Merge pull request #610 from awslabs/develop

1.6.1 develop to master merge

CHANGELOG.rst

@@ -2,6 +2,10 @@
 CHANGELOG
 =========
 
+1.6.1
+=====
+* Fix a bug in `cfncluster configure` introduced in 1.6.0
+
 1.6.0
 =====
 * Refactor scaling up to take into account the number of pending/requested jobs/slots and instance slots.

README.rst

@@ -108,9 +108,9 @@ Changes
 
 CfnCluster 1.6 IAM Change
 =========================
-Between CfnCluster 1.5.3 and 1.6.0 we made a change to the CfnClusterInstancePolicy that adds “s3:GetObject” permissions
+Between CfnCluster 1.5.4 and 1.6.0 we made a change to the CfnClusterInstancePolicy that adds “s3:GetObject” permissions
 on objects in <REGION>-cfncluster bucket, "autoscaling:SetDesiredCapacity", "autoscaling:DescribeTags" permissions and
-"cloudformation:DescribeStacks" permissions on <REGION>:<ACCOUNT_NAME>:<STACK_NAME>.
+"cloudformation:DescribeStacks" permissions on <REGION>:<ACCOUNT_ID>:stack/cfncluster-*.
 
 If you’re using a custom policy (e.g. you specify "ec2_iam_role" in your config) be sure it includes this new permission. See https://cfncluster.readthedocs.io/en/latest/iam.html
 

cli/cfncluster/cfnconfig.py

@@ -153,7 +153,7 @@ def __init__(self, args):
                 print("ERROR: key_name set in [%s] section but not defined." % self.__cluster_section)
                 sys.exit(1)
             if self.__sanity_check:
-                config_sanity.check_resource(self.region, self.args.cluster_name, self.aws_access_key_id, self.aws_secret_access_key,
+                config_sanity.check_resource(self.region, self.aws_access_key_id, self.aws_secret_access_key,
                                              'EC2KeyPair', self.key_name)
         except configparser.NoOptionError:
             print("ERROR: Missing key_name option in [%s] section." % self.__cluster_section)
@@ -173,7 +173,7 @@ def __init__(self, args):
                         print("ERROR: template_url set in [%s] section but not defined." % self.__cluster_section)
                         sys.exit(1)
                     if self.__sanity_check:
-                        config_sanity.check_resource(self.region, self.args.cluster_name, self.aws_access_key_id, self.aws_secret_access_key,
+                        config_sanity.check_resource(self.region, self.aws_access_key_id, self.aws_secret_access_key,
                                                      'URL', self.template_url)
                 except configparser.NoOptionError:
                     if self.region == 'us-gov-west-1':
@@ -208,7 +208,7 @@ def __init__(self, args):
                                                     % (key, self.__vpc_section))
                     sys.exit(1)
                 if self.__sanity_check and self.__vpc_options.get(key)[1] is not None:
-                    config_sanity.check_resource(self.region, self.args.cluster_name, self.aws_access_key_id, self.aws_secret_access_key,
+                    config_sanity.check_resource(self.region, self.aws_access_key_id, self.aws_secret_access_key,
                                                 self.__vpc_options.get(key)[1],__temp__)
                 self.parameters.append((self.__vpc_options.get(key)[0],__temp__))
             except configparser.NoOptionError:
@@ -245,7 +245,7 @@ def __init__(self, args):
                                                     % (key, self.__cluster_section))
                     sys.exit(1)
                 if self.__sanity_check and self.__cluster_options.get(key)[1] is not None:
-                    config_sanity.check_resource(self.region, self.args.cluster_name, self.aws_access_key_id, self.aws_secret_access_key,
+                    config_sanity.check_resource(self.region, self.aws_access_key_id, self.aws_secret_access_key,
                                                 self.__cluster_options.get(key)[1],__temp__)
                 self.parameters.append((self.__cluster_options.get(key)[0],__temp__))
             except configparser.NoOptionError:
@@ -294,7 +294,7 @@ def __init__(self, args):
                                                     % (key, self.__ebs_section))
                             sys.exit(1)
                         if self.__sanity_check and self.__ebs_options.get(key)[1] is not None:
-                            config_sanity.check_resource(self.region, self.args.cluster_name, self.aws_access_key_id, self.aws_secret_access_key,
+                            config_sanity.check_resource(self.region, self.aws_access_key_id, self.aws_secret_access_key,
                                                 self.__ebs_options.get(key)[1],__temp__)
                         self.parameters.append((self.__ebs_options.get(key)[0],__temp__))
                     except configparser.NoOptionError:
@@ -326,7 +326,7 @@ def __init__(self, args):
                                                     % (key, self.__scaling_section))
                             sys.exit(1)
                         if self.__sanity_check and self.__scaling_options.get(key)[1] is not None:
-                            config_sanity.check_resource(self.region, self.args.cluster_name, self.aws_access_key_id, self.aws_secret_access_key,
+                            config_sanity.check_resource(self.region, self.aws_access_key_id, self.aws_secret_access_key,
                                                 self.__scaling_options.get(key)[1],__temp__)
                         self.parameters.append((self.__scaling_options.get(key)[0],__temp__))
                     except configparser.NoOptionError:

cli/cfncluster/config_sanity.py

@@ -25,7 +25,8 @@ def get_partition(region):
         return 'aws-us-gov'
     return 'aws'
 
