From 3fd32c909ead513842cb0609931ef0685f8b1ec6 Mon Sep 17 00:00:00 2001
From: Himani Anil Deshpande
Date: Thu, 20 Feb 2025 15:29:16 -0500
Subject: [PATCH] Use disable_services.rb recipe to disable dynamic services we want using DevSettings

* Update changelog
---
 CHANGELOG.md | 1 +
 .../recipes/install/disable_services.rb | 9 +++++++++
 .../spec/unit/recipes/disable_services_spec.rb | 15 ++++++++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bfaef50d9c..3dc45d1d90 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 ------
 **ENHANCEMENTS**
 - Add support for Ubuntu24.
+- Disable unused services like cups and wpa_supplicant from Official ParallelCluster AMIs to improve security.
 
 **CHANGES**
 - On Ubuntu 22.04, install the Nvidia driver with the same compiler version used to compile the kernel.
diff --git a/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb b/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
index 2fb63dd0a7..f2d9dd7727 100644
--- a/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
+++ b/cookbooks/aws-parallelcluster-platform/recipes/install/disable_services.rb
@@ -27,3 +27,12 @@
 service 'log4j-cve-2021-44228-hotpatch' do
 action %i(disable stop mask)
 end unless on_docker?
+
+# Disable services if node['cluster']['disable_services'] is provided
+if node['cluster']['disable_services']
+ node['cluster']['disable_services'].split().each do |service_name|
+ service service_name do
+ action %i(disable stop mask)
+ end unless on_docker?
+ end
+end
diff --git a/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb b/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
index 96d0043d78..26835bdd15 100644
--- a/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
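Review bot: The new loop in disable_services.rb takes `node['cluster']['disable_services']` as-is with no normalisation or sanity check: the value has to be a whitespace-separated String (if the cluster config can ever deliver an Array, `split` raises NoMethodError), and a mistyped unit name goes straight to `mask`, which systemd accepts for units that do not exist, so as far as I can tell a typo is silently baked into the AMI as a /dev/null mask instead of failing the build. `split()` with empty parentheses and repeating `unless on_docker?` on every resource inside the loop are also unidiomatic next to the two fixed blocks above. Normalising the value once, de-duplicating it and hoisting the Docker guard to the loop keeps the existing behaviour while making the accepted input shape explicit; a `Chef::Log.info` of the resolved list would at least leave a trace in the build log of what was masked. Whether to fail on unknown unit names instead is a judgement call, since it turns a hidden typo into a build failure.
```ruby
# Disable extra services listed in node['cluster']['disable_services']
# (whitespace-separated String, or an Array); nil/empty means nothing to do.
to_disable = node['cluster']['disable_services']
to_disable = to_disable.split if to_disable.is_a?(String)
Array(to_disable).uniq.each do |service_name|
  service service_name do
    action %i(disable stop mask)
  end
end unless on_docker?
```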
+++ b/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/disable_services_spec.rb
@@ -1,10 +1,15 @@
 require 'spec_helper'
+DISABLE_SERVICE_NAME = 'service_name1 service_name_2'.freeze
+
 
 describe 'aws-parallelcluster-platform::disable_services' do
 for_all_oses do |platform, version|
 context "on #{platform}#{version}" do
 cached(:chef_run) do
- runner(platform: platform, version: version).converge(described_recipe)
+ runner = ChefSpec::Runner.new do |node|
+ node.override['cluster']['disable_services'] = DISABLE_SERVICE_NAME
+ end
+ runner.converge(described_recipe)
 end
 
 it 'disables DLAMI multi eni helper' do
@@ -18,6 +23,14 @@
 is_expected.to stop_service('log4j-cve-2021-44228-hotpatch')
 is_expected.to mask_service('log4j-cve-2021-44228-hotpatch')
 end
+
+ DISABLE_SERVICE_NAME.split().each do |service_name|
+ it "disables #{service_name}" do
+ is_expected.to disable_service(service_name)
+ is_expected.to stop_service(service_name)
+ is_expected.to mask_service(service_name)
+ end
+ end
 end
 end
 end
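Review bot: The rewritten `cached(:chef_run)` no longer passes `platform` and `version` to the runner, so every iteration of `for_all_oses` converges the same ChefSpec default platform and the `context "on #{platform}#{version}"` labels no longer describe what is being tested. Keep the project's `runner` helper and set the attribute through its block instead, e.g. `runner(platform: platform, version: version) do |node|` / `node.override['cluster']['disable_services'] = DISABLE_SERVICE_NAME` / `end.converge(described_recipe)`, assuming the helper forwards its block to the ChefSpec runner as the other specs in this cookbook rely on (not visible in this hunk). The enclosing `describe` and `for_all_oses` blocks close outside the hunk.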
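Review bot: The generated examples in the second spec hunk only cover the configured case; nothing asserts that with `node['cluster']['disable_services']` unset the recipe creates no service resources beyond the two fixed ones, which is the default path every real AMI build takes. A second context that converges without the override and checks `expect(chef_run).not_to disable_service('service_name1')` (and the matching `stop_service`/`mask_service`) would pin that. The enclosing `context` and `describe` blocks close after the hunk.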