Add test for build image in isolated env

Switch proxy to al2023

Fix allowlist

Author: hgreebe

tests/integration-tests/configs/develop.yaml

@@ -174,6 +174,11 @@ test-suites:
         - regions: ["ca-central-1"]
           instances: {{ common.INSTANCES_DEFAULT_X86 }}
           oss: ["alinux2"]
+    test_createami.py::test_build_image_no_internet:
+      dimensions:
+        - regions: ["eu-west-1"]
+          instances: {{ common.INSTANCES_DEFAULT_X86 }}
+          oss: [{{ OS_X86_1 }}]
   custom_resource:
     test_cluster_custom_resource.py::test_cluster_create:
       dimensions:

tests/integration-tests/tests/createami/test_createami.py

@@ -12,6 +12,7 @@
 import datetime
 import json
 import logging
+import os
 import re
 import tarfile
 import tempfile
@@ -51,6 +52,52 @@ class ImageNotFound(Exception):
     pass
 
 
+@pytest.fixture(scope="class")
+def no_internet_proxy_stack(region, request, cfn_stacks_factory):
+    """Deploy a VPC with a proxy that only allows OS repo access and VPC endpoints for AWS services."""
+    proxy_template_path = os.path.join(os.path.dirname(__file__), "test_createami", "test_build_image_no_internet", "proxy_stack.yaml")
+    with open(proxy_template_path) as f:
+        template = f.read()
+
+    stack = CfnStack(
+        name=generate_stack_name("integ-tests-build-image-no-internet", request.config.getoption("stackname_suffix")),
+        region=region,
+        template=template,
+        parameters=[{"ParameterKey": "Keypair", "ParameterValue": request.config.getoption("key_name")}],
+        capabilities=["CAPABILITY_IAM"],
+    )
+    cfn_stacks_factory.create_stack(stack)
+    yield stack
+    if not request.config.getoption("no_delete"):
+        cfn_stacks_factory.delete_stack(stack.name, region)
+
+
+@pytest.mark.usefixtures("instance")
+def test_build_image_no_internet(
+    region,
+    os,
+    instance,
+    pcluster_config_reader,
+    architecture,
+    no_internet_proxy_stack,
+    images_factory,
+    request,
+):
+    """Test build image in a private subnet with no internet access, only VPC endpoints and a proxy for OS repos."""
+    base_ami = retrieve_latest_ami(region, os, architecture=architecture)
+
+    image_id = generate_stack_name("integ-tests-build-image-no-internet", request.config.getoption("stackname_suffix"))
+    image_config = pcluster_config_reader(
+        config_file="image.config.yaml",
+        parent_image=base_ami,
+        subnet_id=no_internet_proxy_stack.cfn_outputs["PrivateSubnetId"],
+        security_group_id=no_internet_proxy_stack.cfn_outputs["DefaultSecurityGroupId"],
+    )
+
+    image = images_factory(image_id, image_config, region)
+    _test_build_image_success(image)
+
+
 @pytest.mark.usefixtures("instance")
 def test_invalid_config(
     region,

tests/integration-tests/tests/createami/test_createami/test_build_image_no_internet/image.config.yaml

@@ -0,0 +1,14 @@
+Image:
+    RootVolume:
+        Size: 200
+        Encrypted: True
+
+Build:
+    InstanceType: {{ instance }}
+    ParentImage: {{ parent_image }}
+    SecurityGroupIds:
+        - {{ security_group_id }}
+    SubnetId: {{ subnet_id }}
+
+DevSettings:
+    TerminateInstanceOnFailure: True