Thheinen/efs accesspoints (#2783)

* Add EFS access point support (aws-parallelcluster#2337)
* Added configs for access points

Signed-off-by: Thomas Heinen <[email protected]>


---------

Signed-off-by: Thomas Heinen <[email protected]>
Co-authored-by: Thomas Heinen <[email protected]>

Author: mapk-amazon

CHANGELOG.md

@@ -9,6 +9,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 **ENHANCEMENTS**
 - Allow custom actions on login nodes.
 - Allow DCV connection on login nodes.
+- Add new attribute `efs_access_point_ids` to specify optional EFS access points for the mounts
 
 **BUG FIXES**
 - Fix EFA kmod installation with RHEL 8.10 or newer.

cookbooks/aws-parallelcluster-environment/attributes/environment.rb

@@ -37,6 +37,7 @@
 default['cluster']['efs_fs_ids'] = ''
 default['cluster']['efs_encryption_in_transits'] = ''
 default['cluster']['efs_iam_authorizations'] = ''
+default['cluster']['efs_access_point_ids'] = ''
 default['cluster']['fsx_shared_dirs'] = ''
 default['cluster']['fsx_fs_ids'] = ''
 default['cluster']['fsx_dns_names'] = ''

cookbooks/aws-parallelcluster-environment/recipes/config/efs.rb

@@ -15,6 +15,7 @@
 id_array = node['cluster']['efs_fs_ids'].split(',')
 encryption_array = node['cluster']['efs_encryption_in_transits'].split(',')
 iam_array = node['cluster']['efs_iam_authorizations'].split(',')
+access_point_id_array = node['cluster']['efs_access_point_ids'].split(',')
 
 # Identify the previously mounted filesystems and remove them from the set of filesystems to mount
 shared_dir_array.each_with_index do |dir, index|
@@ -23,6 +24,7 @@
   id_array.delete_at(index)
   encryption_array.delete_at(index)
   iam_array.delete_at(index)
+  access_point_id_array.delete_at(index)
 end
 
 # Mount EFS directories with the efs resource
@@ -31,6 +33,7 @@
   efs_fs_id_array id_array
   efs_encryption_in_transit_array encryption_array
   efs_iam_authorization_array iam_array
+  efs_access_point_id_array access_point_id_array
   action :mount
   not_if { shared_dir_array.empty? }
 end

cookbooks/aws-parallelcluster-environment/recipes/config/mount_home.rb

@@ -61,6 +61,7 @@
         efs_encryption_in_transit_array [node['cluster']['efs_encryption_in_transits'].split(',')[index]]
         efs_iam_authorization_array [node['cluster']['efs_iam_authorizations'].split(',')[index]]
         efs_mount_point_array ['/home']
+        efs_access_point_id [node['cluster']['efs_access_point_ids'].split(',')[index]]
         action :mount
       end
       break
@@ -73,6 +74,7 @@
         efs_fs_id_array [node['cluster']['efs_fs_ids'].split(',')[index]]
         efs_encryption_in_transit_array [node['cluster']['efs_encryption_in_transits'].split(',')[index]]
         efs_iam_authorization_array [node['cluster']['efs_iam_authorizations'].split(',')[index]]
+        efs_access_point_id [node['cluster']['efs_access_point_ids'].split(',')[index]]
         action :mount
       end
       break

cookbooks/aws-parallelcluster-environment/resources/efs/partial/_mount_umount.rb

@@ -18,6 +18,7 @@
 property :efs_fs_id_array, Array, required: %i(mount unmount)
 property :efs_encryption_in_transit_array, Array, required: false
 property :efs_iam_authorization_array, Array, required: false
+property :efs_access_point_id_array, Array, required: false
 # This is the mount point on the EFS itself, as opposed to the local system directory, defaults to "/"
 property :efs_mount_point_array, Array, required: false
 property :efs_unmount_forced_array, Array, required: false
@@ -28,19 +29,23 @@
   efs_fs_id_array = new_resource.efs_fs_id_array.dup
   efs_encryption_in_transit_array = new_resource.efs_encryption_in_transit_array.dup
   efs_iam_authorization_array = new_resource.efs_iam_authorization_array.dup
+  efs_access_point_id_array = new_resource.efs_access_point_id_array.dup
   efs_mount_point_array = new_resource.efs_mount_point_array.dup
 
   efs_fs_id_array.each_with_index do |efs_fs_id, index|
     efs_shared_dir = efs_shared_dir_array[index]
     efs_encryption_in_transit = efs_encryption_in_transit_array[index] unless efs_encryption_in_transit_array.nil?
     efs_iam_authorization = efs_iam_authorization_array[index] unless efs_iam_authorization_array.nil?
+    efs_access_point_id = efs_access_point_id_array[index] unless efs_access_point_id_array.nil?
 
     # Path needs to be fully qualified, for example "shared/temp" becomes "/shared/temp"
     efs_shared_dir = "/#{efs_shared_dir}" unless efs_shared_dir.start_with?('/')
 
     # See reference of mount options: https://docs.aws.amazon.com/efs/latest/ug/automount-with-efs-mount-helper.html
     mount_options = "_netdev,noresvport"
-    if efs_encryption_in_transit == "true"
+    if efs_access_point_id
+      mount_options = "iam,tls,access_point=#{efs_access_point_id}"
+    elsif efs_encryption_in_transit == "true"
       mount_options += ",tls"
       if efs_iam_authorization == "true"
         mount_options += ",iam"

cookbooks/aws-parallelcluster-environment/templates/shared_storages/shared_storages_data.erb

@@ -19,12 +19,14 @@ raid:
 <% efs_shared_dir_array = node['cluster']['efs_shared_dirs'].split(',') -%>
 <% efs_encryption_in_transit_array = node['cluster']['efs_encryption_in_transits'].split(',') -%>
 <% efs_iam_authorization_array = node['cluster']['efs_iam_authorizations'].split(',') -%>
+<% efs_access_point_id_array = node['cluster']['efs_access_point_ids'].split(',') -%>
 efs:
 <% efs_fs_ids_array.each_with_index do |efs_fs_id, index| -%>
   - efs_fs_id: <%= efs_fs_id %>
     mount_dir: <%= efs_shared_dir_array[index] %>
     efs_encryption_in_transit: <%= efs_encryption_in_transit_array[index] %>
     efs_iam_authorization: <%= efs_iam_authorization_array[index] %>
+    efs_access_point_id: <%= efs_access_point_id_array[index] %>
 <% end -%>
 <%# FSX %>
 <% fsx_fs_id_array = node['cluster']['fsx_fs_ids'].split(',') -%>