anyscale 0.26.44__py3-none-any.whl → 0.26.46__py3-none-any.whl

anyscale/cloud_resource.py

@@ -15,12 +15,12 @@ from anyscale.aws_iam_policies import (
     get_anyscale_iam_permissions_ec2_restricted,
 )
 from anyscale.cli_logger import CloudSetupLogger
+from anyscale.client.openapi_client.models.aws_memory_db_cluster_config import (
+    AWSMemoryDBClusterConfig,
+)
 from anyscale.client.openapi_client.models.cloud_analytics_event_cloud_resource import (
     CloudAnalyticsEventCloudResource,
 )
-from anyscale.client.openapi_client.models.create_cloud_resource import (
-    CreateCloudResource,
-)
 from anyscale.client.openapi_client.models.subnet_id_with_availability_zone_aws import (
     SubnetIdWithAvailabilityZoneAWS,
 )
@@ -94,14 +94,14 @@ def log_resource_not_found_error(
 
 
 def verify_aws_vpc(
-    cloud_resource: CreateCloudResource,
+    aws_vpc_id: Optional[str],
     boto3_session: boto3.Session,
     logger: CloudSetupLogger,
     ignore_capacity_errors: bool = False,  # TODO: Probably don't do this forever. Its kinda hacky
     strict: bool = False,  # strict is currently unused # noqa: ARG001
 ) -> bool:
     logger.info("Verifying VPC ...")
-    if not cloud_resource.aws_vpc_id:
+    if not aws_vpc_id:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_VPC,
             CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
@@ -110,14 +110,14 @@ def verify_aws_vpc(
         return False
 
     ec2 = boto3_session.resource("ec2")
-    vpc = ec2.Vpc(cloud_resource.aws_vpc_id)
+    vpc = ec2.Vpc(aws_vpc_id)
 
     # Verify the VPC exists
     try:
         vpc.load()
     except ClientError as e:
         if e.response["Error"]["Code"] == "InvalidVpcID.NotFound":
-            log_resource_not_found_error("VPC", cloud_resource.aws_vpc_id, logger)
+            log_resource_not_found_error("VPC", aws_vpc_id, logger)
             return False
         else:
             logger.log_resource_exception(CloudAnalyticsEventCloudResource.AWS_VPC, e)
@@ -142,7 +142,8 @@ def _get_subnets_from_subnet_ids(
 
 
 def verify_aws_subnets(  # noqa: PLR0911, PLR0912
-    cloud_resource: CreateCloudResource,
+    aws_vpc_id: Optional[str],
+    aws_subnet_ids: List[str],
     region: str,
     is_private_network: bool,
     logger: CloudSetupLogger,
@@ -153,20 +154,11 @@ def verify_aws_subnets(  # noqa: PLR0911, PLR0912
 
     logger.info("Verifying subnets ...")
 
-    if not cloud_resource.aws_vpc_id:
+    if not aws_vpc_id:
         logger.error("Missing VPC ID.")
         return False
 
-    subnet_ids = []
-    if (
-        cloud_resource.aws_subnet_ids_with_availability_zones
-        and len(cloud_resource.aws_subnet_ids_with_availability_zones) > 0
-    ):
-        subnet_ids = [
-            subnet_id_with_az.subnet_id
-            for subnet_id_with_az in cloud_resource.aws_subnet_ids_with_availability_zones
-        ]
-    else:
+    if not aws_subnet_ids:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_SUBNET,
             CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
@@ -175,7 +167,7 @@ def verify_aws_subnets(  # noqa: PLR0911, PLR0912
         return False
 
     # We must have at least 2 subnets since services requires 2 different subnets to setup ALB.
-    if len(subnet_ids) < 2:
+    if len(aws_subnet_ids) < 2:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_SUBNET, CloudSetupError.ONLY_ONE_SUBNET
         )
@@ -185,11 +177,11 @@ def verify_aws_subnets(  # noqa: PLR0911, PLR0912
         return False
 
     subnets = _get_subnets_from_subnet_ids(
-        subnet_ids=subnet_ids, region=region, logger=logger
+        subnet_ids=aws_subnet_ids, region=region, logger=logger
     )
     subnet_azs = set()
 
-    for subnet, subnet_id in zip(subnets, subnet_ids):
+    for subnet, subnet_id in zip(subnets, aws_subnet_ids):
         # Verify subnet exists
         if not subnet:
             log_resource_not_found_error("Subnet", subnet_id, logger)
@@ -205,13 +197,13 @@ def verify_aws_subnets(  # noqa: PLR0911, PLR0912
             return False
 
