Merge pull request #344 from aws/bump/0.27.0

chore(release): 0.27.0

Author: jusiskin

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/[email protected].4
+      uses: actions/[email protected].5
       with:
         node-version: ${{ matrix.node-version }}
     - run: yarn global add typescript

CHANGELOG.md

@@ -2,6 +2,38 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [0.27.0](https://github.com/aws/aws-rfdk/compare/v0.26.0...v0.27.0) (2021-03-12)
+
+
+### Supported CDK Version
+
+* [1.91.0](https://github.com/aws/aws-cdk/releases/tag/v1.91.0)
+
+
+### Officially Supported Deadline Versions
+
+* [10.1.9.2 to 10.1.14.4](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/release-notes.html)
+
+
+### Security Notice
+
+RFDK version 0.27.x and later include security enhancements.  We recommend you upgrade RFDK and Deadline to further restrict the permissions required for RFDK & Deadline to function. Please upgrade the version of RFDK used in your CDK application to 0.27.x, and configure your application to deploy Deadline 10.1.14.x or later to resolve the issue. 
+
+If you have an existing deployment that was built with RFDK versions 0.26.x or earlier, you will need to upgrade to RFDK 0.27.x and Deadline 10.1.14.x or later before June 10, 2021 @ 1:00PM PST/ 3:00PM CST/ 4:00PM EST. Failure to upgrade by the above date may result in disruptions to your render farm. If you have any questions, please contact AWS Thinkbox Customer Support at https://support.thinkboxsoftware.com/.
+
+### ⚠ BREAKING CHANGES
+
+- If your application provides an EFS file-system to a Repository construct, it must now also pass an
+  [EFS Access Point](https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html). See the [RFDK 0.27.x upgrade documentation](https://github.com/aws/aws-rfdk/blob/v0.27.0/packages/aws-rfdk/docs/upgrade/upgrading-0.27.md)
+  for details.
+
+### Features
+
+* **core:** make cloudwatch agent install optional ([#338](https://github.com/aws/aws-rfdk/issues/338)) ([ac052ea](https://github.com/aws/aws-rfdk/commit/ac052ea67ab90e8c6ac18af71a950b20c68a24f1))
+* **core:** add ability to use EFS access points ([#339](https://github.com/aws/aws-rfdk/issues/339)) ([544496c](https://github.com/aws/aws-rfdk/commit/544496cb67b3880fc187716a33ebeca595c108d7))
+* **deadline:** add ability to use EFS access points ([#339](https://github.com/aws/aws-rfdk/issues/339)) ([544496c](https://github.com/aws/aws-rfdk/commit/544496cb67b3880fc187716a33ebeca595c108d7))
+
+
 ## [0.26.0](https://github.com/aws/aws-rfdk/compare/v0.25.0...v0.26.0) (2021-03-01)
 
 

THIRD-PARTY

@@ -101,7 +101,7 @@ def main():
     # ------------------------------
     service_props = service_tier.ServiceTierProps(
         database=storage.database,
-        file_system=storage.file_system,
+        mountable_file_system=storage.mountable_file_system,
         vpc=network.vpc,
         ubl_certs_secret_arn=config.ubl_certificate_secret_arn,
         ubl_licenses=config.ubl_licenses,

examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/app.py

@@ -32,10 +32,10 @@ def __init__(self):
         # to pin to. Some examples of pinned version values are "10", "10.1", or "10.1.12"
         self.deadline_version: Optional[str] = None
 
-        # A map of regions to Deadline Client Linux AMIs. As an example, the Linux Deadline 10.1.12.1 AMI ID
-        # from us-west-2 is filled in. It can be used as-is, added to, or replaced. Ideally the version here
-        #  should match the one used for staging the render queue and usage based licensing recipes.
-        self.deadline_client_linux_ami_map: Mapping[str, str] = {'us-west-2': 'ami-039f0c1faba28b015'}
+        # A map of regions to Deadline Client Linux AMIs. As an example, the Linux Deadline 10.1.13.2 AMI ID
+        # from us-west-2 is filled in. It can be used as-is, added to, or replaced. Ideally the version here should match the version of
+        # Deadline used in any connected Deadline constructs.
+        self.deadline_client_linux_ami_map: Mapping[str, str] = {'us-west-2': 'ami-0237f13ce87af168e'}
 
