Thheinen/efs accesspoints (#6381)

* Add EFS access point support (aws-parallelcluster#2337)
* Rename new setting, Add changelog, Fix style, fix some tests
* Added tests for EFS Access Points
* Improved unit test for access point
* Access point requires TLS
https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#mount-with-access-point
* Updated snapshot to included AccessPointId
* Ignored Flake8 too-long-line

---------

Signed-off-by: Thomas Heinen <[email protected]>
Co-authored-by: Thomas Heinen <[email protected]>
Co-authored-by: Ryan Anderson <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -10,6 +10,7 @@ CHANGELOG
 - Add support for ap-southeast-3 region.
 - Add security groups to login node network load balancer.
 - Add `AllowedIps` configuration for login nodes.
+- Add new configuration `SharedStorage/EfsSettings/AccessPointId` to specify an optional EFS access point for a mount
 - Allow multiple login node pools.
 
 **BUG FIXES**

cli/src/pcluster/aws/efs.py

@@ -80,3 +80,14 @@ def describe_file_system(self, efs_fs_id):
         :return: the mount_target_ids
         """
         return self._client.describe_file_systems(FileSystemId=efs_fs_id)
+
+    @AWSExceptionHandler.handle_client_exception
+    @Cache.cached
+    def describe_access_point(self, access_point_id):
+        """
+        Describe access point attributes for the given EFS access point id.
+
+        :param efaccess_point_ids_ap_id: EFS access point Id
+        :return: the access_point details
+        """
+        return self._client.describe_access_points(AccessPointId=access_point_id)

cli/src/pcluster/config/cluster_config.py

@@ -149,7 +149,7 @@
     PlacementGroupCapacityTypeValidator,
     PlacementGroupNamingValidator,
 )
-from pcluster.validators.efs_validators import EfsMountOptionsValidator
+from pcluster.validators.efs_validators import EfsAccessPointOptionsValidator, EfsMountOptionsValidator
 from pcluster.validators.feature_validators import FeatureRegionValidator
 from pcluster.validators.fsx_validators import (
     FsxAutoImportValidator,
@@ -371,6 +371,7 @@ def __init__(
         deletion_policy: str = None,
         encryption_in_transit: bool = None,
         iam_authorization: bool = None,
+        access_point_id: str = None,
     ):
         super().__init__()
         self.mount_dir = Resource.init_param(mount_dir)
@@ -387,6 +388,7 @@ def __init__(
         )
         self.encryption_in_transit = Resource.init_param(encryption_in_transit, default=False)
         self.iam_authorization = Resource.init_param(iam_authorization, default=False)
+        self.access_point_id = Resource.init_param(access_point_id)
 
     def _register_validators(self, context: ValidatorContext = None):  # noqa: D102 #pylint: disable=unused-argument
         self._register_validator(SharedStorageNameValidator, name=self.name)
@@ -400,6 +402,12 @@ def _register_validators(self, context: ValidatorContext = None):  # noqa: D102
             iam_authorization=self.iam_authorization,
             name=self.name,
         )
+        self._register_validator(
+            EfsAccessPointOptionsValidator,
+            access_point_id=self.access_point_id,
+            file_system_id=self.file_system_id,
+            encryption_in_transit=self.encryption_in_transit,
+        )
 
 
 class BaseSharedFsx(Resource):

cli/src/pcluster/schemas/cluster_schema.py

@@ -321,6 +321,9 @@ class EfsSettingsSchema(BaseSchema):
     deletion_policy = fields.Str(
         validate=validate.OneOf(DELETION_POLICIES), metadata={"update_policy": UpdatePolicy.SUPPORTED}
     )
+    access_point_id = fields.Str(
+        validate=validate.Regexp(r"^fsap-[0-9a-z]{17}$"), metadata={"update_policy": UpdatePolicy.UNSUPPORTED}
+    )
     encryption_in_transit = fields.Bool(metadata={"update_policy": UpdatePolicy.UNSUPPORTED})
     iam_authorization = fields.Bool(metadata={"update_policy": UpdatePolicy.UNSUPPORTED})
 
