[Permissions] Add new stack parameter 'AdditionalPoliciesPCAPI' to add custom permissions for the ParallelCluster API Lambda role, on top of the default ones.

gmarciani · gmarciani · commit 7b55daa6931a · 2025-03-05T10:51:25.000-05:00
diff --git a/infrastructure/environments/demo-cfn-create-args.yaml b/infrastructure/environments/demo-cfn-create-args.yaml
@@ -26,6 +26,8 @@ Parameters:
 #    ParameterValue: "subnet-xxxxxxxxxx,subnet-xxxxxxxxxx,subnet-xxxxxxxxxx"
 #  - ParameterKey: LambdaSecurityGroupIds
 #    ParameterValue: sg-xxxxxxxxxx
+#  - ParameterKey: AdditionalPoliciesPCAPI
+#    ParameterValue: arn:aws:iam::xxxxxxxxxx:policy/xxxxxxxxxx
 #  - ParameterKey: PermissionsBoundaryPolicy
 #    ParameterValue: arn:aws:iam::xxxxxxxxxx:policy/xxxxxxxxxx
 #  - ParameterKey: PermissionsBoundaryPolicyPCAPI
diff --git a/infrastructure/environments/demo-cfn-update-args.yaml b/infrastructure/environments/demo-cfn-update-args.yaml
@@ -26,6 +26,8 @@ Parameters:
     UsePreviousValue: true
   - ParameterKey: LambdaSecurityGroupIds
     UsePreviousValue: true
+  - ParameterKey: AdditionalPoliciesPCAPI
+    UsePreviousValue: true
   - ParameterKey: PermissionsBoundaryPolicy
     UsePreviousValue: true
   - ParameterKey: PermissionsBoundaryPolicyPCAPI
diff --git a/infrastructure/parallelcluster-ui.yaml b/infrastructure/parallelcluster-ui.yaml
@@ -57,6 +57,13 @@ Parameters:
     Description: 'ARN of the IAM policy to use as permissions boundary for every IAM role created by ParallelCluster API infrastructure. [ParallelCluster >= 3.8.0]'
     Default: ''
     AllowedPattern: "^(arn:.*:iam::.*:policy\\/([a-zA-Z0-9_-]+))|()$"
+  AdditionalPoliciesPCAPI:
+    Type: String
+    Description: |
+      (OPTIONAL) ARN of the additional IAM policy to be attached to the default execution role for the ParallelCluster Lambda function. 
+      Only one policy can be specified.
+    Default: ''
+    AllowedPattern: "^(arn:.*:iam::.*:policy\\/([a-zA-Z0-9_-]+))|()$"
   IAMRoleAndPolicyPrefix:
     Type: String
     Description: 'Prefix applied to the name of every IAM role and policy (max length: 10). [ParallelCluster >= 3.8.0]'
@@ -113,6 +120,7 @@ Metadata:
       - Label:
           default: (Optional) Permissions
         Parameters:
+          - AdditionalPoliciesPCAPI
           - IAMRoleAndPolicyPrefix
           - PermissionsBoundaryPolicy
           - PermissionsBoundaryPolicyPCAPI
@@ -169,6 +177,7 @@ Conditions:
   UseIAMRoleAndPolicyPrefix: !Not [!Equals [!Ref IAMRoleAndPolicyPrefix, '']]
   UseCustomDomain: !Not [!Equals [!Ref CustomDomain, '']]
   UseCognitoCustomDomain: !Not [!Equals [!Ref CognitoCustomDomain, '']]
+  UseAdditionalPoliciesPCAPI: !Not [!Equals [!Ref AdditionalPoliciesPCAPI, '']]
 
 Mappings:
   ParallelClusterUI:
@@ -204,6 +213,7 @@ Resources:
       Parameters:
         PermissionsBoundaryPolicy: !If [ UsePermissionBoundaryPCAPI, !Ref PermissionsBoundaryPolicyPCAPI, !Ref AWS::NoValue ]
         IAMRoleAndPolicyPrefix: !If [ UseIAMRoleAndPolicyPrefix, !Ref IAMRoleAndPolicyPrefix, !Ref AWS::NoValue ]
+        ParallelClusterFunctionAdditionalPolicies: !If [ UseAdditionalPoliciesPCAPI, !Ref AdditionalPoliciesPCAPI, !Ref AWS::NoValue ]
         ApiDefinitionS3Uri: !Sub s3://${AWS::Region}-aws-parallelcluster/parallelcluster/${Version}/api/ParallelCluster.openapi.yaml
         CreateApiUserRole: False
         EnableIamAdminAccess: True
