Using CloudFormation Cluster in Turbot

CloudFormation cluster (CfnCluster) is a framework that deploys and maintains high performance computing clusters on Amazon Web Services (AWS). Developed by AWS, CfnCluster facilitates both quick start proof of concepts (POCs) and production deployments. CfnCluster supports many different types of clustered applications and can easily be extended to support different frameworks.

This guide provides information for teams wishing to run CfnCluster within Turbot’s guardrails.

Enabling AWS Services in Turbot

CfnCluster uses a wide range of AWS Services, all orchestrated through CloudFormation. Please ensure the full range of AWS Services is enabled as Turbot Apps, including:

  • CloudFormation
  • CloudWatch
  • DynamoDB
  • EC2:
    • EC2 instances
    • Autoscaling
    • EBS
  • IAM
  • SNS
  • SQS
  • KMS (optional - required if using encryption for EBS volumes)
  • S3 (optional - used by CloudFormation only)

IAM Access and CfnCluster

CfnCluster requires the use of two separate roles / users:

  • CfnClusterUser - Used by the CfnCluster scripts to run CloudFormation and create resources.
  • CfnClusterInstance - Used by CfnCluster EC2 nodes.

Per the IAM Guardrails, Turbot will lock down users and roles in AWS to the permissions available by policy in that AWS account.

Turbot recommends the following setup for CfnCluster:

  1. Create an IAM Role (e.g. CfnClusterUser) that is used for the CfnCluster launcher EC2 instance. This Role should be granted the CfnClusterUserPolicy as defined in the CfnCluster IAM documentation. Turbot will automatically add Lockdown policies to this IAM role, but this does not affect its operation since its permission requirements are within the Turbot guardrail limits.

  2. Create an IAM Role (e.g. CfnClusterInstance) that is used by CfnCluster for the EC2 nodes it creates. By default, CfnCluster creates this role itself through CloudFormation (i.e. RootRole), but in Turbot we recommend creating it manually first and specifying the role in the CfnCluster options. The reason is that Turbot adds Lockdown policies to the role; when CfnCluster later deletes the CloudFormation stack, deletion of the IAM Role fails because it has policies attached that CloudFormation did not create, and the stack deletion fails with it. Creating the role manually keeps it out of CloudFormation, avoiding this conflict. This role should be granted the CfnClusterInstancePolicy as defined in the CfnCluster IAM documentation.

Turbot Options required for CfnCluster

If your environment requires CfnCluster itself to create IAM Roles (rather than using a pre-created role as recommended above), ensure that the user has the right to take IAM actions in AWS. For non-owners, this means AWS > Restrict IAM to Owners must be Disabled.

AMIs, Operating System & User Management

CfnCluster has two types of instances that get run in the VPC:

  • Launcher instance - Human login to use cfncluster commands. Uses the CfnClusterUser role.
  • Cluster instances - Managed by CfnCluster. Use the CfnClusterInstance role.

Turbot recommends the use of your standard Linux AMI for the launcher instance, including Turbot managed Linux.

For Cluster instances, CfnCluster has its own AMI to use. This should be combined with a custom EC2 SSH key pair. Do not use the turbot SSH key pair for these instances, as Turbot hardening and user management may interfere with the CfnCluster instances.

Note that the CfnCluster AMI will need to be added to the EC2 list of Current AMIs in Turbot to ensure it can be launched in the environment.

Setting up cfncluster

The CfnCluster launcher can run a standard Turbot Linux OS with hardening and user management. Simply start a Linux instance with the turbot SSH key pair and the CfnClusterUser IAM Role described above.

After logging into the launcher instance, install CfnCluster:

sudo yum install -y epel-release
sudo yum install -y python-pip
sudo pip install cfncluster
cfncluster configure

Example CfnCluster config file

Here is an example CfnCluster configuration file. It is located at ~/.cfncluster/config on the CfnCluster launcher instance.

[aws]
aws_region_name = us-east-1

[cluster demo]
vpc_settings = demovpc
# Use a custom EC2 SSH key pair. The turbot pair causes configuration of the instance
# leading to signal failures during CloudFormation setup (perhaps a reboot or similar?).
key_name = nathan-aba-us-east-1
# Use a custom IAM Role rather than creating in CfnCluster. Turbot automatically
# adds lockdown policies to the role, so deletion through CloudFormation fails
# since it is not aware of those policies. Using a custom role avoids that problem.
ec2_iam_role = CfnClusterInstance

[vpc demovpc]
vpc_id = vpc-74b7ba11
master_subnet_id = subnet-bbacf0cc
# Do not assign public IPs in a private subnet
use_public_ips = false
# Use the default security group instead of creating one
vpc_security_group_id = sg-d69f72b1
# Add the WebDMZ security group for ganglia access
additional_sg = sg-46c57d21

[global]
update_check = true
sanity_check = true
cluster_template = demo
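The recommendations above (pre-created ec2_iam_role, a non-Turbot key pair, no public IPs in a private subnet, an existing security group) are easy to forget when a config is copied between teams. The following linter is an added example, not code from Turbot or CfnCluster: it reads a config in the INI layout shown on this page and reports violations of those guardrails. The sample config embedded in it is constructed for the example (placeholder IDs), and the rule that an absent use_public_ips counts as true is an assumption matching CfnCluster's documented default.

```python
"""Lint a CfnCluster config against the Turbot guardrails on this page.

Added example, not part of Turbot or CfnCluster. Assumes the INI layout shown
above: [aws], [global], [cluster NAME], [vpc NAME]. The sample below is
constructed for this example; the IDs are placeholders.
"""
import configparser

# Constructed sample: deliberately violates two guardrails (turbot key pair,
# public IPs enabled) so the linter has something to report.
SAMPLE_CONFIG = """
[aws]
aws_region_name = us-east-1

[cluster demo]
vpc_settings = demovpc
key_name = turbot
ec2_iam_role = CfnClusterInstance

[vpc demovpc]
vpc_id = vpc-00000000
master_subnet_id = subnet-00000000
use_public_ips = true
vpc_security_group_id = sg-00000000

[global]
update_check = true
sanity_check = true
cluster_template = demo
"""


def load_config(text):
    """Parse CfnCluster's INI-style config; '#' comment lines are ignored."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def lint(cp):
    """Return a list of guardrail findings (empty list means the config is clean)."""
    findings = []
    template = cp.get("global", "cluster_template", fallback=None)
    if template is None:
        return ["global: cluster_template not set"]
    cluster = "cluster %s" % template
    if not cp.has_section(cluster):
        return ["global: cluster_template '%s' has no [%s] section" % (template, cluster)]

    # Guardrail 1: the node role must be pre-created and named here. If it is
    # absent, CfnCluster builds RootRole inside the CloudFormation stack, Turbot
    # attaches Lockdown policies to it, and stack deletion later fails.
    if not cp.get(cluster, "ec2_iam_role", fallback=""):
        findings.append("%s: ec2_iam_role not set; CfnCluster would create RootRole "
                        "in CloudFormation and Turbot lockdown policies would block "
                        "stack deletion" % cluster)

    # Guardrail 2: use a custom EC2 key pair, never the Turbot-managed one.
    key = cp.get(cluster, "key_name", fallback="")
    if not key:
        findings.append("%s: key_name not set" % cluster)
    elif "turbot" in key.lower():
        findings.append("%s: key_name '%s' looks like the Turbot key pair; "
                        "use a custom key pair" % (cluster, key))

    # Guardrail 3: VPC section must exist, with no public IPs and a supplied SG.
    vpc_name = cp.get(cluster, "vpc_settings", fallback=None)
    vpc = "vpc %s" % vpc_name
    if vpc_name is None or not cp.has_section(vpc):
        findings.append("%s: vpc_settings missing or [%s] section not found" % (cluster, vpc))
        return findings
    # Assumption: an absent use_public_ips behaves as true (CfnCluster's default).
    if cp.getboolean(vpc, "use_public_ips", fallback=True):
        findings.append("%s: use_public_ips is not false; set it to false "
                        "for a private subnet" % vpc)
    if not cp.get(vpc, "vpc_security_group_id", fallback=""):
        findings.append("%s: vpc_security_group_id not set; CfnCluster would "
                        "create its own security group" % vpc)
    return findings


def lint_text(text):
    """Convenience wrapper: parse and lint a config given as a string."""
    return lint(load_config(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against ~/.cfncluster/config on the launcher (read the file and pass its contents to lint_text) before the first cfncluster create; the two findings it reports for the constructed sample are exactly the two misconfigurations the comments in the example config above warn about.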