NetApp · kcantrel · Feb 6, 2025 · Feb 3, 2025 · Feb 5, 2025 · Feb 5, 2025
@@ -0,0 +1,120 @@
+# NetApp FSxN Third Party CloudFormation Extensions Examples
+
+## Overview
+This repository contains example CloudFormation templates that use the NetApp FSxN Third Party CloudFormation Extensions.
+
+It also contains shell scripts that can be used to get you started quickly, as well as some shell
+scripts that allow you to deploy these examples with the AWS CLI.
+
+And, as a bonus, there is one Python script that can be used to create a clone of an existing FSx for NetApp ONTAP volume.
+
+## Prerequisites
+### Get a Preview Key
+- The first thing you need to do before you can use any of the NetApp FSxN Third Party CloudFormation Extensions is obtain a `preview key`.
+You can get one of those by sending an email to [Ng-fsx-cloudformation@netapp.com](mailto:Ng-fsx-cloudformation@netapp.com) requesting one.
+
+## Getting Started
+Once you have the preview key, you are ready to activate the extensions and start using them.
+
+### Step 1 Create an IAM role
+You need to create an IAM role that the extensions will assume to create and/or modify resources on your behalf.
+The following is a CloudFormation template that you can use to create the role:
+```
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >
+  This CloudFormation template creates a role assumed by CloudFormation
+  during CRUDL operations to mutate resources on your behalf.
+
+Resources:
+  ExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      MaxSessionDuration: 8400
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: resources.cloudformation.amazonaws.com
+            Action: sts:AssumeRole
+      Path: "/"
+      Policies:
+        - PolicyName: ResourceTypePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "fsx:DescribeFileSystems"
+                  - "lambda:InvokeFunction"
+                  - "secretsmanager:GetSecretValue"
+                Resource: "*"
+Outputs:
+  ExecutionRoleArn:
+    Value:
+      Fn::GetAtt: ExecutionRole.Arn
+```
+You can use the above template to create the role by running the following command:
+```
+aws cloudformation create-stack --stack-name create_execution_role_for_NetApp_CF_extensions --template-body file://<path-to-template> --capabilities CAPABILITY_NAMED_IAM
+```
+
+### Step 2: Activate the Extensions
+The next step is to activate all the extension. You can do that by running the `activate_extensions`
+script found in the `scripts` directory in this repository.
+```
+./activate_extensions -r <aws-region> -p <preview-key> -a <role-arn>
+```
+Where:
+- `<aws-region>` is the AWS region you want to activate the extensions in.
+- `<preview-key>` is the preview key you obtained from NetApp.
+- `<role-arn>` is the ARN of the role that the extensions will assume to create resources.
+
+### Step 3: Deploy a Workload Factory Link
+Before you can use any of the FSxN extensions you must have a Workload Factory Link deployed.
+If you don't already have one, you can either deploy one via the [Workload Factory console](https://console.workloads.netapp.com),
+or you can create one by using the `NetApp::FSxN::Link::MODULE` CloudFormation module, which is part of the third party extensions.
+To make deploying the Workload Factory Link easy you can use the `deploy_link` script found in the `scripts` directory in this repository.
+It invokes the `NetApp::FSxN::Link::Module` module with the appropriate parameters and will output the ARN
+of the Workload Factory Link Lambda function that will be used in all of the CloudFormation templates that use these FSxN extensions.
+
+Here is the synopsis of how to use the `deploy_link` script:
+```
+./deploy_link -r <aws-region> -s <subnet-id>,<subnet-id> -g <security-group-id>,<security-group-id> -n <link_name>
+```
+Where:
+- `<aws-region>` is the AWS region you want to activate the extensions in.
+- `<subnet-id>,<subnet-id>` are the subnet(s) you want to deploy the link in. No spaces between the subnet IDs.
+Only one is required, but is recommended to have at least two. These subnets must have access to the FSxN management endpoint.
+- `<security-group-id>,<security-group-id>` are the security group that will be attached to the Lambda Link function.
+No spaces between the security group IDs. Only one is required.
+- `<link_name>` is the name you want to give the link. It is also used as the name assigned to the link Lambda function.
+
+Once you have done this, you are ready to start using the examples in this repository.
