diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 57b8d64fe1b66..d1b62a5c8a37f 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md @@ -433,6 +433,8 @@ new eks.Cluster(this, 'HelloEKS', { }); ``` +> Note: Isolated VPCs (i.e with no internet access) are not currently supported. See https://github.com/aws/aws-cdk/issues/12171 + If you do not specify a VPC, one will be created on your behalf, which you can then access via `cluster.vpc`. The cluster VPC will be associated to any EKS managed capacity (i.e Managed Node Groups and Fargate Profiles). If you allocate self managed capacity, you can specify which subnets should the auto-scaling group use: @@ -444,8 +446,7 @@ cluster.addAutoScalingGroupCapacity('nodes', { }); ``` -In addition to the cluster and the capacity, there are two additional components you might want to -provision within a VPC. +There are two additional components you might want to provision within the VPC. #### Kubectl Handler @@ -459,7 +460,18 @@ If the endpoint does not expose private access (via `EndpointAccess.PUBLIC`) **o #### Cluster Handler -The `ClusterHandler` is a Lambda function responsible to interact the EKS API in order to control the cluster lifecycle. At the moment, this function cannot be provisioned inside the VPC. See [Attach all Lambda Function to a VPC](https://github.com/aws/aws-cdk/issues/9509) for more details. +The `ClusterHandler` is a Lambda function responsible to interact with the EKS API in order to control the cluster lifecycle. To provision this function inside the VPC, set the `placeClusterHandlerInVpc` property to `true`. This will place the function inside the private subnets of the VPC based on the selection strategy specified in the [`vpcSubnets`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.Cluster.html#vpcsubnetsspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan) property. + +You can configure the environment of this function by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy: + +```ts +const cluster = new eks.Cluster(this, 'hello-eks', { + version: eks.KubernetesVersion.V1_18, + clusterHandlerEnvironment: { + 'http_proxy': 'http://proxy.myproxy.com' + } +}); +``` ### Kubectl Support @@ -1122,6 +1134,5 @@ Kubernetes [endpoint access](#endpoint-access), you must also specify: ## Known Issues and Limitations * [One cluster per stack](https://github.com/aws/aws-cdk/issues/10073) -* [Object pruning](https://github.com/aws/aws-cdk/issues/10495) * [Service Account dependencies](https://github.com/aws/aws-cdk/issues/9910) -* [Attach all Lambda Functions to VPC](https://github.com/aws/aws-cdk/issues/9509) +* [Support isolated VPCs](https://github.com/aws/aws-cdk/issues/12171) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts index fa5da2d80807e..12839a3ee6044 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts @@ -1,4 +1,5 @@ import * as path from 'path'; +import * as ec2 from '@aws-cdk/aws-ec2'; import * as iam from '@aws-cdk/aws-iam'; import * as lambda from '@aws-cdk/aws-lambda'; import { Duration, NestedStack, Stack } from '@aws-cdk/core'; @@ -17,6 +18,21 @@ export interface ClusterResourceProviderProps { * The IAM role to assume in order to interact with the cluster. */ readonly adminRole: iam.IRole; + + /** + * The VPC to provision the functions in. + */ + readonly vpc?: ec2.IVpc; + + /** + * The subnets to place the functions in. + */ + readonly subnets?: ec2.ISubnet[]; + + /** + * Environment to add to the handler. + */ + readonly environment?: { [key: string]: string }; } /** @@ -46,8 +62,11 @@ export class ClusterResourceProvider extends NestedStack { code: lambda.Code.fromAsset(HANDLER_DIR), description: 'onEvent handler for EKS cluster resource provider', runtime: HANDLER_RUNTIME, + environment: props.environment, handler: 'index.onEvent', timeout: Duration.minutes(1), + vpc: props.subnets ? props.vpc : undefined, + vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined, }); const isComplete = new lambda.Function(this, 'IsCompleteHandler', { @@ -56,6 +75,8 @@ export class ClusterResourceProvider extends NestedStack { runtime: HANDLER_RUNTIME, handler: 'index.isComplete', timeout: Duration.minutes(1), + vpc: props.subnets ? props.vpc : undefined, + vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined, }); this.provider = new cr.Provider(this, 'Provider', { @@ -63,6 +84,8 @@ export class ClusterResourceProvider extends NestedStack { isCompleteHandler: isComplete, totalTimeout: Duration.hours(1), queryInterval: Duration.minutes(1), + vpc: props.subnets ? props.vpc : undefined, + vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined, }); props.adminRole.grant(onEvent.role!, 'sts:AssumeRole'); diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts index 788210c987dbe..5d89741026aa9 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts @@ -21,6 +21,8 @@ export interface ClusterResourceProps { readonly endpointPublicAccess: boolean; readonly publicAccessCidrs?: string[]; readonly vpc: ec2.IVpc; + readonly environment?: { [key: string]: string }; + readonly subnets?: ec2.ISubnet[]; readonly secretsEncryptionKey?: kms.IKey; } @@ -57,6 +59,9 @@ export class ClusterResource extends CoreConstruct { const provider = ClusterResourceProvider.getOrCreate(this, { adminRole: this.adminRole, + subnets: props.subnets, + vpc: props.vpc, + environment: props.environment, }); const resource = new CustomResource(this, 'Resource', { diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index d497a854bb8c7..5697493aad3cb 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -428,6 +428,13 @@ export interface ClusterOptions extends CommonClusterOptions { */ readonly kubectlEnvironment?: { [key: string]: string }; + /** + * Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. + * + * @default - No environment variables. + */ + readonly clusterHandlerEnvironment?: { [key: string]: string }; + /** * An AWS Lambda Layer which includes `kubectl`, Helm and the AWS CLI. * @@ -468,6 +475,14 @@ export interface ClusterOptions extends CommonClusterOptions { * @default true */ readonly prune?: boolean; + + /** + * If set to true, the cluster handler functions will be placed in the private subnets + * of the cluster vpc, subject to the `vpcSubnets` selection strategy. + * + * @default false + */ + readonly placeClusterHandlerInVpc?: boolean; } /** @@ -859,7 +874,6 @@ export class Cluster extends ClusterBase { /** * Custom environment variables when running `kubectl` against this cluster. - * @default - no additional environment variables */ public readonly kubectlEnvironment?: { [key: string]: string }; @@ -1020,8 +1034,15 @@ export class Cluster extends ClusterBase { throw new Error('Vpc must contain private subnets when public endpoint access is restricted'); } + const placeClusterHandlerInVpc = props.placeClusterHandlerInVpc ?? false; + + if (placeClusterHandlerInVpc && privateSubents.length === 0) { + throw new Error('Cannot place cluster handler in the VPC since no private subnets could be selected'); + } + const resource = this._clusterResource = new ClusterResource(this, 'Resource', { name: this.physicalName, + environment: props.clusterHandlerEnvironment, roleArn: this.role.roleArn, version: props.version.version, resourcesVpcConfig: { @@ -1041,6 +1062,7 @@ export class Cluster extends ClusterBase { publicAccessCidrs: this.endpointAccess._config.publicCidrs, secretsEncryptionKey: props.secretsEncryptionKey, vpc: this.vpc, + subnets: placeClusterHandlerInVpc ? privateSubents : undefined, }); if (this.endpointAccess._config.privateAccess && privateSubents.length !