Merge branch 'master' into lambda-provided-execution-role-policy

.github/ISSUE_TEMPLATE.md

@@ -25,6 +25,7 @@ falling prey to the [X/Y problem][2]!
 
   - **CDK CLI Version:** <!-- Output of `cdk version` -->
   - **Module Version:** <!-- Version of the module in question -->
+  - **Node.js Version:** <!-- Version of Node.js (run the command `node -v`) -->
   - **OS:** <!-- [all | Windows 10 | OSX Mojave | Ubuntu | etc... ] -->
   - **Language:** <!-- [all | TypeScript | Java | Python ] etc... ] -->
 

CHANGELOG.md

@@ -2,6 +2,24 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.41.0](https://github.com/aws/aws-cdk/compare/v1.40.0...v1.41.0) (2020-05-21)
+
+
+### Features
+
+* **cloudtrail:** create cloudwatch event without needing to create a Trail ([#8076](https://github.com/aws/aws-cdk/issues/8076)) ([0567a23](https://github.com/aws/aws-cdk/commit/0567a2360ac713e3171c9a82767611174dadb6c6)), closes [#6716](https://github.com/aws/aws-cdk/issues/6716)
+* **cognito:** user pool - case sensitivity for sign in ([460394f](https://github.com/aws/aws-cdk/commit/460394f3dc4737cee80504d6c8ef106ecc3b67d5)), closes [#7988](https://github.com/aws/aws-cdk/issues/7988) [#7235](https://github.com/aws/aws-cdk/issues/7235)
+* **core:** CfnJson enables intrinsics in hash keys ([#8099](https://github.com/aws/aws-cdk/issues/8099)) ([195cd40](https://github.com/aws/aws-cdk/commit/195cd405d9f0869875de2ec78661aee3af2c7c7d)), closes [#8084](https://github.com/aws/aws-cdk/issues/8084)
+* **secretsmanager:** adds grantWrite to Secret ([#7858](https://github.com/aws/aws-cdk/issues/7858)) ([3fed84b](https://github.com/aws/aws-cdk/commit/3fed84ba9eec3f53c662966e366aa629209b7bf5))
+* **sns:** add support for subscription DLQ in SNS ([383cdb8](https://github.com/aws/aws-cdk/commit/383cdb86effeafdf5d0767ed379b16b3d78a933b))
+* **stepfunctions:** new service integration classes for Lambda, SNS, and SQS ([#7946](https://github.com/aws/aws-cdk/issues/7946)) ([c038848](https://github.com/aws/aws-cdk/commit/c0388483524832ca7863de4ee9c472b8ab39de8e)), closes [#6715](https://github.com/aws/aws-cdk/issues/6715) [#6489](https://github.com/aws/aws-cdk/issues/6489)
+
+
+### Bug Fixes
+
+* **apigateway:** contextAccountId in AccessLogField incorrectly resolves to requestId ([7b89e80](https://github.com/aws/aws-cdk/commit/7b89e805c716fa73d41cc97fcb728634e7a59136)), closes [#7952](https://github.com/aws/aws-cdk/issues/7952) [#7951](https://github.com/aws/aws-cdk/issues/7951)
+* **autoscaling:** add noDevice as a volume type ([#7253](https://github.com/aws/aws-cdk/issues/7253)) ([751958b](https://github.com/aws/aws-cdk/commit/751958b69225fdfc52622781c618f5a77f881fb6)), closes [#7242](https://github.com/aws/aws-cdk/issues/7242)
+
 ## [1.40.0](https://github.com/aws/aws-cdk/compare/v1.39.0...v1.40.0) (2020-05-20)
 
 

lerna.json

@@ -10,5 +10,5 @@
     "tools/*"
   ],
   "rejectCycles": "true",
-  "version": "1.40.0"
+  "version": "1.41.0"
 }

