Release 3.4.0 - 12/22/22-10:16am PST

Author: Kari Stromsland

doc_source/AdditionalPackages-v3.md

@@ -21,7 +21,7 @@ IntelSoftware:
 
 [Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
 
-### `IntelSoftware` Properties<a name="AdditionalPackages-v3-IntelSoftware.properties"></a>
+### `IntelSoftware` properties<a name="AdditionalPackages-v3-IntelSoftware.properties"></a>
 
 `IntelHpcPlatform` \(**Optional**, `Boolean`\)  
 If `true`, indicates that the [End user license agreement](https://software.intel.com/en-us/articles/end-user-license-agreement) for Intel Parallel Studio is accepted\. This causes Intel Parallel Studio to be installed on the head node and shared with the compute nodes\. This adds several minutes to the time it takes the head node to bootstrap\. The `IntelHpcPlatform` setting is only supported on CentOS 7 \.  

doc_source/Build-v3.md

@@ -28,7 +28,7 @@ Build:
     Enabled: boolean
 ```
 
-## `Build` Properties<a name="Build-v3.properties"></a>
+## `Build` properties<a name="Build-v3.properties"></a>
 
 `InstanceType` \(**Required**, `String`\)  
 Specifies the instance type for the instance used to build the image\.
@@ -45,9 +45,9 @@ Specifies the list of security group IDs for the image\.
 
 ### `Imds`<a name="Build-v3-Imds"></a>
 
-#### `Imds` Properties<a name="Build-v3-Imds.properties"></a>
+#### `Imds` properties<a name="Build-v3-Imds.properties"></a>
 
-**\(Optional\)** Specifies the EC2 ImageBuilder build and test instance instance metadata service \(IMDS\) settings\.
+**\(Optional\)** Specifies the EC2 ImageBuilder build and test instance metadata service \(IMDS\) settings\.
 
 ```
 Imds:
@@ -65,7 +65,7 @@ Support for [`Imds`](#Build-v3-Imds) / [`ImdsSupport`](#yaml-build-image-Build-I
 
 ### `Iam`<a name="Build-v3-Iam"></a>
 
-#### `Iam` Properties<a name="Build-v3-Iam.properties"></a>
+#### `Iam` properties<a name="Build-v3-Iam.properties"></a>
 
 \(**Optional**\) Specifies the IAM resources for the image build\.
 
@@ -103,7 +103,7 @@ The ARN of the IAM policy to use as permissions boundary for all roles created b
 
 ### `Components`<a name="Build-v3-Components"></a>
 
-#### `Components` Properties<a name="Build-v3-Components.properties"></a>
+#### `Components` properties<a name="Build-v3-Components.properties"></a>
 
 \(**Optional**\) Specifies EC2 ImageBuilder components to use during the AMI build process in addition to the ones provided by default by AWS ParallelCluster\. Such components can be used to customize the AMI build process\. For more information, see [AWS ParallelCluster AMI customization](custom-ami-v3.md)\.
 
@@ -121,7 +121,7 @@ Specifies the value of the type\-value pair for the component\. When type is `ar
 
 ### `Tags`<a name="Build-v3-Tags"></a>
 
-#### `Tags` Properties<a name="Build-v3-Tags.properties"></a>
+#### `Tags` properties<a name="Build-v3-Tags.properties"></a>
 
 \(**Optional**\) Specifies the list of tags to be set in the resources used to build the AMI\.
 
@@ -139,7 +139,7 @@ Defines the value of the tag\.
 
