diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
index bae26dad2b737..3b6608fbba648 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts
@@ -4,7 +4,7 @@ import { Subnet } from '@aws-cdk/aws-ec2';
 import iam = require('@aws-cdk/aws-iam');
 import lambda = require('@aws-cdk/aws-lambda');
 import ssm = require('@aws-cdk/aws-ssm');
-import { CfnOutput, Construct, Duration, IResource, Resource, Stack, Tag } from '@aws-cdk/core';
+import { CfnOutput, Construct, Duration, IResource, Resource, Stack, Tag, Token } from '@aws-cdk/core';
 import path = require('path');
 import { AwsAuth } from './aws-auth';
 import { ClusterResource } from './cluster-resource';
@@ -611,15 +611,24 @@ export class Cluster extends Resource implements ICluster { * @see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html */ private tagSubnets() { - for (const subnet of this.vpc.privateSubnets) { - if (!Subnet.isVpcSubnet(subnet)) { - // Just give up, all of them will be the same. - this.node.addWarning('Could not auto-tag private subnets with "kubernetes.io/role/internal-elb=1", please remember to do this manually'); - return; + const tagAllSubnets = (type: string, subnets: ec2.ISubnet[], tag: string) => { + for (const subnet of subnets) { + // if this is not a concrete subnet, attach a construct warning + if (!Subnet.isVpcSubnet(subnet)) { + // message (if token): "could not auto-tag public/private subnet with tag..." + // message (if not token): "count not auto-tag public/private subnet xxxxx with tag..." + const subnetID = Token.isUnresolved(subnet.subnetId) ? '' : ` ${subnet.subnetId}`; + this.node.addWarning(`Could not auto-tag ${type} subnet${subnetID} with "${tag}=1", please remember to do this manually`); + continue; + } + + subnet.node.applyAspect(new Tag(tag, "1")); } + }; - subnet.node.applyAspect(new Tag("kubernetes.io/role/internal-elb", "1")); - } + // https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html + tagAllSubnets('private', this.vpc.privateSubnets, "kubernetes.io/role/internal-elb"); + tagAllSubnets('public', this.vpc.publicSubnets, "kubernetes.io/role/elb"); } } diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.defaults.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.defaults.expected.json index 8f3298357e708..7ff2bc1aa7024 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.defaults.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.defaults.expected.json @@ -37,6 +37,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } 
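Review bot: `tagAllSubnets('public', this.vpc.publicSubnets, "kubernetes.io/role/elb")` tags every public subnet of the VPC unconditionally, so on a VPC shared with other workloads all of its public subnets become eligible for the internet-facing load balancers that Kubernetes provisions for this cluster. The visible lines offer no opt-out, and the method's doc comment (it starts above the hunk) is not updated to say so. I would add a sentence there such as `Public subnets are tagged "kubernetes.io/role/elb=1" (eligible for internet-facing load balancers); private subnets are tagged "kubernetes.io/role/internal-elb=1".`, and, if the cluster can be restricted to a subset of the VPC's subnets elsewhere in this class, consider tagging only that subset. The comment for the non-token message also has a typo: `count not auto-tag` should read `could not auto-tag`.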
@@ -51,6 +55,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -89,6 +97,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -109,6 +121,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -134,6 +150,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -148,6 +168,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -186,6 +210,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -206,6 +234,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -231,6 +263,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -245,6 +281,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -283,6 +323,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -303,6 +347,10 @@ { "Key": "Name", "Value": "eks-integ-defaults/Cluster/DefaultVpc/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.kubectl-disabled.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.kubectl-disabled.expected.json index 2006baaecfa50..4c00d1f93bd8a 100644 
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.kubectl-disabled.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.kubectl-disabled.expected.json @@ -36,6 +36,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -50,7 +54,11 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet1" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -88,7 +96,11 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet1" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -108,6 +120,10 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -133,7 +149,11 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -147,6 +167,10 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -185,6 +209,10 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -205,6 +233,10 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -230,6 +262,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -244,6 +280,10 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -282,6 +322,10 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } 
@@ -302,6 +346,10 @@ { "Key": "Name", "Value": "eks-integ-kubectl-disabled/VPC/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.lit.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.lit.expected.json index a3d248d900c11..ad3e616b39bb6 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.lit.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.lit.expected.json @@ -37,6 +37,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -51,6 +55,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -89,6 +97,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -109,6 +121,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -134,6 +150,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -148,6 +168,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -186,6 +210,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -206,6 +234,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -231,6 +263,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -245,6 +281,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } 
@@ -283,6 +323,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -303,6 +347,10 @@ { "Key": "Name", "Value": "eks-integ-test-basic/VPC/PublicSubnet3" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-kubectl.lit.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-kubectl.lit.expected.json index 09cd31eb0f9c3..720d8f76704e9 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-kubectl.lit.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-kubectl.lit.expected.json @@ -37,7 +37,11 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -51,7 +55,11 @@ { "Key": "Name", "Value": "k8s-vpc/vpc/PublicSubnet1" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -89,7 +97,11 @@ { "Key": "Name", "Value": "k8s-vpc/vpc/PublicSubnet1" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -109,7 +121,11 @@ { "Key": "Name", "Value": "k8s-vpc/vpc/PublicSubnet1" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -134,7 +150,11 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -148,7 +168,11 @@ { "Key": "Name", "Value": "k8s-vpc/vpc/PublicSubnet2" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -186,7 +210,11 @@ { "Key": "Name", "Value": "k8s-vpc/vpc/PublicSubnet2" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, @@ -206,7 +234,11 @@ { "Key": "Name", "Value": "k8s-vpc/vpc/PublicSubnet2" - } + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + } ] } }, diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-spot.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-spot.expected.json index 8c58122a536c2..a993c2604f9f6 100644 
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-spot.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-spot.expected.json @@ -37,6 +37,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -51,6 +55,10 @@ { "Key": "Name", "Value": "integ-eks-spot/vpc/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -89,6 +97,10 @@ { "Key": "Name", "Value": "integ-eks-spot/vpc/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -109,6 +121,10 @@ { "Key": "Name", "Value": "integ-eks-spot/vpc/PublicSubnet1" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -134,6 +150,10 @@ { "Key": "aws-cdk:subnet-type", "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -148,6 +168,10 @@ { "Key": "Name", "Value": "integ-eks-spot/vpc/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -186,6 +210,10 @@ { "Key": "Name", "Value": "integ-eks-spot/vpc/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } @@ -206,6 +234,10 @@ { "Key": "Name", "Value": "integ-eks-spot/vpc/PublicSubnet2" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" } ] } diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 66bc257bfaf94..c1994dcf8aa40 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts 
@@ -114,6 +114,27 @@ export = { test.done(); }, + 'creating a cluster tags the public VPC subnets'(test: Test) { + // GIVEN + const { stack, vpc } = testFixture(); + + // WHEN + new eks.Cluster(stack, 'Cluster', { vpc, kubectlEnabled: false, defaultCapacity: 0 }); + + // THEN + expect(stack).to(haveResource('AWS::EC2::Subnet', { + MapPublicIpOnLaunch: true, + Tags: [ + { Key: "Name", Value: "Stack/VPC/PublicSubnet1" }, + { Key: "aws-cdk:subnet-name", Value: "Public" }, + { Key: "aws-cdk:subnet-type", Value: "Public" }, + { Key: "kubernetes.io/role/elb", Value: "1" } + ] + })); + + test.done(); + }, + 'adding capacity creates an ASG with tags'(test: Test) { // GIVEN const { stack, vpc } = testFixture();
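Review bot: The added test exercises only the happy path for `PublicSubnet1`. The branch whose behaviour changed in `tagSubnets` has no coverage here: a subnet that is not a concrete `Subnet` now yields a per-subnet warning and `continue` instead of a single warning and `return`. I would add a case that creates the cluster on an imported VPC and asserts that a warning mentioning `"kubernetes.io/role/elb=1"` is attached to the cluster's construct node. It is also worth asserting that a private subnet carries `kubernetes.io/role/internal-elb` and not the public tag, so a swapped argument in the two `tagAllSubnets` calls would be caught. The enclosing `export = {` object begins and continues outside this hunk.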