Add GetFunction and GetPolicy permissions to the build image cleanup role (#7087)

* Add GetFunction and GetPolicy permissions to the build image cleanup role

* Increase pcluster build image cleanup role revision number

* Update CHANGELOG

* Add unit test for actions in CleanupRole policy

* Fix linter errors

Author: hgreebe

CHANGELOG.md

@@ -11,6 +11,7 @@ CHANGELOG
 
 **BUG FIXES**
 - Reduce EFA installation time for Ubuntu by ~20 minutes by only holding kernel packages for the installed kernel.
+- Add GetFunction and GetPolicy permissions to PClusterBuildImageCleanupRole to prevent AccessDenied errors during build image stack deletion.
 
 3.14.1
 ------

cli/src/pcluster/constants.py

@@ -343,7 +343,7 @@ class Operation(Enum):
 
 PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_PREFIX = "PClusterBuildImageCleanupRole"
 # Tag key & expected revision (increment when policy widens)
-PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_REVISION = 1
+PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_REVISION = 2
 PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_BOOTSTRAP_TAG_KEY = "parallelcluster:build-image-cleanup-role-bootstrapped"
 
 P6E_GB200 = "p6e-gb200"

cli/src/pcluster/imagebuilder_utils.py

@@ -140,7 +140,12 @@ def _expected_inline_policy(account_id: str, partition: str):
                 {"Action": "ec2:CreateTags", "Resource": f"arn:{partition}:ec2:*::image/*", "Effect": "Allow"},
                 {"Action": "tag:TagResources", "Resource": "*", "Effect": "Allow"},
                 {
-                    "Action": ["lambda:DeleteFunction", "lambda:RemovePermission"],
+                    "Action": [
+                        "lambda:DeleteFunction",
+                        "lambda:RemovePermission",
+                        "lambda:GetFunction",
+                        "lambda:GetPolicy",
+                    ],
                     "Resource": f"arn:{partition}:lambda:*:{account_id}:function:ParallelClusterImage-*",
                     "Effect": "Allow",
                 },

cli/tests/pcluster/cli/test_build_image.py

@@ -283,26 +283,42 @@ def test_ensure_default_build_image_stack_cleanup_role_permission_denied(self, a
         aws_api_mock.iam.tag_role.assert_not_called()
 
     @pytest.mark.parametrize(
-        "account_id, partition",
+        "account_id, partition, actions",
         [
-            ("123456789012", "aws"),
-            ("000000000000", "aws-us-gov"),
+            (
+                "123456789012",
+                "aws",
+                ["lambda:DeleteFunction", "lambda:RemovePermission", "lambda:GetFunction", "lambda:GetPolicy"],
+            ),
+            (
+                "000000000000",
+                "aws-us-gov",
+                ["lambda:DeleteFunction", "lambda:RemovePermission", "lambda:GetFunction", "lambda:GetPolicy"],
+            ),
         ],
     )
-    def test_expected_inline_policy_dynamic_fields(self, account_id, partition):
+    def test_expected_inline_policy_dynamic_fields(self, account_id, partition, actions):
         raw = _expected_inline_policy(account_id, partition)
         policy = json.loads(raw)
         assert policy["Version"] == "2012-10-17"
         assert len(policy["Statement"]) == 13
         for statement in policy["Statement"]:
             resources = statement["Resource"]
+            action = statement["Action"]
+            action = action if isinstance(action, list) else [action]
+            for act in action:
+                if act in actions:
+                    actions.remove(act)
+
             resources = resources if isinstance(resources, list) else [resources]
             for res in resources:
                 if res == "*":
                     continue
                 assert f"arn:{partition}" in res
                 if not res == f"arn:{partition}:ec2:*::image/*":
                     assert f":{account_id}:" in res
+        if len(actions) != 0:
+            raise AssertionError(f"Actions {actions} are not in the policy")
 
     def _build_args(self, args):
         args = [[k, v] if v is not None else [k] for k, v in args.items()]