fix(aws-batch): Support omitting ComputeEnvironment security groups so that they can be specified in Launch Template

packages/@aws-cdk/aws-batch/README.md

@@ -187,6 +187,42 @@ const myComputeEnv = new batch.ComputeEnvironment(this, 'ComputeEnv', {
 });
 ```
 
+Note that if your launch template explicitly specifies network interfaces,
+for example to use an Elastic Fabric Adapter, you must explicitly tell CDK not to
+auto-create security groups in the `ComputeEnvironment` construct. Instead, you must
+define them in the Launch Template. For example:
+
+```ts
+declare const vpc: ec2.Vpc;
+
+const efaSecurityGroup = new ec2.SecurityGroup(this, 'EFASecurityGroup', {
+ vpc,
+});
+
+const launchTemplateEFA = new ec2.CfnLaunchTemplate(this, 'LaunchTemplate', {
+ launchTemplateName: 'LaunchTemplateName',
+ launchTemplateData: {
+ networkInterfaces: [{
+ deviceIndex: 0,
+ subnetId: vpc.privateSubnets[0].subnetId,
+ interfaceType: 'efa',
+ groups: [efaSecurityGroup.securityGroupId],
+ }],
+ },
+});
+
+const computeEnvironmentEFA = new batch.ComputeEnvironment(this, 'EFAComputeEnv', {
+ managed: true,
+ computeResources: {
+ securityGroups: batch.ComputeEnvironmentSecurityGroups.NONE,
+ vpc,
+ launchTemplate: {
+ launchTemplateName: launchTemplateEFA.launchTemplateName as string,
+ },
+ },
+});
+```
+
 ### Importing an existing Compute Environment
 
 To import an existing batch compute environment, call `ComputeEnvironment.fromComputeEnvironmentArn()`.

packages/@aws-cdk/aws-batch/lib/compute-environment.ts

@@ -33,6 +33,25 @@ export enum ComputeResourceType {
  */
  FARGATE_SPOT = 'FARGATE_SPOT',
 }
+/**
+ * Flag to determine whether or not the ComputeEnvironment should
+ * autocreate Security Groups.
+ */
+export enum ComputeEnvironmentSecurityGroups {
+ /**
+ * The Compute Environment will not create any security groups
+ *
+ * This is needed if you are instead assigning security groups
+ * to network interfaces defined in a launch template
+ */
+ NONE = 'NONE',
+ /**
+ * The Compute Environment will create security groups if none
+ * are explicity specified
+ * to network interfaces defined in a launch template
+ */
+ AUTOMATIC = 'AUTOMATIC',
+}
 
 /**
  * Properties for how to prepare compute resources
@@ -142,7 +161,7 @@ export interface ComputeResources {
  *
  * @default - AWS default security group.
  */
- readonly securityGroups?: ec2.ISecurityGroup[];
+ readonly securityGroups?: ec2.ISecurityGroup[] | ComputeEnvironmentSecurityGroups;
 
  /**
  * The VPC network that all compute resources will be connected to.
@@ -584,25 +603,31 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment,
  return instanceTypes.map((type: ec2.InstanceType) => type.toString());
  }
 
- private buildConnections(vpc?: ec2.IVpc, securityGroups?:ec2.ISecurityGroup[]): ec2.Connections {
+ private buildConnections(vpc?: ec2.IVpc, securityGroups?:ec2.ISecurityGroup[] | ComputeEnvironmentSecurityGroups ): ec2.Connections {
 
  if (vpc === undefined) {
  return new ec2.Connections({});
  }
 
- if (securityGroups === undefined) {
+ if (securityGroups === undefined ||
+ securityGroups === ComputeEnvironmentSecurityGroups.AUTOMATIC) {
  return new ec2.Connections({
  securityGroups: [
  new ec2.SecurityGroup(this, 'Resource-Security-Group', { vpc }),
  ],
  });
  }
 
+ if (securityGroups === ComputeEnvironmentSecurityGroups.NONE) {
+ return new ec2.Connections({});
+ }
+
  return new ec2.Connections({ securityGroups });
  };
 
  private getSecurityGroupIds(): string[] | undefined {
- if (this.connections === undefined) {
+ if (this.connections === undefined ||
+ this.connections.securityGroups.length < 1) {
  return undefined;
  }
 

packages/@aws-cdk/aws-batch/test/batch-with-efa.integ.snapshot/BatchWithEFATestDefaultTestDeployAssertDAD33663.template.json

@@ -0,0 +1 @@
+{}