@@ -331,7 +334,12 @@ def validate_file_system_id_ignored_parameters(self, data, **kwargs):
         messages = []
         if data.get("file_system_id") is not None:
             for key in data:
-                if key is not None and key not in ["encryption_in_transit", "iam_authorization", "file_system_id"]:
+                if key is not None and key not in [
+                    "encryption_in_transit",
+                    "iam_authorization",
+                    "file_system_id",
+                    "access_point_id",
+                ]:
                     messages.append(EFS_MESSAGES["errors"]["ignored_param_with_efs_fs_id"].format(efs_param=key))
             if messages:
                 raise ValidationError(message=messages)

cli/src/pcluster/templates/cluster_stack.py

@@ -1108,6 +1108,7 @@ def _add_efs_storage(self, id: str, shared_efs: SharedEfs):
             shared_efs.encryption_in_transit
         )
         self.shared_storage_attributes[SharedStorageType.EFS]["IamAuthorizations"].append(shared_efs.iam_authorization)
+        self.shared_storage_attributes[SharedStorageType.EFS]["AccessPointIds"].append(shared_efs.access_point_id)
 
         return efs_id
 
@@ -1287,6 +1288,10 @@ def _add_head_node(self):
                     "efs_iam_authorizations": to_comma_separated_string(
                         self.shared_storage_attributes[SharedStorageType.EFS]["IamAuthorizations"], use_lower_case=True
                     ),
+                    "efs_access_point_ids": to_comma_separated_string(
+                        self.shared_storage_attributes[SharedStorageType.EFS]["AccessPointIds"],
+                        use_lower_case=True,
+                    ),
                     "fsx_fs_ids": get_shared_storage_ids_by_type(self.shared_storage_infos, SharedStorageType.FSX),
                     "fsx_mount_names": to_comma_separated_string(
                         self.shared_storage_attributes[SharedStorageType.FSX]["MountNames"]

cli/src/pcluster/templates/login_nodes_stack.py

@@ -240,6 +240,10 @@ def _add_login_nodes_pool_launch_template(self):
                         self._shared_storage_attributes[SharedStorageType.EFS]["IamAuthorizations"],
                         use_lower_case=True,
                     ),
+                    "efs_access_point_ids": to_comma_separated_string(
+                        self._shared_storage_attributes[SharedStorageType.EFS]["AccessPointIds"],
+                        use_lower_case=True,
+                    ),
                     "enable_intel_hpc_platform": "true" if self._config.is_intel_hpc_platform_enabled else "false",
                     "ephemeral_dir": DEFAULT_EPHEMERAL_DIR,
                     "fsx_fs_ids": get_shared_storage_ids_by_type(self._shared_storage_infos, SharedStorageType.FSX),

cli/src/pcluster/templates/queues_stack.py

@@ -335,6 +335,10 @@ def _add_compute_resource_launch_template(
                         self._shared_storage_attributes[SharedStorageType.EFS]["IamAuthorizations"],
                         use_lower_case=True,
                     ),
+                    "efs_access_point_ids": to_comma_separated_string(
+                        self._shared_storage_attributes[SharedStorageType.EFS]["AccessPointIds"],
+                        use_lower_case=True,
+                    ),
                     "fsx_fs_ids": get_shared_storage_ids_by_type(self._shared_storage_infos, SharedStorageType.FSX),
                     "fsx_mount_names": to_comma_separated_string(
                         self._shared_storage_attributes[SharedStorageType.FSX]["MountNames"]

cli/src/pcluster/validators/efs_validators.py

@@ -25,3 +25,28 @@ def _validate(self, encryption_in_transit: bool, iam_authorization: bool, name:
                 f"Please either disable IAM authorization or enable encryption in-transit for file system {name}",
                 FailureLevel.ERROR,
             )
+
+
+class EfsAccessPointOptionsValidator(Validator):
+    """
+    EFS Mount Options validator.
+
+    IAM Authorization requires Encryption in Transit.
+    """
+
+    def _validate(self, access_point_id: str, file_system_id: str, encryption_in_transit: bool):
+
+        if access_point_id and not file_system_id:
+            self._add_failure(
+                "An access point can only be specified when using an existing EFS file system. "
+                f"Please either remove the access point id {access_point_id} "
+                "or provide the file system id for the access point",
+                FailureLevel.ERROR,
+            )
+
+        if access_point_id and not encryption_in_transit:
+            self._add_failure(
+                "An access point can only be specified when encryption in transit is enabled. "
+                f"Please either remove the access point id {access_point_id} or enable encryption in transit.",
+                FailureLevel.ERROR,
+            )

cli/src/pcluster3_config_converter/pcluster3_config_converter.py

@@ -296,6 +296,7 @@ def convert_efs_settings(self, section_name):
                 ("efs_kms_key_id", "KmsKeyId"),
                 ("provisioned_throughput", "ProvisionedThroughput", "getint"),
                 ("throughput_mode", "ThroughputMode"),
+                ("access_point_id", "AccessPointId"),
             ]
             efs_section, efs_dict, _section_label = self.convert_storage_base(
                 "efs", efs_label.strip(), additional_items

cli/tests/pcluster/templates/test_cluster_stack/test_cluster_config_limits/slurm.full_config.snapshot.yaml