         # A secret (in binary form) in SecretsManager that stores the UBL certificates in a .zip file.
         self.ubl_certificate_secret_arn: str =\

examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/config.py

@@ -30,7 +30,7 @@
 
 from aws_rfdk import (
     DistinguishedName,
-    IMountableLinuxFilesystem,
+    MountableEfs,
     SessionManagerHelper,
     X509CertificatePem
 )
@@ -58,8 +58,8 @@ class ServiceTierProps(StackProps):
     vpc: IVpc
     # The database to connect to.
     database: DatabaseConnection
-    # The file system to install Deadline Repository to.
-    file_system: IMountableLinuxFilesystem
+    # The file-system to install Deadline Repository to.
+    mountable_file_system: MountableEfs
     # The ARN of the secret containing the UBL certificates .zip file (in binary form).
     ubl_certs_secret_arn: typing.Optional[str]
     # The UBL licenses to configure
@@ -109,9 +109,9 @@ def __init__(self, scope: Construct, stack_id: str, *, props: ServiceTierProps,
             ]
         )
 
-        # Granting the bastion access to the file system mount for convenience.
-        # This can also safely be removed.
-        props.file_system.mount_to_linux_instance(
+        # Mounting the root of the EFS file-system to the bastion access for convenience.
+        # This can safely be removed.
+        MountableEfs(self, filesystem=props.mountable_file_system.file_system).mount_to_linux_instance(
             self.bastion.instance,
             location='/mnt/efs'
         )
@@ -127,8 +127,9 @@ def __init__(self, scope: Construct, stack_id: str, *, props: ServiceTierProps,
             'Repository',
             vpc=props.vpc,
             database=props.database,
-            file_system=props.file_system,
+            file_system=props.mountable_file_system,
             repository_installation_timeout=Duration.minutes(20),
+            repository_installation_prefix='/',
             version=self.version
         )
 

examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/lib/service_tier.py

@@ -25,7 +25,10 @@
     SubnetType
 )
 from aws_cdk.aws_efs import (
+    AccessPoint,
+    Acl,
     FileSystem,
+    PosixUser
 )
 from aws_cdk.aws_route53 import (
     IPrivateHostedZone
@@ -75,20 +78,54 @@ def __init__(self, scope: Construct, stack_id: str, *, props: StorageTierProps,
         :param kwargs: Any kwargs that need to be passed on to the parent class.
         """
         super().__init__(scope, stack_id, **kwargs)
-        # The file system to use (e.g. to install Deadline Repository onto).
-        self.file_system = MountableEfs(
+
+        # The file-system to use (e.g. to install Deadline Repository onto).
+        file_system = FileSystem(
+            self,
+            'EfsFileSystem',
+            vpc=props.vpc,
+            encrypted=True,
+            # TODO - Evaluate this removal policy for your own needs. This is set to DESTROY to
+            # cleanly remove everything when this stack is destroyed. If you would like to ensure
+            # that your data is not accidentally deleted, you should modify this value.
+            removal_policy=RemovalPolicy.DESTROY
+        )
+
+        # Create an EFS access point that is used to grant the Repository and RenderQueue with write access to the
+        # Deadline Repository directory in the EFS file-system.
+        access_point = AccessPoint(
             self,
-            filesystem=FileSystem(
-                self,
-                'EfsFileSystem',
-                vpc=props.vpc,
-                # TODO - Evaluate this removal policy for your own needs. This is set to DESTROY to
-                # cleanly remove everything when this stack is destroyed. If you would like to ensure
-                # that your data is not accidentally deleted, you should modify this value.
-                removal_policy=RemovalPolicy.DESTROY
+            'AccessPoint',
+            file_system=file_system,
+
+            # The AccessPoint will create the directory (denoted by the path property below) if it doesn't exist with
+            # the owning UID/GID set as specified here. These should be set up to grant read and write access to the
+            # UID/GID configured in the "poxis_user" property below.
+            create_acl=Acl(
+                owner_uid='10000',
+                owner_gid='10000',
+                permissions='750',
+            ),
+
+            # When you mount the EFS via the access point, the mount will be rooted at this path in the EFS file-system
+            path='/DeadlineRepository',
+
+            # TODO - When you mount the EFS via the access point, all file-system operations will be performed using
+            # these UID/GID values instead of those from the user on the system where the EFS is mounted. If you intend
+            # to use the same EFS file-system for other purposes (e.g. render assets, plug-in storage), you may want to
+            # evaluate the UID/GID permissions based on your requirements.
+            posix_user=PosixUser(
+                uid='10000',
+                gid='10000'
             )
         )
 