== 0) { diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts index 4cf2d254099f6..359eb79b970a5 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts +++ b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts @@ -97,6 +97,8 @@ export class KubectlProvider extends NestedStack { const provider = new cr.Provider(this, 'Provider', { onEventHandler: handler, + vpc: cluster.kubectlPrivateSubnets ? cluster.vpc : undefined, + vpcSubnets: cluster.kubectlPrivateSubnets ? { subnets: cluster.kubectlPrivateSubnets } : undefined, }); this.serviceToken = provider.serviceToken; diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-handlers-vpc.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-handlers-vpc.expected.json new file mode 100644 index 0000000000000..64485db691f5b --- /dev/null +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-handlers-vpc.expected.json @@ -0,0 +1,1394 @@ +{ + "Resources": { + "EksAllHandlersInVpcStackDefaultVpcBE11D4AE": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1SubnetEA05A5C7": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.0.0/19", + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet1" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTable183714C5": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet1" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTableAssociation1012ACB8": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTable183714C5" + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1SubnetEA05A5C7" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1DefaultRoute8E294BC5": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTable183714C5" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcIGW916D42F1" + } + }, + "DependsOn": [ + "EksAllHandlersInVpcStackDefaultVpcVPCGW5DC3BDB4" + ] + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1EIP9380B54C": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet1" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1NATGatewayFD57AC6C": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1EIP9380B54C", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1SubnetEA05A5C7" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet1" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2Subnet8A9F7D50": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.32.0/19", + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet2" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableE4762B74": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet2" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableAssociation5DFA3BFD": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableE4762B74" + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2Subnet8A9F7D50" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2DefaultRouteC7B27F81": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableE4762B74" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcIGW916D42F1" + } + }, + "DependsOn": [ + "EksAllHandlersInVpcStackDefaultVpcVPCGW5DC3BDB4" + ] + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2EIP9186922F": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet2" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2NATGatewayEC0B8252": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2EIP9186922F", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2Subnet8A9F7D50" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet2" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3SubnetB436275F": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.64.0/19", + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet3" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTable85E4266C": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet3" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTableAssociationEA306E19": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTable85E4266C" + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3SubnetB436275F" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3DefaultRoute965D74B7": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTable85E4266C" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcIGW916D42F1" + } + }, + "DependsOn": [ + "EksAllHandlersInVpcStackDefaultVpcVPCGW5DC3BDB4" + ] + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3EIPBF5ED908": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet3" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3NATGateway7AE6F6B3": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3EIPBF5ED908", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3SubnetB436275F" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PublicSubnet3" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.96.0/19", + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PrivateSubnet1" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableF214D04E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PrivateSubnet1" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableAssociationC09E4B48": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableF214D04E" + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1DefaultRoute27B45BF6": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableF214D04E" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1NATGatewayFD57AC6C" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.128.0/19", + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PrivateSubnet2" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTable22627B70": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PrivateSubnet2" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTableAssociation475205D6": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTable22627B70" + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2DefaultRoute8A741F7F": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTable22627B70" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2NATGatewayEC0B8252" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.160.0/19", + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PrivateSubnet3" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTable19D4047C": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc/PrivateSubnet3" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTableAssociationC07A6A83": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTable19D4047C" + }, + "SubnetId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3DefaultRoute203EAFA4": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTable19D4047C" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3NATGateway7AE6F6B3" + } + } + }, + "EksAllHandlersInVpcStackDefaultVpcIGW916D42F1": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-eks-handlers-in-vpc-test/EksAllHandlersInVpcStack/DefaultVpc" + } + ] + } + }, + "EksAllHandlersInVpcStackDefaultVpcVPCGW5DC3BDB4": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "InternetGatewayId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcIGW916D42F1" + } + } + }, + "EksAllHandlersInVpcStackRoleC36F09F0": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSClusterPolicy" + ] + ] + } + ] + } + }, + "EksAllHandlersInVpcStackControlPlaneSecurityGroup10B6E594": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "EKS