         # Verify that the subnet is in the provided VPC all of these are in the same VPC.
-        if subnet.vpc_id != cloud_resource.aws_vpc_id:
+        if subnet.vpc_id != aws_vpc_id:
             logger.log_resource_error(
                 CloudAnalyticsEventCloudResource.AWS_SUBNET,
                 CloudSetupError.SUBNET_NOT_IN_VPC,
             )
             logger.error(
-                f"The subnet {subnet_id} is not in a vpc of this cloud. The vpc of this subnet is {subnet.vpc_id} and the vpc of this cloud is {cloud_resource.aws_vpc_id}."
+                f"The subnet {subnet_id} is not in a vpc of this cloud. The vpc of this subnet is {subnet.vpc_id} and the vpc of this cloud is {aws_vpc_id}."
             )
             return False
 
@@ -243,9 +235,7 @@ def verify_aws_subnets(  # noqa: PLR0911, PLR0912
         )
         return False
 
-    logger.info(
-        f"Subnets {cloud_resource.aws_subnet_ids_with_availability_zones} verification succeeded."
-    )
+    logger.info(f"Subnets {aws_subnet_ids} verification succeeded.")
     return True
 
 
@@ -270,34 +260,28 @@ def associate_aws_subnets_with_azs(
     return subnet_ids_with_availability_zones
 
 
-def _get_roles_from_cloud_resource(
-    cloud_resource: CreateCloudResource,
-    boto3_session: boto3.Session,
-    logger: CloudSetupLogger,
-) -> Optional[List[Any]]:
+def _get_role_from_arn(
+    role_arn: str, boto3_session: boto3.Session, logger: CloudSetupLogger,
+) -> Any:
     iam = boto3_session.resource("iam")
-    roles = [
-        iam.Role(AwsRoleArn.from_string(role_arn).to_role_name())
-        for role_arn in cloud_resource.aws_iam_role_arns
-    ]
-    # Validate the roles exist.
+
+    # Validate the role exists.
     # `.load()` will throw an exception if the Role does not exist.
-    for role in roles:
-        try:
-            role.load()
-        except ClientError as e:
-            logger.log_resource_exception(
-                CloudAnalyticsEventCloudResource.AWS_IAM_ROLE, e
-            )
-            if e.response["Error"]["Code"] == "NoSuchEntity":
-                logger.error(f"Could not find role: {role.name}")
-                return None
-            raise e
-    return roles
+    try:
+        role = iam.Role(AwsRoleArn.from_string(role_arn).to_role_name())
+        role.load()
+        return role
+    except ClientError as e:
+        logger.log_resource_exception(CloudAnalyticsEventCloudResource.AWS_IAM_ROLE, e)
+        if e.response["Error"]["Code"] == "NoSuchEntity":
+            logger.error(f"Could not find role: {role.name if role else 'unknown'}")
+            return None
+        raise e
 
 
 def verify_aws_iam_roles(  # noqa: PLR0911, PLR0912
-    cloud_resource: CreateCloudResource,
+    control_plane_role: Optional[str],
+    data_plane_role: Optional[str],
     boto3_session: boto3.Session,
     anyscale_aws_account: str,
     logger: CloudSetupLogger,
@@ -307,33 +291,38 @@ def verify_aws_iam_roles(  # noqa: PLR0911, PLR0912
 ) -> bool:
 
     logger.info("Verifying IAM roles ...")
-    if not cloud_resource.aws_iam_role_arns:
+    if not control_plane_role:
+        logger.log_resource_error(
+            CloudAnalyticsEventCloudResource.AWS_IAM_ROLE,
+            CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
+        )
+        logger.error("Missing Anyscale IAM role.")
+        return False
+    if not data_plane_role:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_IAM_ROLE,
             CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
         )
-        logger.error("Missing IAM role arns.")
+        logger.error("Missing Cluster Node IAM role.")
         return False
-    accounts = [
+    accounts = {
         AwsRoleArn.from_string(role).account_id
-        for role in cloud_resource.aws_iam_role_arns
-    ]
-    if len(set(accounts)) != 1:
+        for role in [control_plane_role, data_plane_role]
+    }
+    if len(accounts) != 1:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_IAM_ROLE,
             CloudSetupError.IAM_ROLE_ACCOUNT_MISMATCH,
         )
         logger.error(
-            f"All IAM roles must be in the same AWS account: {cloud_resource.aws_iam_role_arns}"
+            f"All IAM roles must be in the same AWS account: {control_plane_role}, {data_plane_role}"
         )
         return False
 