+        self.mountable_file_system = MountableEfs(
+            self,
+            filesystem=file_system,
+            access_point=access_point
+        )
+
         # The database to connect Deadline to.
         self.database: Optional[DatabaseConnection] = None
 

examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/lib/storage_tier.py

@@ -18,7 +18,7 @@
 
     install_requires=[
         "aws-cdk.core==1.91.0",
-        "aws-rfdk==0.26.0"
+        "aws-rfdk==0.27.0"
     ],
 
     python_requires=">=3.7",

examples/deadline/All-In-AWS-Infrastructure-Basic/python/setup.py

@@ -98,7 +98,7 @@ if (config.deployMongoDB) {
 const service = new ServiceTier(app, 'ServiceTier', {
   env,
   database: storage.database,
-  fileSystem: storage.fileSystem,
+  mountableFileSystem: storage.mountableFileSystem,
   vpc: network.vpc,
   deadlineVersion: config.deadlineVersion,
   ublCertsSecretArn: config.ublCertificatesSecretArn,

examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/app.ts

@@ -31,11 +31,11 @@ class AppConfig {
   public readonly deadlineVersion?: string;
 
   /**
-   * A map of regions to Deadline Client Linux AMIs. As an example, the Linux Deadline 10.1.12.1 AMI ID from us-west-2
-   * is filled in. It can be used as-is, added to, or replaced. Ideally the version here should match the one in
-   * package.json used for staging the render queue and usage based licensing recipes.
+   * A map of regions to Deadline Client Linux AMIs. As an example, the Linux Deadline 10.1.13.2 AMI ID from us-west-2
+   * is filled in. It can be used as-is, added to, or replaced. Ideally the version here should match the version of
+   * Deadline used in any connected Deadline constructs.
    */
-  public readonly deadlineClientLinuxAmiMap: Record<string, string> = {['us-west-2']: 'ami-039f0c1faba28b015'};
+  public readonly deadlineClientLinuxAmiMap: Record<string, string> = {['us-west-2']: 'ami-0237f13ce87af168e'};
 
   /**
    * (Optional) A secret (in binary form) in SecretsManager that stores the UBL certificates in a .zip file.

examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/config.ts

@@ -17,7 +17,7 @@ import {
 } from '@aws-cdk/aws-route53';
 import * as cdk from '@aws-cdk/core';
 import {
-  IMountableLinuxFilesystem,
+  MountableEfs,
   X509CertificatePem,
 } from 'aws-rfdk';
 import {
@@ -33,7 +33,6 @@ import {
 import {
   Secret,
 } from '@aws-cdk/aws-secretsmanager';
-import { Duration } from '@aws-cdk/core';
 import { SessionManagerHelper } from 'aws-rfdk/lib/core';
 
 /**
@@ -51,9 +50,9 @@ export interface ServiceTierProps extends cdk.StackProps {
   readonly database: DatabaseConnection;
 
   /**
-   * The file system to install Deadline Repository to.
+   * The file-system to install Deadline Repository to.
    */
-  readonly fileSystem: IMountableLinuxFilesystem;
+  readonly mountableFileSystem: MountableEfs;
 
   /**
    * Our self-signed root CA certificate for the internal endpoints in the farm.
@@ -136,11 +135,15 @@ export class ServiceTier extends cdk.Stack {
         volume: BlockDeviceVolume.ebs(50, {
           encrypted: true,
         })},
-      ]
+      ],
     });
-    // Granting the bastion access to the file system mount for convenience
+    props.database.allowConnectionsFrom(this.bastion);
+
+    // Granting the bastion access to the entire EFS file-system.
     // This can also be safely removed
-    props.fileSystem.mountToLinuxInstance(this.bastion.instance, {
+    new MountableEfs(this, {
+      filesystem: props.mountableFileSystem.fileSystem,
+    }).mountToLinuxInstance(this.bastion.instance, {
       location: '/mnt/efs',
     });
 
