feat(deadline): validate minimum Deadline version for secrets managem…

…ent (#573)
aws · Oct 21, 2021 · 6d5950e · 6d5950e
1 parent 7420f3c
commit 6d5950e
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 14 deletions.
diff --git a/packages/aws-rfdk/lib/deadline/lib/render-queue.ts b/packages/aws-rfdk/lib/deadline/lib/render-queue.ts
@@ -257,13 +257,6 @@ export class RenderQueue extends RenderQueueBase implements IGrantable {
  */
  private static readonly MINIMUM_LOAD_BALANCING_VERSION = new Version([10, 1, 10, 0]);
 
- // TODO: Update this with the version of Deadline that includes the changes for RFDK Secrets Management.
- // This is a temporary minimum version until this feature branch is merged
- /**
- * The minimum Deadline version required to enable Deadline Secrets Management on the Render Queue.
- */
- private static readonly MINIMUM_SECRETS_MANAGEMENT_VERSION = new Version([10, 1, 15, 0]);
-
  /**
  * Regular expression that validates a hostname (portion in front of the subdomain).
  */
@@ -471,8 +464,8 @@ export class RenderQueue extends RenderQueueBase implements IGrantable {
 
  if (props.repository.secretsManagementSettings.enabled) {
  const errors = [];
- if (props.version.isLessThan(RenderQueue.MINIMUM_SECRETS_MANAGEMENT_VERSION)) {
- errors.push(`The supplied Deadline version (${props.version.versionString}) is lower than the minimum required version: ${RenderQueue.MINIMUM_SECRETS_MANAGEMENT_VERSION.toString()}`);
+ if (props.version.isLessThan(Version.MINIMUM_SECRETS_MANAGEMENT_VERSION)) {
+ errors.push(`The supplied Deadline version (${props.version.versionString}) does not support Deadline Secrets Management in RFDK. Either upgrade Deadline to the minimum required version (${Version.MINIMUM_SECRETS_MANAGEMENT_VERSION.versionString}) or disable the feature in the Repository's construct properties.`);
  }
  if (props.repository.secretsManagementSettings.credentials === undefined) {
  errors.push('The Repository does not have Secrets Management credentials');

diff --git a/packages/aws-rfdk/lib/deadline/lib/repository.ts b/packages/aws-rfdk/lib/deadline/lib/repository.ts
@@ -77,6 +77,7 @@ import {
 
 import { DatabaseConnection } from './database-connection';
 import { IHost } from './host-ref';
+import { Version } from './version';
 import { VersionQuery } from './version-query';
 import { IVersion } from './version-ref';
 
@@ -596,10 +597,17 @@ export class Repository extends Construct implements IRepository {
 
  this.version = props.version;
 
+ const meetsMinSecretsVersion = !this.version.isLessThan(Version.MINIMUM_SECRETS_MANAGEMENT_VERSION);
+ const secretsManagementIsEnabled = props.secretsManagementSettings?.enabled ?? meetsMinSecretsVersion;
+
+ if (secretsManagementIsEnabled && !meetsMinSecretsVersion) {
+ throw new Error(`The supplied Deadline version (${props.version.versionString}) does not support Deadline Secrets Management in RFDK. Either upgrade Deadline to the minimum required version (${Version.MINIMUM_SECRETS_MANAGEMENT_VERSION.versionString}) or disable the feature in the Repository's construct properties.`);
+ }
+
  this.secretsManagementSettings = {
- enabled: props.secretsManagementSettings?.enabled ?? true,
+ enabled: secretsManagementIsEnabled,
  credentials: props.secretsManagementSettings?.credentials ??
- ((props.secretsManagementSettings?.enabled ?? true) ? new Secret( props.database?.databaseConstruct ? Stack.of(props.database?.databaseConstruct) : this, 'SMAdminUser', {
+ (secretsManagementIsEnabled ? new Secret( props.database?.databaseConstruct ? Stack.of(props.database?.databaseConstruct) : this, 'SMAdminUser', {
  description: 'Admin credentials for Deadline Secrets Management',
  generateSecretString: {
  excludeCharacters: '\"$&\'()/<>[\\]\`{|}',

diff --git a/packages/aws-rfdk/lib/deadline/lib/version.ts b/packages/aws-rfdk/lib/deadline/lib/version.ts
@@ -17,6 +17,11 @@ export class Version implements IPatchVersion {
  */
  public static readonly MINIMUM_SUPPORTED_DEADLINE_VERSION = new Version([10, 1, 9, 2]);
 
