[aws-eks] Construct Library custom resources can't be used within vpc #9509

Closed
oleksii-boiko-ua opened this issue Aug 7, 2020 · 5 comments · Fixed by #10200
Labels: @aws-cdk/aws-eks (Related to Amazon Elastic Kubernetes Service), effort/medium (Medium work item – several days of effort), feature-request (A feature should be added or improved.), p1

Comments

@oleksii-boiko-ua

When we use the construct library, it creates Lambda functions which are not inside a VPC. I would like to have the ability to define this.

Use Case

We have a strict policy in our company to have all Lambda functions attached to the VPC.

Proposed Solution

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@oleksii-boiko-ua oleksii-boiko-ua added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 7, 2020
@SomayaB SomayaB changed the title [Amazon EKS Construct Library] can't be used within vpc [EKS] can't be used within vpc Aug 8, 2020
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Aug 8, 2020
oleksii-boiko-ua commented Aug 8, 2020

Sorry, maybe I was not precise. Not sure why the topic was changed, as it relates not only to EKS but to all custom resources of AWS CDK. For example, I want to create an EKS cluster with kubectl_enabled=True; code:

    from aws_cdk import aws_ec2, aws_eks

    # Control plane (vpc, subnets, security group, role, version and
    # environment are defined elsewhere in the stack)
    self.cluster = aws_eks.Cluster(
        scope=self,
        id='cluster',
        cluster_name="cluster-" + environment,
        kubectl_enabled=True,
        default_capacity=0,
        vpc=vpc,
        vpc_subnets=[aws_ec2.SubnetSelection(subnets=[subnet_a_eks, subnet_b_eks, subnet_c_eks])],
        version=cluster_version,
        security_group=eks_control_plane_sg,
        role=eks_control_plane_role,
    )

AWS CDK is going to create custom resources (Lambda functions) to interact with the cluster, but these Lambda functions are not going to be inside the VPC, and we can't use it. We need a way to redefine these functions. The main problem is that most enterprise companies will face the same problem eventually, as most of them use Lambda functions only within a VPC. It would also be nice to be able to define a proxy for the Lambda functions, as AWS doesn't have VPC endpoints for all APIs.

oleksii-boiko-ua commented Aug 8, 2020

I also created a ticket with AWS Premium Support (Case ID 7252363561). This issue blocks us from using AWS CDK for our huge infrastructure.

@oleksii-boiko-ua

Also, by not allowing us to set kubectl_enabled=False (we don't want to rely on the deprecated code you proposed), we lose the ability even to test without all the nice features that the construct provides.

@oleksii-boiko-ua oleksii-boiko-ua changed the title [EKS] can't be used within vpc [EKS] Construct Library] can't be used within vpc Aug 8, 2020
@oleksii-boiko-ua oleksii-boiko-ua changed the title [EKS] Construct Library] can't be used within vpc [EKS] Construct Library can't be used within vpc Aug 8, 2020
@oleksii-boiko-ua oleksii-boiko-ua changed the title [EKS] Construct Library can't be used within vpc [EKS] Construct Library custom resources can't be used within vpc Aug 8, 2020
@eladb eladb assigned iliapolo and unassigned eladb Aug 10, 2020
@iliapolo iliapolo added effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 16, 2020
@iliapolo iliapolo changed the title [EKS] Construct Library custom resources can't be used within vpc [aws-eks] Construct Library custom resources can't be used within vpc Aug 16, 2020
@iliapolo iliapolo added this to the EKS Dev Preview milestone Aug 18, 2020
@iliapolo iliapolo added the in-progress This issue is being actively worked on. label Sep 5, 2020
@iliapolo iliapolo removed the in-progress This issue is being actively worked on. label Sep 13, 2020
@iliapolo iliapolo removed this from the EKS Dev Preview milestone Sep 15, 2020
@iliapolo (Contributor)

This PR has a PoC implementation for this ability; we made sure supporting it can work without requiring cluster replacement.

Therefore it is no longer scheduled for the upcoming milestone, but will be considered for the next one.

@iliapolo iliapolo added this to the [GA] @aws-cdk/aws-eks milestone Oct 4, 2020
@mergify mergify bot closed this as completed in #10200 Dec 21, 2020
mergify bot pushed a commit that referenced this issue Dec 21, 2020
Allow all our lambda handlers to be provisioned inside the cluster VPC.

The `KubectlProvider` handlers were already placed inside the VPC if they could have been; what was missing was to include the `ClusterHandler`. This is now possible via the `placeClusterHandlerInVpc` (names are welcome) property.

Default value remains `false` because if the VPC happens to be isolated (i.e. no outbound internet access) this would break the deployment. (See #12171)

Closes #9509 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
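The policy stated earlier in this thread ("all Lambda functions attached to the VPC") can be enforced on the output of `cdk synth` rather than trusted to construct defaults. The following is an added example, not code from aws-cdk or from anyone in this thread: it lints a CloudFormation template for `AWS::Lambda::Function` resources that lack a usable `VpcConfig`, which is exactly how a handler left outside the VPC shows up in the synthesized template. The sample template is constructed by hand and its logical IDs are invented; real synth output uses different names, and the kubectl provider lives in a nested stack, so every `*.template.json` in `cdk.out` should be checked, not only the top-level one. Note the caveat from the commit message above: this check confirms a function is attached to subnets, but it cannot tell whether those subnets are isolated, and per the commit an isolated VPC still breaks the deployment.

```python
"""Lint a synthesized CloudFormation template for Lambda functions that are not
attached to a VPC (the "all Lambda functions inside the VPC" policy from this
issue). Added example, not part of aws-cdk; the template below is constructed
and its logical IDs are invented."""
import json
from typing import Dict, List

LAMBDA_TYPE = "AWS::Lambda::Function"

# Constructed sample: one handler with no VpcConfig (the situation reported in
# the issue), one properly attached, one "attached" with an empty subnet list,
# and one non-Lambda resource that must be ignored.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "ClusterHandlerExample": {
            "Type": LAMBDA_TYPE,
            "Properties": {"Handler": "index.handler", "Runtime": "nodejs12.x"},
        },
        "KubectlHandlerExample": {
            "Type": LAMBDA_TYPE,
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "python3.7",
                "VpcConfig": {
                    "SubnetIds": ["subnet-0example1", "subnet-0example2"],
                    "SecurityGroupIds": ["sg-0example"],
                },
            },
        },
        "EmptyVpcConfigExample": {
            "Type": LAMBDA_TYPE,
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "python3.7",
                "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": ["sg-0example"]},
            },
        },
        "UnrelatedBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})


def lambda_functions(template: Dict) -> Dict[str, Dict]:
    """Return {logical_id: properties} for every Lambda function in the template."""
    resources = template.get("Resources", {})
    return {
        logical_id: res.get("Properties", {})
        for logical_id, res in resources.items()
        if res.get("Type") == LAMBDA_TYPE
    }


def is_vpc_attached(props: Dict) -> bool:
    """A function counts as VPC-attached only if VpcConfig names at least one
    subnet and one security group; a missing or empty VpcConfig is a violation.
    CDK usually emits subnet IDs as Ref/Fn:: objects, which still count."""
    vpc = props.get("VpcConfig")
    if not isinstance(vpc, dict):
        return False
    return bool(vpc.get("SubnetIds")) and bool(vpc.get("SecurityGroupIds"))


def find_non_vpc_lambdas(template_json: str) -> List[str]:
    """Logical IDs of Lambda functions that violate the policy, sorted for
    stable output."""
    template = json.loads(template_json)
    return sorted(
        logical_id
        for logical_id, props in lambda_functions(template).items()
        if not is_vpc_attached(props)
    )


if __name__ == "__main__":
    # Exit non-zero so a CI step can fail the pipeline on a violation.
    violations = find_non_vpc_lambdas(SAMPLE_TEMPLATE)
    for logical_id in violations:
        print(f"POLICY VIOLATION: {logical_id} is a Lambda function without a VpcConfig")
    raise SystemExit(1 if violations else 0)
```

Run it over each template in `cdk.out` as a pipeline gate; a non-zero exit means a handler would be provisioned outside the VPC. The empty-subnet case is treated as a violation deliberately, since CloudFormation rejects such a VpcConfig at deploy time and catching it at synth time is cheaper.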
@github-actions (bot)

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

flochaz pushed a commit to flochaz/aws-cdk that referenced this issue Jan 5, 2021