-    roles = _get_roles_from_cloud_resource(cloud_resource, boto3_session, logger)
-    if roles is None:
-        return False
-
     # verifying control plane role: anyscale iam role
-    anyscale_iam_role = roles[0]
+    anyscale_iam_role = _get_role_from_arn(control_plane_role, boto3_session, logger)
+    if not anyscale_iam_role:
+        return False
     assume_role_policy_document = anyscale_iam_role.assume_role_policy_document
     if not contains_control_plane_role(
         assume_role_policy_document=assume_role_policy_document,
@@ -391,7 +380,9 @@ def verify_aws_iam_roles(  # noqa: PLR0911, PLR0912
             return False
 
     # verifying data plane role: ray autoscaler role
-    cluster_node_role = roles[1]
+    cluster_node_role = _get_role_from_arn(data_plane_role, boto3_session, logger)
+    if not cluster_node_role:
+        return False
     assume_role_policy_document = cluster_node_role.assume_role_policy_document
     if not verify_data_plane_role_assume_role_policy(
         assume_role_policy_document=assume_role_policy_document,
@@ -431,7 +422,9 @@ def verify_aws_iam_roles(  # noqa: PLR0911, PLR0912
         )
         return False
 
-    logger.info(f"IAM roles {cloud_resource.aws_iam_role_arns} verification succeeded.")
+    logger.info(
+        f"IAM roles {control_plane_role}, {data_plane_role} verification succeeded."
+    )
     return True
 
 
@@ -453,13 +446,13 @@ def is_internal_communication_allowed(
 
 
 def verify_aws_security_groups(  # noqa: PLR0912, PLR0911
-    cloud_resource: CreateCloudResource,
+    aws_security_group_ids: Optional[List[str]],
     boto3_session: boto3.Session,
     logger: CloudSetupLogger,
     strict: bool = False,
 ) -> bool:
     logger.info("Verifying security groups ...")
-    if not cloud_resource.aws_security_groups:
+    if not aws_security_group_ids:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_SECURITY_GROUP,
             CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
@@ -469,9 +462,7 @@ def verify_aws_security_groups(  # noqa: PLR0912, PLR0911
 
     ec2 = boto3_session.resource("ec2")
 
-    aws_security_group_ids = cloud_resource.aws_security_groups
     anyscale_security_groups = []
-
     for anyscale_security_group_id in aws_security_group_ids:
         anyscale_security_group = ec2.SecurityGroup(anyscale_security_group_id)
         try:
@@ -558,14 +549,16 @@ def verify_aws_security_groups(  # noqa: PLR0912, PLR0911
 
 
 def verify_aws_s3(  # noqa: PLR0911, PLR0912
-    cloud_resource: CreateCloudResource,
+    aws_s3_id: Optional[str],
+    control_plane_role: Optional[str],
+    data_plane_role: Optional[str],
     boto3_session: boto3.Session,
     region: str,
     logger: CloudSetupLogger,
     strict: bool = False,
 ) -> bool:
     logger.info("Verifying S3 ...")
-    if not cloud_resource.aws_s3_id:
+    if not aws_s3_id:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_S3_BUCKET,
             CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
@@ -574,13 +567,13 @@ def verify_aws_s3(  # noqa: PLR0911, PLR0912
         return False
 
     s3 = boto3_session.resource("s3")
-    bucket_name = cloud_resource.aws_s3_id.split(":")[-1]
+    bucket_name = aws_s3_id.split(":")[-1]
     s3_bucket = s3.Bucket(bucket_name)
 
     # Check for the existence of `creation_date` because this incurs a `list_bucket` call.
     # Calling `.load()` WILL NOT ERROR in cases where the caller does not have access to the bucket.
     if s3_bucket.creation_date is None:
-        log_resource_not_found_error("S3 bucket", cloud_resource.aws_s3_id, logger)
+        log_resource_not_found_error("S3 bucket", aws_s3_id, logger)
         return False
 
     has_correct_cors_rule = False
@@ -653,24 +646,25 @@ def verify_aws_s3(  # noqa: PLR0911, PLR0912
         if strict:
             return False
 
