fix(aws-batch): Support omitting ComputeEnvironment security groups s…

…o that they can be specified in Launch Template (#21579)

HPC Batch applications frequently require Elastic Fabric Adapters for low-latency networking.  Currently, the `ComputeEnvironment` construct always automatically defines a set of `SecurityGroupIds` in the CloudFormation it generates, and this prevents the stack deploying if the LaunchTemplate contains network interface definitions; Batch does not allow SecurityGroups at the `ComputeEnvironment` level if there are network interfaces defined in the `CfnLaunchTemplate`.

Since we do not currently have support for network interfaces this PR adds a new boolean property in `launchTemplate` called `useNetworkInterfaceSecurityGroups`. When this is enabled we will assume that security groups are being provided by the launch template.

A long term solution may be to:
- Add support for network interfaces in the L2 ec2.LaunchTemplate construct.
- Update the batch.ComputeEnvironment construct to take a ILaunchTemplate instead of the name/id.
- Check the ILaunchTemplate for whether the ComputeEnvironment needs to create any security groups.

closes #21577 

----

### All Submissions:

* [yes] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [no] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [yes] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [yes] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-batch/README.md

@@ -187,6 +187,43 @@ const myComputeEnv = new batch.ComputeEnvironment(this, 'ComputeEnv', {
 });
 ```
 
+Note that if your launch template explicitly specifies network interfaces,
+for example to use an Elastic Fabric Adapter, you must use those security groups rather
+than allow the `ComputeEnvironment` to define them. This is done by setting
+`useNetworkInterfaceSecurityGroups` in the launch template property of the environment.
+For example:
+
+```ts
+declare const vpc: ec2.Vpc;
+
+const efaSecurityGroup = new ec2.SecurityGroup(this, 'EFASecurityGroup', {
+ vpc,
+});
+
+const launchTemplateEFA = new ec2.CfnLaunchTemplate(this, 'LaunchTemplate', {
+ launchTemplateName: 'LaunchTemplateName',
+ launchTemplateData: {
+ networkInterfaces: [{
+ deviceIndex: 0,
+ subnetId: vpc.privateSubnets[0].subnetId,
+ interfaceType: 'efa',
+ groups: [efaSecurityGroup.securityGroupId],
+ }],
+ },
+});
+
+const computeEnvironmentEFA = new batch.ComputeEnvironment(this, 'EFAComputeEnv', {
+ managed: true,
+ computeResources: {
+ vpc,
+ launchTemplate: {
+ launchTemplateName: launchTemplateEFA.launchTemplateName as string,
+ useNetworkInterfaceSecurityGroups: true,
+ },
+ },
+});
+```
+
 ### Importing an existing Compute Environment
 
 To import an existing batch compute environment, call `ComputeEnvironment.fromComputeEnvironmentArn()`.

packages/@aws-cdk/aws-batch/lib/compute-environment.ts

@@ -83,6 +83,19 @@ export interface LaunchTemplateSpecification {
  * @default - the default version of the launch template
  */
  readonly version?: string;
+ /**
+ * Use security groups defined in the launch template network interfaces
+ *
+ * In some cases, such as specifying Elastic Fabric Adapters,
+ * network interfaces must be used to specify security groups. This
+ * parameter tells the Compute Environment construct that this is your
+ * intention, and stops it from creating its own security groups. This
+ * parameter is mutually exclusive with securityGroups in the Compute
+ * Environment
+ *
+ * @default - false
+ */
+ readonly useNetworkInterfaceSecurityGroups?: boolean;
 }
 
 /**
@@ -138,9 +151,11 @@ export interface ComputeResources {
  readonly instanceTypes?: ec2.InstanceType[];
 
  /**
- * The EC2 security group(s) associated with instances launched in the compute environment.
+ * Up to 5 EC2 security group(s) associated with instances launched in the compute environment.
+ *
+ * This parameter is mutually exclusive with launchTemplate.useNetworkInterfaceSecurityGroups
  *
- * @default - AWS default security group.
+ * @default - Create a single default security group.
  */
  readonly securityGroups?: ec2.ISecurityGroup[];
 
@@ -375,7 +390,9 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment,
  const spotFleetRole = this.getSpotFleetRole(props);
  let computeResources: CfnComputeEnvironment.ComputeResourcesProperty | undefined;
 
- this.connections = this.buildConnections(props.computeResources?.vpc, props.computeResources?.securityGroups);
+ const useLaunchTemplateNetworkInterface = props.computeResources?.launchTemplate?.useNetworkInterfaceSecurityGroups ? true : false;
+
+ this.connections = this.buildConnections(useLaunchTemplateNetworkInterface, props.computeResources?.vpc, props.computeResources?.securityGroups);
 
  // Only allow compute resources to be set when using MANAGED type
  if (props.computeResources && this.isManaged(props)) {
@@ -388,7 +405,7 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment,
  launchTemplate: props.computeResources.launchTemplate,
  maxvCpus: props.computeResources.maxvCpus || 256,
  placementGroup: props.computeResources.placementGroup,
- securityGroupIds: this.getSecurityGroupIds(),
+ securityGroupIds: this.getSecurityGroupIds(useLaunchTemplateNetworkInterface),
  spotIamFleetRole: spotFleetRole?.roleArn,
  subnets: props.computeResources.vpc.selectSubnets(props.computeResources.vpcSubnets).subnetIds,
  tags: props.computeResources.computeResourcesTags,
@@ -547,6 +564,12 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment,
  throw new Error('You must specify either the launch template ID or launch template name in the request.');
  }
 
+ // useNetworkInterfaceSecurityGroups cannot have securityGroups defined
+ if (props.computeResources.launchTemplate?.useNetworkInterfaceSecurityGroups &&
+ props.computeResources.securityGroups ) {
+ throw new Error('securityGroups cannot be specified if launchTemplate useNetworkInterfaceSecurityGroups is active');
+ }
+
  // Setting a bid percentage is only allowed on SPOT resources +
  // Cannot use SPOT_CAPACITY_OPTIMIZED when using ON_DEMAND
  if (props.computeResources.type === ComputeResourceType.ON_DEMAND) {
@@ -584,9 +607,9 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment,
  return instanceTypes.map((type: ec2.InstanceType) => type.toString());
  }
 
- private buildConnections(vpc?: ec2.IVpc, securityGroups?:ec2.ISecurityGroup[]): ec2.Connections {
+ private buildConnections(useLaunchTemplateNetworkInterface: boolean, vpc?: ec2.IVpc, securityGroups?:ec2.ISecurityGroup[]): ec2.Connections {
 
- if (vpc === undefined) {
+ if (vpc === undefined || useLaunchTemplateNetworkInterface ) {
  return new ec2.Connections({});
  }
 
@@ -597,12 +620,12 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment,
  ],
  });
  }
-
  return new ec2.Connections({ securityGroups });
  };
 
- private getSecurityGroupIds(): string[] | undefined {
- if (this.connections === undefined) {
+ private getSecurityGroupIds(useLaunchTemplateInterface: boolean): string[] | undefined {
+ if (this.connections === undefined ||
+ useLaunchTemplateInterface ) {
  return undefined;
  }
 

packages/@aws-cdk/aws-batch/test/batch-with-efa.integ.snapshot/BatchWithEFATestDefaultTestDeployAssertDAD33663.template.json

@@ -0,0 +1 @@
+{}