diff --git a/packages/@aws-cdk/aws-config/lib/rule.ts b/packages/@aws-cdk/aws-config/lib/rule.ts
index d4d176bc69c3b..f47625651c990 100644
--- a/packages/@aws-cdk/aws-config/lib/rule.ts
+++ b/packages/@aws-cdk/aws-config/lib/rule.ts
@@ -783,6 +783,16 @@ export class ManagedRuleIdentifiers {
    * @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-imdsv2-check.html
    */
   public static readonly EC2_IMDSV2_CHECK = 'EC2_IMDSV2_CHECK';
+  /**
+   * Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version.
+   * @see https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-oldest-supported-version.html
+   */
+  public static readonly EKS_CLUSTER_OLDEST_SUPPORTED_VERSION = 'EKS_CLUSTER_OLDEST_SUPPORTED_VERSION';
+  /**
+   * Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version.
+   * @see https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-supported-version.html
+   */
+  public static readonly EKS_CLUSTER_SUPPORTED_VERSION = 'EKS_CLUSTER_SUPPORTED_VERSION';
   /**
    * Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.
    * @see https://docs.aws.amazon.com/config/latest/developerguide/eks-endpoint-no-public-access.html
@@ -1322,6 +1332,8 @@ export class ResourceType {
   public static readonly EC2_VPC_ENDPOINT_SERVICE = new ResourceType('AWS::EC2::VPCEndpointService');
   /** EC2 VPC peering connection */
   public static readonly EC2_VPC_PEERING_CONNECTION = new ResourceType('AWS::EC2::VPCPeeringConnection');
+  /** Amazon Elastic Kubernetes Service cluster */
+  public static readonly EKS_CLUSTER = new ResourceType('AWS::EKS::Cluster');
   /** Amazon ElasticSearch domain */
   public static readonly ELASTICSEARCH_DOMAIN = new ResourceType('AWS::Elasticsearch::Domain');
   /** Amazon QLDB ledger */
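Review bot: The docstring on the new `EKS_CLUSTER_OLDEST_SUPPORTED_VERSION` identifier does not say which way the check cuts: "Checks if ... is running the oldest supported version" leaves a reader unsure whether matching the oldest version is the compliant or the non-compliant state, while as I read the linked guide the rule reports NON_COMPLIANT in that case (it is an early-warning rule for clusters about to fall out of support). Adding one sentence would remove the ambiguity, e.g. `* The rule is NON_COMPLIANT if the cluster is running the oldest supported Kubernetes version.`; the sibling `EKS_CLUSTER_SUPPORTED_VERSION` entry would benefit from the mirror sentence `* The rule is NON_COMPLIANT if the cluster is running an unsupported Kubernetes version.`. The linked guide also lists a required input parameter for both rules, so a reader creating a `ManagedRule` from these identifiers has to look up the docs to learn that `inputParameters` must be supplied; if that is confirmed, a short pointer to the parameter in each docstring would save that trip. The second hunk (the `EKS_CLUSTER` resource type) looks fine as is.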
diff --git a/packages/@aws-cdk/aws-config/test/rule.test.ts b/packages/@aws-cdk/aws-config/test/rule.test.ts
index 93f614073687d..bc33acf58d5ab 100644
--- a/packages/@aws-cdk/aws-config/test/rule.test.ts
+++ b/packages/@aws-cdk/aws-config/test/rule.test.ts
@@ -264,4 +264,38 @@ describe('rule', () => {
       },
     });
   });
+
+  test('Add EKS Cluster check to ManagedRule', () => {
+    // GIVEN
+    const stack1 = new cdk.Stack();
+    const stack2 = new cdk.Stack();
+
+    // WHEN
+    new config.ManagedRule(stack1, 'RuleEksClusterOldest', {
+      identifier: config.ManagedRuleIdentifiers.EKS_CLUSTER_OLDEST_SUPPORTED_VERSION,
+      ruleScope: config.RuleScope.fromResource(config.ResourceType.EKS_CLUSTER),
+    });
+    new config.ManagedRule(stack2, 'RuleEksClusterVersion', {
+      identifier: config.ManagedRuleIdentifiers.EKS_CLUSTER_SUPPORTED_VERSION,
+      ruleScope: config.RuleScope.fromResources([config.ResourceType.EKS_CLUSTER]),
+    });
+
+    // THEN
+    Template.fromStack(stack1).hasResourceProperties('AWS::Config::ConfigRule', {
+      Source: {
+        SourceIdentifier: 'EKS_CLUSTER_OLDEST_SUPPORTED_VERSION',
+      },
+      Scope: {
+        ComplianceResourceTypes: ['AWS::EKS::Cluster'],
+      },
+    });
+    Template.fromStack(stack2).hasResourceProperties('AWS::Config::ConfigRule', {
+      Source: {
+        SourceIdentifier: 'EKS_CLUSTER_SUPPORTED_VERSION',
+      },
+      Scope: {
+        ComplianceResourceTypes: ['AWS::EKS::Cluster'],
+      },
+    });
+  });
 });
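Review bot: The two `hasResourceProperties` expectations repeat the same `Scope` object verbatim and differ only in `SourceIdentifier`, so the test would read more clearly as a single expected-`Scope` constant reused by both assertions, or as a table-driven test over the two identifiers; the way it is written, a future change to the scope expectation has to be made twice. The test name "Add EKS Cluster check to ManagedRule" describes the commit rather than the behaviour being checked; something like `test('ManagedRule accepts the EKS cluster identifiers and scopes to AWS::EKS::Cluster', ...)` would tell a reader what a failure means. The enclosing `describe('rule', ...)` block starts outside the hunk.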