-    roles = _get_roles_from_cloud_resource(cloud_resource, boto3_session, logger)
-    if roles is None:
+    if not control_plane_role or not data_plane_role:
         return False
 
-    if not verify_s3_access(boto3_session, s3_bucket, roles[0], logger):
+    role = _get_role_from_arn(control_plane_role, boto3_session, logger)
+    if not verify_s3_access(boto3_session, s3_bucket, role, logger):
         logger.warning(
-            f"S3 Bucket {bucket_name} does not appear to have correct permissions for the Anyscale Control Plane role {roles[0].name}"
+            f"S3 Bucket {bucket_name} does not appear to have correct permissions for the Anyscale Control Plane role {role.name}"
         )
         if strict:
             return False
 
-    if not verify_s3_access(boto3_session, s3_bucket, roles[1], logger):
+    role = _get_role_from_arn(data_plane_role, boto3_session, logger)
+    if not verify_s3_access(boto3_session, s3_bucket, role, logger):
         logger.warning(
-            f"S3 Bucket {bucket_name} does not appear to have correct permissions for the Data Plane role {roles[1].name}"
+            f"S3 Bucket {bucket_name} does not appear to have correct permissions for the Data Plane role {role.name}"
         )
         if strict:
             return False
-    logger.info(f"S3 {cloud_resource.aws_s3_id} verification succeeded.")
+    logger.info(f"S3 {aws_s3_id} verification succeeded.")
     return True
 
 
@@ -694,81 +688,69 @@ def _get_network_interfaces_from_mount_targets(
 
 
 def verify_aws_efs(  # noqa: PLR0911, PLR0912, C901
-    cloud_resource: CreateCloudResource,
+    aws_efs_id: Optional[str],
+    aws_efs_mount_target_ips: Optional[List[str]],
+    aws_subnet_ids: List[str],
+    aws_security_groups: Optional[List[str]],
     boto3_session: boto3.Session,
     logger: CloudSetupLogger,
     strict: bool = False,
 ) -> bool:
     logger.info("Verifying EFS ...")
-    if not cloud_resource.aws_efs_id:
+    if not aws_efs_id:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_EFS,
             CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
         )
         logger.error("Missing EFS ID.")
         return False
-    subnet_ids = []
-    if (
-        cloud_resource.aws_subnet_ids_with_availability_zones
-        and len(cloud_resource.aws_subnet_ids_with_availability_zones) > 0
-    ):
-        subnet_ids = [
-            subnet_id_with_az.subnet_id
-            for subnet_id_with_az in cloud_resource.aws_subnet_ids_with_availability_zones
-        ]
-    else:
+    if not aws_subnet_ids:
         logger.error("Missing subnet IDs.")
         return False
-    if not cloud_resource.aws_security_groups:
+    if not aws_security_groups:
         logger.error("Missing security group IDs.")
         return False
 
     client = boto3_session.client("efs")
     try:
-        file_systems_response = client.describe_file_systems(
-            FileSystemId=cloud_resource.aws_efs_id
-        )
+        file_systems_response = client.describe_file_systems(FileSystemId=aws_efs_id)
     except ClientError as e:
         if e.response["Error"]["Code"] == "FileSystemNotFound":
-            log_resource_not_found_error("EFS", cloud_resource.aws_efs_id, logger)
+            log_resource_not_found_error("EFS", aws_efs_id, logger)
             return False
         else:
             logger.log_resource_exception(CloudAnalyticsEventCloudResource.AWS_EFS, e)
         raise e
 
     if len(file_systems_response.get("FileSystems", [])) == 0:
-        log_resource_not_found_error("EFS", cloud_resource.aws_efs_id, logger)
+        log_resource_not_found_error("EFS", aws_efs_id, logger)
         return False
 
     # verify that there is a mount target for each subnet and security group
-    mount_targets_response = client.describe_mount_targets(
-        FileSystemId=cloud_resource.aws_efs_id
-    )
+    mount_targets_response = client.describe_mount_targets(FileSystemId=aws_efs_id)
     mount_targets = mount_targets_response.get("MountTargets")
     if not mount_targets:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_EFS,
             CloudSetupError.MOUNT_TARGET_NOT_FOUND,
         )
-        logger.error(
-            f"EFS with id {cloud_resource.aws_efs_id} does not contain mount targets."
-        )
+        logger.error(f"EFS with id {aws_efs_id} does not contain mount targets.")
         return False
 
