[aws-eks] Expose Security Group created by EKS cluster #8236

Closed
1 of 2 tasks
Tracked by #6491
eduardomourar opened this issue May 27, 2020 · 0 comments · Fixed by #8317

As described by EKS security groups considerations documentation, the cluster automatically creates a security group where every node is assigned. Based on documentation here, it is being exposed by CloudFormation as a resource attribute.

Unfortunately, CDK does not expose the ClusterSecurityGroupId either with custom resource (when kubectl enabled) or with native CloudFormation resource.

Use Case

This feature is needed if you need to explicitly allow traffic to/from another security group.

Proposed Solution

I have not been able to find a workaround whenever running the custom resource that creates the EKS cluster. But I will work on a PR that will have the EKS Cluster construct expose ClusterSecurityGroupId and EncryptionConfigKeyArn attributes for both custom resource and CloudFormation option.

Environment

  • CLI Version : 1.38.0
  • Framework Version: 1.38.0
  • OS : MacOS
  • Language : TypeScript
  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@eduardomourar eduardomourar added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 27, 2020
@eduardomourar eduardomourar changed the title Expose Security Group created during EKS cluster creation Expose Security Group created by EKS cluster May 27, 2020
@SomayaB SomayaB added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label May 27, 2020
@eladb eladb added the effort/small Small work item – less than a day of effort label Jun 1, 2020
@ccfife ccfife mentioned this issue Jun 1, 2020
19 tasks
@SomayaB SomayaB added in-progress This issue is being actively worked on. and removed needs-triage This issue or PR still needs to be triaged. labels Jun 2, 2020
@mergify mergify bot closed this as completed in #8317 Jun 10, 2020
mergify bot pushed a commit that referenced this issue Jun 10, 2020
…#8317)

This PR will have the EKS Cluster construct expose [**ClusterSecurityGroupId**](https://docs.aws.amazon.com/eks/latest/APIReference/API_VpcConfigResponse.html#AmazonEKS-Type-VpcConfigResponse-clusterSecurityGroupId) (ID of Security group that was created by Amazon EKS for the cluster) and [**EncryptionConfigKeyArn**](https://docs.aws.amazon.com/eks/latest/APIReference/API_Provider.html#AmazonEKS-Type-Provider-keyArn) (ARN of the customer master key used in the encryption configuration for the cluster) attributes for both custom resource and native CloudFormation option.

This also fixes #8276 in the following way: if a custom resource returns an attribute with an "undefined" value, CFN will fail with a "vendor response doesn't contain key" error. To avoid this, we return empty strings in case an attribute is undefined. This is also true for when adding new attributes, in which case updating to the new version will fail on previously deployed clusters with the same error. To mitigate this (and fix #8276 along the way), we add a fake property called "AttributesRevision" with a number that needs to be manually incremented every time new attributes are introduced. This will cause old clusters to be updated and the new attributes returned.

Closes #8236 



----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@iliapolo iliapolo changed the title Expose Security Group created by EKS cluster [aws-eks] Expose Security Group created by EKS cluster Aug 16, 2020
@iliapolo iliapolo removed the in-progress This issue is being actively worked on. label Aug 16, 2020
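
The two mechanisms described in the commit message above (empty strings for undefined attributes, and the "AttributesRevision" bump) can be seen in a small model. This is an added example, not code from the aws-cdk repository: the function names, the `ClusterInfo` shape, the sample values and the simplified `getAtt`/`needsUpdate` model of CloudFormation behaviour are all assumptions made for illustration.

```typescript
// Simplified model (assumption): Fn::GetAtt on a custom resource reads keys from
// the handler's response Data, and the handler is re-invoked only when the
// resource's properties change.
type Attrs = Record<string, string>;
type Props = Record<string, string | number>;

// Hypothetical shape of the cluster fields a handler reads; a cluster without
// an encryption config has no key ARN.
interface ClusterInfo {
  name: string;
  clusterSecurityGroupId?: string;
  encryptionConfigKeyArn?: string;
}

// "Before": undefined values disappear when the response is serialized to JSON,
// so the key is missing from Data.
function buildDataBefore(c: ClusterInfo): Attrs {
  return JSON.parse(JSON.stringify({
    Name: c.name,
    ClusterSecurityGroupId: c.clusterSecurityGroupId,
    EncryptionConfigKeyArn: c.encryptionConfigKeyArn,
  }));
}

// "After": every attribute key is always present; undefined becomes ''.
function buildDataAfter(c: ClusterInfo): Attrs {
  return {
    Name: c.name,
    ClusterSecurityGroupId: c.clusterSecurityGroupId ?? '',
    EncryptionConfigKeyArn: c.encryptionConfigKeyArn ?? '',
  };
}

// Model of attribute resolution; the error text follows the one quoted above.
function getAtt(data: Attrs, key: string): string {
  const value = data[key];
  if (value === undefined) {
    throw new Error(`vendor response doesn't contain key: ${key}`);
  }
  return value;
}

// Model of the update decision: a changed property (such as a bumped
// AttributesRevision) is what makes previously deployed clusters return new attributes.
function needsUpdate(oldProps: Props, newProps: Props): boolean {
  return JSON.stringify(oldProps) !== JSON.stringify(newProps);
}
```

Resolving `EncryptionConfigKeyArn` against `buildDataBefore` for a cluster without encryption throws, while `buildDataAfter` yields an empty string; `needsUpdate` returns true only when a property such as `AttributesRevision` differs.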