 from pcluster.constants import Feature
 from pcluster.utils import is_feature_supported
 

cli/src/pcluster/templates/login_nodes_stack.py

@@ -8,8 +8,8 @@
 from aws_cdk.core import CfnTag, Construct, Fn, NestedStack, Stack, Tags
 
 from pcluster.aws.aws_api import AWSApi
-from pcluster.config.cluster_config import LoginNodesPool, SharedStorageType, SlurmClusterConfig
-from pcluster.config.common import DefaultUserHomeType
+from pcluster.config.cluster_config import LoginNodesPool, SlurmClusterConfig
+from pcluster.config.common import DefaultUserHomeType, SharedStorageType
 from pcluster.constants import (
     DEFAULT_EPHEMERAL_DIR,
     NODE_BOOTSTRAP_TIMEOUT,

cli/src/pcluster/templates/queues_stack.py

@@ -7,8 +7,8 @@
 from constructs import Construct
 
 from pcluster.aws.aws_api import AWSApi
-from pcluster.config.cluster_config import SharedStorageType, SlurmClusterConfig, SlurmComputeResource, SlurmQueue
-from pcluster.config.common import DefaultUserHomeType
+from pcluster.config.cluster_config import SlurmClusterConfig, SlurmComputeResource, SlurmQueue
+from pcluster.config.common import DefaultUserHomeType, SharedStorageType
 from pcluster.constants import (
     DEFAULT_EPHEMERAL_DIR,
     NODE_BOOTSTRAP_TIMEOUT,