     # verify the mount target ID stored in our database is still valid
     mount_target_ips = [mount_target["IpAddress"] for mount_target in mount_targets]
-    if cloud_resource.aws_efs_mount_target_ip and (
-        cloud_resource.aws_efs_mount_target_ip not in mount_target_ips
+    if aws_efs_mount_target_ips and any(
+        ip not in mount_target_ips for ip in aws_efs_mount_target_ips
     ):
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_EFS,
             CloudSetupError.INVALID_MOUNT_TARGET,
         )
         logger.error(
-            f"Mount target registered with the cloud no longer exists. EFS ID: {cloud_resource.aws_efs_id} IP address: {cloud_resource.aws_efs_mount_target_ip}. Please make sure you have the correct AWS credentials set. If the EFS mount target has been deleted, please recreate the cloud or contact Anyscale for support."
+            f"Mount target registered with the cloud no longer exists. EFS ID: {aws_efs_id} IP address: {aws_efs_mount_target_ips}. Please make sure you have the correct AWS credentials set. If the EFS mount target has been deleted, please recreate the cloud or contact Anyscale for support."
         )
         logger.error(
-            f"Valid mount target IPs for EFS ID {cloud_resource.aws_efs_id} are {mount_target_ips}. "
+            f"Valid mount target IPs for EFS ID {aws_efs_id} are {mount_target_ips}. "
             "If this happens during cloud edit, ensure that: "
             "1) If only editing aws_efs_mount_target_ip, it belongs to the existing EFS ID. "
             "2) If editing both efs_id and efs_mount_target_ip, the new IP is a valid target for the new efs_id."
@@ -779,7 +761,7 @@ def verify_aws_efs(  # noqa: PLR0911, PLR0912, C901
         mount_targets_response, boto3_session, logger
     )
 
-    expected_security_group_id = cloud_resource.aws_security_groups[0]
+    expected_security_group_id = aws_security_groups[0]
 
     # Condition 1: No matching network interface in EFS mount targets for a subnet.
     # - 1.1: EFS has mount targets in other subnets.
@@ -792,7 +774,7 @@ def verify_aws_efs(  # noqa: PLR0911, PLR0912, C901
     # - 2.2: Network interface lacks a registered security group but has another security group.
     #   If configured correctly, subnet can still communicate with EFS. (warning)
     # --------------------------------------------------------------------------------------------------------------
-    for subnet_id in subnet_ids:
+    for subnet_id in aws_subnet_ids:
         contains_subnet_id = False
         contains_registered_security_group = False
         for network_interface in network_interfaces:
@@ -809,45 +791,39 @@ def verify_aws_efs(  # noqa: PLR0911, PLR0912, C901
         if not contains_subnet_id:
             # condition 1.1.
             logger.warning(
-                f"EFS with id {cloud_resource.aws_efs_id} does not contain a mount target with the subnet {subnet_id}, which might introduce cross AZ networking cost."
+                f"EFS with id {aws_efs_id} does not contain a mount target with the subnet {subnet_id}, which might introduce cross AZ networking cost."
             )
             if strict:
                 return False
         elif not contains_registered_security_group:
             # condition 2.2.
             logger.warning(
-                f"EFS with id {cloud_resource.aws_efs_id} does not contain a mount target with the subnet {subnet_id} and security group id {cloud_resource.aws_security_groups[0]}. This misconfiguration might pose security risks and incur connection issues, preventing the EFS from working as expected."
+                f"EFS with id {aws_efs_id} does not contain a mount target with the subnet {subnet_id} and security group id {aws_security_groups[0]}. This misconfiguration might pose security risks and incur connection issues, preventing the EFS from working as expected."
             )
             if strict:
                 return False
     try:
-        backup_policy_response = client.describe_backup_policy(
-            FileSystemId=cloud_resource.aws_efs_id
-        )
+        backup_policy_response = client.describe_backup_policy(FileSystemId=aws_efs_id)
         backup_policy_status = backup_policy_response.get("BackupPolicy", {}).get(
             "Status", ""
         )
         if backup_policy_status != "ENABLED":
-            logger.warning(
-                f"EFS {cloud_resource.aws_efs_id} backup policy is not enabled."
-            )
+            logger.warning(f"EFS {aws_efs_id} backup policy is not enabled.")
             if strict:
                 return False
     except ClientError as e:
         if e.response["Error"]["Code"] == "PolicyNotFound":
-            logger.warning(f"EFS {cloud_resource.aws_efs_id} backup policy not found.")
+            logger.warning(f"EFS {aws_efs_id} backup policy not found.")
             if strict:
                 return False
         else:
             raise e
 
