Update RES templates

res/Makefile

@@ -0,0 +1,13 @@
+
+diff-base:
+	meld res-demo-original/bi.yaml res-demo-with-cidr/bi.yaml &
+	meld res-demo-original/keycloak.yaml res-demo-with-cidr/keycloak.yaml &
+	meld res-demo-original/res-sso-keycloak.yaml res-demo-with-cidr/res-sso-keycloak.yaml &
+	meld res-demo-original/res.ldif res-demo-with-cidr/res.ldif &
+
+diff-top:
+	meld res-demo-original/res-demo-stack.yaml res-demo-with-cidr/res-demo-stack.yaml &
+	meld res-demo-with-cidr/res-demo-stack.yaml res-demo-with-cidr/res-bi-only.yaml &
+	meld res-demo-with-cidr/res-demo-stack.yaml res-demo-with-cidr/res-only.yaml &
+
+diff: diff-base diff-top

res/download-res-templates.sh

@@ -7,8 +7,10 @@
 
 script_dir=$(dirname $(realpath $0))
 cd $script_dir
-aws s3 cp s3://aws-hpc-recipes/main/recipes/res/res_demo_env/assets/res-demo-stack.yaml res-demo-original/.
-aws s3 cp s3://aws-hpc-recipes/main/recipes/res/res_demo_env/assets/bi.yaml res-demo-original/.
-aws s3 cp s3://aws-hpc-recipes/main/recipes/net/hpc_large_scale/assets/main.yaml res-demo-original/networking.yaml
+aws s3 cp s3://aws-hpc-recipes/main/recipes/res/res_demo_env/assets/bi.yaml               res-demo-original/.
+aws s3 cp s3://aws-hpc-recipes/main/recipes/res/res_demo_env/assets/keycloak.yaml         res-demo-original/.
+aws s3 cp s3://aws-hpc-recipes/main/recipes/res/res_demo_env/assets/res-demo-stack.yaml   res-demo-original/.
+aws s3 cp s3://aws-hpc-recipes/main/recipes/res/res_demo_env/assets/res-sso-keycloak.yaml res-demo-original/.
+aws s3 cp s3://aws-hpc-recipes/main/recipes/net/hpc_large_scale/assets/main.yaml          res-demo-original/networking.yaml
 
 aws s3 cp s3://aws-hpc-recipes/main/recipes/res/res_demo_env/assets/res.ldif res-demo-original/.

res/res-demo-original/bi.yaml

@@ -36,21 +36,22 @@ Parameters:
   EnvironmentName:
     Description: (Optional) EnvironmentName must start with "res-"and should be less than or equal to 11 characters. Required to generate certificates.
     Type: String
-    AllowedPattern: ^res-[A-Za-z\-\_0-9]{0,7}$
+    AllowedPattern: ^$|^res-[A-Za-z\-\_0-9]{0,7}$
+
     Default: res-demo
   AdminPassword:
     Description: Provide the Active Directory Administrator Account Password Directly or Resource ARN to Secret Containing Password.
     Type: String
     MinLength: 8
     MaxLength: 2048
-    AllowedPattern: (arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)|(?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))^.*
+    AllowedPattern: (arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|il|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)|(?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))^.*
     NoEcho: true
   ServiceAccountPassword:
     Description: Provide the Active Directory Service Account Password Directly or Resource ARN to Secret Containing Password.
     Type: String
     MinLength: 8
     MaxLength: 2048
-    AllowedPattern: (arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)|(?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))^.*
+    AllowedPattern: (arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|il|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)|(?=^.{8,64}$)((?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9\s])(?=.*[a-z])|(?=.*[^A-Za-z0-9\s])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9\s]))^.*
     NoEcho: true
   LDIFS3Path:
     Description: (Optional) An S3 Path (without the s3://) to an LDIF file that will be used during stack creation.
@@ -482,7 +483,7 @@ Resources:
                     response_data['Message'] = 'Resource creation successful!'
                     physical_resource_id = create_physical_resource_id()
 
-                    secretsmanager_arn_regex_pattern = r"(arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)"
+                    secretsmanager_arn_regex_pattern = r"(arn:(aws(-cn|-us-gov)?):secretsmanager:(us(-gov)?|ap|ca|cn|eu|il|sa)-(central|(north|south)?(east|west)?)-\d:\d{12}:secret:[a-zA-Z0-9/_+=.@-]+)"
                     admin_arn_match = re.search(secretsmanager_arn_regex_pattern, admin_password)
                     service_account_arn_match = re.search(secretsmanager_arn_regex_pattern, service_account_password)
 
@@ -547,10 +548,8 @@ Outputs:
     Value: !Sub
       - dc=${dc}
       - { dc: !Join [",dc=", !Split [".", !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName] ] ] ]] }
-  ServiceAccountUsername:
-    Value: ServiceAccount
-  ServiceAccountPasswordSecretArn:
-    Value: !GetAtt [ DirectoryService, Outputs.PasswordSecretArn ]
+  ServiceAccountCredentialsSecretArn:
+    Value: !GetAtt [ DirectoryService, Outputs.CredentialsSecretArn ]
   ServiceAccountUserDN:
     Description: The Distinguished Name (DN) of the ServiceAccount user in your Active Directory
     Value: !Sub
@@ -568,11 +567,6 @@ Outputs:
     Value: !Sub
       - OU=Users,OU=RES,OU=${ou},DC=${dc}
       - { dc: !Join [",DC=", !Split [".", !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName]]]]], ou:  !GetAtt [ DirectoryService, Outputs.DomainShortName ]}
-  SudoersOU:
-    Description: The OU for users who should have sudoers permission across all projects. The value provided here is based off of a supplied LDIF file.
-    Value: !Sub
-      - OU=Users,OU=RES,OU=${ou},DC=${dc}
-      - { dc: !Join [",DC=", !Split [".", !If [ SubDomainNotProvided, !Ref DomainName, !Join [ ".", [ !Ref SubDomain, !Ref DomainName]]]]], ou:  !GetAtt [ DirectoryService, Outputs.DomainShortName ]}
   ComputersOU:
     Description: The OU for computers that join the AD. The value provided here is based off of a supplied LDIF file.
     Value: !Sub