Control Plane Security Group", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "VpcId": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + } + } + }, + "EksAllHandlersInVpcStackCreationRole0BAA4CDC": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + }, + "DependsOn": [ + "EksAllHandlersInVpcStackDefaultVpcIGW916D42F1", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1DefaultRoute27B45BF6", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableF214D04E", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableAssociationC09E4B48", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2DefaultRoute8A741F7F", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTable22627B70", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTableAssociation475205D6", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3DefaultRoute203EAFA4", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTable19D4047C", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTableAssociationC07A6A83", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1DefaultRoute8E294BC5", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1EIP9380B54C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1NATGatewayFD57AC6C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTable183714C5", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTableAssociation1012ACB8", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1SubnetEA05A5C7", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2DefaultRouteC7B27F81", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2EIP9186922F", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2NATGatewayEC0B8252", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableE4762B74", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableAssociation5DFA3BFD", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2Subnet8A9F7D50", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3DefaultRoute965D74B7", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3EIPBF5ED908", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3NATGateway7AE6F6B3", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTable85E4266C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTableAssociationEA306E19", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3SubnetB436275F", + "EksAllHandlersInVpcStackDefaultVpcBE11D4AE", + "EksAllHandlersInVpcStackDefaultVpcVPCGW5DC3BDB4" + ] + }, + "EksAllHandlersInVpcStackCreationRoleDefaultPolicy783D59F3": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackRoleC36F09F0", + "Arn" + ] + } + }, + { + "Action": [ + "ec2:DescribeSubnets", + "ec2:DescribeRouteTables" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "eks:CreateCluster", + "eks:DescribeCluster", + "eks:DescribeUpdate", + "eks:DeleteCluster", + "eks:UpdateClusterVersion", + "eks:UpdateClusterConfig", + "eks:CreateFargateProfile", + "eks:TagResource", + "eks:UntagResource" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "eks:DescribeFargateProfile", + "eks:DeleteFargateProfile" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "iam:GetRole", + "iam:listAttachedRolePolicies" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "iam:CreateServiceLinkedRole", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:DescribeVpcs", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:test-region:12345678:vpc/", + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + } + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "EksAllHandlersInVpcStackCreationRoleDefaultPolicy783D59F3", + "Roles": [ + { + "Ref": "EksAllHandlersInVpcStackCreationRole0BAA4CDC" + } + ] + }, + "DependsOn": [ + "EksAllHandlersInVpcStackDefaultVpcIGW916D42F1", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1DefaultRoute27B45BF6", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableF214D04E", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableAssociationC09E4B48", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2DefaultRoute8A741F7F", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTable22627B70", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTableAssociation475205D6", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3DefaultRoute203EAFA4", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTable19D4047C", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTableAssociationC07A6A83", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1DefaultRoute8E294BC5", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1EIP9380B54C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1NATGatewayFD57AC6C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTable183714C5", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTableAssociation1012ACB8", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1SubnetEA05A5C7", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2DefaultRouteC7B27F81", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2EIP9186922F", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2NATGatewayEC0B8252", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableE4762B74", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableAssociation5DFA3BFD", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2Subnet8A9F7D50", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3DefaultRoute965D74B7", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3EIPBF5ED908", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3NATGateway7AE6F6B3", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTable85E4266C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTableAssociationEA306E19", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3SubnetB436275F", + "EksAllHandlersInVpcStackDefaultVpcBE11D4AE", + "EksAllHandlersInVpcStackDefaultVpcVPCGW5DC3BDB4" + ] + }, + "EksAllHandlersInVpcStack9ED695D7": { + "Type": "Custom::AWSCDK-EKS-Cluster", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454", + "Outputs.awscdkekshandlersinvpctestawscdkawseksClusterResourceProviderframeworkonEvent5C6C2463Arn" + ] + }, + "Config": { + "version": "1.18", + "roleArn": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackRoleC36F09F0", + "Arn" + ] + }, + "resourcesVpcConfig": { + "subnetIds": [ + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1SubnetEA05A5C7" + }, + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2Subnet8A9F7D50" + }, + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3SubnetB436275F" + }, + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978" + }, + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3" + }, + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9" + } + ], + "securityGroupIds": [ + { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackControlPlaneSecurityGroup10B6E594", + "GroupId" + ] + } + ], + "endpointPublicAccess": true, + "endpointPrivateAccess": true + } + }, + "AssumeRoleArn": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackCreationRole0BAA4CDC", + "Arn" + ] + }, + "AttributesRevision": 2 + }, + "DependsOn": [ + "EksAllHandlersInVpcStackDefaultVpcIGW916D42F1", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1DefaultRoute27B45BF6", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableF214D04E", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1RouteTableAssociationC09E4B48", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2DefaultRoute8A741F7F", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTable22627B70", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2RouteTableAssociation475205D6", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3DefaultRoute203EAFA4", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTable19D4047C", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3RouteTableAssociationC07A6A83", + "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1DefaultRoute8E294BC5", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1EIP9380B54C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1NATGatewayFD57AC6C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTable183714C5", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1RouteTableAssociation1012ACB8", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet1SubnetEA05A5C7", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2DefaultRouteC7B27F81", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2EIP9186922F", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2NATGatewayEC0B8252", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableE4762B74", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2RouteTableAssociation5DFA3BFD", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet2Subnet8A9F7D50", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3DefaultRoute965D74B7", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3EIPBF5ED908", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3NATGateway7AE6F6B3", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTable85E4266C", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3RouteTableAssociationEA306E19", + "EksAllHandlersInVpcStackDefaultVpcPublicSubnet3SubnetB436275F", + "EksAllHandlersInVpcStackDefaultVpcBE11D4AE", + "EksAllHandlersInVpcStackDefaultVpcVPCGW5DC3BDB4", + "EksAllHandlersInVpcStackCreationRoleDefaultPolicy783D59F3", + "EksAllHandlersInVpcStackCreationRole0BAA4CDC" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "EksAllHandlersInVpcStackKubectlReadyBarrier8687350F": { + "Type": "AWS::SSM::Parameter", + "Properties": { + "Type": "String", + "Value": "aws:cdk:eks:kubectl-ready" + }, + "DependsOn": [ + "EksAllHandlersInVpcStackCreationRoleDefaultPolicy783D59F3", + "EksAllHandlersInVpcStackCreationRole0BAA4CDC", + "EksAllHandlersInVpcStack9ED695D7" + ] + }, + "EksAllHandlersInVpcStackMastersRole825EE5E6": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "EksAllHandlersInVpcStackAwsAuthmanifest66335CD9": { + "Type": "Custom::AWSCDK-EKS-KubernetesResource", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B", + "Outputs.awscdkekshandlersinvpctestawscdkawseksKubectlProviderframeworkonEventB8D0A5E7Arn" + ] + }, + "Manifest": { + "Fn::Join": [ + "", + [ + "[{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"metadata\":{\"name\":\"aws-auth\",\"namespace\":\"kube-system\",\"labels\":{\"aws.cdk.eks/prune-c8fa2698c0d935568a51a7732ad19350286b302ae8\":\"\"}},\"data\":{\"mapRoles\":\"[{\\\"rolearn\\\":\\\"", + { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackMastersRole825EE5E6", + "Arn" + ] + }, + "\\\",\\\"username\\\":\\\"", + { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackMastersRole825EE5E6", + "Arn" + ] + }, + "\\\",\\\"groups\\\":[\\\"system:masters\\\"]},{\\\"rolearn\\\":\\\"", + { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackNodegroupDefaultCapacityNodeGroupRoleFFBF949C", + "Arn" + ] + }, + "\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]}]\",\"mapUsers\":\"[]\",\"mapAccounts\":\"[]\"}}]" + ] + ] + }, + "ClusterName": { + "Ref": "EksAllHandlersInVpcStack9ED695D7" + }, + "RoleArn": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackCreationRole0BAA4CDC", + "Arn" + ] + }, + "PruneLabel": "aws.cdk.eks/prune-c8fa2698c0d935568a51a7732ad19350286b302ae8", + "Overwrite": true + }, + "DependsOn": [ + "EksAllHandlersInVpcStackKubectlReadyBarrier8687350F" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "EksAllHandlersInVpcStackNodegroupDefaultCapacityNodeGroupRoleFFBF949C": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSWorkerNodePolicy" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKS_CNI_Policy" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + ] + ] + } + ] + } + }, + "EksAllHandlersInVpcStackNodegroupDefaultCapacityD8DD5ECF": { + "Type": "AWS::EKS::Nodegroup", + "Properties": { + "ClusterName": { + "Ref": "EksAllHandlersInVpcStack9ED695D7" + }, + "NodeRole": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackNodegroupDefaultCapacityNodeGroupRoleFFBF949C", + "Arn" + ] + }, + "Subnets": [ + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978" + }, + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3" + }, + { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9" + } + ], + "AmiType": "AL2_x86_64", + "ForceUpdateEnabled": true, + "InstanceTypes": [ + "m5.large" + ], + "ScalingConfig": { + "DesiredSize": 2, + "MaxSize": 2, + "MinSize": 2 + } + } + }, + "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": { + "Fn::Join": [ + "", + [ + "https://s3.test-region.", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "AssetParameters1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172cS3Bucket151BE34C" + }, + "/", + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParameters1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172cS3VersionKey89E7CC67" + } + ] + } + ] + }, + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParameters1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172cS3VersionKey89E7CC67" + } + ] + } + ] + } + ] + ] + }, + "Parameters": { + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackCreationRoleADAAC7FDArn": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackCreationRole0BAA4CDC", + "Arn" + ] + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcE40EA7ACRef": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "referencetoawscdkekshandlersinvpctestAssetParameters87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dbaS3Bucket020723FERef": { + "Ref": "AssetParameters87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dbaS3Bucket14D204F9" + }, + "referencetoawscdkekshandlersinvpctestAssetParameters87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dbaS3VersionKeyEC505E3ARef": { + "Ref": "AssetParameters87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dbaS3VersionKeyDE8A2F1F" + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcPrivateSubnet1Subnet9479BAA8Ref": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978" + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcPrivateSubnet2Subnet9480A740Ref": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3" + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcPrivateSubnet3Subnet1B127970Ref": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9" + }, + "referencetoawscdkekshandlersinvpctestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket9D7E9998Ref": { + "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + }, + "referencetoawscdkekshandlersinvpctestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyE6908FD8Ref": { + "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + } + } + } + }, + "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": { + "Fn::Join": [ + "", + [ + "https://s3.test-region.", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "AssetParameters6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195S3BucketED10A01F" + }, + "/", + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParameters6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195S3VersionKey4F604E85" + } + ] + } + ] + }, + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParameters6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195S3VersionKey4F604E85" + } + ] + } + ] + } + ] + ] + }, + "Parameters": { + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStack429D29C0Arn": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStack9ED695D7", + "Arn" + ] + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackCreationRoleADAAC7FDArn": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackCreationRole0BAA4CDC", + "Arn" + ] + }, + "referencetoawscdkekshandlersinvpctestAssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3BucketAC8D81C6Ref": { + "Ref": "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3Bucket81EA5F11" + }, + "referencetoawscdkekshandlersinvpctestAssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3VersionKeyA25C9B33Ref": { + "Ref": "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3VersionKey32DED07C" + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcPrivateSubnet1Subnet9479BAA8Ref": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet1SubnetE2B86978" + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcPrivateSubnet2Subnet9480A740Ref": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet2SubnetFBAAF3E3" + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcPrivateSubnet3Subnet1B127970Ref": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcPrivateSubnet3SubnetA75A8BA9" + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStack429D29C0ClusterSecurityGroupId": { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStack9ED695D7", + "ClusterSecurityGroupId" + ] + }, + "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcE40EA7ACRef": { + "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE" + }, + "referencetoawscdkekshandlersinvpctestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket9D7E9998Ref": { + "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + }, + "referencetoawscdkekshandlersinvpctestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyE6908FD8Ref": { + "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + } + } + } + } + }, + "Outputs": { + "EksAllHandlersInVpcStackConfigCommandE25F67E8": { + "Value": { + "Fn::Join": [ + "", + [ + "aws eks update-kubeconfig --name ", + { + "Ref": "EksAllHandlersInVpcStack9ED695D7" + }, + " --region test-region --role-arn ", + { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackMastersRole825EE5E6", + "Arn" + ] + } + ] + ] + } + }, + "EksAllHandlersInVpcStackGetTokenCommand5EB9ED5B": { + "Value": { + "Fn::Join": [ + "", + [ + "aws eks get-token --cluster-name ", + { + "Ref": "EksAllHandlersInVpcStack9ED695D7" + }, + " --region test-region --role-arn ", + { + "Fn::GetAtt": [ + "EksAllHandlersInVpcStackMastersRole825EE5E6", + "Arn" + ] + } + ] + ] + } + } + }, + "Parameters": { + "AssetParameters87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dbaS3Bucket14D204F9": { + "Type": "String", + "Description": "S3 bucket for asset \"87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dba\"" + }, + "AssetParameters87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dbaS3VersionKeyDE8A2F1F": { + "Type": "String", + "Description": "S3 key for asset version \"87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dba\"" + }, + "AssetParameters87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dbaArtifactHash54822A43": { + "Type": "String", + "Description": "Artifact hash for asset \"87b1e2c41f84590d14f7ab8cb0f338c51d6fa3efe78943867af07fa959593dba\"" + }, + "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1": { + "Type": "String", + "Description": "S3 bucket for asset \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + }, + "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F": { + "Type": "String", + "Description": "S3 key for asset version \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + }, + "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1ArtifactHashA521A16F": { + "Type": "String", + "Description": "Artifact hash for asset \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + }, + "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3Bucket81EA5F11": { + "Type": "String", + "Description": "S3 bucket for asset \"d01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34f\"" + }, + "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3VersionKey32DED07C": { + "Type": "String", + "Description": "S3 key for asset version \"d01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34f\"" + }, + "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fArtifactHashE68669BA": { + "Type": "String", + "Description": "Artifact hash for asset \"d01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34f\"" + }, + "AssetParameters1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172cS3Bucket151BE34C": { + "Type": "String", + "Description": "S3 