+
+| File | Description |
+|------|-------------|
+|create_clone.yaml|Creates a clone of an existing FSx for NetApp ONTAP volume.|
+|create_export.yaml|Creates an export policy for an FSx for NetApp ONTAP file system.|
+|create_sm_with_peering.yaml|Creates a SnapMirror relationship with a specified source volume. It will also establish the vserver and cluster peering relationships.|
+|create_sm_without_peering.yaml|Creates a SnapMirror relationship with a specified source volume. It assumes that there is already a peering relationship between the source and destination clusters and vservers.|
+|create_snapshot.yaml|Creates a snapshot of an FSx for NetApp ONTAP volume.|
+|create_volume.yaml|Creates an FSx for NetApp ONTAP volume.|
+
+Note that there is a script, in the `scripts` directory, for each of these CloudFormation templates that can be used to deploy them via the AWS CLI.
+
+## Author Information
+
+This repository is maintained by the contributors listed on [GitHub](https://github.com/NetApp/FSx-ONTAP-samples-scripts/graphs/contributors).
+
+## License
+
+Licensed under the Apache License, Version 2.0 (the "License").
+
+You may obtain a copy of the License at [apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0).
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an _"AS IS"_ basis, without WARRANTIES or conditions of any kind, either express or implied.
+
+See the License for the specific language governing permissions and limitations under the License.
+
+© 2025 NetApp, Inc. All Rights Reserved.
@@ -0,0 +1,58 @@
+Description: "Create a clone of a FSx for ONTAP volume."
+
+Parameters:
+  FileSystemId:
+    Description: "The File System ID."
+    Type: String
+
+  SecretArn:
+    Description: "The Secret ARN."
+    Type: String
+
+  SecretKey:
+    Description: "The key to use within the AWS secret."
+    Default: "password"
+    Type: String
+
+  LinkArn:
+    Description: "The ARN to the Lambda link function."
+    Type: String
+
+  SvmName:
+    Description: "The name of the SVM that hold the parent volume."
+    Type: String
+
+  CloneVolumeName:
+    Description: "The desired name for the cloned volume."
+    Type: String
+
+  ParentVolumeName:
+    Description: "The name of the parent volume."
+    Type: String
+
+  IsCloned:
+    Description: "Set to false, during an update, to split the clone from its parent."
+    Type: String
+    Default: "true"
+
+Resources:
+  CloneVolume:
+    Type: "NetApp::FSxN::Volume"
+
+    Properties:
+      FsxAdminPasswordSource:
+        Secret:
+          SecretArn: !Ref SecretArn
+          SecretKey: !Ref SecretKey
+      FileSystemId: !Ref FileSystemId
+      LinkArn: !Ref LinkArn
+      SVM:
+        Name: !Ref SvmName
+      Name: !Ref CloneVolumeName
+
+      Clone:
+        ParentSVM:
+          Name: !Ref SvmName
+        ParentVolume:
+          Name: !Ref ParentVolumeName
+        IsCloned: !Ref IsCloned
@@ -0,0 +1,61 @@
+Description: "Create an export policy for an FSx for ONTAP file system.."
+
+Parameters:
+  FileSystemId:
+    Description: "The File System ID."
+    Type: String
+
+  SecretArn:
+    Description: "The Secret ARN."
+    Type: String
+
+  SecretKey:
+    Description: "The key within the AWS secret that holds the password."
+    Default: "password"
+    Type: String
+
+  LinkArn:
+    Description: "The ARN to the Lambda link function."
+    Type: String
+
+  SvmName:
+    Description: "The SVM Name."
+    Type: String
+
+  PolicyName:
+    Description: "The Desired Export Policy Name."
+    Type: String
+
+  MatchCidr:
+    Description: "The IP CIDR to match."
+    Type: String
+
+  Protocols:
+    Description: "The protocols to allow."
+    Type: CommaDelimitedList
+
+Resources:
+  ExportPolicy:
+    Type: "NetApp::FSxN::ExportPolicy"
+
+    Properties:
+      FsxAdminPasswordSource:
+        Secret:
+          SecretArn: !Ref SecretArn
+          SecretKey: !Ref SecretKey
+      FileSystemId: !Ref FileSystemId
+      LinkArn: !Ref LinkArn
+      SVM:
+        Name: !Ref SvmName
+      Name: !Ref PolicyName
+      Rules:
+        - AllowSuid: true
+          Clients:
+            - Match: !Ref MatchCidr
+          Protocols: !Ref Protocols
+          RoRule:
+            - any
+          RwRule:
+            - any
+          Superuser:
+            - any
@@ -0,0 +1,148 @@
+Description: "Create a SM relationship between two volumes. Includes peering the clusters and vservers. It assumes the destination volume does not exist and will create it."
+
+Parameters:
+  SourceLinkArn:
+    Description: "The ARN to the Lambda link function."
+    Type: String
+
+  SourceSecretArn:
+    Description: "The Secret ARN that holds the source fsxadmin password."