@@ -3888,6 +3888,7 @@ SharedStorage:
   Name: nameebs4
   StorageType: Ebs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: Delete
     Encrypted: false
     EncryptionInTransit: false
@@ -3901,6 +3902,7 @@ SharedStorage:
   Name: efs0
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -3914,6 +3916,7 @@ SharedStorage:
   Name: existing-efs10
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -3927,6 +3930,7 @@ SharedStorage:
   Name: existing-efs11
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -3940,6 +3944,7 @@ SharedStorage:
   Name: existing-efs12
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -3953,6 +3958,7 @@ SharedStorage:
   Name: existing-efs13
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -3966,6 +3972,7 @@ SharedStorage:
   Name: existing-efs14
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -3979,6 +3986,7 @@ SharedStorage:
   Name: existing-efs15
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -3992,6 +4000,7 @@ SharedStorage:
   Name: existing-efs16
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4005,6 +4014,7 @@ SharedStorage:
   Name: existing-efs17
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4018,6 +4028,7 @@ SharedStorage:
   Name: existing-efs18
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4031,6 +4042,7 @@ SharedStorage:
   Name: existing-efs19
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4044,6 +4056,7 @@ SharedStorage:
   Name: existing-efs20
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4057,6 +4070,7 @@ SharedStorage:
   Name: existing-efs21
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4070,6 +4084,7 @@ SharedStorage:
   Name: existing-efs22
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4083,6 +4098,7 @@ SharedStorage:
   Name: existing-efs23
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4096,6 +4112,7 @@ SharedStorage:
   Name: existing-efs24
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4109,6 +4126,7 @@ SharedStorage:
   Name: existing-efs25
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4122,6 +4140,7 @@ SharedStorage:
   Name: existing-efs26
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4135,6 +4154,7 @@ SharedStorage:
   Name: existing-efs27
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false
@@ -4148,6 +4168,7 @@ SharedStorage:
   Name: existing-efs28
   StorageType: Efs
 - EfsSettings:
+    AccessPointId: null
     DeletionPolicy: null
     Encrypted: false
     EncryptionInTransit: false

cli/tests/pcluster/templates/test_cluster_stack/test_head_node_dna_json/head_node_default.dna.json

@@ -20,6 +20,7 @@
     "efs_fs_ids": "",
     "efs_iam_authorizations": "",
     "efs_shared_dirs": "",
+    "efs_access_point_ids": "",
     "enable_intel_hpc_platform": "false",
     "ephemeral_dir": "/scratch",
     "fsx_dns_names": "",

cli/tests/pcluster/templates/test_login_nodes_stack/test_login_nodes_dna_json/dna-1.json

@@ -22,6 +22,7 @@
     "efs_fs_ids": "",
     "efs_iam_authorizations": "",
     "efs_shared_dirs": "",
+    "efs_access_point_ids": "",
     "enable_intel_hpc_platform": "false",
     "ephemeral_dir": "/scratch",
     "fsx_dns_names": "",

cli/tests/pcluster/templates/test_login_nodes_stack/test_login_nodes_dna_json/dna-2.json

@@ -22,6 +22,7 @@
     "efs_fs_ids": "",
     "efs_iam_authorizations": "",
     "efs_shared_dirs": "",
+    "efs_access_point_ids": "",
     "enable_intel_hpc_platform": "false",
     "ephemeral_dir": "/scratch",
     "fsx_dns_names": "",

cli/tests/pcluster/templates/test_queues_stack/test_compute_nodes_dna_json/dna-1.json

@@ -20,6 +20,7 @@
     "efs_fs_ids": "",
     "efs_iam_authorizations": "",
     "efs_shared_dirs": "",
+    "efs_access_point_ids": "",
     "enable_efa": "NONE",
     "enable_efa_gdr": "NONE",
     "enable_intel_hpc_platform": "false",

cli/tests/pcluster/templates/test_queues_stack/test_compute_nodes_dna_json/dna-2.json

@@ -20,6 +20,7 @@
     "efs_fs_ids": "",
     "efs_iam_authorizations": "",
     "efs_shared_dirs": "",
+    "efs_access_point_ids": "",
     "enable_efa": "NONE",
     "enable_efa_gdr": "NONE",
     "enable_intel_hpc_platform": "false",