bucket for asset \"1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172c\"" + }, + "AssetParameters1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172cS3VersionKey89E7CC67": { + "Type": "String", + "Description": "S3 key for asset version \"1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172c\"" + }, + "AssetParameters1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172cArtifactHashAEE8C2AB": { + "Type": "String", + "Description": "Artifact hash for asset \"1a2bf12b9f0cf5ab2c838e7dd9be4d485bbf32056d6d5333bce57e49d12a172c\"" + }, + "AssetParameters6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195S3BucketED10A01F": { + "Type": "String", + "Description": "S3 bucket for asset \"6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195\"" + }, + "AssetParameters6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195S3VersionKey4F604E85": { + "Type": "String", + "Description": "S3 key for asset version \"6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195\"" + }, + "AssetParameters6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195ArtifactHashFB75BE03": { + "Type": "String", + "Description": "Artifact hash for asset \"6d292454aff7fb0ebe25e490b924c9c6b388e55e40b8969d458dc14694f8e195\"" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-handlers-vpc.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-handlers-vpc.ts new file mode 100644 index 0000000000000..ec9fe15d081da --- /dev/null +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-handlers-vpc.ts @@ -0,0 +1,25 @@ +/// !cdk-integ pragma:ignore-assets +import { App } from '@aws-cdk/core'; +import * as eks from '../lib'; +import { TestStack } from './util'; + +const CLUSTER_VERSION = eks.KubernetesVersion.V1_18; + + +class EksAllHandlersInVpcStack extends TestStack { + + constructor(scope: App, id: string) { + super(scope, id); + + new eks.Cluster(this, 'EksAllHandlersInVpcStack', { + version: CLUSTER_VERSION, + placeClusterHandlerInVpc: true, + }); + } +} + +const app = new App(); + +new EksAllHandlersInVpcStack(app, 'aws-cdk-eks-handlers-in-vpc-test'); + +app.synth(); \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json index 32d3c5a987aad..1b3b3db682b51 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json @@ -1129,7 +1129,7 @@ }, "/", { - "Ref": "AssetParameterseeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8S3BucketDC07F45A" + "Ref": "AssetParameters82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601S3Bucket69FEE662" }, "/", { @@ -1139,7 +1139,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameterseeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8S3VersionKey10075D53" + "Ref": "AssetParameters82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601S3VersionKeyF62FBF50" } ] } @@ -1152,7 +1152,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameterseeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8S3VersionKey10075D53" + "Ref": "AssetParameters82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601S3VersionKeyF62FBF50" } ] } @@ -1174,11 +1174,11 @@ "Arn" ] }, - "referencetoawscdkeksclusterprivateendpointtestAssetParameterse4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6cS3BucketF8806B76Ref": { - "Ref": "AssetParameterse4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6cS3BucketD473D2B6" + "referencetoawscdkeksclusterprivateendpointtestAssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3Bucket254F28AERef": { + "Ref": "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3Bucket81EA5F11" }, - "referencetoawscdkeksclusterprivateendpointtestAssetParameterse4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6cS3VersionKeyB0AD1257Ref": { - "Ref": "AssetParameterse4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6cS3VersionKey8213FD47" + "referencetoawscdkeksclusterprivateendpointtestAssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3VersionKeyE913A985Ref": { + "Ref": "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3VersionKey32DED07C" }, "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet1Subnet94DAD769Ref": { "Ref": "VpcPrivateSubnet1Subnet536B997A" @@ -1195,6 +1195,9 @@ "ClusterSecurityGroupId" ] }, + "referencetoawscdkeksclusterprivateendpointtestVpcFCD064BFRef": { + "Ref": "Vpc8378EB38" + }, "referencetoawscdkeksclusterprivateendpointtestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket7DDAFC04Ref": { "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" }, @@ -1272,17 +1275,17 @@ "Type": "String", "Description": "Artifact hash for asset \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" }, - "AssetParameterse4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6cS3BucketD473D2B6": { + "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3Bucket81EA5F11": { "Type": "String", - "Description": "S3 bucket for asset \"e4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6c\"" + "Description": "S3 bucket for asset \"d01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34f\"" }, - "AssetParameterse4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6cS3VersionKey8213FD47": { + "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fS3VersionKey32DED07C": { "Type": "String", - "Description": "S3 key for asset version \"e4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6c\"" + "Description": "S3 key for asset version \"d01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34f\"" }, - "AssetParameterse4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6cArtifactHashDEE5AB5C": { + "AssetParametersd01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34fArtifactHashE68669BA": { "Type": "String", - "Description": "Artifact hash for asset \"e4ce1c625ef8590bc63f26160777b1c74421c8f5290dc5d15227810eedff2e6c\"" + "Description": "Artifact hash for asset \"d01b2d8959358117de0017e6f18135905e5680cfc8a83e406229c02671c2b34f\"" }, "AssetParameters84ba29b05aaf6a233dbb97b37e48eb1300f9d014f270252e29a8b2c22d6a08beS3Bucket9E737267": { "Type": "String", @@ -1296,17 +1299,17 @@ "Type": "String", "Description": "Artifact hash for asset \"84ba29b05aaf6a233dbb97b37e48eb1300f9d014f270252e29a8b2c22d6a08be\"" }, - "AssetParameterseeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8S3BucketDC07F45A": { + "AssetParameters82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601S3Bucket69FEE662": { "Type": "String", - "Description": "S3 bucket for asset \"eeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8\"" + "Description": "S3 bucket for asset \"82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601\"" }, - "AssetParameterseeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8S3VersionKey10075D53": { + "AssetParameters82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601S3VersionKeyF62FBF50": { "Type": "String", - "Description": "S3 key for asset version \"eeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8\"" + "Description": "S3 key for asset version \"82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601\"" }, - "AssetParameterseeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8ArtifactHash329E94D2": { + "AssetParameters82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601ArtifactHash2BC15E4C": { "Type": "String", - "Description": "Artifact hash for asset \"eeb4fa933b4519eba8df76051f9b605d447e254cadff1caf25e8f95bd9b580b8\"" + "Description": "Artifact hash for asset \"82a02b024ddccd7e1020d7fb799652ba63ec9fc1b0605b3011233acd374b1601\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index c6ffd1c00444a..cb1c0010b5d41 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json @@ -3867,7 +3867,7 @@ }, "/", { - "Ref": "AssetParameters752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4S3BucketC467D75F" + "Ref": "AssetParameters9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2S3BucketBE7D619F" }, "/", { @@ -3877,7 +3877,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4S3VersionKeyFB61265A" + "Ref": "AssetParameters9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2S3VersionKeyB0752C6A" } ] } @@ -3890,7 +3890,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4S3VersionKeyFB61265A" + "Ref": "AssetParameters9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2S3VersionKeyB0752C6A" } ] } @@ -3933,6 +3933,9 @@ "ClusterSecurityGroupId" ] }, + "referencetoawscdkeksclustertestVpc9A302ADDRef": { + "Ref": "Vpc8378EB38" + }, "referencetoawscdkeksclustertestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket0815E7B5Ref": { "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" }, @@ -4632,17 +4635,17 @@ "Type": "String", "Description": "Artifact hash for asset \"a69aadbed84d554dd9f2eb7987ffe5d8f76b53a86f1909059df07050e57bef0c\"" }, - "AssetParameters752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4S3BucketC467D75F": { + "AssetParameters9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2S3BucketBE7D619F": { "Type": "String", - "Description": "S3 bucket for asset \"752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4\"" + "Description": "S3 bucket for asset \"9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2\"" }, - "AssetParameters752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4S3VersionKeyFB61265A": { + "AssetParameters9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2S3VersionKeyB0752C6A": { "Type": "String", - "Description": "S3 key for asset version \"752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4\"" + "Description": "S3 key for asset version \"9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2\"" }, - "AssetParameters752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4ArtifactHash638D9167": { + "AssetParameters9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2ArtifactHash332C2FA3": { "Type": "String", - "Description": "Artifact hash for asset \"752d247b8d517e792000798030be8ebb727fc47c48ee1ae0502fd4fe447543a4\"" + "Description": "Artifact hash for asset \"9a25dd6d9e57e25d745576dc7750da1634d4b890ca4f11546b8c1cf5411957c2\"" }, "SsmParameterValueawsserviceeksoptimizedami118amazonlinux2recommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter": { "Type": "AWS::SSM::Parameter::Value", diff --git a/packages/@aws-cdk/aws-eks/test/integ.fargate-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.fargate-cluster.expected.json index 72e2b8af54606..f5d7700c1a775 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.fargate-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.fargate-cluster.expected.json @@ -1206,7 +1206,7 @@ }, "/", { - "Ref": "AssetParametersacf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676dfS3Bucket055DB2DD" + "Ref": "AssetParameters8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eafS3Bucket36A38A03" }, "/", { @@ -1216,7 +1216,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersacf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676dfS3VersionKey768DC253" + "Ref": "AssetParameters8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eafS3VersionKey5B11B043" } ] } @@ -1229,7 +1229,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersacf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676dfS3VersionKey768DC253" + "Ref": "AssetParameters8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eafS3VersionKey5B11B043" } ] } @@ -1272,6 +1272,9 @@ "ClusterSecurityGroupId" ] }, + "referencetoawscdkeksfargateclustertestFargateClusterDefaultVpcBD3C976FRef": { + "Ref": "FargateClusterDefaultVpcE69D3A13" + }, "referencetoawscdkeksfargateclustertestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket8EEF0922Ref": { "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" }, @@ -1373,17 +1376,17 @@ "Type": "String", "Description": "Artifact hash for asset \"ae946640aaf0743990584e4a1cf45ddebbaddcaf60611f572e80100a02162f48\"" }, - "AssetParametersacf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676dfS3Bucket055DB2DD": { + "AssetParameters8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eafS3Bucket36A38A03": { "Type": "String", - "Description": "S3 bucket for asset \"acf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676df\"" + "Description": "S3 bucket for asset \"8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eaf\"" }, - "AssetParametersacf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676dfS3VersionKey768DC253": { + "AssetParameters8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eafS3VersionKey5B11B043": { "Type": "String", - "Description": "S3 key for asset version \"acf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676df\"" + "Description": "S3 key for asset version \"8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eaf\"" }, - "AssetParametersacf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676dfArtifactHash6B525785": { + "AssetParameters8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eafArtifactHashE40CA470": { "Type": "String", - "Description": "Artifact hash for asset \"acf32c87c31efb4722eb278661a3b1910a7e18604a7c03d378957406b1a676df\"" + "Description": "Artifact hash for asset \"8fce5bde577fa3ab216c79574e335882996439da94b6d9183329e4fc4bff4eaf\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 7c23d49a0b2f3..0c8f1dac31f10 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts @@ -22,6 +22,42 @@ const CLUSTER_VERSION = eks.KubernetesVersion.V1_18; export = { + 'can specify custom environment to cluster resource handler'(test: Test) { + + const { stack } = testFixture(); + + new eks.Cluster(stack, 'Cluster', { + version: CLUSTER_VERSION, + clusterHandlerEnvironment: { + foo: 'bar', + }, + }); + + const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.ClusterResourceProvider') as cdk.NestedStack; + + test.deepEqual(expect(nested).value.Resources.OnEventHandler42BEBAE0.Properties.Environment, { Variables: { foo: 'bar' } }); + test.done(); + + }, + + 