 ### `UpdateOsPackages`<a name="Build-v3-UpdateOsPackages"></a>
 
-#### `UpdateOsPackages` Properties<a name="Build-v3-UpdateOsPackages.properties"></a>
+#### `UpdateOsPackages` properties<a name="Build-v3-UpdateOsPackages.properties"></a>
 
 \(**Optional**\) Specifies whether the operating system is updated before installing AWS ParallelCluster software stack\.
 

doc_source/DeploymentSettings-build-image-v3.md

@@ -0,0 +1,42 @@
+# `DeploymentSettings` section<a name="DeploymentSettings-build-image-v3"></a>
+
+**\(Optional\)** Specifies the deployment settings configuration\.
+
+```
+DeploymentSettings:
+  LambdaFunctionsVpcConfig:
+    SecurityGroupIds
+      - string
+    SubnetIds
+      - string
+```
+
+## `DeploymentSettings` properties<a name="DeploymentSettings-build-image-v3.properties"></a>
+
+### `LambdaFunctionsVpcConfig`<a name="DeploymentSettings-build-image-v3-LambdaFunctionsVpcConfig"></a>
+
+**\(Optional\)** Specifies the AWS Lambda functions VPC configurations\. For more information, see [AWS Lambda VPC configuration in AWS ParallelCluster](lambda-vpc-v3.md)\.
+
+```
+LambdaFunctionsVpcConfig:
+  SecurityGroupIds
+    - string
+  SubnetIds
+    - string
+```
+
+#### `LambdaFunctionsVpcConfig properties`<a name="DeploymentSettings-build-image-v3-LambdaFunctionsVpcConfig.properties"></a>
+
+`SecurityGroupIds` \(**Required**, `[String]`\)  
+The list of Amazon VPC security group IDs that are attached to the Lambda functions\.  
+[Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
+
+`SubnetIds` \(**Required**, `[String]`\)  
+The list of subnet IDs that are attached to the Lambda functions\.  
+[Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
+
+**Note**  
+The subnets and security groups must be in the same VPC\.
+
+**Note**  
+`DeploymentSettings` is added starting with AWS ParallelCluster version 3\.4\.0\.

doc_source/DeploymentSettings-cluster-v3.md

@@ -0,0 +1,42 @@
+# `DeploymentSettings` section<a name="DeploymentSettings-cluster-v3"></a>
+
+**\(Optional\)** Specifies the deployment settings configuration\.
+
+```
+DeploymentSettings:
+  LambdaFunctionsVpcConfig:
+    SecurityGroupIds
+      - string
+    SubnetIds
+      - string
+```
+
+## `DeploymentSettings` properties<a name="DeploymentSettings-cluster-v3.properties"></a>
+
+### `LambdaFunctionsVpcConfig`<a name="DeploymentSettings-cluster-v3-LambdaFunctionsVpcConfig"></a>
+
+**\(Optional\)** Specifies the AWS Lambda functions VPC configurations\. For more information, see [AWS Lambda VPC configuration in AWS ParallelCluster](lambda-vpc-v3.md)\.
+
+```
+LambdaFunctionsVpcConfig:
+  SecurityGroupIds
+    - string
+  SubnetIds
+    - string
+```
+
+#### `LambdaFunctionsVpcConfig properties`<a name="DeploymentSettings-cluster-v3-LambdaFunctionsVpcConfig.properties"></a>
+
+`SecurityGroupIds` \(**Required**, `[String]`\)  
+The list of Amazon VPC security group IDs that are attached to the Lambda functions\.  
+[Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
+
+`SubnetIds` \(**Required**, `[String]`\)  
+The list of subnet IDs that are attached to the Lambda functions\.  
+[Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
+
+**Note**  
+The subnets and security groups must be in the same VPC\.
+
+**Note**  
+`DeploymentSettings` is added starting with AWS ParallelCluster version 3\.4\.0\.

doc_source/DirectoryService-v3.md

@@ -24,7 +24,7 @@ DirectoryService:
 
 [Update policy: The compute fleet must be stopped for this setting to be changed for an update.](using-pcluster-update-cluster-v3.md#update-policy-compute-fleet-v3)
 
-## `DirectoryService` Properties<a name="DirectoryService-v3.properties"></a>
+## `DirectoryService` properties<a name="DirectoryService-v3.properties"></a>
 