     # Verify efs policy
-    if not _verify_aws_efs_policy(
-        boto3_session, cloud_resource.aws_efs_id, logger, strict
-    ):
+    if not _verify_aws_efs_policy(boto3_session, aws_efs_id, logger, strict):
         return False
 
-    logger.info(f"EFS {cloud_resource.aws_efs_id} verification succeeded.")
+    logger.info(f"EFS {aws_efs_id} verification succeeded.")
     return True
 
 
@@ -892,13 +868,13 @@ def _verify_aws_efs_policy(
 
 
 def verify_aws_cloudformation_stack(
-    cloud_resource: CreateCloudResource,
+    aws_cloudformation_stack_id: Optional[str],
     boto3_session: boto3.Session,
     logger: CloudSetupLogger,
     strict: bool = False,  # strict is currently unused # noqa: ARG001
 ) -> bool:
     logger.info("Verifying CloudFormation stack ...")
-    if not cloud_resource.aws_cloudformation_stack_id:
+    if not aws_cloudformation_stack_id:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_CLOUDFORMATION,
             CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
@@ -907,15 +883,13 @@ def verify_aws_cloudformation_stack(
         return False
 
     cloudformation = boto3_session.resource("cloudformation")
-    stack = cloudformation.Stack(cloud_resource.aws_cloudformation_stack_id)
+    stack = cloudformation.Stack(aws_cloudformation_stack_id)
     try:
         stack.load()
     except ClientError as e:
         if e.response["Error"]["Code"] == "ValidationError":
             log_resource_not_found_error(
-                "CloudFormation stack",
-                cloud_resource.aws_cloudformation_stack_id,
-                logger,
+                "CloudFormation stack", aws_cloudformation_stack_id, logger,
             )
             return False
         else:
@@ -925,20 +899,23 @@ def verify_aws_cloudformation_stack(
         raise e
 
     logger.info(
-        f"CloudFormation stack {cloud_resource.aws_cloudformation_stack_id} verification succeeded."
+        f"CloudFormation stack {aws_cloudformation_stack_id} verification succeeded."
     )
     return True
 
 
 def verify_aws_memorydb_cluster(  # noqa: PLR0911, PLR0912
-    cloud_resource: CreateCloudResource,
+    memorydb_cluster_config: Optional[AWSMemoryDBClusterConfig],
+    aws_security_groups: List[str],
+    aws_vpc_id: str,
+    aws_subnet_ids: List[str],
     boto3_session: boto3.Session,
     logger: CloudSetupLogger,
     strict: bool = False,  # strict is currently unused # noqa: ARG001
 ) -> bool:
     """Verify that the MemoryDB cluster exists and is in the available state."""
     logger.info("Verifying MemoryDB ...")
-    if not cloud_resource.memorydb_cluster_config:
+    if not memorydb_cluster_config:
         logger.log_resource_error(
             CloudAnalyticsEventCloudResource.AWS_MEMORYDB,
             CloudSetupError.MISSING_CLOUD_RESOURCE_ID,
@@ -949,12 +926,12 @@ def verify_aws_memorydb_cluster(  # noqa: PLR0911, PLR0912
     client = boto3_session.client("memorydb")
     try:
         response = client.describe_clusters(
-            ClusterName=cloud_resource.memorydb_cluster_config.id.split("/")[-1],
+            ClusterName=memorydb_cluster_config.id.split("/")[-1],
             ShowShardDetails=True,
         )
         if not response.get("Clusters"):
             log_resource_not_found_error(
-                "MemoryDB cluster", cloud_resource.memorydb_cluster_config.id, logger
+                "MemoryDB cluster", memorydb_cluster_config.id, logger
             )
             return False
 
