Add the SSM Managed Instance Policy to the networking bastion instanc…

…e used in tests (#5540) This will ensure that it reports the host status to the SSM Association Doc Signed-off-by: <[email protected]> (cherry picked from commit d9faaab)
aws · Nov 30, 2023 · 183c236 · 183c236
1 parent 8603bc0
commit 183c236
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 5 deletions.
diff --git a/tests/integration-tests/cfn_stacks_factory.py b/tests/integration-tests/cfn_stacks_factory.py
@@ -80,6 +80,8 @@ def __init__(self, default_az_id: str = None, az_ids: list = None, **kwargs):
         self.az_override = None
         self.__public_subnet_ids = None
         self.__private_subnet_ids = None
+        if "CAPABILITY_NAMED_IAM" not in self.capabilities:
+            self.capabilities.append("CAPABILITY_NAMED_IAM")
 
     def set_az_override(self, az_override):
         """Sets the az_id to override the default AZ used to pick the subnets."""

diff --git a/tests/integration-tests/network_template_builder.py b/tests/integration-tests/network_template_builder.py
@@ -27,6 +27,7 @@
     VPCEndpoint,
     VPCGatewayAttachment,
 )
+from troposphere.iam import InstanceProfile, Role
 
 TAGS_PREFIX = "ParallelCluster"
 BASTION_INSTANCE_TYPE = "c5.large"
@@ -280,6 +281,25 @@ def __build_vpc_endpoints(self, subnet_id, route_table_ids):
                 )
             )
 
+    def __bastion_instance_profile(self):
+        instance_role = Role(
+            "BastionNetworkingRole",
+            ManagedPolicyArns=["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"],
+            AssumeRolePolicyDocument={
+                "Version": "2012-10-17",
+                "Statement": [
+                    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
+                ],
+            },
+        )
+        self.__template.add_resource(instance_role)
+        instance_profile = InstanceProfile(
+            "BastionInstanceProfile",
+            Roles=[Ref(instance_role)],
+        )
+        self.__template.add_resource(instance_profile)
+        return instance_profile
+
     def __build_bastion_instance(self, bastion_subnet_id):
         bastion_sg = ec2.SecurityGroup(
             "NetworkingTestBastionSG",
@@ -294,11 +314,18 @@ def __build_bastion_instance(self, bastion_subnet_id):
             ],
             VpcId=Ref(self.__vpc),
         )
-        launch_template = ec2.LaunchTemplate.from_dict(
-            "LaunchTemplateIMDSv2",
-            {
-                "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
-            },
+        instance_profile = self.__bastion_instance_profile()
+        launch_template = ec2.LaunchTemplate(
+            "NetworkingBastionLaunchTemplate",
+            LaunchTemplateData=ec2.LaunchTemplateData(
+                MetadataOptions=ec2.MetadataOptions(
+                    HttpTokens="required",
+                    HttpEndpoint="enabled",
+                ),
+                IamInstanceProfile=ec2.IamInstanceProfile(
+                    Arn=GetAtt(instance_profile, "Arn"),
+                ),
+            ),
         )
         self.__template.add_resource(launch_template)
         instance = ec2.Instance(