 **Note**  
 If you plan to use AWS ParallelCluster in a single subnet with no internet access, see [AWS ParallelCluster in a single subnet with no internet access](network-configuration-v3.md#aws-parallelcluster-in-a-single-public-subnet-no-internet-v3) for additional requirements\.
@@ -55,7 +55,7 @@ Use LDAP over TLS/SSL \(LDAPS\) to avoid transmission of passwords and other sen
 `PasswordSecretArn` \(**Required**, `String`\)  
 The Amazon Resource Name \(ARN\) of the AWS Secrets Manager secret that contains the `DomainReadOnlyUser` plaintext password\. The content of the secret corresponds to SSSD\-LDAP parameter that's called `ldap_default_authtok`\.  
 The LDAP client uses the password to authenticate to the AD domain as a `DomainReadOnlyUser` when requesting identity information\.  
-If the user has the permission to [https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html), `PasswordSecretArn` is validated\. `PasswordSecretArn` is valid if the specified secret exists\. If the user IAM policy doesn't include `DescribeSecret`, `PasswordSecretArn` isn't validated and a warning message is displayed\. For more information, see [Base user policy required to invoke AWS ParallelCluster features](iam-roles-in-parallelcluster-v3.md#iam-roles-in-parallelcluster-v3-base-user-policy)\.  
+If the user has the permission to [https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html), `PasswordSecretArn` is validated\. `PasswordSecretArn` is valid if the specified secret exists\. If the user IAM policy doesn't include `DescribeSecret`, `PasswordSecretArn` isn't validated and a warning message is displayed\. For more information, see [Base AWS ParallelCluster` pcluster` user policy](iam-roles-in-parallelcluster-v3.md#iam-roles-in-parallelcluster-v3-base-user-policy)\.  
 When the value of the secret changes, the cluster *isn't* automatically updated\. To update the cluster for the new secret value, you must stop the compute fleet with the [`pcluster update-compute-fleet`](pcluster.update-compute-fleet-v3.md) command and then run the following command from within the head node\.  
 
 ```

doc_source/HeadNode-v3.md

@@ -10,10 +10,8 @@ HeadNode:
     ElasticIp: string/boolean
     SecurityGroups:
       - string
-      - string
     AdditionalSecurityGroups:
       - string
-      - string
     Proxy:
       HttpProxyAddress: string
   DisableSimultaneousMultithreading: boolean
@@ -39,11 +37,13 @@ HeadNode:
       Script: string
       Args:
         - string
-        - string
     OnNodeConfigured:
       Script: string
       Args:
         - string
+    OnNodeUpdated:
+      Script: string
+      Args:
         - string
   Iam:
     InstanceRole: string
@@ -65,6 +65,8 @@ HeadNode:
 `InstanceType` \(**Required**, `String`\)  
 Specifies the instance type for the head node\.  
 Specifies the Amazon EC2 instance type that's used for the head node\. The architecture of the instance type must be the same as the architecture used for the AWS Batch [`InstanceType`](Scheduling-v3.md#yaml-Scheduling-AwsBatchQueues-ComputeResources-InstanceTypes) or Slurm [`InstanceType`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-ComputeResources-InstanceType) setting\.  
+AWS ParallelCluster doesn't support the following instance types for the `HeadNode` setting\.  
++ hpc6id
 If you define a p4d instance type or another instance type that has multiple network interfaces or a network interface card, you must set [`ElasticIp`](#yaml-HeadNode-Networking-ElasticIp) to `true` to provide public access\. AWS public IPs can only be assigned to instances launched with a single network interface\. For this case, we recommend that you use a [NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) to provide public access to the cluster compute nodes\. For more information, see [Assign a public IPv4 address during instance launch](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#public-ip-addresses) in the *Amazon EC2 User Guide for Linux Instances*\.  
 [Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
 
@@ -83,10 +85,8 @@ Networking:
   ElasticIp: string/boolean
   SecurityGroups:
     - string
-    - string
   AdditionalSecurityGroups:
     - string
-    - string
   Proxy:
     HttpProxyAddress: string
 ```
@@ -136,7 +136,7 @@ Ssh:
 
 [Update policy: This setting can be changed during an update.](using-pcluster-update-cluster-v3.md#update-policy-setting-supported-v3)
 
