From a1e707d30e4d0d1fb2178e14d5e170ea90ace9c4 Mon Sep 17 00:00:00 2001
From: Eduardo Rodrigues
Date: Wed, 27 May 2020 13:55:16 +0200
Subject: [PATCH 01/16] expose eks cluster additional attributes
---
 .../lib/cluster-resource-handler/cluster.ts | 2 +
 .../@aws-cdk/aws-eks/lib/cluster-resource.ts | 4 ++
 packages/@aws-cdk/aws-eks/lib/cluster.ts | 38 +++++++++++++++++++
 packages/@aws-cdk/aws-eks/package.json | 8 +---
 4 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
index 8733463cce31b..5fc1c0afdcde2 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
@@ -198,6 +198,8 @@ export class ClusterResourceHandler extends ResourceHandler {
 Endpoint: cluster.endpoint,
 Arn: cluster.arn,
 CertificateAuthorityData: cluster.certificateAuthority?.data,
+ ClusterSecurityGroupId: cluster.resourcesVpcConfig?.clusterSecurityGroupId,
+ EncryptionConfigKeyArn: cluster.encryptionConfig?.shift()?.provider?.keyArn,
 OpenIdConnectIssuerUrl: cluster.identity?.oidc?.issuer,
 OpenIdConnectIssuer: cluster.identity?.oidc?.issuer?.substring(8), // Strips off https:// from the issuer url
 },
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
index 52557776c97e8..5694f92054ad1 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
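Review bot: `cluster.encryptionConfig?.shift()` mutates the DescribeCluster response while reading the key ARN; indexing is side-effect free and just as short: `EncryptionConfigKeyArn: cluster.encryptionConfig?.[0]?.provider?.keyArn,`. The comment added later in this series (hunk @@ -206,6 +209,8 @@) justifies taking the first element but not the mutation, so the same change applies there. Both new attributes are also undefined when the cluster has no envelope encryption or no `resourcesVpcConfig` (the unit tests in this series assert exactly that), and an undefined key drops out of the serialized custom-resource Data, so a template that references `EncryptionConfigKeyArn` on an unencrypted cluster will most likely fail at deploy time; either return an empty string for the absent case or document on the attribute that it is only resolvable when encryption is configured. The surrounding method of `ClusterResourceHandler` starts and ends outside the hunk.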
@@ -18,6 +18,8 @@ export class ClusterResource extends Construct {
 public readonly attrEndpoint: string;
 public readonly attrArn: string;
 public readonly attrCertificateAuthorityData: string;
+ public readonly attrClusterSecurityGroupId: string;
+ public readonly attrEncryptionConfigKeyArn: string;
 public readonly attrOpenIdConnectIssuerUrl: string;
 public readonly attrOpenIdConnectIssuer: string;
 public readonly ref: string;
@@ -126,6 +128,8 @@ export class ClusterResource extends Construct {
 this.attrEndpoint = Token.asString(resource.getAtt('Endpoint'));
 this.attrArn = Token.asString(resource.getAtt('Arn'));
 this.attrCertificateAuthorityData = Token.asString(resource.getAtt('CertificateAuthorityData'));
+ this.attrClusterSecurityGroupId = Token.asString(resource.getAtt('ClusterSecurityGroupId'));
+ this.attrEncryptionConfigKeyArn = Token.asString(resource.getAtt('EncryptionConfigKeyArn'));
 this.attrOpenIdConnectIssuerUrl = Token.asString(resource.getAtt('OpenIdConnectIssuerUrl'));
 this.attrOpenIdConnectIssuer = Token.asString(resource.getAtt('OpenIdConnectIssuer'));
 }
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
index d1fb2bf60352b..9604e8edcb25f 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts
@@ -52,6 +52,18 @@ export interface ICluster extends IResource, ec2.IConnectable {
 * @attribute
 */
 readonly clusterCertificateAuthorityData: string;
+
+ /**
+ * The cluster security group that was created by Amazon EKS for the cluster.
+ * @attribute
+ */
+ readonly clusterSecurityGroupId: string;
+
+ /**
+ * Amazon Resource Name (ARN) or alias of the customer master key (CMK).
+ * @attribute
+ */
+ readonly clusterEncryptionConfigKeyArn: string;
 }
 /**
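Review bot: `ICluster` gains two required members, `clusterSecurityGroupId` and `clusterEncryptionConfigKeyArn`, and the `ClusterAttributes` hunk that follows (@@ -84,6 +96,16 @@) requires them as well, so every existing `Cluster.fromClusterAttributes(...)` call and every external `ICluster` implementation stops compiling, and anyone importing a cluster without envelope encryption has no truthful value to supply. Making the `ClusterAttributes` fields optional, `readonly clusterSecurityGroupId?: string;` and `readonly clusterEncryptionConfigKeyArn?: string;`, and having `ImportedCluster` throw a descriptive error when an unset attribute is read keeps imports backward compatible. The `@attribute` doc on the key ARN should also state that the value is absent for clusters created without an encryption config, since the handler returns undefined in that case.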
@@ -84,6 +96,16 @@ export interface ClusterAttributes {
 */
 readonly clusterCertificateAuthorityData: string;
+ /**
+ * The cluster security group that was created by Amazon EKS for the cluster.
+ */
+ readonly clusterSecurityGroupId: string;
+
+ /**
+ * Amazon Resource Name (ARN) or alias of the customer master key (CMK).
+ */
+ readonly clusterEncryptionConfigKeyArn: string;
+
 /**
 * The security groups associated with this cluster.
 */
@@ -299,6 +321,16 @@ export class Cluster extends Resource implements ICluster {
 */
 public readonly clusterCertificateAuthorityData: string;
+ /**
+ * The cluster security group that was created by Amazon EKS for the cluster.
+ */
+ public readonly clusterSecurityGroupId: string;
+
+ /**
+ * Amazon Resource Name (ARN) or alias of the customer master key (CMK).
+ */
+ public readonly clusterEncryptionConfigKeyArn: string;
+
 /**
 * Manages connection rules (Security Group Rules) for the cluster
 *
@@ -414,6 +446,8 @@ export class Cluster extends Resource implements ICluster {
 this.clusterEndpoint = resource.attrEndpoint;
 this.clusterCertificateAuthorityData = resource.attrCertificateAuthorityData;
+ this.clusterSecurityGroupId = resource.attrClusterSecurityGroupId;
+ this.clusterEncryptionConfigKeyArn = resource.attrEncryptionConfigKeyArn;
 const updateConfigCommandPrefix = `aws eks update-kubeconfig --name ${this.clusterName}`;
 const getTokenCommandPrefix = `aws eks get-token --cluster-name ${this.clusterName}`;
@@ -990,6 +1024,8 @@ export interface AutoScalingGroupOptions {
 class ImportedCluster extends Resource implements ICluster {
 public readonly vpc: ec2.IVpc;
 public readonly clusterCertificateAuthorityData: string;
+ public readonly clusterSecurityGroupId: string;
+ public readonly clusterEncryptionConfigKeyArn: string;
 public readonly clusterName: string;
 public readonly clusterArn: string;
 public readonly clusterEndpoint: string;
@@ -1003,6 +1039,8 @@ class ImportedCluster extends Resource implements ICluster {
 this.clusterEndpoint = props.clusterEndpoint;
 this.clusterArn = props.clusterArn;
 this.clusterCertificateAuthorityData = props.clusterCertificateAuthorityData;
+ this.clusterSecurityGroupId = props.clusterSecurityGroupId;
+ this.clusterEncryptionConfigKeyArn = props.clusterEncryptionConfigKeyArn;
 let i = 1;
 for (const sgProps of props.securityGroups) {
diff --git a/packages/@aws-cdk/aws-eks/package.json b/packages/@aws-cdk/aws-eks/package.json
index aa0b114f5de47..0d1cdb3befa64 100644
--- a/packages/@aws-cdk/aws-eks/package.json
+++ b/packages/@aws-cdk/aws-eks/package.json
@@ -98,13 +98,7 @@
 },
 "awslint": {
 "exclude": [
- "resource-attribute:@aws-cdk/aws-eks.FargateCluster.clusterSecurityGroupId",
- "resource-attribute:@aws-cdk/aws-eks.FargateCluster.clusterEncryptionConfigKeyArn",
- "resource-attribute:@aws-cdk/aws-eks.Cluster.clusterSecurityGroupId",
- "resource-attribute:@aws-cdk/aws-eks.Cluster.clusterEncryptionConfigKeyArn",
- "props-no-arn-refs:@aws-cdk/aws-eks.ClusterProps.outputMastersRoleArn",
- "resource-attribute:@aws-cdk/aws-eks.Cluster.clusterSecurityGroupId",
- "resource-attribute:@aws-cdk/aws-eks.Cluster.clusterSecurityGroupId"
+ "props-no-arn-refs:@aws-cdk/aws-eks.ClusterProps.outputMastersRoleArn"
 ]
 },
 "stability": "experimental",
From 236cb71239ddbb6ee4c1efcc764b36f719064a86 Mon Sep 17 00:00:00 2001
From: Eduardo Rodrigues
Date: Wed, 27 May 2020 23:22:11 +0200
Subject: [PATCH 02/16] deal with boolean properly in resource config
---
 .../lib/cluster-resource-handler/cluster.ts | 13 +++++++++---
 .../lib/cluster-resource-handler/common.ts | 21 +++++++++++++++++++
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
index 5fc1c0afdcde2..c103fa5f06e9b 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
@@ -131,11 +131,18 @@ export class ClusterResourceHandler extends ResourceHandler {
 }
 if (updates.updateLogging || updates.updateAccess) {
- const updateResponse = await this.eks.updateClusterConfig({
+ const config: aws.EKS.UpdateClusterConfigRequest = {
 name: this.clusterName,
 logging: this.newProps.logging,
- resourcesVpcConfig: this.newProps.resourcesVpcConfig,
- });
+ };
+ if (updates.updateAccess) {
+ config.resourcesVpcConfig = {
+ endpointPrivateAccess: this.newProps.resourcesVpcConfig.endpointPrivateAccess,
+ endpointPublicAccess: this.newProps.resourcesVpcConfig.endpointPublicAccess,
+ publicAccessCidrs: this.newProps.resourcesVpcConfig.publicAccessCidrs,
+ }
+ }
+ const updateResponse = await this.eks.updateClusterConfig(config);
 return { EksUpdateId: updateResponse.update?.id };
 }
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts
index 57d3ae20f8cef..014435dd8e986 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts
@@ -14,6 +14,23 @@ export interface EksUpdateId {
 export type ResourceEvent = AWSLambda.CloudFormationCustomResourceEvent & EksUpdateId;
+
+/**
+ * Decodes encoded true/false values
+ */
+function decodeBooleans(object: object) {
+ return JSON.parse(JSON.stringify(object), (_k, v) => {
+ switch (v) {
+ case 'TRUE:BOOLEAN':
+ return true;
+ case 'FALSE:BOOLEAN':
+ return false;
+ default:
+ return v;
+ }
+ });
+}
+
 export abstract class ResourceHandler {
 protected readonly requestId: string;
 protected readonly logicalResourceId: string;
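Review bot: Inside `if (updates.updateAccess)` the three reads of `this.newProps.resourcesVpcConfig.*` have no guard, so an update whose new side drops `resourcesVpcConfig` entirely would throw a TypeError before `updateClusterConfig` is reached, provided `updateAccess` can be true in that case; how `updates` is computed is outside this hunk, so treat this as something to confirm. Optional chaining preserves the request shape and turns the missing object into undefined fields: `endpointPrivateAccess: this.newProps.resourcesVpcConfig?.endpointPrivateAccess,` and likewise for `endpointPublicAccess` and `publicAccessCidrs`. The request also always carries `logging: this.newProps.logging`, even when only access changed; a one-line comment stating that this is intentional (or sending it only under `updates.updateLogging`) would save the next reader a question. The enclosing method starts and ends outside the hunk.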
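Review bot: `decodeBooleans` rewrites every string leaf under `Config` that equals `'TRUE:BOOLEAN'` or `'FALSE:BOOLEAN'`, wherever it appears, so a user-controlled string value (a tag, a name, a CIDR entry) that happens to match the sentinel is silently turned into a boolean; the encoding side is not in this series, so I cannot tell whether the sentinel is confined to known boolean fields. Decoding only the boolean paths the handler actually reads (for example `resourcesVpcConfig.endpointPrivateAccess` / `endpointPublicAccess`) would make the contract explicit, and a docstring line such as `Reverses the string encoding the construct applies to boolean properties; matches only the two sentinel strings.` should name the encoder it pairs with. The function also returns `any` from `JSON.parse`; declaring the return type (`: unknown`, or the caller's `Config` type) keeps strict mode meaningful. The use site in the next hunk (@@ -33,6 +50,10 @@) assigns the result into `this.event.ResourceProperties.Config`, mutating the incoming event in place, which deserves a short comment since later code reads the event as if it were the original.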
@@ -33,6 +50,10 @@ export abstract class ResourceHandler {
 throw new Error('AssumeRoleArn must be provided');
 }
+ if (event.ResourceProperties.Config) {
+ this.event.ResourceProperties.Config = decodeBooleans(event.ResourceProperties.Config);
+ }
+
 eks.configureAssumeRole({
 RoleArn: roleToAssume,
 RoleSessionName: `AWSCDK.EKSCluster.${this.requestType}.${this.requestId}`,
From 7dc67648baaaa1b61bccef3461fed9d0dc8b73b6 Mon Sep 17 00:00:00 2001
From: Eduardo Rodrigues
Date: Tue, 2 Jun 2020 11:25:48 +0200
Subject: [PATCH 03/16] update automated testing for eks
---
 .../aws-eks/test/integ.eks-cluster.expected.json | 16 ++++++++++++++++
 .../@aws-cdk/aws-eks/test/integ.eks-cluster.ts | 2 ++
 .../test/test.cluster-resource-provider.ts | 4 ++++
 packages/@aws-cdk/aws-eks/test/test.cluster.ts | 2 ++
 4 files changed, 24 insertions(+)
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
index 164377d944797..d7099bdd6a67d 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
@@ -2700,6 +2700,22 @@
 ]
 }
 },
+ "ClusterSecurityGroupId": {
+ "Value": {
+ "Fn::GetAtt": [
+ "Cluster9EE0221C",
+ "ClusterSecurityGroupId"
+ ]
+ }
+ },
+ "ClusterEncryptionConfigKeyArn": {
+ "Value": {
+ "Fn::GetAtt": [
+ "Cluster9EE0221C",
+ "EncryptionConfigKeyArn"
+ ]
+ }
+ },
 "ClusterName": {
 "Value": {
 "Ref": "Cluster9EE0221C"
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts
index f6e883f773140..ff6d62e74c20f 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts
@@ -72,6 +72,8 @@ class EksClusterStack extends TestStack { new CfnOutput(this, 'ClusterEndpoint', { value: cluster.clusterEndpoint }); new CfnOutput(this, 'ClusterArn', { value: cluster.clusterArn }); new CfnOutput(this, 'ClusterCertificateAuthorityData', { value: cluster.clusterCertificateAuthorityData }); + new CfnOutput(this, 'ClusterSecurityGroupId', { value: cluster.clusterSecurityGroupId }); + new CfnOutput(this, 'ClusterEncryptionConfigKeyArn', { value: cluster.clusterEncryptionConfigKeyArn }); new CfnOutput(this, 'ClusterName', { value: cluster.clusterName }); } } diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts index 29dcfac4e89b6..78ce09416f3c0 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts @@ -99,6 +99,8 @@ export = { Endpoint: 'http://endpoint', Arn: 'arn:cluster-arn', CertificateAuthorityData: 'certificateAuthority-data', + ClusterSecurityGroupId: undefined, + EncryptionConfigKeyArn: undefined, OpenIdConnectIssuerUrl: undefined, OpenIdConnectIssuer: undefined, }, @@ -422,6 +424,8 @@ export = { Endpoint: 'http://endpoint', Arn: 'arn:cluster-arn', CertificateAuthorityData: 'certificateAuthority-data', + ClusterSecurityGroupId: undefined, + EncryptionConfigKeyArn: undefined, OpenIdConnectIssuerUrl: undefined, OpenIdConnectIssuer: undefined, }, diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index daeded7e80743..4b00ac1ec6e36 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts 
@@ -306,6 +306,8 @@ export = { clusterName: cluster.clusterName, securityGroups: cluster.connections.securityGroups, clusterCertificateAuthorityData: cluster.clusterCertificateAuthorityData, + clusterSecurityGroupId: cluster.clusterSecurityGroupId, + clusterEncryptionConfigKeyArn: cluster.clusterEncryptionConfigKeyArn, }); // this should cause an export/import From 178b6da4bc264d3bc37e25e8e905d97594e346e0 Mon Sep 17 00:00:00 2001 From: Eduardo Rodrigues Date: Tue, 2 Jun 2020 12:24:56 +0200 Subject: [PATCH 04/16] fix linting --- .../@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts | 2 +- .../@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts index c103fa5f06e9b..69f6eb1006dfe 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts @@ -140,7 +140,7 @@ export class ClusterResourceHandler extends ResourceHandler { endpointPrivateAccess: this.newProps.resourcesVpcConfig.endpointPrivateAccess, endpointPublicAccess: this.newProps.resourcesVpcConfig.endpointPublicAccess, publicAccessCidrs: this.newProps.resourcesVpcConfig.publicAccessCidrs, - } + }; } const updateResponse = await this.eks.updateClusterConfig(config); diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts index 014435dd8e986..6f17be9738019 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts @@ -14,7 +14,6 @@ export interface EksUpdateId { export type ResourceEvent = AWSLambda.CloudFormationCustomResourceEvent & EksUpdateId; - /** * Decodes encoded true/false values */ 
From cd7ef843961d0e6d1aa497869f19e123b9dcce44 Mon Sep 17 00:00:00 2001 From: Eduardo Rodrigues Date: Tue, 2 Jun 2020 12:48:30 +0200 Subject: [PATCH 05/16] fix integration test difference --- .../test/integ.eks-cluster.expected.json | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index d7099bdd6a67d..75add96cf882b 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json @@ -2348,7 +2348,7 @@ }, "/", { - "Ref": "AssetParameters7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6S3BucketB18DC500" + "Ref": "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3BucketDBF3513A" }, "/", { @@ -2358,7 +2358,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6S3VersionKeyBE7DFF7A" + "Ref": "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3VersionKeyF219726C" } ] } @@ -2371,7 +2371,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6S3VersionKeyBE7DFF7A" + "Ref": "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3VersionKeyF219726C" } ] } 
@@ -2381,11 +2381,11 @@ ] }, "Parameters": { - "referencetoawscdkeksclustertestAssetParameters01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896S3Bucket35BE45A3Ref": { - "Ref": "AssetParameters01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896S3Bucket221B7FEE" + "referencetoawscdkeksclustertestAssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3Bucket29AC036CRef": { + "Ref": "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3Bucket472D9DAD" }, - "referencetoawscdkeksclustertestAssetParameters01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896S3VersionKey60905A80Ref": { - "Ref": "AssetParameters01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896S3VersionKeyA8C9A018" + "referencetoawscdkeksclustertestAssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3VersionKey6CBD7124Ref": { + "Ref": "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3VersionKeyE839C0C7" }, "referencetoawscdkeksclustertestAssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3BucketC7CBF350Ref": { "Ref": "AssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3Bucket663A709C" 
@@ -2723,17 +2723,17 @@ } }, "Parameters": { - "AssetParameters01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896S3Bucket221B7FEE": { + "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3Bucket472D9DAD": { "Type": "String", - "Description": "S3 bucket for asset \"01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896\"" + "Description": "S3 bucket for asset \"2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073\"" }, - "AssetParameters01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896S3VersionKeyA8C9A018": { + "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3VersionKeyE839C0C7": { "Type": "String", - "Description": "S3 key for asset version \"01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896\"" + "Description": "S3 key for asset version \"2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073\"" }, - "AssetParameters01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896ArtifactHashED8C0EF9": { + "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073ArtifactHash56ED958E": { "Type": "String", - "Description": "Artifact hash for asset \"01ec3fa8451b6541733a25ec9c0c13a2b7dcee848ddad2edf6cb9c1f40cbc896\"" + "Description": "Artifact hash for asset \"2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073\"" }, "AssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3Bucket663A709C": { "Type": "String", 
@@ -2783,17 +2783,17 @@ "Type": "String", "Description": "Artifact hash for asset \"4c04b604b3ea48cf40394c3b4b898525a99ce5f981bc13ad94bf126997416319\"" }, - "AssetParameters7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6S3BucketB18DC500": { + "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3BucketDBF3513A": { "Type": "String", - "Description": "S3 bucket for asset \"7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6\"" + "Description": "S3 bucket for asset \"898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467c\"" }, - "AssetParameters7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6S3VersionKeyBE7DFF7A": { + "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3VersionKeyF219726C": { "Type": "String", - "Description": "S3 key for asset version \"7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6\"" + "Description": "S3 key for asset version \"898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467c\"" }, - "AssetParameters7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6ArtifactHash5F906FBC": { + "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cArtifactHash5F906FBC": { "Type": "String", - "Description": "Artifact hash for asset \"7c148fb102ee8790aaf67d5e2a2dce8f5d9b87285c8b7e91f984216ee66f1be6\"" + "Description": "Artifact hash for asset \"898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467c\"" }, "AssetParameters36525a61abfaf5764fad460fd03c24215fd00da60805807d6138c51be4d03dbcS3Bucket2D824DEF": { "Type": "String", From 2f9213a7ec2d69fc18d65dc285a5ba3c2ac2777d Mon Sep 17 00:00:00 2001 From: Eduardo Rodrigues Date: Tue, 2 Jun 2020 13:25:02 +0200 Subject: [PATCH 06/16] fix --- packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index 75add96cf882b..9c71983677ac8 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json @@ -2791,7 +2791,7 @@ "Type": "String", "Description": "S3 key for asset version \"898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467c\"" }, - "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cArtifactHash5F906FBC": { + "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cArtifactHashC2EBE628": { "Type": "String", "Description": "Artifact hash for asset \"898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467c\"" }, From c62b0887730cc1d7bd54eb42007befc6d75fffa6 Mon Sep 17 00:00:00 2001 From: Eduardo Rodrigues Date: Tue, 2 Jun 2020 14:43:25 +0200 Subject: [PATCH 07/16] update readme --- packages/@aws-cdk/aws-eks/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index d77259e7fb3fb..0735d3dd0247d 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md 
@@ -386,6 +386,20 @@ A convenience method for mapping a role to the `system:masters` group is also av
 cluster.awsAuth.addMastersRole(role)
 ```
+### Cluster Security Group
+
+When you create an Amazon EKS cluster, a
+[cluster security group](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)
+is automatically created as well. This security group is designed to allow
+all traffic from the control plane and managed node groups to flow freely
+between each other.
+
+The ID for that security group can be retrieved after creating the cluster.
+
+```ts
+const clusterSecurityGroupId = cluster.clusterSecurityGroupId;
+```
+
 ### Node ssh Access
 If you want to be able to SSH into your worker nodes, you must already
From 1d9bca98e0b728d154257e607e0dba2e126c75de Mon Sep 17 00:00:00 2001
From: Eduardo Rodrigues
Date: Thu, 4 Jun 2020 16:49:07 +0200
Subject: [PATCH 08/16] add comments in handler code
---
 .../@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
index 69f6eb1006dfe..b202fe39df0cc 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
@@ -136,6 +136,9 @@ export class ClusterResourceHandler extends ResourceHandler {
 logging: this.newProps.logging,
 };
 if (updates.updateAccess) {
+ // Updating the cluster with securityGroupIds and subnetIds (as specified in the warning here:
+ // https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/update-cluster-config.html)
+ // will fail, therefore we take only the access fields explicitly
 config.resourcesVpcConfig = {
 endpointPrivateAccess: this.newProps.resourcesVpcConfig.endpointPrivateAccess,
 endpointPublicAccess: this.newProps.resourcesVpcConfig.endpointPublicAccess,
@@ -206,6 +209,8 @@ export class ClusterResourceHandler extends ResourceHandler {
 Arn: cluster.arn,
 CertificateAuthorityData: cluster.certificateAuthority?.data,
 ClusterSecurityGroupId: cluster.resourcesVpcConfig?.clusterSecurityGroupId,
+ // We can safely return the first item from encryption configuration array, because it has a limit of 1 item
+ // https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateCluster.html#AmazonEKS-CreateCluster-request-encryptionConfig
 EncryptionConfigKeyArn: cluster.encryptionConfig?.shift()?.provider?.keyArn,
 OpenIdConnectIssuerUrl: cluster.identity?.oidc?.issuer,
 OpenIdConnectIssuer: cluster.identity?.oidc?.issuer?.substring(8), // Strips off https:// from the issuer url
From 4e3a6c20012557e6253c3941b88516095e445daf Mon Sep 17 00:00:00 2001
From: Eduardo Rodrigues
Date: Thu, 4 Jun 2020 17:53:46 +0200
Subject: [PATCH 09/16] update unit tests
---
 .../test/test.cluster-resource-provider.ts | 101 +++++++++++++++++-
 1 file changed, 99 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts
index 78ce09416f3c0..3cc06fd490810 100644
--- a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts
+++ b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts
@@ -274,7 +274,7 @@ export = {
 test.done();
 },
- async '"roleArn" requires a replcement'(test: Test) {
+ async '"roleArn" requires a replacement'(test: Test) {
 const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
 roleArn: 'new-arn',
 }, {
@@ -500,7 +500,104 @@ export = { test.done(); }, }, + + 'logging or access change': { + async 'from undefined to partial logging enabled'(test: Test) { + const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', { + logging: { + clusterLogging: [ + { + types: [ 'api' ], + enabled: true, + }, + ], + }, + }, { + logging: undefined, + })); + const resp = await handler.onEvent(); + test.deepEqual(resp, { EksUpdateId: mocks.MOCK_UPDATE_STATUS_ID }); + test.deepEqual(mocks.actualRequest.updateClusterVersionRequest!, { + name: 'physical-resource-id', + logging: { + clusterLogging: [ + { + types: [ 'api' ], + enabled: true, + }, + ], + }, + }); + test.equal(mocks.actualRequest.createClusterRequest, undefined); + test.done(); + }, + + async 'from partial vpc configuration to only private access enabled'(test: Test) { + const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', { + resourcesVpcConfig: { + securityGroupIds: [ '111111111' ], + endpointPrivateAccess: true, + }, + }, { + resourcesVpcConfig: { + securityGroupIds: [ '111111111' ], + }, + })); + const resp = await handler.onEvent(); + test.deepEqual(resp, { EksUpdateId: mocks.MOCK_UPDATE_STATUS_ID }); + test.deepEqual(mocks.actualRequest.updateClusterVersionRequest!, { + name: 'physical-resource-id', + resourcesVpcConfig: { + securityGroupIds: [ '111111111' ], + endpointPrivateAccess: true, + }, + }); + test.equal(mocks.actualRequest.createClusterRequest, undefined); + test.done(); + }, + + async 'from undefined to both logging and access fully enabled'(test: Test) { + const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', { + logging: { + clusterLogging: [ + { + types: [ 'api', 'audit', 'authenticator', 'controllerManager', 'scheduler' ], + enabled: true, + }, + ], + }, + resourcesVpcConfig: { + endpointPrivateAccess: true, + endpointPublicAccess: true, + publicAccessCidrs: [ '0.0.0.0/0' ], + }, + }, { + logging: undefined, + 
resourcesVpcConfig: undefined, + })); + + const resp = await handler.onEvent(); + test.deepEqual(resp, { EksUpdateId: mocks.MOCK_UPDATE_STATUS_ID }); + test.deepEqual(mocks.actualRequest.updateClusterVersionRequest!, { + name: 'physical-resource-id', + logging: { + clusterLogging: [ + { + types: [ 'api', 'audit', 'authenticator', 'controllerManager', 'scheduler' ], + enabled: true, + }, + ], + }, + resourcesVpcConfig: { + endpointPrivateAccess: true, + endpointPublicAccess: true, + publicAccessCidrs: [ '0.0.0.0/0' ], + }, + }); + test.equal(mocks.actualRequest.createClusterRequest, undefined); + test.done(); + }, + }, }, }, - }; \ No newline at end of file From f2d1bccfcc8da0aac5e7d79a2ed79250069bfe92 Mon Sep 17 00:00:00 2001 From: Eduardo Rodrigues Date: Thu, 4 Jun 2020 19:48:19 +0200 Subject: [PATCH 10/16] update for failing unit tests --- .../aws-eks/test/test.cluster-resource-provider.ts | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts index 3cc06fd490810..67662fe42f648 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts @@ -517,7 +517,7 @@ export = { })); const resp = await handler.onEvent(); test.deepEqual(resp, { EksUpdateId: mocks.MOCK_UPDATE_STATUS_ID }); - test.deepEqual(mocks.actualRequest.updateClusterVersionRequest!, { + test.deepEqual(mocks.actualRequest.updateClusterConfigRequest!, { name: 'physical-resource-id', logging: { clusterLogging: [ 
@@ -535,21 +535,23 @@ export = { async 'from partial vpc configuration to only private access enabled'(test: Test) { const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', { resourcesVpcConfig: { - securityGroupIds: [ '111111111' ], + securityGroupIds: ['sg1', 'sg2', 'sg3'], endpointPrivateAccess: true, }, }, { resourcesVpcConfig: { - securityGroupIds: [ '111111111' ], + securityGroupIds: ['sg1', 'sg2', 'sg3'], }, })); const resp = await handler.onEvent(); test.deepEqual(resp, { EksUpdateId: mocks.MOCK_UPDATE_STATUS_ID }); - test.deepEqual(mocks.actualRequest.updateClusterVersionRequest!, { + test.deepEqual(mocks.actualRequest.updateClusterConfigRequest!, { name: 'physical-resource-id', + logging: undefined, resourcesVpcConfig: { - securityGroupIds: [ '111111111' ], endpointPrivateAccess: true, + endpointPublicAccess: undefined, + publicAccessCidrs: undefined, }, }); test.equal(mocks.actualRequest.createClusterRequest, undefined); @@ -578,7 +580,7 @@ export = { const resp = await handler.onEvent(); test.deepEqual(resp, { EksUpdateId: mocks.MOCK_UPDATE_STATUS_ID }); - test.deepEqual(mocks.actualRequest.updateClusterVersionRequest!, { + test.deepEqual(mocks.actualRequest.updateClusterConfigRequest!, { name: 'physical-resource-id', logging: { clusterLogging: [ From 17a7df17ff79f1ef20d9b6200434fee79035b5d4 Mon Sep 17 00:00:00 2001 From: Eduardo Rodrigues Date: Fri, 5 Jun 2020 19:10:20 +0200 Subject: [PATCH 11/16] update integration test expected file --- .../test/integ.eks-cluster.expected.json | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index 9c71983677ac8..2f9a4f91c7317 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json 
@@ -2348,7 +2348,7 @@ }, "/", { - "Ref": "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3BucketDBF3513A" + "Ref": "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3Bucket64CE7DD7" }, "/", { @@ -2358,7 +2358,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3VersionKeyF219726C" + "Ref": "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3VersionKey9FF559EC" } ] } @@ -2371,7 +2371,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3VersionKeyF219726C" + "Ref": "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3VersionKey9FF559EC" } ] } 
@@ -2381,11 +2381,11 @@ ] }, "Parameters": { - "referencetoawscdkeksclustertestAssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3Bucket29AC036CRef": { - "Ref": "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3Bucket472D9DAD" + "referencetoawscdkeksclustertestAssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3BucketF30D2723Ref": { + "Ref": "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3BucketD7990166" }, - "referencetoawscdkeksclustertestAssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3VersionKey6CBD7124Ref": { - "Ref": "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3VersionKeyE839C0C7" + "referencetoawscdkeksclustertestAssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3VersionKey14A0CEF4Ref": { + "Ref": "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3VersionKey58818CE9" }, "referencetoawscdkeksclustertestAssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3BucketC7CBF350Ref": { "Ref": "AssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3Bucket663A709C" 
@@ -2723,17 +2723,17 @@ } }, "Parameters": { - "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3Bucket472D9DAD": { + "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3BucketD7990166": { "Type": "String", - "Description": "S3 bucket for asset \"2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073\"" + "Description": "S3 bucket for asset \"8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0a\"" }, - "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073S3VersionKeyE839C0C7": { + "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3VersionKey58818CE9": { "Type": "String", - "Description": "S3 key for asset version \"2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073\"" + "Description": "S3 key for asset version \"8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0a\"" }, - "AssetParameters2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073ArtifactHash56ED958E": { + "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aArtifactHashD7202CA2": { "Type": "String", - "Description": "Artifact hash for asset \"2d9e7677554c60da9452c9a70d94f6c199478fbe06dad2036cc4f98a9eeb7073\"" + "Description": "Artifact hash for asset \"8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0a\"" }, "AssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3Bucket663A709C": { "Type": "String", 
@@ -2783,17 +2783,17 @@ "Type": "String", "Description": "Artifact hash for asset \"4c04b604b3ea48cf40394c3b4b898525a99ce5f981bc13ad94bf126997416319\"" }, - "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3BucketDBF3513A": { + "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3Bucket64CE7DD7": { "Type": "String", - "Description": "S3 bucket for asset \"898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467c\"" + "Description": "S3 bucket for asset \"13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25b\"" }, - "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cS3VersionKeyF219726C": { + "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3VersionKey9FF559EC": { "Type": "String", - "Description": "S3 key for asset version \"898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467c\"" + "Description": "S3 key for asset version \"13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25b\"" }, - "AssetParameters898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467cArtifactHashC2EBE628": { + "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bArtifactHash7F6C6EA9": { "Type": "String", - "Description": "Artifact hash for asset \"898cb8fe551e5efd77d0e305946c6fe8b31faaf47da39fda438dbefff108467c\"" + "Description": "Artifact hash for asset \"13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25b\"" }, "AssetParameters36525a61abfaf5764fad460fd03c24215fd00da60805807d6138c51be4d03dbcS3Bucket2D824DEF": { "Type": "String", From 1b9182e611ba1491f7b14eeb7b3b887a2b4e6c6f Mon Sep 17 00:00:00 2001 
From: Elad Ben-Israel Date: Tue, 9 Jun 2020 14:47:28 +0300 Subject: [PATCH 12/16] avoid "vendor response doesn't contain key" issues If a custom resource returns an attribute with an "undefined" value, CFN will fail with a "vendor response doesn't contain key" error. To avoid this, we return empty strings in case an attribute is undefined. This is also true for when adding new attributes, in which case updating to the new version will fail on previously deployed clusters with the same error. To mitigate this (and fix #8276 along the way), we add a fake property called "AttributesRevision" with a number that needs to be manually incremented every time new attributes are introduced. This will cause old clusters to be updated and the new attributes returned. --- .../lib/cluster-resource-handler/cluster.ts | 17 +++++--- .../@aws-cdk/aws-eks/lib/cluster-resource.ts | 7 ++++ .../test/integ.eks-cluster.expected.json | 41 ++++++++++--------- 3 files changed, 40 insertions(+), 25 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts index b202fe39df0cc..f20ddd85c5704 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts 
@@ -207,13 +207,20 @@ export class ClusterResourceHandler extends ResourceHandler {
 Name: cluster.name,
 Endpoint: cluster.endpoint,
 Arn: cluster.arn,
- CertificateAuthorityData: cluster.certificateAuthority?.data,
- ClusterSecurityGroupId: cluster.resourcesVpcConfig?.clusterSecurityGroupId,
+
+ // IMPORTANT: CFN expects that attributes will *always* have values,
+ // so return an empty string in case the value is not defined.
+ // Otherwise, CFN will throw with `Vendor response doesn't contain
+ // XXXX key`.
+
+ CertificateAuthorityData: cluster.certificateAuthority?.data ?? '',
+ ClusterSecurityGroupId: cluster.resourcesVpcConfig?.clusterSecurityGroupId ?? '',
+ OpenIdConnectIssuerUrl: cluster.identity?.oidc?.issuer ?? '',
+ OpenIdConnectIssuer: cluster.identity?.oidc?.issuer?.substring(8) ?? '', // Strips off https:// from the issuer url
+
 // We can safely return the first item from encryption configuration array, because it has a limit of 1 item
 // https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateCluster.html#AmazonEKS-CreateCluster-request-encryptionConfig
- EncryptionConfigKeyArn: cluster.encryptionConfig?.shift()?.provider?.keyArn,
- OpenIdConnectIssuerUrl: cluster.identity?.oidc?.issuer,
- OpenIdConnectIssuer: cluster.identity?.oidc?.issuer?.substring(8), // Strips off https:// from the issuer url
+ EncryptionConfigKeyArn: cluster.encryptionConfig?.shift()?.provider?.keyArn ?? '',
 },
 };
 }
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
index 5694f92054ad1..18dfaa4716752 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
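Review bot: The `EncryptionConfigKeyArn` line keeps `cluster.encryptionConfig?.shift()`, which pops the first element off the DescribeCluster response while the attribute map is being built, so any later read of `cluster.encryptionConfig` in this method or its caller (outside the hunk) would find an empty array; reading without mutating is the same one-liner: `EncryptionConfigKeyArn: cluster.encryptionConfig?.[0]?.provider?.keyArn ?? '',`. The `OpenIdConnectIssuer` line still assumes the issuer begins with exactly the eight characters of `https://`; `cluster.identity?.oidc?.issuer?.replace(/^https:\/\//, '') ?? ''` strips only a matching prefix instead of blindly truncating whatever EKS returns. With the new `?? ''` fallback a consumer that wires `EncryptionConfigKeyArn` into a KMS grant or IAM policy can no longer tell "cluster has no envelope encryption" from "value missing", which deserves a sentence in the IMPORTANT comment, e.g. `// An empty string means the attribute is absent (e.g. no encryptionConfig); callers must not treat it as a valid ARN.` The enclosing method starts and ends outside the hunk.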
@@ -119,6 +119,13 @@ export class ClusterResource extends Construct { properties: { Config: props, AssumeRoleArn: this.creationRole.roleArn, + + // IMPORTANT: increment this number when you add new attributes to the + // resource. Otherwise, CloudFormation will error with "Vendor response + // doesn't contain XXX key in object" (see #8276) by incrementing this + // number, you will effectively cause a "no-op update" to the cluster + // which will return the new set of attribute. + AttributesRevision: 2, }, }); diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index 2f9a4f91c7317..ad48b959f54a3 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json @@ -888,7 +888,8 @@ "ClusterCreationRole360249B6", "Arn" ] - } + }, + "AttributesRevision": 2 }, "DependsOn": [ "ClusterCreationRoleDefaultPolicyE8BDFC7B", @@ -2348,7 +2349,7 @@ }, "/", { - "Ref": "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3Bucket64CE7DD7" + "Ref": "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3BucketF79B7325" }, "/", { @@ -2358,7 +2359,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3VersionKey9FF559EC" + "Ref": "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3VersionKeyA5A2A4AF" } ] } @@ -2371,7 +2372,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3VersionKey9FF559EC" + "Ref": "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3VersionKeyA5A2A4AF" } ] } 
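Review bot: The IMPORTANT comment above `AttributesRevision: 2` calls the bump a "no-op update", but whether the handler really treats a change to this property as a no-op depends on its update path comparing only `Config`, which is not visible in this hunk; a unit test that sends an Update event where only `AttributesRevision` differs and asserts that no EKS update call is issued would pin that down. The comment also runs two sentences together and has a typo; suggest `// doesn't contain XXX key in object" (see #8276). Incrementing this` followed by `// number causes a no-op update of the cluster, which returns the new set of attributes.` A manually maintained counter is easy to forget, so if the handler's returned attribute keys are asserted against a fixed list in the tests, a forgotten bump surfaces as a test diff rather than a failed stack update. The enclosing constructor starts before the hunk.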
@@ -2381,11 +2382,11 @@ ] }, "Parameters": { - "referencetoawscdkeksclustertestAssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3BucketF30D2723Ref": { - "Ref": "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3BucketD7990166" + "referencetoawscdkeksclustertestAssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3Bucket5B42433FRef": { + "Ref": "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3Bucket73F0DD11" }, - "referencetoawscdkeksclustertestAssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3VersionKey14A0CEF4Ref": { - "Ref": "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3VersionKey58818CE9" + "referencetoawscdkeksclustertestAssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3VersionKey359E7CEDRef": { + "Ref": "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3VersionKeyE2DE1579" }, "referencetoawscdkeksclustertestAssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3BucketC7CBF350Ref": { "Ref": "AssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3Bucket663A709C" 
@@ -2723,17 +2724,17 @@ } }, "Parameters": { - "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3BucketD7990166": { + "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3Bucket73F0DD11": { "Type": "String", - "Description": "S3 bucket for asset \"8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0a\"" + "Description": "S3 bucket for asset \"c6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28b\"" }, - "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aS3VersionKey58818CE9": { + "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3VersionKeyE2DE1579": { "Type": "String", - "Description": "S3 key for asset version \"8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0a\"" + "Description": "S3 key for asset version \"c6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28b\"" }, - "AssetParameters8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0aArtifactHashD7202CA2": { + "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bArtifactHash37039C6E": { "Type": "String", - "Description": "Artifact hash for asset \"8c2628fbc95254e5cd62c059ef1599a35e29e9b485dc9d876bcc27dec653ce0a\"" + "Description": "Artifact hash for asset \"c6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28b\"" }, "AssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3Bucket663A709C": { "Type": "String", 
@@ -2783,17 +2784,17 @@ "Type": "String", "Description": "Artifact hash for asset \"4c04b604b3ea48cf40394c3b4b898525a99ce5f981bc13ad94bf126997416319\"" }, - "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3Bucket64CE7DD7": { + "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3BucketF79B7325": { "Type": "String", - "Description": "S3 bucket for asset \"13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25b\"" + "Description": "S3 bucket for asset \"eb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7f\"" }, - "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bS3VersionKey9FF559EC": { + "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3VersionKeyA5A2A4AF": { "Type": "String", - "Description": "S3 key for asset version \"13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25b\"" + "Description": "S3 key for asset version \"eb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7f\"" }, - "AssetParameters13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25bArtifactHash7F6C6EA9": { + "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fArtifactHashA2CB3EF7": { "Type": "String", - "Description": "Artifact hash for asset \"13eb5e19a1f069daaa5fd3729a81e67a03a19b377a0e8d57b49aa9ad3d85f25b\"" + "Description": "Artifact hash for asset \"eb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7f\"" }, "AssetParameters36525a61abfaf5764fad460fd03c24215fd00da60805807d6138c51be4d03dbcS3Bucket2D824DEF": { "Type": "String", From 0e635f4ae755a0911a6c1efdc7edbba22abea3ce Mon Sep 17 00:00:00 2001 From: Eduardo Rodrigues Date: Tue, 9 Jun 2020 14:57:09 +0200 Subject: [PATCH 13/16] update readme with encryption config --- packages/@aws-cdk/aws-eks/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 0735d3dd0247d..b1e52b71a78d5 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md @@ -400,6 +400,19 @@ The ID for that security group can be retrieved after creating the cluster. const clusterSecurityGroupId = cluster.clusterSecurityGroupId; ``` +### Cluster Encryption Configuration + +When you create an Amazon EKS cluster, envelope encryption of +Kubernetes secrets using the AWS Key Management Service (AWS KMS) can be enabled. The documentation +on [creating a cluster](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html) +can provide more details about the customer master key (CMK) that can be used for the encryption. + +The Amazon Resource Name (ARN) for that CMK can be retrieved. + +```ts +const clusterEncryptionConfigKeyArn = cluster.clusterEncryptionConfigKeyArn; +``` + ### Node ssh Access If you want to be able to SSH into your worker nodes, you must already From 6978ec400a06f898e2162120b85a9c93d4bc7b8f Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Wed, 10 Jun 2020 11:37:39 +0300 Subject: [PATCH 14/16] update tests --- .../test/test.cluster-resource-provider.ts | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts index 67662fe42f648..e762d6c7abbd3 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts 
@@ -99,10 +99,10 @@ export = {
 Endpoint: 'http://endpoint',
 Arn: 'arn:cluster-arn',
 CertificateAuthorityData: 'certificateAuthority-data',
- ClusterSecurityGroupId: undefined,
- EncryptionConfigKeyArn: undefined,
- OpenIdConnectIssuerUrl: undefined,
- OpenIdConnectIssuer: undefined,
+ ClusterSecurityGroupId: '',
+ EncryptionConfigKeyArn: '',
+ OpenIdConnectIssuerUrl: '',
+ OpenIdConnectIssuer: '',
 },
 });
 test.done();
@@ -424,10 +424,10 @@ export = {
 Endpoint: 'http://endpoint',
 Arn: 'arn:cluster-arn',
 CertificateAuthorityData: 'certificateAuthority-data',
- ClusterSecurityGroupId: undefined,
- EncryptionConfigKeyArn: undefined,
- OpenIdConnectIssuerUrl: undefined,
- OpenIdConnectIssuer: undefined,
+ ClusterSecurityGroupId: '',
+ EncryptionConfigKeyArn: '',
+ OpenIdConnectIssuerUrl: '',
+ OpenIdConnectIssuer: '',
 },
 });
 test.done();
From e7ef1cfa6a54eff725815e9d01bd280fcf6da5f9 Mon Sep 17 00:00:00 2001
From: Elad Ben-Israel
Date: Wed, 10 Jun 2020 15:05:16 +0300
Subject: [PATCH 15/16] get rid of `decodeBooleans`
---
 .../lib/cluster-resource-handler/common.ts | 20 -------------------
 1 file changed, 20 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts
index 6f17be9738019..57d3ae20f8cef 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts
@@ -14,22 +14,6 @@ export interface EksUpdateId {
 export type ResourceEvent = AWSLambda.CloudFormationCustomResourceEvent & EksUpdateId;
-/**
- * Decodes encoded true/false values
- */
-function decodeBooleans(object: object) {
- return JSON.parse(JSON.stringify(object), (_k, v) => {
- switch (v) {
- case 'TRUE:BOOLEAN':
- return true;
- case 'FALSE:BOOLEAN':
- return false;
- default:
- return v;
- }
- });
-}
-
 export abstract class ResourceHandler {
 protected readonly requestId: string;
 protected readonly logicalResourceId: string;
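Review bot: The updated expectations in this hunk (and the matching one at `@@ -424`) only pin the empty-string fallback for `ClusterSecurityGroupId`, `EncryptionConfigKeyArn` and the two OIDC attributes; no visible case feeds a populated `encryptionConfig` or `identity.oidc.issuer` through the handler, so the first-element and `substring(8)` logic stays unexercised unless another test in this file covers it. Suggest one fixture where the DescribeCluster mock returns `encryptionConfig: [{ provider: { keyArn: 'arn:kms-key-arn' } }]` and `identity: { oidc: { issuer: 'https://oidc.example/id/ABC' } }`, asserting `EncryptionConfigKeyArn: 'arn:kms-key-arn'` and `OpenIdConnectIssuer: 'oidc.example/id/ABC'` alongside the full URL. The enclosing test functions start outside the hunk.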
@@ -49,10 +33,6 @@ export abstract class ResourceHandler {
 throw new Error('AssumeRoleArn must be provided');
 }
- if (event.ResourceProperties.Config) {
- this.event.ResourceProperties.Config = decodeBooleans(event.ResourceProperties.Config);
- }
-
 eks.configureAssumeRole({
 RoleArn: roleToAssume,
 RoleSessionName: `AWSCDK.EKSCluster.${this.requestType}.${this.requestId}`,
From 66ece9aa61eb4564f0b55f74b2dcedc12857fe86 Mon Sep 17 00:00:00 2001
From: Elad Ben-Israel
Date: Wed, 10 Jun 2020 15:45:54 +0300
Subject: [PATCH 16/16] update expectations
---
 .../test/integ.eks-cluster.expected.json | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
index 80defcd4790c1..64d77fd5a5eb7 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
@@ -2356,7 +2356,7 @@ }, "/", { - "Ref": "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3BucketF79B7325" + "Ref": "AssetParameters18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5S3Bucket7B48152A" }, "/", { @@ -2366,7 +2366,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3VersionKeyA5A2A4AF" + "Ref": "AssetParameters18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5S3VersionKey75927692" } ] } @@ -2379,7 +2379,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3VersionKeyA5A2A4AF" + "Ref": "AssetParameters18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5S3VersionKey75927692" } ] }
@@ -2389,11 +2389,11 @@ ] }, "Parameters": { - "referencetoawscdkeksclustertestAssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3Bucket5B42433FRef": { - "Ref": "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3Bucket73F0DD11" + "referencetoawscdkeksclustertestAssetParameters95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402cS3Bucket60058D6ARef": { + "Ref": "AssetParameters95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402cS3Bucket7F8D74FE" }, - "referencetoawscdkeksclustertestAssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3VersionKey359E7CEDRef": { - "Ref": "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3VersionKeyE2DE1579" + "referencetoawscdkeksclustertestAssetParameters95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402cS3VersionKey42E00C5ARef": { + "Ref": "AssetParameters95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402cS3VersionKey1DF2734D" }, "referencetoawscdkeksclustertestAssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3BucketC7CBF350Ref": { "Ref": "AssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3Bucket663A709C" 
@@ -2731,17 +2731,17 @@ } }, "Parameters": { - "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3Bucket73F0DD11": { + "AssetParameters95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402cS3Bucket7F8D74FE": { "Type": "String", - "Description": "S3 bucket for asset \"c6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28b\"" + "Description": "S3 bucket for asset \"95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402c\"" }, - "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bS3VersionKeyE2DE1579": { + "AssetParameters95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402cS3VersionKey1DF2734D": { "Type": "String", - "Description": "S3 key for asset version \"c6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28b\"" + "Description": "S3 key for asset version \"95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402c\"" }, - "AssetParametersc6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28bArtifactHash37039C6E": { + "AssetParameters95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402cArtifactHash38FFB16E": { "Type": "String", - "Description": "Artifact hash for asset \"c6b47d34cf6aea5e483bdafcc25697aa7dfb28b4baa7ee701cdc13bf3f51f28b\"" + "Description": "Artifact hash for asset \"95d3377fefffa0934741552d39e46eef13de3a2094050df1057480e0344b402c\"" }, "AssetParameters5e49cf64d8027f48872790f80cdb76c5b836ecf9a70b71be1eb937a5c25a47c1S3Bucket663A709C": { "Type": "String", 
@@ -2791,17 +2791,17 @@ "Type": "String", "Description": "Artifact hash for asset \"4c04b604b3ea48cf40394c3b4b898525a99ce5f981bc13ad94bf126997416319\"" }, - "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3BucketF79B7325": { + "AssetParameters18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5S3Bucket7B48152A": { "Type": "String", - "Description": "S3 bucket for asset \"eb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7f\"" + "Description": "S3 bucket for asset \"18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5\"" }, - "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fS3VersionKeyA5A2A4AF": { + "AssetParameters18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5S3VersionKey75927692": { "Type": "String", - "Description": "S3 key for asset version \"eb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7f\"" + "Description": "S3 key for asset version \"18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5\"" }, - "AssetParameterseb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7fArtifactHashA2CB3EF7": { + "AssetParameters18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5ArtifactHash3F4FE787": { "Type": "String", - "Description": "Artifact hash for asset \"eb8644bc7891dd1945dc11cc3cf24bb3b69a9497abc761346e3555a444dbaf7f\"" + "Description": "Artifact hash for asset \"18f930a3a3efac8df646c455c3afda1a743c13805600915d02fd4f4be87443f5\"" }, "AssetParameters36525a61abfaf5764fad460fd03c24215fd00da60805807d6138c51be4d03dbcS3Bucket2D824DEF": { "Type": "String",