-def check_resource(region, cluster_name, aws_access_key_id, aws_secret_access_key, resource_type,resource_value):
+
+def check_resource(region, aws_access_key_id, aws_secret_access_key, resource_type, resource_value):
 
     # Loop over all supported resource checks
     # EC2 KeyPair
@@ -56,7 +57,7 @@ def check_resource(region, cluster_name, aws_access_key_id, aws_secret_access_ke
                         (['sqs:SendMessage', 'sqs:ReceiveMessage', 'sqs:ChangeMessageVisibility', 'sqs:DeleteMessage', 'sqs:GetQueueUrl'], "arn:%s:sqs:%s:%s:cfncluster-*" % (partition, region, accountid)),
                         (['autoscaling:DescribeAutoScalingGroups', 'autoscaling:TerminateInstanceInAutoScalingGroup', 'autoscaling:SetDesiredCapacity', 'autoscaling:DescribeTags', 'autoScaling:UpdateAutoScalingGroup'], "*"),
                         (['dynamodb:PutItem', 'dynamodb:Query', 'dynamodb:GetItem', 'dynamodb:DeleteItem', 'dynamodb:DescribeTable'], "arn:%s:dynamodb:%s:%s:table/cfncluster-*" % (partition, region, accountid)),
-                        (['cloudformation:DescribeStacks'], "arn:%s:cloudformation:%s:%s:stack/cfncluster-%s/*" % (partition, region, accountid, cluster_name)),
+                        (['cloudformation:DescribeStacks'], "arn:%s:cloudformation:%s:%s:stack/cfncluster-*" % (partition, region, accountid)),
                         (['s3:GetObject'], "arn:%s:s3:::%s-cfncluster/*" % (partition, region)),
                         (['sqs:ListQueues'], "*"),
                         (['logs:*'], "arn:%s:logs:*:*:*" % partition)]

cli/setup.py

@@ -20,7 +20,7 @@ def read(fname):
     return open(os.path.join(os.path.dirname(__file__), fname)).read()
 
 console_scripts = ['cfncluster = cfncluster.cli:main']
-version = "1.6.0"
+version = "1.6.1"
 requires = ['boto3>=1.7.33', 'awscli>=1.11.175', 'future>=0.16.0']
 
 if sys.version_info[:2] == (2, 6):

cloudformation/cfncluster.cfn.json

@@ -1710,7 +1710,7 @@
     },
     "CfnClusterVersions": {
       "default": {
-        "cfncluster": "cfncluster-1.6.0",
+        "cfncluster": "cfncluster-1.6.1",
         "cookbook": "cfncluster-cookbook-1.6.0",
         "chef": "14.2.0",
         "ridley": "5.1.1",
@@ -1952,11 +1952,7 @@
                       {
                         "Ref": "AWS::AccountId"
                       },
-                      ":stack/",
-                      {
-                        "Ref": "AWS::StackName"
-                      },
-                      "/*"
+                      ":stack/cfncluster-*"
                     ]
                   ]
                 }

docs/source/conf.py

@@ -52,7 +52,7 @@
 # The short X.Y version.
 version = '1.6'
 # The full version, including alpha/beta/rc tags.
-release = '1.6.0'
+release = '1.6.1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/source/iam.rst

@@ -4,7 +4,7 @@ IAM in CfnCluster
 ========================
 
 .. warning::
-    Between CfnCluster 1.5.3 and 1.6.0 we added a change to the `CfnClusterInstancePolicy` that adds “s3:GetObject” permissions on objects in <REGION>-cfncluster bucket and cloudformation:DescribeStacks" permissions on <REGION>:<ACCOUNT_NAME>:<STACK_NAME>
+    Between CfnCluster 1.5.4 and 1.6.0 we added a change to the `CfnClusterInstancePolicy` that adds “s3:GetObject” permissions on objects in <REGION>-cfncluster bucket and cloudformation:DescribeStacks" permissions on <REGION>:<ACCOUNT_ID>:stack/cfncluster-*
     If you're using a custom policy (e.g. you specify "ec2_iam_role" in your config) be sure it includes this new permission.
 
     Between CfnCluster 1.4.2 and 1.5.0 we added a change to the `CfnClusterInstancePolicy` that adds "ec2:DescribeVolumes" permissions. If you're using a custom policy (e.g. you specify "ec2_iam_role" in your config) be sure it includes this new permission.
@@ -107,6 +107,16 @@ CfnClusterInstancePolicy
               "Sid": "S3GetObj",
               "Effect": "Allow"
           },
+          {
+              "Resource": [
+                  "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/cfncluster-*"
+              ],
+              "Action": [
+                  "cloudformation:DescribeStacks"
+              ],
+              "Sid": "CloudFormationDescribe",
+              "Effect": "Allow"
+          },
           {
               "Resource": [
                   "*"