'throws when trying to place cluster handlers in a vpc with no private subnets'(test: Test) { + + const { stack } = testFixture(); + + const vpc = new ec2.Vpc(stack, 'Vpc'); + + test.throws(() => { + new eks.Cluster(stack, 'Cluster', { + version: CLUSTER_VERSION, + placeClusterHandlerInVpc: true, + vpc: vpc, + vpcSubnets: [{ subnetType: ec2.SubnetType.PUBLIC }], + }); + }, /Cannot place cluster handler in the VPC since no private subnets could be selected/); + + test.done(); + }, + 'throws when accessing cluster security group for imported cluster without cluster security group id'(test: Test) { const { stack } = testFixture(); @@ -35,6 +71,33 @@ export = { }, + 'can place cluster handlers in the cluster vpc'(test: Test) { + + const { stack } = testFixture(); + + new eks.Cluster(stack, 'Cluster', { + version: CLUSTER_VERSION, + placeClusterHandlerInVpc: true, + }); + + const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.ClusterResourceProvider') as cdk.NestedStack; + + function assertFunctionPlacedInVpc(id: string) { + test.deepEqual(expect(nested).value.Resources[id].Properties.VpcConfig.SubnetIds, [ + { Ref: 'referencetoStackClusterDefaultVpcPrivateSubnet1SubnetA64D1BF0Ref' }, + { Ref: 'referencetoStackClusterDefaultVpcPrivateSubnet2Subnet32D85AB8Ref' }, + ]); + } + + assertFunctionPlacedInVpc('OnEventHandler42BEBAE0'); + assertFunctionPlacedInVpc('IsCompleteHandler7073F4DA'); + assertFunctionPlacedInVpc('ProviderframeworkonEvent83C1D0A7'); + assertFunctionPlacedInVpc('ProviderframeworkisComplete26D7B0CB'); + assertFunctionPlacedInVpc('ProviderframeworkonTimeout0B47CA38'); + + test.done(); + }, + 'can access cluster security group for imported cluster with cluster security group id'(test: Test) { const { stack } = testFixture(); diff --git a/packages/@aws-cdk/custom-resources/lib/provider-framework/provider.ts b/packages/@aws-cdk/custom-resources/lib/provider-framework/provider.ts index a61e7ab475939..3ae10fdf2e560 100644 --- a/packages/@aws-cdk/custom-resources/lib/provider-framework/provider.ts +++ b/packages/@aws-cdk/custom-resources/lib/provider-framework/provider.ts @@ -1,5 +1,6 @@ import * as path from 'path'; import * as cfn from '@aws-cdk/aws-cloudformation'; +import * as ec2 from '@aws-cdk/aws-ec2'; import * as lambda from '@aws-cdk/aws-lambda'; import * as logs from '@aws-cdk/aws-logs'; import { Construct as CoreConstruct, Duration } from '@aws-cdk/core'; @@ -70,6 +71,24 @@ export interface ProviderProps { * @default logs.RetentionDays.INFINITE */ readonly logRetention?: logs.RetentionDays; + + /** + * The vpc to provision the lambda functions in. + * + * @default - functions are not provisioned inside a vpc. + */ + readonly vpc?: ec2.IVpc; + + /** + * Which subnets from the VPC to place the lambda functions in. + * + * Only used if 'vpc' is supplied. Note: internet access for Lambdas + * requires a NAT gateway, so picking Public subnets is not allowed. + * + * @default - the Vpc default strategy if not specified + */ + readonly vpcSubnets?: ec2.SubnetSelection; + } /** @@ -97,6 +116,8 @@ export class Provider extends CoreConstruct implements cfn.ICustomResourceProvid private readonly entrypoint: lambda.Function; private readonly logRetention?: logs.RetentionDays; + private readonly vpc?: ec2.IVpc; + private readonly vpcSubnets?: ec2.SubnetSelection; constructor(scope: Construct, id: string, props: ProviderProps) { super(scope, id); @@ -110,6 +131,8 @@ export class Provider extends CoreConstruct implements cfn.ICustomResourceProvid this.isCompleteHandler = props.isCompleteHandler; this.logRetention = props.logRetention; + this.vpc = props.vpc; + this.vpcSubnets = props.vpcSubnets; const onEventFunction = this.createFunction(consts.FRAMEWORK_ON_EVENT_HANDLER_NAME); @@ -153,6 +176,8 @@ export class Provider extends CoreConstruct implements cfn.ICustomResourceProvid handler: `framework.${entrypoint}`, timeout: FRAMEWORK_HANDLER_TIMEOUT, logRetention: this.logRetention, + vpc: this.vpc, + vpcSubnets: this.vpcSubnets, }); fn.addEnvironment(consts.USER_ON_EVENT_FUNCTION_ARN_ENV, this.onEventHandler.functionArn); diff --git a/packages/@aws-cdk/custom-resources/package.json b/packages/@aws-cdk/custom-resources/package.json index 61908e19814c2..d291d6b66815b 100644 --- a/packages/@aws-cdk/custom-resources/package.json +++ b/packages/@aws-cdk/custom-resources/package.json @@ -96,6 +96,7 @@ "@aws-cdk/aws-lambda": "0.0.0", "@aws-cdk/aws-logs": "0.0.0", "@aws-cdk/aws-sns": "0.0.0", + "@aws-cdk/aws-ec2": "0.0.0", "@aws-cdk/core": "0.0.0", "constructs": "^3.2.0" }, @@ -106,6 +107,7 @@ "@aws-cdk/aws-lambda": "0.0.0", "@aws-cdk/aws-logs": "0.0.0", "@aws-cdk/aws-sns": "0.0.0", + "@aws-cdk/aws-ec2": "0.0.0", "@aws-cdk/core": "0.0.0", "constructs": "^3.2.0" }, diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/provider.test.ts b/packages/@aws-cdk/custom-resources/test/provider-framework/provider.test.ts index 0d0f98f634d07..deed031d8909f 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/provider.test.ts +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/provider.test.ts @@ -1,4 +1,5 @@ import * as path from 'path'; +import * as ec2 from '@aws-cdk/aws-ec2'; import * as lambda from '@aws-cdk/aws-lambda'; import * as logs from '@aws-cdk/aws-logs'; import { Duration, Stack } from '@aws-cdk/core'; @@ -7,6 +8,61 @@ import * as util from '../../lib/provider-framework/util'; import '@aws-cdk/assert/jest'; +test('vpc is applied to all framework functions', () => { + + // GIVEN + const stack = new Stack(); + + const vpc = new ec2.Vpc(stack, 'Vpc'); + + // WHEN + new cr.Provider(stack, 'MyProvider', { + onEventHandler: new lambda.Function(stack, 'OnEvent', { + code: lambda.Code.fromInline('foo'), + handler: 'index.onEvent', + runtime: lambda.Runtime.NODEJS_10_X, + }), + isCompleteHandler: new lambda.Function(stack, 'IsComplete', { + code: lambda.Code.fromInline('foo'), + handler: 'index.isComplete', + runtime: lambda.Runtime.NODEJS_10_X, + }), + vpc: vpc, + vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }, + }); + + expect(stack).toHaveResourceLike('AWS::Lambda::Function', { + Handler: 'framework.onEvent', + VpcConfig: { + SubnetIds: [ + { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, + { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, + ], + }, + }); + + expect(stack).toHaveResourceLike('AWS::Lambda::Function', { + Handler: 'framework.isComplete', + VpcConfig: { + SubnetIds: [ + { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, + { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, + ], + }, + }); + + expect(stack).toHaveResourceLike('AWS::Lambda::Function', { + Handler: 'framework.onTimeout', + VpcConfig: { + SubnetIds: [ + { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, + { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, + ], + }, + }); + +}); + test('minimal setup', () => { // GIVEN const stack = new Stack();