AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS ParallelCluster serverless API
Globals:
Function:
Timeout: 900
Resources:
ParallelClusterFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: parallelcluster_function/
Handler: function.lambda_handler
Runtime: python3.7
Policies:
- Statement:
- Sid: EC2Describe
Effect: Allow
Action:
- ec2:DescribeKeyPairs
- ec2:DescribeRegions
- ec2:DescribeVpcs
- ec2:DescribeSubnets
- ec2:DescribeSecurityGroups
- ec2:DescribePlacementGroups
- ec2:DescribeImages
- ec2:DescribeInstances
- ec2:DescribeInstanceStatus
- ec2:DescribeSnapshots
- ec2:DescribeVolumes
- ec2:DescribeVpcAttribute
- ec2:DescribeAddresses
- ec2:CreateTags
- ec2:DescribeNetworkInterfaces
- ec2:DescribeAvailabilityZones
Resource: '*'
- Sid: NetworkingEasyConfig
Effect: Allow
Action:
- ec2:CreateVpc
- ec2:ModifyVpcAttribute
- ec2:DescribeNatGateways
- ec2:CreateNatGateway
- ec2:DescribeInternetGateways
- ec2:CreateInternetGateway
- ec2:AttachInternetGateway
- ec2:DescribeRouteTables
- ec2:CreateRouteTable
- ec2:AssociateRouteTable
- ec2:CreateSubnet
- ec2:ModifySubnetAttribute
Resource: '*'
- Sid: EC2Modify
Effect: Allow
Action:
- ec2:CreateVolume
- ec2:RunInstances
- ec2:AllocateAddress
- ec2:AssociateAddress
- ec2:AttachNetworkInterface
- ec2:AuthorizeSecurityGroupEgress
- ec2:AuthorizeSecurityGroupIngress
- ec2:CreateNetworkInterface
- ec2:CreateSecurityGroup
- ec2:ModifyVolumeAttribute
- ec2:ModifyNetworkInterfaceAttribute
- ec2:DeleteNetworkInterface
- ec2:DeleteVolume
- ec2:TerminateInstances
- ec2:DeleteSecurityGroup
- ec2:DisassociateAddress
- ec2:RevokeSecurityGroupIngress
- ec2:RevokeSecurityGroupEgress
- ec2:ReleaseAddress
- ec2:CreatePlacementGroup
- ec2:DeletePlacementGroup
Resource: '*'
- Sid: AutoScalingDescribe
Effect: Allow
Action:
- autoscaling:DescribeAutoScalingGroups
- autoscaling:DescribeAutoScalingInstances
Resource: '*'
- Sid: AutoScalingModify
Effect: Allow
Action:
- autoscaling:CreateAutoScalingGroup
- ec2:CreateLaunchTemplate
- ec2:ModifyLaunchTemplate
- ec2:DeleteLaunchTemplate
- ec2:DescribeLaunchTemplates
- ec2:DescribeLaunchTemplateVersions
- autoscaling:PutNotificationConfiguration
- autoscaling:UpdateAutoScalingGroup
- autoscaling:PutScalingPolicy
- autoscaling:DescribeScalingActivities
- autoscaling:DeleteAutoScalingGroup
- autoscaling:DeletePolicy
- autoscaling:DisableMetricsCollection
- autoscaling:EnableMetricsCollection
Resource: '*'
- Sid: DynamoDBDescribe
Effect: Allow
Action:
- dynamodb:DescribeTable
Resource: '*'
- Sid: DynamoDBModify
Effect: Allow
Action:
- dynamodb:CreateTable
- dynamodb:DeleteTable
- dynamodb:TagResource
Resource: '*'
- Sid: SQSDescribe
Effect: Allow
Action:
- sqs:GetQueueAttributes
Resource: '*'
- Sid: SQSModify
Effect: Allow
Action:
- sqs:CreateQueue
- sqs:SetQueueAttributes
- sqs:DeleteQueue
- sqs:TagQueue
Resource: '*'
- Sid: SNSDescribe
Effect: Allow
Action:
- sns:ListTopics
- sns:GetTopicAttributes
Resource: '*'
- Sid: SNSModify
Effect: Allow
Action:
- sns:CreateTopic
- sns:Subscribe
- sns:DeleteTopic
Resource: '*'
- Sid: CloudFormationDescribe
Effect: Allow
Action:
- cloudformation:DescribeStackEvents
- cloudformation:DescribeStackResource
- cloudformation:DescribeStackResources
- cloudformation:DescribeStacks
- cloudformation:ListStacks
- cloudformation:GetTemplate
Resource: '*'
- Sid: CloudFormationModify
Effect: Allow
Action:
- cloudformation:CreateStack
- cloudformation:DeleteStack
- cloudformation:UpdateStack
Resource: '*'
- Sid: S3ParallelClusterReadOnly
Effect: Allow
Action:
- s3:Get*
- s3:List*
Resource: 'arn:aws:s3:::*-aws-parallelcluster*'
- Sid: IAMModify
Effect: Allow
Action:
- iam:PassRole
- iam:CreateRole
- iam:CreateServiceLinkedRole
- iam:DeleteRole
- iam:GetRole
- iam:TagRole
- iam:SimulatePrincipalPolicy
Resource:
- arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster*
- arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*
- Sid: IAMCreateInstanceProfile
Effect: Allow
Action:
- iam:CreateInstanceProfile
- iam:DeleteInstanceProfile
Resource: 'arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*'
- Sid: IAMInstanceProfile
Effect: Allow
Action:
- iam:AddRoleToInstanceProfile
- iam:RemoveRoleFromInstanceProfile
- iam:GetRolePolicy
- iam:GetPolicy
- iam:AttachRolePolicy
- iam:DetachRolePolicy
- iam:PutRolePolicy
- iam:DeleteRolePolicy
Resource: '*'
- Sid: EFSDescribe
Effect: Allow
Action:
- elasticfilesystem:DescribeMountTargets
- elasticfilesystem:DescribeMountTargetSecurityGroups
- ec2:DescribeNetworkInterfaceAttribute
Resource: '*'
- Sid: SSMDescribe
Effect: Allow
Action:
- ssm:GetParametersByPath
Resource: '*'
- Sid: FSx
Effect: Allow
Action:
- fsx:*
Resource: '*'
- Sid: EFS
Effect: Allow
Action:
- elasticfilesystem:*
Resource: '*'
- Sid: CloudWatchLogs
Effect: Allow
Action:
- logs:DeleteLogGroup
- logs:PutRetentionPolicy
- logs:DescribeLogGroups
- logs:CreateLogGroup
Resource: '*'
Events:
pCluster:
Type: Api
Properties:
Path: /pcluster
Method: any
Outputs:
ParallelClusterApi:
Description: "API Gateway endpoint URL for Prod stage for ParallelCluster function"
Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/pcluster/"