packages/@aws-cdk/aws-eks/README.md

@@ -548,8 +548,6 @@ cluster.addResource('mypod', {
 });
 ```
 
-> Warning: Currently there are no condition set on the IAM Role which results that there are no restrictions on other pods to assume the role. This will be improved in the near future. 
-
 ### Roadmap
 
 - [ ] AutoScaling (combine EC2 and Kubernetes scaling)

packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts

@@ -199,6 +199,7 @@ export class ClusterResourceHandler extends ResourceHandler {
           Arn: cluster.arn,
           CertificateAuthorityData: cluster.certificateAuthority?.data,
           OpenIdConnectIssuerUrl: cluster.identity?.oidc?.issuer,
+          OpenIdConnectIssuer: cluster.identity?.oidc?.issuer?.substring(8), // Strips off https:// from the issuer url
         },
       };
     }

packages/@aws-cdk/aws-eks/lib/cluster-resource.ts

@@ -19,6 +19,7 @@ export class ClusterResource extends Construct {
   public readonly attrArn: string;
   public readonly attrCertificateAuthorityData: string;
   public readonly attrOpenIdConnectIssuerUrl: string;
+  public readonly attrOpenIdConnectIssuer: string;
   public readonly ref: string;
 
   /**
@@ -126,6 +127,7 @@ export class ClusterResource extends Construct {
     this.attrArn = Token.asString(resource.getAtt('Arn'));
     this.attrCertificateAuthorityData = Token.asString(resource.getAtt('CertificateAuthorityData'));
     this.attrOpenIdConnectIssuerUrl = Token.asString(resource.getAtt('OpenIdConnectIssuerUrl'));
+    this.attrOpenIdConnectIssuer = Token.asString(resource.getAtt('OpenIdConnectIssuer'));
   }
 
   /**

packages/@aws-cdk/aws-eks/lib/cluster.ts

@@ -510,8 +510,6 @@ export class Cluster extends Resource implements ICluster {
    * @param options options for creating a new nodegroup
    */
   public addNodegroup(id: string, options?: NodegroupOptions): Nodegroup {
-    // initialize the awsAuth for this cluster
-    this._awsAuth = this._awsAuth ?? this.awsAuth;
     return new Nodegroup(this, `Nodegroup${id}`, {
       cluster: this,
       ...options,
@@ -635,6 +633,21 @@ export class Cluster extends Resource implements ICluster {
     return this._clusterResource.attrOpenIdConnectIssuerUrl;
   }
 
+  /**
+   * If this cluster is kubectl-enabled, returns the OpenID Connect issuer.
+   * This is because the values is only be retrieved by the API and not exposed
+   * by CloudFormation. If this cluster is not kubectl-enabled (i.e. uses the
+   * stock `CfnCluster`), this is `undefined`.
+   * @attribute
+   */
+  public get clusterOpenIdConnectIssuer(): string {
+    if (!this._clusterResource) {
+      throw new Error('unable to obtain OpenID Connect issuer. Cluster must be kubectl-enabled');
+    }
+
+    return this._clusterResource.attrOpenIdConnectIssuer;
+  }
+
   /**
    * An `OpenIdConnectProvider` resource associated with this cluster, and which can be used
    * to link this cluster to AWS IAM.
@@ -708,7 +721,7 @@ export class Cluster extends Resource implements ICluster {
    * @param id the id of this service account
    * @param options service account options
    */
-  public addServiceAccount(id: string, options: ServiceAccountOptions) {
+  public addServiceAccount(id: string, options: ServiceAccountOptions = { }) {
     return new ServiceAccount(this, id, {
       ...options,
       cluster: this,

packages/@aws-cdk/aws-eks/lib/service-account.ts

@@ -1,5 +1,5 @@
 import { AddToPrincipalPolicyResult, IPrincipal, IRole, OpenIdConnectPrincipal, PolicyStatement, PrincipalPolicyFragment, Role  } from '@aws-cdk/aws-iam';
-import { Construct } from '@aws-cdk/core';
+import { CfnJson, Construct  } from '@aws-cdk/core';
 import { Cluster } from './cluster';
 
 /**
@@ -34,7 +34,6 @@ export interface ServiceAccountProps extends ServiceAccountOptions {
  * Service Account
  */
 export class ServiceAccount extends Construct implements IPrincipal {
-
   /**
    * The role which is linked to the service account.
    */
@@ -61,9 +60,19 @@ export class ServiceAccount extends Construct implements IPrincipal {
     this.serviceAccountName = props.name ?? this.node.uniqueId.toLowerCase();
     this.serviceAccountNamespace = props.namespace ?? 'default';
 
-    this.role = new Role(this, 'Role', {
-      assumedBy: new OpenIdConnectPrincipal(cluster.openIdConnectProvider),
+    /* Add conditions to the role to improve security. This prevents other pods in the same namespace to assume the role.
+    * See documentation: https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html
+    */
+    const conditions = new CfnJson(this, 'ConditionJson', {
+      value: {
+        [`${cluster.clusterOpenIdConnectIssuer}:aud`]: 'sts.amazonaws.com',
+        [`${cluster.clusterOpenIdConnectIssuer}:sub`]: `system:serviceaccount:${this.serviceAccountNamespace}:${this.serviceAccountName}`,
+      },
+    });
+    const principal = new OpenIdConnectPrincipal(cluster.openIdConnectProvider).withConditions({
+      StringEquals: conditions,
     });
+    this.role = new Role(this, 'Role', { assumedBy: principal });
 
     this.assumeRoleAction = this.role.assumeRoleAction;
     this.grantPrincipal = this.role.grantPrincipal;