-### `Ssh` Properties<a name="HeadNode-v3-Ssh.properties"></a>
+### `Ssh` properties<a name="HeadNode-v3-Ssh.properties"></a>
 
 `KeyName` \(**Optional**, `String`\)  
 Names an existing Amazon EC2 key pair to enable SSH access to the head node\.  
@@ -165,7 +165,7 @@ LocalStorage:
 
 [Update policy: This setting can be changed during an update.](using-pcluster-update-cluster-v3.md#update-policy-setting-supported-v3)
 
-### `LocalStorage` Properties<a name="HeadNode-v3-LocalStorage.properties"></a>
+### `LocalStorage` properties<a name="HeadNode-v3-LocalStorage.properties"></a>
 
 `RootVolume` \(**Required**\)  
 Specifies the root volume storage for the head node\.  
@@ -271,16 +271,16 @@ CustomActions:
     Script: string
     Args:
       - string
-      - string
   OnNodeConfigured:
     Script: string
     Args:
       - string
-      - string
+   OnNodeUpdated:
+   Script: string
+   Args:
+     - string
 ```
 
-[Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
-
 ### `CustomActions` properties<a name="HeadNode-v3-CustomActions.properties"></a>
 
 `OnNodeStart` \(**Optional**, `String`\)  
@@ -289,16 +289,25 @@ Specifies a script to run on the head node before any node deployment bootstrap
 Specifies the file to use\. The file path can start with `https://` or `s3://`\.  
 `Args` \(**Optional**, `[String]`\)  
 List of arguments to pass to the script\.
+[Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
 
 `OnNodeConfigured` \(**Optional**, `String`\)  
 Specifies a script to run on the head node after the node bootstrap actions are complete\. For more information, see [Custom bootstrap actions](custom-bootstrap-actions-v3.md)\.    
 `Script` \(**Required**, `String`\)  
 Specifies the file to use\. The file path can start with `https://` or `s3://`\.  
 `Args` \(**Optional**, `[String]`\)  
 List of arguments to pass to the script\.
-
 [Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
 
+`OnNodeUpdated` \(**Optional**, `String`\)  
+Specifies a script to run on the head node after node update actions are complete\. For more information, see [Custom bootstrap actions](custom-bootstrap-actions-v3.md)\.    
+`Script` \(**Required**, `String`\)  
+Specifies the file to use\. The file path can start with `https://` or `s3://`\.  
+`Args` \(**Optional**, `[String]`\)  
+List of arguments to pass to the script\.
+[Update policy: This setting can be changed during an update.](using-pcluster-update-cluster-v3.md#update-policy-setting-supported-v3)  
+`OnNodeUpdated` is added starting with AWS ParallelCluster 3\.4\.0\.
+
 ## `Iam`<a name="HeadNode-v3-Iam"></a>
 
 **\(Optional\)** Specifies either an instance role or an instance profile to use on the head node to override the default instance role or instance profile for the cluster\.
@@ -378,7 +387,7 @@ Imds:
 
 [Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
 
-### `Imds` Properties<a name="HeadNode-v3-Imds.properties"></a>
+### `Imds` properties<a name="HeadNode-v3-Imds.properties"></a>
 
 `Secured` \(**Optional**, `Boolean`\)  
 If `true`, restricts access to the head node's IMDS \(and the instance profile credentials\) to a subset of superusers\.  
@@ -413,7 +422,7 @@ Image:
 
 [Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
 
-### `Image` Properties<a name="HeadNode-v3-Image.properties"></a>
+### `Image` properties<a name="HeadNode-v3-Image.properties"></a>
 
 `CustomAmi` \(**Optional**, `String`\)  
 Specifies the ID of a custom AMI to use for the head node instead of the default AMI\. For more information, see [AWS ParallelCluster AMI customization](custom-ami-v3.md)\.  

doc_source/Iam-v3.md

@@ -7,11 +7,12 @@ Iam:
   Roles:
     LambdaFunctionsRole: string
   PermissionsBoundary: string
+  ResourcePrefix: string
 ```
 