@@ -962,9 +939,9 @@ def verify_aws_memorydb_cluster(  # noqa: PLR0911, PLR0912
         security_group_id = response["Clusters"][0].get(
             "SecurityGroups", [{"SecurityGroupId": "NOT_SPECIFIED"}]
         )[0]["SecurityGroupId"]
-        if security_group_id != cloud_resource.aws_security_groups[0]:
+        if security_group_id != aws_security_groups[0]:
             logger.warning(
-                f"MemoryDB cluster {cloud_resource.memorydb_cluster_config.id} has security group {security_group_id} that is not the same as the cloud's security group {cloud_resource.aws_security_groups[0]}."
+                f"MemoryDB cluster {memorydb_cluster_config.id} has security group {security_group_id} that is not the same as the cloud's security group {aws_security_groups[0]}."
             )
             if strict:
                 return False
@@ -973,25 +950,18 @@ def verify_aws_memorydb_cluster(  # noqa: PLR0911, PLR0912
         subnet_group_response = client.describe_subnet_groups(
             SubnetGroupName=response["Clusters"][0]["SubnetGroupName"]
         )
-        if (
-            subnet_group_response["SubnetGroups"][0]["VpcId"]
-            != cloud_resource.aws_vpc_id
-        ):
+        if subnet_group_response["SubnetGroups"][0]["VpcId"] != aws_vpc_id:
             logger.warning(
-                f"MemoryDB cluster {cloud_resource.memorydb_cluster_config.id} is not in the same VPC as the cloud."
+                f"MemoryDB cluster {memorydb_cluster_config.id} is not in the same VPC as the cloud."
             )
             if strict:
                 return False
 
         # verify that the subnet group has the subset of subnets that the cloud has
-        subnet_ids = [
-            subnet.subnet_id
-            for subnet in cloud_resource.aws_subnet_ids_with_availability_zones
-        ]
         for subnet in subnet_group_response["SubnetGroups"][0]["Subnets"]:
-            if subnet["Identifier"] not in subnet_ids:
+            if subnet["Identifier"] not in aws_subnet_ids:
                 logger.warning(
-                    f"MemoryDB cluster {cloud_resource.memorydb_cluster_config.id} has subnet {subnet['Identifier']} that is not one of the subnets in the cloud."
+                    f"MemoryDB cluster {memorydb_cluster_config.id} has subnet {subnet['Identifier']} that is not one of the subnets in the cloud."
                 )
                 if strict:
                     return False
@@ -1003,7 +973,7 @@ def verify_aws_memorydb_cluster(  # noqa: PLR0911, PLR0912
         for param in parameter_response["Parameters"]:
             if param["Name"] == "maxmemory-policy" and param["Value"] != "allkeys-lru":
                 logger.warning(
-                    f"MemoryDB cluster {cloud_resource.memorydb_cluster_config.id} should have parameter group with maxmemory-policy set to allkeys-lru instead of {param['Value']}."
+                    f"MemoryDB cluster {memorydb_cluster_config.id} should have parameter group with maxmemory-policy set to allkeys-lru instead of {param['Value']}."
                 )
                 if strict:
                     return False
@@ -1011,7 +981,7 @@ def verify_aws_memorydb_cluster(  # noqa: PLR0911, PLR0912
         # verify TLS is enabled
         if not response["Clusters"][0]["TLSEnabled"]:
             logger.error(
-                f"MemoryDB cluster {cloud_resource.memorydb_cluster_config.id} has TLS disabled. Please create a memorydb cluster with TLS enabled."
+                f"MemoryDB cluster {memorydb_cluster_config.id} has TLS disabled. Please create a memorydb cluster with TLS enabled."
             )
             return False
 
@@ -1019,14 +989,14 @@ def verify_aws_memorydb_cluster(  # noqa: PLR0911, PLR0912
         for shard in response["Clusters"][0]["Shards"]:
             if len(shard["Nodes"]) < 2:
                 logger.error(
-                    f"MemoryDB cluster {cloud_resource.memorydb_cluster_config.id} has shard {shard['Name']} with less than 2 nodes. This is not enough for high availability. Please make sure each shard has at least 2 nodes."
+                    f"MemoryDB cluster {memorydb_cluster_config.id} has shard {shard['Name']} with less than 2 nodes. This is not enough for high availability. Please make sure each shard has at least 2 nodes."
                 )
                 return False
 
     except ClientError as e:
         logger.log_resource_exception(CloudAnalyticsEventCloudResource.AWS_MEMORYDB, e)
         raise ClickException(
-            f"Failed to verify MemoryDB cluster {cloud_resource.memorydb_cluster_config.id}.\nError: {e}"
+            f"Failed to verify MemoryDB cluster {memorydb_cluster_config.id}.\nError: {e}"
         )
 
     return True