+    Type: String
+
+  SourceSecretKey:
+    Description: "The key to use within the AWS secret that holds the faxadmin password."
+    Default: "password"
+    Type: String
+
+  SourceFileSystemId:
+    Description: "The File System ID of the source volume."
+    Type: String
+
+  SourceSvmName:
+    Description: "The SVM name that holds the source volume."
+    Type: String
+
+  SourceVolumeName:
+    Description: "The name of the source volume."
+    Type: String
+
+  DestinationLinkArn:
+    Description: "The ARN to the Lambda link function that manages the destination FSxN file system."
+    Type: String
+
+  DestinationSecretArn:
+    Description: "The Secret ARN that holds the destination fsxadmin password."
+    Type: String
+
+  DestinationSecretKey:
+    Description: "The key to use within the AWS secret that holds the destination fsxadmin password."
+    Default: "password"
+    Type: String
+
+  DestinationFileSystemId:
+    Description: "The File System ID of the destination file system."
+    Type: String
+
+  DestinationSvmName:
+    Description: "The name of the SVM that holds the destination volume."
+    Type: String
+
+  DestinationVolumeName:
+    Description: "The name of the destination volume."
+    Type: String
+
+  DestinationAggregate:
+    Description: "The aggregate to use when creating the destination volume."
+    Type: CommaDelimitedList
+    Default: "aggr1"
+
+  Policy:
+    Description: "The SnapMirror policy to use."
+    Type: String
+    Default: "MirrorAllSnapshots"
+
+  Reverse:
+    Description: "Reverse the relationship. Can be set to 'true' during an CloudFormation update to reverse the relationship."
+    Type: String
+    Default: "false"
+
+Resources:
+  SnapMirrorRelationship:
+    Type: "NetApp::FSxN::SnapMirror"
+
+    DependsOn: "SvmPeerRelations"
+    Properties:
+      FsxAdminPasswordSource:
+        Secret:
+          SecretArn: !Ref SourceSecretArn
+          SecretKey: !Ref SourceSecretKey
+      FileSystemId: !Ref SourceFileSystemId
+      LinkArn: !Ref SourceLinkArn
+
+      FsxnDestinationInfo:
+        FsxAdminPasswordSource:
+          Secret:
+            SecretArn: !Ref DestinationSecretArn
+            SecretKey: !Ref DestinationSecretKey
+        FileSystemId: !Ref DestinationFileSystemId
+        LinkArn: !Ref DestinationLinkArn
+
+      SnapMirrorSourceEndpoint:
+        SVM:
+          Name: !Ref SourceSvmName
+        Volume: !Ref SourceVolumeName
+
+      SnapMirrorEndpoint:
+        SVM:
+          Name: !Ref DestinationSvmName
+        Volume: !Ref DestinationVolumeName
+
+      SnapMirrorDestinationCreation:
+        Aggregates: !Ref DestinationAggregate
+
+      Policy: !Ref Policy
+      Reverse: !Ref Reverse
+
+  ClusterPeerRelations:
+    Type: "NetApp::FSxN::ClusterPeer"
+
+    Properties:
+      FsxAdminPasswordSource:
+        Secret:
+          SecretArn: !Ref SourceSecretArn
+          SecretKey: !Ref SourceSecretKey
+      FileSystemId: !Ref SourceFileSystemId
+      LinkArn: !Ref SourceLinkArn
+
+      FsxnDestinationInfo:
+        FsxAdminPasswordSource:
+          Secret:
+            SecretArn: !Ref DestinationSecretArn
+            SecretKey: !Ref DestinationSecretKey
+        FileSystemId: !Ref DestinationFileSystemId
+        LinkArn: !Ref DestinationLinkArn
+
+  SvmPeerRelations:
+    Type: "NetApp::FSxN::SvmPeer"
+
+    DependsOn: "ClusterPeerRelations"
+    Properties:
+      FsxAdminPasswordSource:
+        Secret:
+          SecretArn: !Ref SourceSecretArn
+          SecretKey: !Ref SourceSecretKey
+      FileSystemId: !Ref SourceFileSystemId
+      LinkArn: !Ref SourceLinkArn
+
+      FsxnDestinationInfo:
+        FsxAdminPasswordSource:
+          Secret:
+            SecretArn: !Ref DestinationSecretArn
+            SecretKey: !Ref DestinationSecretKey
+        FileSystemId: !Ref DestinationFileSystemId
+        LinkArn: !Ref DestinationLinkArn
+
+      PeerSvmName: !Ref DestinationSvmName
+      SVM:
+        Name: !Ref SourceSvmName
+      Applications: ["snapmirror"]