+ /**
+ * The minimum Deadline version required to enable Deadline Secrets Management.
+ */
+ public static readonly MINIMUM_SECRETS_MANAGEMENT_VERSION = new Version([10, 1, 19, 0]);
+
  /**
  * This method parses the input string and returns the version object.
  *

diff --git a/packages/aws-rfdk/lib/deadline/test/render-queue.test.ts b/packages/aws-rfdk/lib/deadline/test/render-queue.test.ts
@@ -84,6 +84,7 @@ import {
  Repository,
  SecretsManagementRegistrationStatus,
  SecretsManagementRole,
+ Version,
  VersionQuery,
 } from '../lib';
 import { SecretsManagementIdentityRegistration } from '../lib/secrets-management';
@@ -2841,7 +2842,7 @@ describe('RenderQueue', () => {
 
  // THEN
  /* eslint-disable-next-line dot-notation */
- .toThrowError(`The supplied Deadline version (${oldVersion.versionString}) is lower than the minimum required version: ${RenderQueue['MINIMUM_SECRETS_MANAGEMENT_VERSION'].toString()}`);
+ .toThrowError(`The supplied Deadline version (${oldVersion.versionString}) does not support Deadline Secrets Management in RFDK. Either upgrade Deadline to the minimum required version (${Version.MINIMUM_SECRETS_MANAGEMENT_VERSION.versionString}) or disable the feature in the Repository's construct properties.`);
  });
 
  test('grants read permissions to secrets management credentials', () => {

diff --git a/packages/aws-rfdk/lib/deadline/test/repository.test.ts b/packages/aws-rfdk/lib/deadline/test/repository.test.ts
@@ -118,7 +118,7 @@ beforeEach(() => {
  }
  }
 
- version = new MockVersion([10,1,9,2]);
+ version = new MockVersion([10,1,19,4]);
 });
 
 test('can create two repositories', () => {
@@ -864,7 +864,7 @@ test('repository instance is created with correct installer path version', () =>
 
  // THEN
  const script = (repo.node.defaultChild as AutoScalingGroup).userData;
- expect(script.render()).toMatch(/10\.1\.9\.2/);
+ expect(script.render()).toEqual(expect.stringContaining(version.versionString));
 });
 
 test.each([
@@ -1240,6 +1240,42 @@ test('throws an error if supplied a MountableEfs with no Access Point', () => {
  expect(when).toThrow('When using EFS with the Repository, you must provide an EFS Access Point');
 });
 
+test('disable Secrets Management by default when Deadline version is old', () => {
+ // GIVEN
+ const newStack = new Stack(app, 'NewStack');
+ const oldVersion = new VersionQuery(newStack, 'OldDeadlineVersion', { version: '10.0.0.0' });
+
+ // WHEN
+ const repository = new Repository(newStack, 'Repo', {
+ vpc,
+ version: oldVersion,
+ });
+
+ // THEN
+ expect(repository.secretsManagementSettings.enabled).toBeFalsy();
+ expect(repository.secretsManagementSettings.credentials).toBeUndefined();
+});
+
+test('throws when Secrets Management is enabled but deadline version is too low', () => {
+ // GIVEN
+ const newStack = new Stack(app, 'NewStack');
+ const oldVersion = new VersionQuery(newStack, 'OldDeadlineVersion', { version: '10.0.0.0' });
+
+ // WHEN
+ function when() {
+ new Repository(newStack, 'Repo', {
+ version: oldVersion,
+ vpc,
+ secretsManagementSettings: {
+ enabled: true,
+ },
+ });
+ }
+
+ // THEN
+ expect(when).toThrow(`The supplied Deadline version (${oldVersion.versionString}) does not support Deadline Secrets Management in RFDK. Either upgrade Deadline to the minimum required version (${Version.MINIMUM_SECRETS_MANAGEMENT_VERSION.versionString}) or disable the feature in the Repository's construct properties.`);
+});
+
 test('imports repository settings', () => {
  // GIVEN
  const repositorySettings = new Asset(stack, 'RepositorySettingsAsset', {