 [Update policy: This setting can be changed during an update.](using-pcluster-update-cluster-v3.md#update-policy-setting-supported-v3)
 
-## `Iam` Properties<a name="Iam-v3.properties"></a>
+## `Iam` properties<a name="Iam-v3.properties"></a>
 
 `PermissionsBoundary` \(**Optional**, `String`\)  
 The ARN of the IAM policy to use as permissions boundary for all roles created by AWS ParallelCluster\. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*\. The format is `arn:${Partition}:iam::${Account}:policy/${PolicyName}`\.  
@@ -22,4 +23,39 @@ Specifies settings for the IAM roles used by the cluster\.
 [Update policy: This setting can be changed during an update.](using-pcluster-update-cluster-v3.md#update-policy-setting-supported-v3)    
 `LambdaFunctionsRole` \(**Optional**, `String`\)  
 The ARN of the IAM role to use for AWS Lambda\. This overrides the default role attached to all Lambda functions backing AWS CloudFormation custom resources\. Lambda needs to be configured as the principal allowed to assume the role\. This will not override the role of Lambda functions used for AWS Batch\. The format is `arn:${Partition}:iam::${Account}:role/${RoleName}`\.  
-[Update policy: This setting can be changed during an update.](using-pcluster-update-cluster-v3.md#update-policy-setting-supported-v3)
+[Update policy: This setting can be changed during an update.](using-pcluster-update-cluster-v3.md#update-policy-setting-supported-v3)
+
+`ResourcePrefix` \(**Optional**\)  
+Specifies a path or name prefix for IAM resources that are created by AWS ParallelCluster\.  
+The resource prefix must follow the [naming rules specified by IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html):  
++ A name can contain up to 30 characters\.
++ A name can only be a string with no slash \(`/`\) characters\.
++ A path can be up to 512 characters\.
++ A path must start and end with a slash \(`/`\)\. It can contain multiple slashes \(`/`\) between the start and end slashes \(`/`\)\.
++ You can combine the path and name `/path/name`\.
+Specify a name\.  
+
+```
+Iam:
+  ResourcePrefix: my-prefix
+```
+Specify a path\.  
+
+```
+Iam:
+  ResourcePrefix: /org/dept/team/project/user/
+```
+Specify a path and name\.  
+
+```
+Iam:
+  ResourcePrefix: /org/dept/team/project/user/my-prefix
+```
+If you specify `/my-prefix`, an error is returned\.  
+
+```
+Iam:
+  ResourcePrefix: /my-prefix
+```
+A configuration error is returned\. A path must have two `/`s\. A prefix by itself can't have `/`s\.  
+[Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)

doc_source/Image-v3.md

@@ -8,11 +8,11 @@ Image:
   CustomAmi: string
 ```
 
-## `Image` Properties<a name="Image-v3.properties"></a>
+## `Image` properties<a name="Image-v3.properties"></a>
 
 `Os` \(**Required**, `String`\)  
 Specifies the operating system to use for the cluster\. The supported values are `alinux2`, `centos7`, `ubuntu1804`, and `ubuntu2004`\.  
-Other than the specific Regions mentioned in the following table that don't support `centos7`\. All other AWS commercial Regions support all of the following operating systems\.      
+Other than the specific AWS Regions mentioned in the following table that don't support `centos7`\. All other AWS commercial Regions support all of the following operating systems\.      
 [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/parallelcluster/latest/ug/Image-v3.html)
 [Update policy: If this setting is changed, the update is not allowed.](using-pcluster-update-cluster-v3.md#update-policy-fail-v3)
 

doc_source/Imds-cluster-v3.md

@@ -7,7 +7,7 @@ Imds:
   ImdsSupport: string
 ```
 
-## `Imds` Properties<a name="Imds-cluster-v3.properties"></a>
+## `Imds` properties<a name="Imds-cluster-v3.properties"></a>
 
 `ImdsSupport` \(**Optional**, `String`\)  
 Specifies which IMDS versions are supported in the cluster nodes\. Supported values are `v1.0` and `v2.0`\. The default value is `v1.0`\.