@@ -152,8 +155,9 @@ export class ServiceTier extends cdk.Stack {
       vpc: props.vpc,
       version: this.version,
       database: props.database,
-      fileSystem: props.fileSystem,
-      repositoryInstallationTimeout: Duration.minutes(20),
+      fileSystem: props.mountableFileSystem,
+      repositoryInstallationTimeout: cdk.Duration.minutes(20),
+      repositoryInstallationPrefix: "/",
     });
 
     const images = new ThinkboxDockerImages(this, 'Images', {

examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/service-tier.ts

@@ -10,11 +10,13 @@ import {
 } from '@aws-cdk/aws-ec2';
 import * as cdk from '@aws-cdk/core';
 import { DatabaseCluster } from '@aws-cdk/aws-docdb';
-import { FileSystem } from '@aws-cdk/aws-efs';
+import {
+  AccessPoint,
+  FileSystem,
+} from '@aws-cdk/aws-efs';
 import { IPrivateHostedZone } from '@aws-cdk/aws-route53';
 import { RemovalPolicy, Duration } from '@aws-cdk/core';
 import {
-  IMountableLinuxFilesystem,
   MongoDbInstance,
   MongoDbPostInstallSetup,
   MongoDbSsplLicenseAcceptance,
@@ -45,9 +47,9 @@ export interface StorageTierProps extends cdk.StackProps {
  */
 export abstract class StorageTier extends cdk.Stack {
   /**
-   * The file system to use (e.g. to install Deadline Repository onto).
+   * The mountable file-system to use for the Deadline Repository
    */
-  public readonly fileSystem: IMountableLinuxFilesystem;
+  public readonly mountableFileSystem: MountableEfs;
 
   /**
    * The database to connect Deadline to.
@@ -63,15 +65,45 @@ export abstract class StorageTier extends cdk.Stack {
   constructor(scope: cdk.Construct, id: string, props: StorageTierProps) {
     super(scope, id, props);
 
-    this.fileSystem = new MountableEfs(this, {
-      filesystem: new FileSystem(this, 'EfsFileSystem', {
-        vpc: props.vpc,
-        encrypted: true,
-        // TODO - Evaluate this removal policy for your own needs. This is set to DESTROY to
-        // cleanly remove everything when this stack is destroyed. If you would like to ensure
-        // that your data is not accidentally deleted, you should modify this value.
-        removalPolicy: RemovalPolicy.DESTROY,
-      }),
+    const fileSystem = new FileSystem(this, 'EfsFileSystem', {
+      vpc: props.vpc,
+      encrypted: true,
+      // TODO - Evaluate this removal policy for your own needs. This is set to DESTROY to
+      // cleanly remove everything when this stack is destroyed. If you would like to ensure
+      // that your data is not accidentally deleted, you should modify this value.
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // Create an EFS access point that is used to grant the Repository and RenderQueue with write access to the Deadline
+    // Repository directory in the EFS file-system.
+    const accessPoint = new AccessPoint(this, 'AccessPoint', {
+      fileSystem,
+
+      // The AccessPoint will create the directory (denoted by the "path" property below) if it doesn't exist with the
+      // owning UID/GID set as specified here. These should be set up to grant read and write access to the UID/GID
+      // configured in the "poxisUser" property below.
+      createAcl: {
+        ownerGid: '10000',
+        ownerUid: '10000',
+        permissions: '750',
+      },
+
+      // When you mount the EFS via the access point, the mount will be rooted at this path in the EFS file-system
+      path: '/DeadlineRepository',
+
+      // TODO - When you mount the EFS via the access point, all file-system operations will be performed using these
+      // UID/GID values instead of those from the user on the system where the EFS is mounted. If you intend to use the
+      // same EFS file-system for other purposes (e.g. render assets, plug-in storage), you may want to evaluate the
+      // UID/GID permissions based on your requirements.
+      posixUser: {
+        uid: '10000',
+        gid: '10000',
+      },
+    });
+
+    this.mountableFileSystem = new MountableEfs(this, {
+      filesystem: fileSystem,
+      accessPoint,
     });
   }
 }

examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/storage-tier.ts

@@ -1,6 +1,6 @@
 {
   "name": "all-in-farm-basic",
-  "version": "0.26.0",
+  "version": "0.27.0",
   "bin": {
     "app": "bin/app.js"
   },
@@ -21,7 +21,7 @@
   },
   "dependencies": {
     "@aws-cdk/core": "1.91.0",
-    "aws-rfdk": "0.26.0",
+    "aws-rfdk": "0.27.0",
     "source-map-support": "^0.5.19"
   }
 }

examples/deadline/All-In-AWS-Infrastructure-Basic/ts/package.json

@@ -18,7 +18,7 @@
 
     install_requires=[
         "aws-cdk.core==1.91.0",
-        "aws-rfdk==0.26.0"
+        "aws-rfdk==0.27.0"
     ],
 
     python_requires=">=3.7",