From 0650ba502bd648787963d4639d1298cb47c826cf Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 16 Jul 2020 04:02:49 +0300 Subject: [PATCH 01/33] mid work --- .../lib/cluster-resource-handler/cluster.ts | 22 +++- .../@aws-cdk/aws-eks/lib/cluster-resource.ts | 29 ++++- packages/@aws-cdk/aws-eks/lib/cluster.ts | 122 +++++++++++++++++- .../@aws-cdk/aws-eks/lib/kubectl-provider.ts | 18 ++- 4 files changed, 176 insertions(+), 15 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts index d88c8900e3020..e6e3dbd5d872e 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts @@ -22,8 +22,16 @@ export class ClusterResourceHandler extends ResourceHandler { constructor(eks: EksClient, event: ResourceEvent) { super(eks, event); - this.newProps = parseProps(this.event.ResourceProperties); - this.oldProps = event.RequestType === 'Update' ? parseProps(event.OldResourceProperties) : { }; + function patchEndpointAccess(props: aws.EKS.CreateClusterRequest): aws.EKS.CreateClusterRequest { + + Object.assign(props.resourcesVpcConfig, { endpointPrivateAccess: (props.resourcesVpcConfig.endpointPrivateAccess as any) === 'true' }); + Object.assign(props.resourcesVpcConfig, { endpointPublicAccess: (props.resourcesVpcConfig.endpointPublicAccess as any) === 'true' }); + + return props; + } + + this.newProps = patchEndpointAccess(parseProps(this.event.ResourceProperties)); + this.oldProps = event.RequestType === 'Update' ? patchEndpointAccess(parseProps(event.OldResourceProperties)) : { }; } // ------ 
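Review bot: In `patchEndpointAccess` the two `Object.assign` lines coerce with `(… as any) === 'true'`, which throws away the type instead of narrowing it and also turns a value that is already the boolean `true` into `false`. A small helper avoids the cast and accepts both forms: `const asBool = (v: unknown) => v === true || v === 'true';` followed by `props.resourcesVpcConfig.endpointPrivateAccess = asBool(props.resourcesVpcConfig.endpointPrivateAccess);` (same for the public flag). `parseProps` is outside the hunk, so it cannot be confirmed here whether `resourcesVpcConfig` can be absent on `OldResourceProperties`; if it can, `Object.assign(undefined, …)` throws a TypeError during the update rather than reporting a useful error.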
@@ -280,6 +288,9 @@ function analyzeUpdate(oldProps: Partial, newProps const newVpcProps = newProps.resourcesVpcConfig || { }; const oldVpcProps = oldProps.resourcesVpcConfig || { }; + const oldPublicAccessCidrs = new Set(oldVpcProps.publicAccessCidrs ?? []); + const newPublicAccessCidrs = new Set(newVpcProps.publicAccessCidrs ?? []); + return { replaceName: newProps.name !== oldProps.name, replaceVpc: @@ -287,9 +298,14 @@ function analyzeUpdate(oldProps: Partial, newProps JSON.stringify(newVpcProps.securityGroupIds) !== JSON.stringify(oldVpcProps.securityGroupIds), updateAccess: newVpcProps.endpointPrivateAccess !== oldVpcProps.endpointPrivateAccess || - newVpcProps.endpointPublicAccess !== oldVpcProps.endpointPublicAccess, + newVpcProps.endpointPublicAccess !== oldVpcProps.endpointPublicAccess || + !setsEqual(newPublicAccessCidrs, oldPublicAccessCidrs), replaceRole: newProps.roleArn !== oldProps.roleArn, updateVersion: newProps.version !== oldProps.version, updateLogging: JSON.stringify(newProps.logging) !== JSON.stringify(oldProps.logging), }; } + +function setsEqual(first: Set, second: Set) { + return first.size === second.size || [...first].every((e: string) => second.has(e)); +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts index 13b493808d0b0..a6cd1e72ced79 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts 
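Review bot: `setsEqual` at the end of the hunk uses `||` where `&&` is needed: two sets of equal size always compare as equal, and `[...first].every(...)` is vacuously true for an empty `first`, so replacing one allow-listed CIDR with another, or clearing the list entirely, leaves `updateAccess` false and the new `publicAccessCidrs` is never applied (only additions are detected). The line should read `return first.size === second.size && [...first].every((e: string) => second.has(e));`. Since this flag gates whether the public-endpoint allow list is pushed to the cluster, the bug means an operator tightening or loosening that list would believe the change was deployed when it was not; the consumer of `updateAccess` is outside the hunk. The file also now ends without a trailing newline.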
@@ -1,8 +1,31 @@ import * as iam from '@aws-cdk/aws-iam'; -import { ArnComponents, Construct, CustomResource, Lazy, Stack, Token } from '@aws-cdk/core'; +import { ArnComponents, Construct, CustomResource, Lazy, Stack, Token, IResolvable } from '@aws-cdk/core'; import { CLUSTER_RESOURCE_TYPE } from './cluster-resource-handler/consts'; import { ClusterResourceProvider } from './cluster-resource-provider'; -import { CfnClusterProps } from './eks.generated'; +import { CfnClusterProps, CfnCluster } from './eks.generated'; + +interface ResourcesVpcConfig extends CfnCluster.ResourcesVpcConfigProperty { + + /** + * Enable private endpoint access to the cluster. + */ + readonly endpointPrivateAccess: boolean; + + /** + * Enable public endpoint access to the cluster. + */ + readonly endpointPublicAccess: boolean; + + /** + * Limit public address with CIDR blocks. + */ + readonly publicAccessCidrs?: string[]; + +} +interface ClusterResourceProps extends Omit { + + readonly resourcesVpcConfig: ResourcesVpcConfig | IResolvable; +} /** * A low-level CFN resource Amazon EKS cluster implemented through a custom @@ -32,7 +55,7 @@ export class ClusterResource extends Construct { private readonly trustedPrincipals: string[] = []; - constructor(scope: Construct, id: string, props: CfnClusterProps) { + constructor(scope: Construct, id: string, props: ClusterResourceProps) { super(scope, id); const stack = Stack.of(this); diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 64338e877075b..ff7da45468e02 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts 
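Review bot: `ResourcesVpcConfig` and `ClusterResourceProps` are declared without `export`, yet `ClusterResourceProps` becomes the parameter type of the exported `ClusterResource` constructor in the second hunk; if this package emits declaration files that is rejected as an exported class using a private name (TS4063, verify against the build settings). Either export both interfaces or keep the constructor on `CfnClusterProps`. `ClusterResourceProps` also has no TSDoc, and the `publicAccessCidrs` doc should state when it applies, e.g. `* CIDR blocks allowed to reach the public endpoint; only used when \`endpointPublicAccess\` is true.`.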
@@ -13,7 +13,7 @@ import { FargateProfile, FargateProfileOptions } from './fargate-profile'; import { HelmChart, HelmChartOptions } from './helm-chart'; import { KubernetesPatch } from './k8s-patch'; import { KubernetesResource } from './k8s-resource'; -import { KubectlProvider } from './kubectl-provider'; +import { KubectlProvider, KubectlProviderProps } from './kubectl-provider'; import { Nodegroup, NodegroupOptions } from './managed-nodegroup'; import { ServiceAccount, ServiceAccountOptions } from './service-account'; import { LifecycleLabel, renderAmazonLinuxUserData, renderBottlerocketUserData } from './user-data'; @@ -120,7 +120,11 @@ export interface ClusterAttributes { */ export interface ClusterOptions { /** - * The VPC in which to create the Cluster + * The VPC in which to create the Cluster. + * + * Note that if `endpointAccess` is configured to private only, the VPC must + * have `enableDnsHostnames` and `enableDnsSupport` set to true. + * In addition, the DHCP options set for your VPC must include 'AmazonProvidedDNS' in its domain name servers list. * * @default - a VPC with default configuration will be created and can be accessed through `cluster.vpc`. */ 
@@ -216,6 +220,78 @@ export interface ClusterOptions { * @default true */ readonly outputConfigCommand?: boolean; + + /** + * Configure access to the Kubernetes API server endpoint. + * + * @see https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html + * + * @default - Private and Public. The cluster endpoint is accessible from outside of your VPC. + * Worker node traffic will leave your VPC to connect to the endpoint + */ + readonly endpointAccess?: EndpointAccess; +} + +/** + * Endpoint access characteristics. + */ +export class EndpointAccess { + + /** + * The cluster endpoint is only accessible through your VPC. + * Worker node traffic to the endpoint will stay within your VPC. + */ + public static private() { + return new EndpointAccess(true, false, []); + } + + /** + * The cluster endpoint is accessible from outside of your VPC. + * Worker node traffic will leave your VPC to connect to the endpoint. + * + * By default, the endpoint is exposed to all adresses. You can optionally limit the CIDR blocks that can access the public endpoint. + * If you limit access to specific CIDR blocks, you must ensure that the CIDR blocks that you + * specify include the addresses that worker nodes and Fargate pods (if you use them) + * access the public endpoint from. + * + * @param cidr The CIDR blocks. + */ + public static public(...cidr: string[]) { + return new EndpointAccess(false, true, cidr.length > 0 ? cidr : undefined); + } + + /** + * The cluster endpoint is accessible from outside of your VPC. + * Worker node traffic to the endpoint will stay within your VPC. + * + * By default, the endpoint is exposed to all adresses. You can optionally limit the CIDR blocks that can access the public endpoint. + * If you limit access to specific CIDR blocks, you must ensure that the CIDR blocks that you + * specify include the addresses that worker nodes and Fargate pods (if you use them) + * access the public endpoint from. + * + * @param cidr The CIDR blocks. 
+ */ + public static publicAndPrivate(...cidr: string[]) { + return new EndpointAccess(true, true, cidr.length > 0 ? cidr : undefined); + } + + private constructor( + + /** + * Enable private endpoint access to the cluster. + */ + public readonly endpointPrivateAccess: boolean, + + /** + * Limit public address with CIDR blocks. + */ + public readonly endpointPublicAccess: boolean, + + /** + * Enable public endpoint access to the cluster. + */ + public readonly publicAccessCidrs?: string[]) {} + } /** @@ -424,6 +500,10 @@ export class Cluster extends Resource implements ICluster { private _neuronDevicePlugin?: KubernetesResource; + private readonly endpointAccess: EndpointAccess; + + private readonly controlPlaneSecurityGroup: ec2.ISecurityGroup; + private readonly version: KubernetesVersion; /** @@ -467,16 +547,20 @@ export class Cluster extends Resource implements ICluster { ], }); - const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', { + this.controlPlaneSecurityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', { vpc: this.vpc, description: 'EKS Control Plane Security Group', }); this.connections = new ec2.Connections({ - securityGroups: [securityGroup], + securityGroups: [this.controlPlaneSecurityGroup], defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API }); + // allow resources with the same security group to connect to the control plane. + // needed for private access from the KubeCtlProvider, and in general doesn't hurt. + this.connections.allowFrom(this.controlPlaneSecurityGroup, ec2.Port.tcp(443)); + // Get subnetIds for all selected subnets const placements = props.vpcSubnets || [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }]; const subnetIds = [...new Set(Array().concat(...placements.map(s => this.vpc.selectSubnets(s).subnetIds)))]; 
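Review bot: The TSDoc on the last two constructor parameters of `EndpointAccess` is swapped: `endpointPublicAccess` is described as `Limit public address with CIDR blocks.` and `publicAccessCidrs` as `Enable public endpoint access to the cluster.`; they should read `* Enable public endpoint access to the cluster.` on `endpointPublicAccess` and `* Limit public endpoint access to these CIDR blocks.` on `publicAccessCidrs`. The same swapped text survives in the `@@ -290,7 +291,13 @@` hunk of patch 04, which touches those lines again. Also `private()` passes `[]` for the CIDR list while `public()`/`publicAndPrivate()` normalize an empty list to `undefined`, so a private-only cluster forwards `publicAccessCidrs: []` to the handler; `return new EndpointAccess(true, false, undefined);` keeps the three factories consistent. Minor: "adresses" → "addresses" in both `public()` and `publicAndPrivate()` docs.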
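Review bot: The new `this.connections.allowFrom(this.controlPlaneSecurityGroup, ec2.Port.tcp(443))` adds a self-referencing ingress rule unconditionally, including when the group was supplied by the caller through `props.securityGroup` and when the endpoint is public-only, where the kubectl provider is not placed in the VPC at all (see the `@@ -904` hunk). The comment says it "doesn't hurt", but it widens a user-owned security group, so it should be limited to the case that needs it (private endpoint access with the provider in the VPC) or at least called out in the `securityGroup` property documentation: `// Self-referencing 443 ingress: lets the in-VPC kubectl provider (same SG) reach the private endpoint.`. `endpointAccess` is assigned later in the constructor (next hunk), so gating on it here means moving that assignment up.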
@@ -486,15 +570,25 @@ export class Cluster extends Resource implements ICluster { roleArn: this.role.roleArn, version: props.version.version, resourcesVpcConfig: { - securityGroupIds: [securityGroup.securityGroupId], + securityGroupIds: [this.controlPlaneSecurityGroup.securityGroupId], subnetIds, }, }; + this.endpointAccess = props.endpointAccess ?? EndpointAccess.publicAndPrivate(); + let resource; this.kubectlEnabled = props.kubectlEnabled === undefined ? true : props.kubectlEnabled; if (this.kubectlEnabled) { - resource = new ClusterResource(this, 'Resource', clusterProps); + resource = new ClusterResource(this, 'Resource', { + ...clusterProps, + resourcesVpcConfig: { + ...clusterProps.resourcesVpcConfig, + endpointPrivateAccess: this.endpointAccess.endpointPrivateAccess, + endpointPublicAccess: this.endpointAccess.endpointPublicAccess, + publicAccessCidrs: this.endpointAccess.publicAccessCidrs, + }, + }); this._clusterResource = resource; // see https://github.com/aws/aws-cdk/issues/9027 @@ -904,7 +998,21 @@ export class Cluster extends Resource implements ICluster { let provider = this.stack.node.tryFindChild(uid) as KubectlProvider; if (!provider) { // create the provider. - provider = new KubectlProvider(this.stack, uid); + + let providerProps: KubectlProviderProps = {}; + + if (!this.endpointAccess.endpointPublicAccess) { + // endpoint access is private only, we need to attach the + // provider to the VPC so that it can access the cluster. + providerProps = { + ...providerProps, + vpc: this.vpc, + vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }, + securityGroups: [this.controlPlaneSecurityGroup], + }; + } + + provider = new KubectlProvider(this.stack, uid, providerProps); } // allow the kubectl provider to assume the cluster creation role. diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts index 9fe12c4b6169b..782af55d7f20b 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts 
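Review bot: The provider is attached to the VPC only when `!this.endpointAccess.endpointPublicAccess`, so for `EndpointAccess.public(...)` or `publicAndPrivate(...)` with CIDR restrictions the kubectl Lambda still runs outside the VPC and reaches the endpoint from an AWS-owned public address that is unlikely to be in the caller's allow list; such deployments would presumably fail at apply time rather than at synth. Consider placing the provider in the VPC whenever `publicAccessCidrs` is set and private access is on, and documenting the remaining public-only-with-CIDRs case on `EndpointAccess.public`. `tryFindChild(uid)` also reuses one provider per stack, so if `uid` does not depend on the cluster (its derivation is above the hunk) the first cluster's VPC placement applies to every later cluster in that stack. Finally `vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }` is hard-coded rather than derived from `props.vpcSubnets`, which breaks for VPCs without private subnets.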
+++ b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts @@ -1,10 +1,21 @@ +import * as path from 'path'; +import { IVpc, ISecurityGroup, SubnetSelection } from '@aws-cdk/aws-ec2'; import * as iam from '@aws-cdk/aws-iam'; import * as lambda from '@aws-cdk/aws-lambda'; import { Construct, Duration, NestedStack } from '@aws-cdk/core'; import * as cr from '@aws-cdk/custom-resources'; -import * as path from 'path'; import { KubectlLayer } from './kubectl-layer'; +export interface KubectlProviderProps { + + readonly vpc?: IVpc; + + readonly securityGroups?: ISecurityGroup[]; + + readonly vpcSubnets?: SubnetSelection; + +} + export class KubectlProvider extends NestedStack { /** * The custom resource provider. @@ -16,7 +27,7 @@ export class KubectlProvider extends NestedStack { */ public readonly role: iam.IRole; - public constructor(scope: Construct, id: string) { + public constructor(scope: Construct, id: string, props: KubectlProviderProps) { super(scope, id); const handler = new lambda.Function(this, 'Handler', { @@ -27,6 +38,9 @@ export class KubectlProvider extends NestedStack { description: 'onEvent handler for EKS kubectl resource provider', layers: [ KubectlLayer.getOrCreate(this, { version: '2.0.0' }) ], memorySize: 256, + vpc: props.vpc, + securityGroups: props.securityGroups, + vpcSubnets: props.vpcSubnets, }); this.provider = new cr.Provider(this, 'Provider', { From 597b6880cb2efeb1f121cdde6359a105d7b19a21 Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 16 Jul 2020 21:50:21 +0300 Subject: [PATCH 02/33] explain a weird patch --- .../@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts index e6e3dbd5d872e..aa021d920688d 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts 
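Review bot: `KubectlProviderProps` and its three fields have no TSDoc, and since every field is optional the constructor in the second hunk should take `props: KubectlProviderProps = {}` rather than a required object. Suggested interface doc: `/** Optional VPC placement for the kubectl handler Lambda; needed when the cluster endpoint is reachable only from inside the VPC. */`. The third hunk passes `securityGroups` and `vpcSubnets` straight through; `lambda.Function` rejects those without `vpc` (verify), so a short note that they are only honoured together with `vpc` would help callers.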
@@ -24,6 +24,9 @@ export class ClusterResourceHandler extends ResourceHandler { function patchEndpointAccess(props: aws.EKS.CreateClusterRequest): aws.EKS.CreateClusterRequest { + // this is weird but these boolean properties are passed here as a string, and need them to be booleanic for the SDK. + // Otherwise it fails with 'Unexpected Parameter: params.resourcesVpcConfig.endpointPrivateAccess is expected to be a boolean' + Object.assign(props.resourcesVpcConfig, { endpointPrivateAccess: (props.resourcesVpcConfig.endpointPrivateAccess as any) === 'true' }); Object.assign(props.resourcesVpcConfig, { endpointPublicAccess: (props.resourcesVpcConfig.endpointPublicAccess as any) === 'true' }); From 6f6725f791c34744715b092104b466d657bbb56f Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 16 Jul 2020 21:51:25 +0300 Subject: [PATCH 03/33] refactor endpoint config --- .../@aws-cdk/aws-eks/lib/cluster-resource.ts | 31 ++++++++++++++++--- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts index a6cd1e72ced79..df7a371f53b4b 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts @@ -1,10 +1,13 @@ import * as iam from '@aws-cdk/aws-iam'; -import { ArnComponents, Construct, CustomResource, Lazy, Stack, Token, IResolvable } from '@aws-cdk/core'; +import { ArnComponents, Construct, CustomResource, Lazy, Stack, Token } from '@aws-cdk/core'; import { CLUSTER_RESOURCE_TYPE } from './cluster-resource-handler/consts'; import { ClusterResourceProvider } from './cluster-resource-provider'; import { CfnClusterProps, CfnCluster } from './eks.generated'; -interface ResourcesVpcConfig extends CfnCluster.ResourcesVpcConfigProperty { +/** + * Cluster Endpoint access configuration. + */ +export interface EndpointAccessConfig { /** * Enable private endpoint access to the cluster. 
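Review bot: The new comment says the values arrive as strings but not why, which is what the next reader needs: CloudFormation serializes custom-resource properties as strings, so a boolean set in the construct arrives as `'true'`/`'false'`. It also omits that the coercion turns an absent value into `false`; if `parseProps` leaves missing keys undefined (it is outside the hunk), old properties from a template that predates this change compare as `false`/`false` in `analyzeUpdate`, which would trigger an endpoint update on the first deploy after upgrading. Suggested wording: `// CloudFormation serializes custom-resource properties as strings, so these booleans arrive as 'true'/'false'; the SDK requires real booleans. A missing value becomes false.`, and "booleanic" → "boolean".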
@@ -22,9 +25,13 @@ interface ResourcesVpcConfig extends CfnCluster.ResourcesVpcConfigProperty { readonly publicAccessCidrs?: string[]; } -interface ClusterResourceProps extends Omit { +export interface ClusterResourceProps extends CfnClusterProps { + + /** + * Endpoint access configuration. + */ + readonly endpointAccessConfig: EndpointAccessConfig - readonly resourcesVpcConfig: ResourcesVpcConfig | IResolvable; } /** @@ -140,7 +147,21 @@ export class ClusterResource extends Construct { resourceType: CLUSTER_RESOURCE_TYPE, serviceToken: provider.serviceToken, properties: { - Config: props, + // the structure of config needs to be that of 'aws.EKS.CreateClusterRequest' since its passed as is + // to the eks.createCluster sdk invocation. + Config: { + name: props.name, + version: props.version, + roleArn: props.roleArn, + encryptionConfig: props.encryptionConfig, + resourcesVpcConfig: { + subnetIds: (props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty).subnetIds, + securityGroupIds: (props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty).securityGroupIds, + endpointPublicAccess: props.endpointAccessConfig.endpointPublicAccess, + endpointPrivateAccess: props.endpointAccessConfig.endpointPrivateAccess, + publicAccessCidrs: props.endpointAccessConfig.publicAccessCidrs, + }, + }, AssumeRoleArn: this.creationRole.roleArn, // IMPORTANT: increment this number when you add new attributes to the From 50409f10a69abb524c7c7cbabc5e70063c4de853 Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 16 Jul 2020 21:52:14 +0300 Subject: [PATCH 04/33] deprecate 'kubectlEnabled' --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 65 ++++++++++++++++-------- 1 file changed, 45 insertions(+), 20 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index ff7da45468e02..a15cd94e8aa3a 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts 
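Review bot: The explicit `Config` object in the last hunk forwards only name/version/roleArn/encryptionConfig/resourcesVpcConfig, so any other `CfnClusterProps` field a caller sets now silently never reaches `createCluster`, whereas `Config: props` forwarded everything; a comment stating that omission, or a destructure that surfaces unexpected keys, would make the contract explicit. The two `props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty` casts should be hoisted into one local, and the cast hides the `IResolvable` half of the generated property type, so a resolvable value would yield `subnetIds: undefined` without a compile or synth error. Minor: `readonly endpointAccessConfig: EndpointAccessConfig` in the `@@ -22,9 +25,13 @@` hunk is missing its semicolon.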
@@ -223,6 +223,7 @@ export interface ClusterOptions { /** * Configure access to the Kubernetes API server endpoint. + * This feature is only available for kubectl enabled clusters, i.e `kubectlEnabled: true`. * * @see https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html * @@ -237,14 +238,6 @@ export interface ClusterOptions { */ export class EndpointAccess { - /** - * The cluster endpoint is only accessible through your VPC. - * Worker node traffic to the endpoint will stay within your VPC. - */ - public static private() { - return new EndpointAccess(true, false, []); - } - /** * The cluster endpoint is accessible from outside of your VPC. * Worker node traffic will leave your VPC to connect to the endpoint. @@ -257,7 +250,15 @@ export class EndpointAccess { * @param cidr The CIDR blocks. */ public static public(...cidr: string[]) { - return new EndpointAccess(false, true, cidr.length > 0 ? cidr : undefined); + return new EndpointAccess(false, true, cidr); + } + + /** + * The cluster endpoint is only accessible through your VPC. + * Worker node traffic to the endpoint will stay within your VPC. + */ + public static private() { + return new EndpointAccess(true, false, undefined); } /** @@ -272,7 +273,7 @@ export class EndpointAccess { * @param cidr The CIDR blocks. */ public static publicAndPrivate(...cidr: string[]) { - return new EndpointAccess(true, true, cidr.length > 0 ? cidr : undefined); + return new EndpointAccess(true, true, cidr); } private constructor( @@ -290,7 +291,13 @@ export class EndpointAccess { /** * Enable public endpoint access to the cluster. */ - public readonly publicAccessCidrs?: string[]) {} + public readonly publicAccessCidrs?: string[]) { + + if (this.publicAccessCidrs && this.publicAccessCidrs.length === 0) { + // an empty array is an illegal value, set to undefined so it won't be specified at all. + this.publicAccessCidrs = undefined; + } + } } 
@@ -308,16 +315,19 @@ export interface ClusterProps extends ClusterOptions { * - `addRoleMapping` * - `addUserMapping` * - `addMastersRole` and `props.mastersRole` + * - `endpointAccess` * * If this is disabled, the cluster can only be managed by issuing `kubectl` * commands from a session that uses the IAM role/user that created the * account. * - * _NOTE_: changing this value will destoy the cluster. This is because a + * _NOTE_: changing this value will destroy the cluster. This is because a * managable cluster must be created using an AWS CloudFormation custom * resource which executes with an IAM role owned by the CDK app. * + * * @default true The cluster can be managed by the AWS CDK application. + * @deprecated Omit this property as it wil be removed in future releases and enabled to all clusters. */ readonly kubectlEnabled?: boolean; @@ -459,6 +469,8 @@ export class Cluster extends Resource implements ICluster { /** * Indicates if `kubectl` related operations can be performed on this cluster. + * + * @deprecated Will always be true in future releases. */ public readonly kubectlEnabled: boolean; @@ -500,7 +512,7 @@ export class Cluster extends Resource implements ICluster { private _neuronDevicePlugin?: KubernetesResource; - private readonly endpointAccess: EndpointAccess; + private readonly endpointAccess?: EndpointAccess; private readonly controlPlaneSecurityGroup: ec2.ISecurityGroup; 
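Review bot: The new `@deprecated` line on `kubectlEnabled` has a typo and unclear phrasing: `wil` → `will`, and "enabled to all clusters" should be "enabled for all clusters"; suggested: `* @deprecated Omit this property; it will be removed in a future release and kubectl support will be enabled for all clusters.`. The adjacent context line still reads "managable" → "manageable", worth fixing while this comment is being edited. The added blank ` *` line before `@default` leaves two empty comment lines in a row.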
@@ -552,14 +564,16 @@ export class Cluster extends Resource implements ICluster { description: 'EKS Control Plane Security Group', }); + const connectionPort = ec2.Port.tcp(443); // Control Plane has an HTTPS API + this.connections = new ec2.Connections({ securityGroups: [this.controlPlaneSecurityGroup], - defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API + defaultPort: connectionPort, }); // allow resources with the same security group to connect to the control plane. // needed for private access from the KubeCtlProvider, and in general doesn't hurt. - this.connections.allowFrom(this.controlPlaneSecurityGroup, ec2.Port.tcp(443)); + this.connections.allowFrom(this.controlPlaneSecurityGroup, connectionPort); // Get subnetIds for all selected subnets const placements = props.vpcSubnets || [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }]; @@ -575,15 +589,15 @@ export class Cluster extends Resource implements ICluster { }, }; - this.endpointAccess = props.endpointAccess ?? EndpointAccess.publicAndPrivate(); - let resource; this.kubectlEnabled = props.kubectlEnabled === undefined ? true : props.kubectlEnabled; if (this.kubectlEnabled) { + + this.endpointAccess = props.endpointAccess ?? EndpointAccess.publicAndPrivate(); + resource = new ClusterResource(this, 'Resource', { ...clusterProps, - resourcesVpcConfig: { - ...clusterProps.resourcesVpcConfig, + endpointAccessConfig: { endpointPrivateAccess: this.endpointAccess.endpointPrivateAccess, endpointPublicAccess: this.endpointAccess.endpointPublicAccess, publicAccessCidrs: this.endpointAccess.publicAccessCidrs, 
@@ -613,9 +627,20 @@ export class Cluster extends Resource implements ICluster { // add the cluster resource itself as a dependency of the barrier this._kubectlReadyBarrier.node.addDependency(this._clusterResource); } else { + + const depractionNotice = 'Basic EKS clusters are depracated. Please consider omiting the property, as it will be removed in future releases.'; + if (props.endpointAccess) { + throw new Error(`'endpointAccess' is not supported for basic clusters. ${depractionNotice}`); + } + resource = new CfnCluster(this, 'Resource', clusterProps); + resource.node.addWarning(depractionNotice); } + // for kubectl enabled clusters, this is required so that manifests can be applied to the cluster. + // for other clusters, it doesnt hurt. + resource.node.addDependency(this.controlPlaneSecurityGroup, this.vpc); + this.clusterName = this.getResourceNameAttribute(resource.ref); this.clusterArn = this.getResourceArnAttribute(resource.attrArn, clusterArnComponents(this.physicalName)); @@ -1001,7 +1026,7 @@ export class Cluster extends Resource implements ICluster { let providerProps: KubectlProviderProps = {}; - if (!this.endpointAccess.endpointPublicAccess) { + if (!this.endpointAccess!.endpointPublicAccess) { // endpoint access is private only, we need to attach the // provider to the VPC so that it can access the cluster. providerProps = { From ceeb35c371a18f8c88a93127ba057747fd77006c Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 16 Jul 2020 21:52:30 +0300 Subject: [PATCH 05/33] some unit tests --- .../@aws-cdk/aws-eks/test/test.cluster.ts | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 1b87a8d94a152..d228a1a94981e 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts 
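Review bot: The deprecation warning string held in `depractionNotice` is user-facing and misspelt ("depracated", "omiting", and the identifier itself), and it says "the property" without naming it, so a user reading the synth warning cannot tell which property to drop. Suggested: `const deprecationNotice = 'Basic EKS clusters (kubectlEnabled: false) are deprecated. Please consider omitting the kubectlEnabled property, as it will be removed in future releases.';`. Throwing for `props.endpointAccess` on a basic cluster is the right call, since the endpoint configuration is only forwarded through the custom resource and would otherwise be silently ignored.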
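Review bot: `this.endpointAccess!.endpointPublicAccess` trades a type error for a non-null assertion; `endpointAccess` is assigned only on the kubectl-enabled path (earlier hunk), so this is presumably safe because the provider is created only for such clusters, but that invariant is not visible here. A guard documents it and fails loudly if it ever breaks: `if (!this.endpointAccess) { throw new Error('endpoint access is only configured for kubectl-enabled clusters'); }` before the `if`. The enclosing method starts above the hunk.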
@@ -895,6 +895,8 @@ export = { { Ref: 'MyClusterDefaultVpcPrivateSubnet1SubnetE1D0DCDB' }, { Ref: 'MyClusterDefaultVpcPrivateSubnet2Subnet11FEA8D0' }, ], + endpointPrivateAccess: true, + endpointPublicAccess: true, }, }, })); 
@@ -1378,5 +1380,59 @@ export = { } test.done(); }, + + 'can configure private endpoint access'(test: Test) { + // GIVEN + const { stack } = testFixture(); + new eks.Cluster(stack, 'Cluster1', { version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private() }); + + expect(stack).to(haveResource('Custom::AWSCDK-EKS-Cluster', { + Config: { + roleArn: { 'Fn::GetAtt': ['Cluster1RoleE88C32AD', 'Arn'] }, + version: '1.16', + resourcesVpcConfig: { + securityGroupIds: [{ 'Fn::GetAtt': ['Cluster1ControlPlaneSecurityGroupF9C67C32', 'GroupId'] }], + subnetIds: [ + { Ref: 'Cluster1DefaultVpcPublicSubnet1SubnetBEABA6ED' }, + { Ref: 'Cluster1DefaultVpcPublicSubnet2Subnet947A5158' }, + { Ref: 'Cluster1DefaultVpcPrivateSubnet1Subnet4E30ECA1' }, + { Ref: 'Cluster1DefaultVpcPrivateSubnet2Subnet707FCD37' }, + ], + endpointPrivateAccess: true, + endpointPublicAccess: false, + }, + }, + })); + + test.done(); + }, + + 'can configure cidr blocks in public endpoint access'(test: Test) { + // GIVEN + const { stack } = testFixture(); + new eks.Cluster(stack, 'Cluster1', { version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.public('1.2.3.4/5') }); + + expect(stack).to(haveResource('Custom::AWSCDK-EKS-Cluster', { + Config: { + roleArn: { 'Fn::GetAtt': ['Cluster1RoleE88C32AD', 'Arn'] }, + version: '1.16', + resourcesVpcConfig: { + securityGroupIds: [{ 'Fn::GetAtt': ['Cluster1ControlPlaneSecurityGroupF9C67C32', 'GroupId'] }], + subnetIds: [ + { Ref: 'Cluster1DefaultVpcPublicSubnet1SubnetBEABA6ED' }, + { Ref: 'Cluster1DefaultVpcPublicSubnet2Subnet947A5158' }, + { Ref: 'Cluster1DefaultVpcPrivateSubnet1Subnet4E30ECA1' }, + { Ref: 'Cluster1DefaultVpcPrivateSubnet2Subnet707FCD37' }, + ], + endpointPrivateAccess: false, + endpointPublicAccess: true, + publicAccessCidrs: ['1.2.3.4/5'], + }, + }, + })); + + test.done(); + }, + }, }; From 23fdfa04f6dafe8d3ea138cae2029ad8931eb5c0 Mon Sep 17 00:00:00 2001 
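Review bot: Both new tests assert only the custom resource `Config`; nothing checks the behaviour that private access is meant to change, namely that the kubectl provider Lambda is placed in the VPC with the control-plane security group (the `@@ -904` hunk of patch 01), nor the new error path for `endpointAccess` on a basic cluster. A one-line test for the latter: `test.throws(() => new eks.Cluster(stack, 'Cluster2', { version: CLUSTER_VERSION, kubectlEnabled: false, endpointAccess: eks.EndpointAccess.private() }), /not supported for basic clusters/);`. Since the `EndpointAccess` constructor in patch 04 special-cases an empty CIDR list, a test that `eks.EndpointAccess.public()` yields no `publicAccessCidrs` key in `Config` would pin that normalisation too.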
From: epolon Date: Thu, 16 Jul 2020 21:53:47 +0300 Subject: [PATCH 06/33] fail if max retries is exceeded in kubectl handlers --- .../aws-eks/lib/kubectl-handler/apply/__init__.py | 9 ++++++--- .../aws-eks/lib/kubectl-handler/helm/__init__.py | 8 +++++--- .../aws-eks/lib/kubectl-handler/patch/__init__.py | 10 ++++++---- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py index c892d9bc4e7ff..e5c9d712758fd 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py +++ b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py @@ -49,18 +49,21 @@ def apply_handler(event, context): def kubectl(verb, file): - retry = 3 + maxAttempts = 3 + retry = maxAttempts while retry > 0: try: cmd = ['kubectl', verb, '--kubeconfig', kubeconfig, '-f', file] + logger.info(f'Running command: {cmd}') output = subprocess.check_output(cmd, stderr=subprocess.STDOUT) except subprocess.CalledProcessError as exc: output = exc.output if b'i/o timeout' in output and retry > 0: - logger.info("kubectl timed out, retries left: %s" % retry) - retry = retry - 1 + retry = retry - 1 + logger.info("kubectl timed out, retries left: %s" % retry) else: raise Exception(output) else: logger.info(output) return + raise Exception(f'Operation failed after {maxAttempts} attempts: {output}') diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py index 6e740b1cdaca8..67171b11aeede 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py +++ b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py 
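Review bot: The new `raise Exception(f'Operation failed after {maxAttempts} attempts: {output}')` interpolates `output`, which is `bytes` from `check_output`/`exc.output`, so the message renders as `b'...'`; `{output.decode(errors="replace")}` gives a readable message, and the same applies to the two other new `raise` lines in the helm `@@ -87` and patch `@@ -55` hunks. `maxAttempts` is camelCase in modules whose other names (`apply_handler`, `kubeconfig`) follow PEP 8; `max_attempts` would match, again in all three hunks. The pre-existing `and retry > 0` in the `if` is always true inside the `while retry > 0` loop and can be dropped while these lines are being touched.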
@@ -75,10 +75,11 @@ def helm(verb, release, chart = None, repo = None, file = None, namespace = None if wait: cmnd.append('--wait') if not timeout is None: - cmnd.extend(['--timeout', timeout]) + cmnd.extend(['--timeout', timeout]) cmnd.extend(['--kubeconfig', kubeconfig]) - retry = 3 + maxAttempts = 3 + retry = maxAttempts while retry > 0: try: output = subprocess.check_output(cmnd, stderr=subprocess.STDOUT, cwd=outdir) @@ -87,7 +88,8 @@ def helm(verb, release, chart = None, repo = None, file = None, namespace = None except subprocess.CalledProcessError as exc: output = exc.output if b'Broken pipe' in output: - logger.info("Broken pipe, retries left: %s" % retry) retry = retry - 1 + logger.info("Broken pipe, retries left: %s" % retry) else: raise Exception(output) + raise Exception(f'Operation failed after {maxAttempts} attempts: {output}') diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py index d6211b9348e1e..6597341a4806d 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py +++ b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py @@ -36,9 +36,9 @@ def patch_handler(event, context): patch_type = props['PatchType'] patch_json = None - if request_type == 'Create' or request_type == 'Update': + if request_type == 'Create' or request_type == 'Update': patch_json = apply_patch_json - elif request_type == 'Delete': + elif request_type == 'Delete': patch_json = restore_patch_json else: raise Exception("invalid request type %s" % request_type) @@ -47,7 +47,8 @@ def patch_handler(event, context): def kubectl(args): - retry = 3 + maxAttempts = 3 + retry = maxAttempts while retry > 0: try: cmd = [ 'kubectl', '--kubeconfig', kubeconfig ] + args 
@@ -55,10 +56,11 @@ def kubectl(args): except subprocess.CalledProcessError as exc: output = exc.output if b'i/o timeout' in output and retry > 0: - logger.info("kubectl timed out, retries left: %s" % retry) retry = retry - 1 + logger.info("kubectl timed out, retries left: %s" % retry) else: raise Exception(output) else: logger.info(output) return + raise Exception(f'Operation failed after {maxAttempts} attempts: {output}') \ No newline at end of file From 6b2cba2b8ce615684211796b60aabd0c95eea7fe Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 16 Jul 2020 21:54:05 +0300 Subject: [PATCH 07/33] private endpoint integ test --- ...eks-cluster-private-endpoint.expected.json | 1333 +++++++++++++++++ .../integ.eks-cluster-private-endpoint.ts | 49 + 2 files changed, 1382 insertions(+) create mode 100644 packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json create mode 100644 packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json new file mode 100644 index 0000000000000..838969371996a --- /dev/null +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json 
@@ -0,0 +1,1333 @@ +{ + "Resources": { + "AdminRole38563C57": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "Vpc8378EB38": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc" + } + ] + } + }, + "VpcPublicSubnet1Subnet5C2D37C4": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.0.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1RouteTable6C95E38E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1RouteTableAssociation97140677": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + } + } + }, + "VpcPublicSubnet1DefaultRoute3DA9E72A": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "DestinationCidrBlock": 
"0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet1EIPD7E02669": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1NATGateway4D7517AA": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet1EIPD7E02669", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet2Subnet691E08A3": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.32.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2RouteTable94F7E489": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2RouteTableAssociationDD5762D8": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + } + } + }, + "VpcPublicSubnet2DefaultRoute97F91067": { + "Type": 
"AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet3SubnetBE12F0B6": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.64.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3RouteTable93458DBB": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet3" + } + ] + } + }, + "VpcPublicSubnet3RouteTableAssociation1F1EDF02": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + } + } + }, + "VpcPublicSubnet3DefaultRoute4697774F": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet3RouteTable93458DBB" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPrivateSubnet1Subnet536B997A": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.96.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": 
"aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableB2C5B500": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet1" + } + ] + } + }, + "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + } + } + }, + "VpcPrivateSubnet1DefaultRouteBE02A9ED": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + } + } + }, + "VpcPrivateSubnet2Subnet3788AAA1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.128.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet2" + } + ] + } + }, + "VpcPrivateSubnet2RouteTableA678073B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet2" + } + ] + } + }, + 
"VpcPrivateSubnet2RouteTableAssociationA89CAD56": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + } + } + }, + "VpcPrivateSubnet2DefaultRoute060D2087": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + } + } + }, + "VpcPrivateSubnet3SubnetF258B56E": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.160.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableD98824C7": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/internal-elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet3" + } + ] + } + }, + "VpcPrivateSubnet3RouteTableAssociation16BDDC43": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + } + }, + "VpcPrivateSubnet3DefaultRoute94B74F0D": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + } + } + }, + "VpcIGWD7BA715C": { + 
"Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc" + } + ] + } + }, + "VpcVPCGWBF912B6E": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "InternetGatewayId": { + "Ref": "VpcIGWD7BA715C" + } + } + }, + "ClusterRoleFA261979": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSClusterPolicy" + ] + ] + } + ] + } + }, + "ClusterControlPlaneSecurityGroupD274242C": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "EKS Control Plane Security Group", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82443389925FD": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterCreationRole360249B6": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": [ + { + "Fn::GetAtt": [ + 
"awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454", + "Outputs.awscdkeksclusterprivateendpointtestawscdkawseksClusterResourceProviderOnEventHandlerServiceRole4392FD6EArn" + ] + }, + { + "Fn::GetAtt": [ + "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454", + "Outputs.awscdkeksclusterprivateendpointtestawscdkawseksClusterResourceProviderIsCompleteHandlerServiceRole956A78E2Arn" + ] + } + ] + } + }, + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B", + "Outputs.awscdkeksclusterprivateendpointtestawscdkawseksKubectlProviderHandlerServiceRole5505C312Arn" + ] + } + } + } + ], + "Version": "2012-10-17" + } + }, + "DependsOn": [ + "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82443389925FD", + "ClusterControlPlaneSecurityGroupD274242C", + "VpcIGWD7BA715C", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + "VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + "VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + 
"VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", + "Vpc8378EB38", + "VpcVPCGWBF912B6E" + ] + }, + "ClusterCreationRoleDefaultPolicyE8BDFC7B": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "ClusterRoleFA261979", + "Arn" + ] + } + }, + { + "Action": [ + "ec2:DescribeSubnets", + "ec2:DescribeRouteTables" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "eks:CreateCluster", + "eks:DescribeCluster", + "eks:DescribeUpdate", + "eks:DeleteCluster", + "eks:UpdateClusterVersion", + "eks:UpdateClusterConfig", + "eks:CreateFargateProfile", + "eks:TagResource", + "eks:UntagResource" + ], + "Effect": "Allow", + "Resource": [ + "*" + ] + }, + { + "Action": [ + "eks:DescribeFargateProfile", + "eks:DeleteFargateProfile" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": [ + "iam:GetRole", + "iam:listAttachedRolePolicies" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "iam:CreateServiceLinkedRole", + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "ec2:DescribeVpcs", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":ec2:test-region:12345678:vpc/", + { + "Ref": "Vpc8378EB38" + } + ] + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "ClusterCreationRoleDefaultPolicyE8BDFC7B", + "Roles": [ + { + "Ref": "ClusterCreationRole360249B6" + } + ] + }, + "DependsOn": [ + "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82443389925FD", + "ClusterControlPlaneSecurityGroupD274242C", + "VpcIGWD7BA715C", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + 
"VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + "VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + "VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", + "Vpc8378EB38", + "VpcVPCGWBF912B6E" + ] + }, + "Cluster9EE0221C": { + "Type": "Custom::AWSCDK-EKS-Cluster", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454", + "Outputs.awscdkeksclusterprivateendpointtestawscdkawseksClusterResourceProviderframeworkonEvent080B290CArn" + ] + }, + "Config": { + "version": "1.16", + "roleArn": { + "Fn::GetAtt": [ + "ClusterRoleFA261979", + "Arn" + ] + }, + "resourcesVpcConfig": { + "subnetIds": [ + { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, + { + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + }, + { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + }, + { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + }, + { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + ], + "securityGroupIds": [ + { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + } + ], + 
"endpointPublicAccess": false, + "endpointPrivateAccess": true + } + }, + "AssumeRoleArn": { + "Fn::GetAtt": [ + "ClusterCreationRole360249B6", + "Arn" + ] + }, + "AttributesRevision": 2 + }, + "DependsOn": [ + "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82443389925FD", + "ClusterControlPlaneSecurityGroupD274242C", + "ClusterCreationRoleDefaultPolicyE8BDFC7B", + "ClusterCreationRole360249B6", + "VpcIGWD7BA715C", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + "VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + "VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + "VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", + "Vpc8378EB38", + "VpcVPCGWBF912B6E" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ClusterKubectlReadyBarrier200052AF": { + "Type": "AWS::SSM::Parameter", + "Properties": { + "Type": "String", + "Value": "aws:cdk:eks:kubectl-ready" + }, + "DependsOn": [ + "ClusterCreationRoleDefaultPolicyE8BDFC7B", + "ClusterCreationRole360249B6", + "Cluster9EE0221C" + ] + }, + 
"ClusterAwsAuthmanifestFE51F8AE": { + "Type": "Custom::AWSCDK-EKS-KubernetesResource", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B", + "Outputs.awscdkeksclusterprivateendpointtestawscdkawseksKubectlProviderframeworkonEventC2C76E2FArn" + ] + }, + "Manifest": { + "Fn::Join": [ + "", + [ + "[{\"apiVersion\":\"v1\",\"kind\":\"ConfigMap\",\"metadata\":{\"name\":\"aws-auth\",\"namespace\":\"kube-system\"},\"data\":{\"mapRoles\":\"[{\\\"rolearn\\\":\\\"", + { + "Fn::GetAtt": [ + "AdminRole38563C57", + "Arn" + ] + }, + "\\\",\\\"username\\\":\\\"", + { + "Fn::GetAtt": [ + "AdminRole38563C57", + "Arn" + ] + }, + "\\\",\\\"groups\\\":[\\\"system:masters\\\"]},{\\\"rolearn\\\":\\\"", + { + "Fn::GetAtt": [ + "ClusterNodegroupDefaultCapacityNodeGroupRole55953B04", + "Arn" + ] + }, + "\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]}]\",\"mapUsers\":\"[]\",\"mapAccounts\":\"[]\"}}]" + ] + ] + }, + "ClusterName": { + "Ref": "Cluster9EE0221C" + }, + "RoleArn": { + "Fn::GetAtt": [ + "ClusterCreationRole360249B6", + "Arn" + ] + } + }, + "DependsOn": [ + "ClusterKubectlReadyBarrier200052AF" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ClusterNodegroupDefaultCapacityNodeGroupRole55953B04": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSWorkerNodePolicy" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKS_CNI_Policy" + 
] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + ] + ] + } + ] + } + }, + "ClusterNodegroupDefaultCapacityDA0920A3": { + "Type": "AWS::EKS::Nodegroup", + "Properties": { + "ClusterName": { + "Ref": "Cluster9EE0221C" + }, + "NodeRole": { + "Fn::GetAtt": [ + "ClusterNodegroupDefaultCapacityNodeGroupRole55953B04", + "Arn" + ] + }, + "Subnets": [ + { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + }, + { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + }, + { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + ], + "ForceUpdateEnabled": true, + "InstanceTypes": [ + "m5.large" + ], + "ScalingConfig": { + "DesiredSize": 2, + "MaxSize": 2, + "MinSize": 2 + } + } + }, + "Clustermanifestconfigmap3F180550": { + "Type": "Custom::AWSCDK-EKS-KubernetesResource", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B", + "Outputs.awscdkeksclusterprivateendpointtestawscdkawseksKubectlProviderframeworkonEventC2C76E2FArn" + ] + }, + "Manifest": "[{\"kind\":\"ConfigMap\",\"apiVersion\":\"v1\",\"data\":{\"hello\":\"world\"},\"metadata\":{\"name\":\"config-map\"}}]", + "ClusterName": { + "Ref": "Cluster9EE0221C" + }, + "RoleArn": { + "Fn::GetAtt": [ + "ClusterCreationRole360249B6", + "Arn" + ] + } + }, + "DependsOn": [ + "ClusterKubectlReadyBarrier200052AF" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": { + "Fn::Join": [ + "", + [ + "https://s3.test-region.", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3Bucket8DAC1637" + }, + "/", + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "||", + { + "Ref": 
"AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3VersionKey0F7AEF85" + } + ] + } + ] + }, + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3VersionKey0F7AEF85" + } + ] + } + ] + } + ] + ] + }, + "Parameters": { + "referencetoawscdkeksclusterprivateendpointtestAssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3Bucket1D2F354ERef": { + "Ref": "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3BucketF5EB4657" + }, + "referencetoawscdkeksclusterprivateendpointtestAssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3VersionKey53B61BAFRef": { + "Ref": "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3VersionKey1BD28F17" + }, + "referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3Bucket7CB66361Ref": { + "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256" + }, + "referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF78CAD23Ref": { + "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401" + } + } + } + }, + "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": { + "Fn::Join": [ + "", + [ + "https://s3.test-region.", + { + "Ref": "AWS::URLSuffix" + }, + "/", + { + "Ref": "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3Bucket1E1DCF01" + }, + "/", + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3VersionKey6986DC2D" + 
} + ] + } + ] + }, + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3VersionKey6986DC2D" + } + ] + } + ] + } + ] + ] + }, + "Parameters": { + "referencetoawscdkeksclusterprivateendpointtestAssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3BucketF99DEE1FRef": { + "Ref": "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3BucketE15DE473" + }, + "referencetoawscdkeksclusterprivateendpointtestAssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3VersionKeyF0B03FC6Ref": { + "Ref": "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3VersionKeyDCCDCE64" + }, + "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet1Subnet94DAD769Ref": { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + }, + "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet2Subnet04963C08Ref": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + }, + "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet3SubnetC47FD39ARef": { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + }, + "referencetoawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroup197B1436GroupId": { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + }, + "referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3Bucket7CB66361Ref": { + "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256" + }, + "referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF78CAD23Ref": { + "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401" + } + } + } + } + }, + "Outputs": { + "ClusterConfigCommand43AAE40F": { + "Value": { + 
"Fn::Join": [ + "", + [ + "aws eks update-kubeconfig --name ", + { + "Ref": "Cluster9EE0221C" + }, + " --region test-region --role-arn ", + { + "Fn::GetAtt": [ + "AdminRole38563C57", + "Arn" + ] + } + ] + ] + } + }, + "ClusterGetTokenCommand06AE992E": { + "Value": { + "Fn::Join": [ + "", + [ + "aws eks get-token --cluster-name ", + { + "Ref": "Cluster9EE0221C" + }, + " --region test-region --role-arn ", + { + "Fn::GetAtt": [ + "AdminRole38563C57", + "Arn" + ] + } + ] + ] + } + } + }, + "Parameters": { + "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3BucketF5EB4657": { + "Type": "String", + "Description": "S3 bucket for asset \"ce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1b\"" + }, + "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3VersionKey1BD28F17": { + "Type": "String", + "Description": "S3 key for asset version \"ce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1b\"" + }, + "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bArtifactHashBF71476C": { + "Type": "String", + "Description": "Artifact hash for asset \"ce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1b\"" + }, + "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256": { + "Type": "String", + "Description": "S3 bucket for asset \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\"" + }, + "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401": { + "Type": "String", + "Description": "S3 key for asset version \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\"" + }, + "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cArtifactHash5C0B1EA0": { + "Type": "String", + "Description": "Artifact hash for asset \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\"" + }, + 
"AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3BucketE15DE473": { + "Type": "String", + "Description": "S3 bucket for asset \"002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31f\"" + }, + "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3VersionKeyDCCDCE64": { + "Type": "String", + "Description": "S3 key for asset version \"002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31f\"" + }, + "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fArtifactHash48F9DCF6": { + "Type": "String", + "Description": "Artifact hash for asset \"002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31f\"" + }, + "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3Bucket8DAC1637": { + "Type": "String", + "Description": "S3 bucket for asset \"1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443\"" + }, + "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3VersionKey0F7AEF85": { + "Type": "String", + "Description": "S3 key for asset version \"1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443\"" + }, + "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443ArtifactHash8D22ACCD": { + "Type": "String", + "Description": "Artifact hash for asset \"1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443\"" + }, + "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3Bucket1E1DCF01": { + "Type": "String", + "Description": "S3 bucket for asset \"072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314\"" + }, + "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3VersionKey6986DC2D": { + "Type": "String", + "Description": "S3 key for asset version \"072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314\"" + }, + 
"AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314ArtifactHashFB37F1C4": { + "Type": "String", + "Description": "Artifact hash for asset \"072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314\"" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts new file mode 100644 index 0000000000000..c7e3df24cc070 --- /dev/null +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts @@ -0,0 +1,49 @@ +/// !cdk-integ pragma:ignore-assets +import * as ec2 from '@aws-cdk/aws-ec2'; +import * as iam from '@aws-cdk/aws-iam'; +import { App } from '@aws-cdk/core'; +import * as eks from '../lib'; +import { TestStack } from './util'; + +class EksClusterStack extends TestStack { + constructor(scope: App, id: string) { + super(scope, id); + + // allow all account users to assume this role in order to admin the cluster + const mastersRole = new iam.Role(this, 'AdminRole', { + assumedBy: new iam.AccountRootPrincipal(), + }); + + // just need one nat gateway to simplify the test + const vpc = new ec2.Vpc(this, 'Vpc', { maxAzs: 3, natGateways: 1 }); + + // create the cluster with a default nodegroup capacity + const cluster = new eks.Cluster(this, 'Cluster', { + vpc, + mastersRole, + defaultCapacity: 2, + version: eks.KubernetesVersion.V1_16, + endpointAccess: eks.EndpointAccess.private(), + }); + + // this is the valdiation. it won't work if the private access is setup properly. + cluster.addResource('config-map', { + kind: 'ConfigMap', + apiVersion: 'v1', + data: { + hello: 'world', + }, + metadata: { + name: 'config-map', + }, + }); + + } +} + + +const app = new App(); + +new EksClusterStack(app, 'aws-cdk-eks-cluster-private-endpoint-test'); + +app.synth(); From c84686317b5d5cbeb50bf2b518171516e4241a41 Mon Sep 17 00:00:00 2001 
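Review bot: The comment `// this is the valdiation. it won't work if the private access is setup properly.` has a typo and says the opposite of what the test checks: with `endpointAccess: eks.EndpointAccess.private()` the `addResource('config-map', ...)` call is expected to succeed, and it only can if private access is wired up correctly. Suggested wording: `// this is the validation: applying a manifest only succeeds if private endpoint access is set up properly, since the kubectl handler has to reach the API server from inside the VPC` — the last clause is my reading of the generated template (the kubectl provider stack receives the private subnets and the control-plane security group), so confirm it. It is also worth stating in the `AdminRole` comment that the role is assumable by every principal in the account and is mapped to `system:masters` in the generated aws-auth ConfigMap, so the breadth of that grant is visible as a test-only choice.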
From: epolon Date: Thu, 16 Jul 2020 23:19:37 +0300 Subject: [PATCH 08/33] fix unit tests --- .../aws-eks/lib/cluster-resource-handler/cluster.ts | 13 +++++++++---- packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts | 10 +++++----- .../aws-eks/test/test.cluster-resource-provider.ts | 3 +-- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts index aa021d920688d..bc5c0ee09fbb6 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts 
@@ -22,13 +22,18 @@ export class ClusterResourceHandler extends ResourceHandler { constructor(eks: EksClient, event: ResourceEvent) { super(eks, event); - function patchEndpointAccess(props: aws.EKS.CreateClusterRequest): aws.EKS.CreateClusterRequest { + function patchEndpointAccess(props: any) { - // this is weird but these boolean properties are passed here as a string, and need them to be booleanic for the SDK. + // this is weird but these boolean properties are passed by CFN as a string, and we need them to be booleanic for the SDK. // Otherwise it fails with 'Unexpected Parameter: params.resourcesVpcConfig.endpointPrivateAccess is expected to be a boolean' - Object.assign(props.resourcesVpcConfig, { endpointPrivateAccess: (props.resourcesVpcConfig.endpointPrivateAccess as any) === 'true' }); - Object.assign(props.resourcesVpcConfig, { endpointPublicAccess: (props.resourcesVpcConfig.endpointPublicAccess as any) === 'true' }); + if (typeof(props.resourcesVpcConfig?.endpointPrivateAccess) === 'string') { + Object.assign(props.resourcesVpcConfig, { endpointPrivateAccess: props.resourcesVpcConfig.endpointPrivateAccess === 'true' }); + } + + if (typeof(props.resourcesVpcConfig?.endpointPublicAccess) === 'string') { + Object.assign(props.resourcesVpcConfig, { endpointPublicAccess: props.resourcesVpcConfig.endpointPublicAccess === 'true' }); + } return props; } diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts index 6340be221a298..fae1879e2b929 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts 
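Review bot: Widening `patchEndpointAccess` to `props: any` throws away the `aws.EKS.CreateClusterRequest` typing the previous revision had; `props: Partial<aws.EKS.CreateClusterRequest>` keeps the `resourcesVpcConfig` shape checked, still permits the `?.` access, and confines the cast to the two comparisons that genuinely compare a boolean field to a string. The `=== 'true'` coercion also turns any unexpected string (`'True'`, `'1'`, `''`) into `false`, which silently rewrites the endpoint exposure handed to the SDK instead of surfacing a bad input; reject anything other than the two expected spellings first, e.g. `if (value !== 'true' && value !== 'false') { throw new Error(`unexpected endpoint access value: ${value}`); }`. The constructor this helper is nested in continues past the end of the hunk.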
@@ -56,11 +56,11 @@ class EksClusterStack extends TestStack { }, }); - // inference instances - cluster.addCapacity('InferenceInstances', { - instanceType: new ec2.InstanceType('inf1.2xlarge'), - minCapacity: 1, - }); + // // inference instances + // cluster.addCapacity('InferenceInstances', { + // instanceType: new ec2.InstanceType('inf1.2xlarge'), + // minCapacity: 1, + // }); // add a extra nodegroup cluster.addNodegroup('extra-ng', { diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts index e762d6c7abbd3..0a7690d7f0702 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts @@ -571,7 +571,6 @@ export = { resourcesVpcConfig: { endpointPrivateAccess: true, endpointPublicAccess: true, - publicAccessCidrs: [ '0.0.0.0/0' ], }, }, { logging: undefined, @@ -593,7 +592,7 @@ export = { resourcesVpcConfig: { endpointPrivateAccess: true, endpointPublicAccess: true, - publicAccessCidrs: [ '0.0.0.0/0' ], + publicAccessCidrs: undefined, }, }); test.equal(mocks.actualRequest.createClusterRequest, undefined); From 4d66582f1bd97a779ea32843c8d9f13ea9aab8d6 Mon Sep 17 00:00:00 2001 From: epolon Date: Fri, 17 Jul 2020 20:40:02 +0300 Subject: [PATCH 09/33] revert change test --- .../@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts index 0a7690d7f0702..e762d6c7abbd3 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster-resource-provider.ts @@ -571,6 +571,7 @@ export = { resourcesVpcConfig: { endpointPrivateAccess: true, endpointPublicAccess: true, + publicAccessCidrs: [ '0.0.0.0/0' ], }, }, { logging: undefined, 
@@ -592,7 +593,7 @@ export = { resourcesVpcConfig: { endpointPrivateAccess: true, endpointPublicAccess: true, - publicAccessCidrs: undefined, + publicAccessCidrs: [ '0.0.0.0/0' ], }, }); test.equal(mocks.actualRequest.createClusterRequest, undefined); From e7b009ca079f6918bcf7536369da68f6e4442fad Mon Sep 17 00:00:00 2001 From: epolon Date: Sat, 18 Jul 2020 00:52:17 +0300 Subject: [PATCH 10/33] added docstrings --- .../@aws-cdk/aws-eks/lib/kubectl-provider.ts | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts index 782af55d7f20b..aa406d560ef36 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts +++ b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts @@ -8,12 +8,27 @@ import { KubectlLayer } from './kubectl-layer'; export interface KubectlProviderProps { + /** + * Connect the provider to a VPC. + * + * @default - no vpc attachement. + */ readonly vpc?: IVpc; - readonly securityGroups?: ISecurityGroup[]; - + /** + * Select the Vpc subnets to attach to the provider. + * + * @default - no subnets. + */ readonly vpcSubnets?: SubnetSelection; + /** + * Attach security groups to the provider. + * + * @default - no security groups. + */ + readonly securityGroups?: ISecurityGroup[]; + } export class KubectlProvider extends NestedStack { From 11912f93d5d2d1855a11ed0ba78362e43be6a44b Mon Sep 17 00:00:00 2001 From: epolon Date: Sat, 18 Jul 2020 00:54:32 +0300 Subject: [PATCH 11/33] fix circular dep issue by creating a dedicated kubectl provider sg --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 29 +++++++++++++++--------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index a15cd94e8aa3a..208e145a93275 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts 
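Review bot: Typo in the new `vpc` docstring of `KubectlProviderProps`: `@default - no vpc attachement.` should read `@default - no VPC attachment.`. The `vpcSubnets` and `securityGroups` docs would also benefit from stating how they relate to `vpc` — presumably they only take effect when `vpc` is set, but the constructor is outside this hunk, so confirm before adding `Only used when \`vpc\` is provided.` to both.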
@@ -514,6 +514,8 @@ export class Cluster extends Resource implements ICluster { private readonly endpointAccess?: EndpointAccess; + private readonly kubctlProviderSecurityGroup?: ec2.ISecurityGroup; + private readonly controlPlaneSecurityGroup: ec2.ISecurityGroup; private readonly version: KubernetesVersion; @@ -561,7 +563,7 @@ export class Cluster extends Resource implements ICluster { this.controlPlaneSecurityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', { vpc: this.vpc, - description: 'EKS Control Plane Security Group', + description: 'Communication between EKS nodes and EKS Control Plane', }); const connectionPort = ec2.Port.tcp(443); // Control Plane has an HTTPS API @@ -571,10 +573,6 @@ export class Cluster extends Resource implements ICluster { defaultPort: connectionPort, }); - // allow resources with the same security group to connect to the control plane. - // needed for private access from the KubeCtlProvider, and in general doesn't hurt. - this.connections.allowFrom(this.controlPlaneSecurityGroup, connectionPort); - // Get subnetIds for all selected subnets const placements = props.vpcSubnets || [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }]; const subnetIds = [...new Set(Array().concat(...placements.map(s => this.vpc.selectSubnets(s).subnetIds)))]; @@ -584,7 +582,9 @@ export class Cluster extends Resource implements ICluster { roleArn: this.role.roleArn, version: props.version.version, resourcesVpcConfig: { - securityGroupIds: [this.controlPlaneSecurityGroup.securityGroupId], + securityGroupIds: [ + this.controlPlaneSecurityGroup.securityGroupId, + ], subnetIds, }, }; 
@@ -594,6 +594,13 @@ export class Cluster extends Resource implements ICluster { if (this.kubectlEnabled) { this.endpointAccess = props.endpointAccess ?? EndpointAccess.publicAndPrivate(); + this.kubctlProviderSecurityGroup = new ec2.SecurityGroup(this, 'KubectlProviderSecurityGroup', { + vpc: this.vpc, + description: 'Comminication between KubectlProvider and EKS Control Plane', + }); + + // grant the kubectl provider access to the cluster control plane. + this.connections.allowFrom(this.kubctlProviderSecurityGroup, connectionPort); resource = new ClusterResource(this, 'Resource', { ...clusterProps, @@ -605,6 +612,10 @@ export class Cluster extends Resource implements ICluster { }); this._clusterResource = resource; + // the security group and vpc must exist in order to properly delete the cluster (since we run `kubectl delete`). + // this ensures that. + this._clusterResource.node.addDependency(this.kubctlProviderSecurityGroup, this.vpc); + // see https://github.com/aws/aws-cdk/issues/9027 this._clusterResource.creationRole.addToPolicy(new iam.PolicyStatement({ actions: ['ec2:DescribeVpcs'], @@ -637,10 +648,6 @@ export class Cluster extends Resource implements ICluster { resource.node.addWarning(depractionNotice); } - // for kubectl enabled clusters, this is required so that manifests can be applied to the cluster. - // for other clusters, it doesnt hurt. - resource.node.addDependency(this.controlPlaneSecurityGroup, this.vpc); - this.clusterName = this.getResourceNameAttribute(resource.ref); this.clusterArn = this.getResourceArnAttribute(resource.attrArn, clusterArnComponents(this.physicalName)); @@ -1033,7 +1040,7 @@ export class Cluster extends Resource implements ICluster { ...providerProps, vpc: this.vpc, vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }, - securityGroups: [this.controlPlaneSecurityGroup], + securityGroups: [this.kubctlProviderSecurityGroup!], }; } From b91ea54464c5d3851b62fd5e7ea4bfbb8f139a84 Mon Sep 17 00:00:00 2001 
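Review bot: `securityGroups: [this.kubctlProviderSecurityGroup!]` in the `@@ -1033` hunk uses a non-null assertion on a field that is only assigned inside the `if (this.kubectlEnabled)` branch shown in the first hunk; if this path is ever reached with kubectl disabled the provider would be created with `[undefined]`, so guard it explicitly: `if (!this.kubctlProviderSecurityGroup) { throw new Error('kubectl provider security group is only created when kubectl is enabled'); }` and pass the narrowed field. The identifier is also misspelled everywhere it appears, starting with the declaration in the `@@ -514` hunk (`kubctlProviderSecurityGroup` → `kubectlProviderSecurityGroup`), and the user-visible security group description `'Comminication between KubectlProvider and EKS Control Plane'` should read `'Communication …'`. Giving the kubectl provider its own security group with a single 443 ingress to the control plane is the right least-privilege shape; a comment on the `allowFrom` line such as `// the only rule this group needs: HTTPS to the control plane` would discourage widening it later. The enclosing constructor starts and ends outside these hunks.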
From: epolon Date: Sat, 18 Jul 2020 01:16:32 +0300 Subject: [PATCH 12/33] refactor --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 12 ++++-------- packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts | 10 +++++----- 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 208e145a93275..e7d472193e76d 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -516,8 +516,6 @@ export class Cluster extends Resource implements ICluster { private readonly kubctlProviderSecurityGroup?: ec2.ISecurityGroup; - private readonly controlPlaneSecurityGroup: ec2.ISecurityGroup; - private readonly version: KubernetesVersion; /** @@ -561,15 +559,15 @@ export class Cluster extends Resource implements ICluster { ], }); - this.controlPlaneSecurityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', { + const securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'ControlPlaneSecurityGroup', { vpc: this.vpc, - description: 'Communication between EKS nodes and EKS Control Plane', + description: 'EKS Control Plane Security Group', }); const connectionPort = ec2.Port.tcp(443); // Control Plane has an HTTPS API this.connections = new ec2.Connections({ - securityGroups: [this.controlPlaneSecurityGroup], + securityGroups: [securityGroup], defaultPort: connectionPort, }); @@ -582,9 +580,7 @@ export class Cluster extends Resource implements ICluster { roleArn: this.role.roleArn, version: props.version.version, resourcesVpcConfig: { - securityGroupIds: [ - this.controlPlaneSecurityGroup.securityGroupId, - ], + securityGroupIds: [securityGroup.securityGroupId], subnetIds, }, }; diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts index fae1879e2b929..6340be221a298 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts 
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts @@ -56,11 +56,11 @@ class EksClusterStack extends TestStack { }, }); - // // inference instances - // cluster.addCapacity('InferenceInstances', { - // instanceType: new ec2.InstanceType('inf1.2xlarge'), - // minCapacity: 1, - // }); + // inference instances + cluster.addCapacity('InferenceInstances', { + instanceType: new ec2.InstanceType('inf1.2xlarge'), + minCapacity: 1, + }); // add a extra nodegroup cluster.addNodegroup('extra-ng', { From 5b6f04dbf5dce6ba08f29e9ad307a5b595c32e85 Mon Sep 17 00:00:00 2001 From: epolon Date: Sat, 18 Jul 2020 01:29:03 +0300 Subject: [PATCH 13/33] refactor --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index e7d472193e76d..ef141d2460a7e 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -564,11 +564,9 @@ export class Cluster extends Resource implements ICluster { description: 'EKS Control Plane Security Group', }); - const connectionPort = ec2.Port.tcp(443); // Control Plane has an HTTPS API - this.connections = new ec2.Connections({ securityGroups: [securityGroup], - defaultPort: connectionPort, + defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API, }); // Get subnetIds for all selected subnets @@ -596,7 +594,7 @@ export class Cluster extends Resource implements ICluster { }); // grant the kubectl provider access to the cluster control plane. - this.connections.allowFrom(this.kubctlProviderSecurityGroup, connectionPort); + this.connections.allowFrom(this.kubctlProviderSecurityGroup, this.connections.defaultPort!); resource = new ClusterResource(this, 'Resource', { ...clusterProps, From b24b9931fc2deea19f9dc0ce80be8b3b9a1f9b96 Mon Sep 17 00:00:00 2001 
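Review bot: `this.connections.allowFrom(this.kubctlProviderSecurityGroup, this.connections.defaultPort!)` in the `@@ -596` hunk trades a local constant for a non-null assertion on a value the same constructor set a few lines earlier; keeping `const connectionPort = ec2.Port.tcp(443); // Control Plane has an HTTPS API` and passing it to both `defaultPort` and `allowFrom` states the intent without `!` and keeps the port defined in one place. The constructor continues outside the hunk.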
From: epolon Date: Sun, 19 Jul 2020 20:21:07 +0300 Subject: [PATCH 14/33] formatting --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index ef141d2460a7e..7e36226d2dbe0 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -566,7 +566,7 @@ export class Cluster extends Resource implements ICluster { this.connections = new ec2.Connections({ securityGroups: [securityGroup], - defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API, + defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API }); // Get subnetIds for all selected subnets From 2761431e43dd002ccede4c73d06a9cc87b731aa5 Mon Sep 17 00:00:00 2001 From: epolon Date: Wed, 22 Jul 2020 18:06:04 +0300 Subject: [PATCH 15/33] added README and change test to use multiple subnets per az --- packages/@aws-cdk/aws-eks/README.md | 22 +- packages/@aws-cdk/aws-eks/lib/cluster.ts | 2 + ...eks-cluster-private-endpoint.expected.json | 728 +++++++++++------- .../integ.eks-cluster-private-endpoint.ts | 26 +- 4 files changed, 506 insertions(+), 272 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index ee73d0bedcba5..73dcbd75de931 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md 
@@ -45,6 +45,20 @@ cluster.addResource('mypod', { }); ``` +### Endpoint Access + +You can configure the [cluster endpoint access](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) by using the `endpointAccess` property: + +```typescript +const cluster = new eks.Cluster(this, 'hello-eks', { + version: eks.KubernetesVersion.V1_16, + endpointAccess: eks.EndpointAccess.private() // No access outside of your VPC. +}); +``` + +The default value is `eks.EndpointAccess.publicAndPrivate()`, which means the cluster endpoint is accessible from outside of your VPC, and worker node traffic to the endpoint will stay within your VPC. + + ### Capacity By default, `eks.Cluster` is created with a managed nodegroup with x2 `m5.large` instances. You must specify the kubernetes version for the cluster with the `version` property. @@ -78,7 +92,7 @@ new eks.Cluster(this, 'cluster', { To disable the default capacity, simply set `defaultCapacity` to `0`: ```ts -new eks.Cluster(this, 'cluster-with-no-capacity', { +new eks.Cluster(this, 'cluster-with-no-capacity', { defaultCapacity: 0, version: eks.KubernetesVersion.V1_16, }); @@ -105,8 +119,8 @@ cluster.addCapacity('frontend-nodes', { ### Managed Node Groups -Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) -for Amazon EKS Kubernetes clusters. By default, `eks.Nodegroup` create a nodegroup with x2 `t3.medium` instances. +Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) +for Amazon EKS Kubernetes clusters. By default, `eks.Nodegroup` create a nodegroup with x2 `t3.medium` instances. ```ts new eks.Nodegroup(stack, 'nodegroup', { cluster }); 
@@ -128,7 +142,7 @@ AWS Fargate is a technology that provides on-demand, right-sized compute capacity for containers. With AWS Fargate, you no longer have to provision, configure, or scale groups of virtual machines to run containers. This removes the need to choose server types, decide when to scale your node groups, or -optimize cluster packing. +optimize cluster packing. You can control which pods start on Fargate and how they run with Fargate Profiles, which are defined as part of your Amazon EKS cluster. diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 7e36226d2dbe0..dc9292ad87dcd 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -1033,6 +1033,8 @@ export class Cluster extends Resource implements ICluster { providerProps = { ...providerProps, vpc: this.vpc, + // lambda functions can only bind to one subnet per az, also, only private subnets + // are allowed (and needed). vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }, securityGroups: [this.kubctlProviderSecurityGroup!], }; diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json index 838969371996a..eeeb76c3c2156 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json @@ -43,7 +43,7 @@ ] } }, - "VpcPublicSubnet1Subnet5C2D37C4": { + "VpcPrivate1Subnet1SubnetC688B2B1": { "Type": "AWS::EC2::Subnet", "Properties": { "CidrBlock": "10.0.0.0/19", 
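Review bot: The new comment in `cluster.ts` says `lambda functions can only bind to one subnet per az`, but the selection beneath it, `vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }`, does not enforce that — with the VPC this commit's integ test now builds (several private subnets per AZ) it selects all of them. If the one-per-AZ constraint is real, encode it as `vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE, onePerAz: true }`; if it is not, reword the comment to state only that private subnets are used so the provider's traffic to the control plane stays inside the VPC. The enclosing method starts and ends outside the hunk.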
@@ -51,28 +51,28 @@ "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1a", - "MapPublicIpOnLaunch": true, + "MapPublicIpOnLaunch": false, "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Public" + "Value": "Private1" }, { "Key": "aws-cdk:subnet-type", - "Value": "Public" + "Value": "Private" }, { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private1Subnet1" } ] } }, - "VpcPublicSubnet1RouteTable6C95E38E": { + "VpcPrivate1Subnet1RouteTable63B93D7A": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { 
@@ -80,112 +80,139 @@ }, "Tags": [ { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private1Subnet1" } ] } }, - "VpcPublicSubnet1RouteTableAssociation97140677": { + "VpcPrivate1Subnet1RouteTableAssociation97501102": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + "Ref": "VpcPrivate1Subnet1RouteTable63B93D7A" }, "SubnetId": { - "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + "Ref": "VpcPrivate1Subnet1SubnetC688B2B1" } } }, - "VpcPublicSubnet1DefaultRoute3DA9E72A": { + "VpcPrivate1Subnet1DefaultRouteF2E75A1D": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + "Ref": "VpcPrivate1Subnet1RouteTable63B93D7A" }, "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VpcIGWD7BA715C" + "NatGatewayId": { + "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" } - }, - "DependsOn": [ - "VpcVPCGWBF912B6E" - ] + } }, - "VpcPublicSubnet1EIPD7E02669": { - "Type": "AWS::EC2::EIP", + "VpcPrivate1Subnet2SubnetA2AF15C7": { + "Type": "AWS::EC2::Subnet", "Properties": { - "Domain": "vpc", + "CidrBlock": "10.0.32.0/19", + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, "Tags": [ { - "Key": "kubernetes.io/role/elb", + "Key": "aws-cdk:subnet-name", + "Value": "Private1" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private1Subnet2" } ] } }, - "VpcPublicSubnet1NATGateway4D7517AA": { - "Type": "AWS::EC2::NatGateway", + "VpcPrivate1Subnet2RouteTable695199F8": { + "Type": 
"AWS::EC2::RouteTable", "Properties": { - "AllocationId": { - "Fn::GetAtt": [ - "VpcPublicSubnet1EIPD7E02669", - "AllocationId" - ] - }, - "SubnetId": { - "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + "VpcId": { + "Ref": "Vpc8378EB38" }, "Tags": [ { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private1Subnet2" } ] } }, - "VpcPublicSubnet2Subnet691E08A3": { + "VpcPrivate1Subnet2RouteTableAssociation24F600FF": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivate1Subnet2RouteTable695199F8" + }, + "SubnetId": { + "Ref": "VpcPrivate1Subnet2SubnetA2AF15C7" + } + } + }, + "VpcPrivate1Subnet2DefaultRouteD86AEB1B": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivate1Subnet2RouteTable695199F8" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" + } + } + }, + "VpcPrivate2Subnet1SubnetE13E2E30": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.32.0/19", + "CidrBlock": "10.0.64.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, - "AvailabilityZone": "test-region-1b", - "MapPublicIpOnLaunch": true, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": false, "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Public" + "Value": "Private2" }, { "Key": "aws-cdk:subnet-type", - "Value": "Public" + "Value": "Private" }, { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private2Subnet1" } ] } }, - "VpcPublicSubnet2RouteTable94F7E489": { + "VpcPrivate2Subnet1RouteTableDBA2D67B": { "Type": "AWS::EC2::RouteTable", "Properties": { 
"VpcId": { 
@@ -193,72 +220,69 @@ }, "Tags": [ { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private2Subnet1" } ] } }, - "VpcPublicSubnet2RouteTableAssociationDD5762D8": { + "VpcPrivate2Subnet1RouteTableAssociationF5F23DD8": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPublicSubnet2RouteTable94F7E489" + "Ref": "VpcPrivate2Subnet1RouteTableDBA2D67B" }, "SubnetId": { - "Ref": "VpcPublicSubnet2Subnet691E08A3" + "Ref": "VpcPrivate2Subnet1SubnetE13E2E30" } } }, - "VpcPublicSubnet2DefaultRoute97F91067": { + "VpcPrivate2Subnet1DefaultRouteAB9E1DA7": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPublicSubnet2RouteTable94F7E489" + "Ref": "VpcPrivate2Subnet1RouteTableDBA2D67B" }, "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VpcIGWD7BA715C" + "NatGatewayId": { + "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" } - }, - "DependsOn": [ - "VpcVPCGWBF912B6E" - ] + } }, - "VpcPublicSubnet3SubnetBE12F0B6": { + "VpcPrivate2Subnet2Subnet158A38AB": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.64.0/19", + "CidrBlock": "10.0.96.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, - "AvailabilityZone": "test-region-1c", - "MapPublicIpOnLaunch": true, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": false, "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Public" + "Value": "Private2" }, { "Key": "aws-cdk:subnet-type", - "Value": "Public" + "Value": "Private" }, { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet3" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private2Subnet2" } ] } }, - "VpcPublicSubnet3RouteTable93458DBB": { + 
"VpcPrivate2Subnet2RouteTableAE2A7039": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { @@ -266,46 +290,43 @@ }, "Tags": [ { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet3" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private2Subnet2" } ] } }, - "VpcPublicSubnet3RouteTableAssociation1F1EDF02": { + "VpcPrivate2Subnet2RouteTableAssociation84DD7BE3": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPublicSubnet3RouteTable93458DBB" + "Ref": "VpcPrivate2Subnet2RouteTableAE2A7039" }, "SubnetId": { - "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + "Ref": "VpcPrivate2Subnet2Subnet158A38AB" } } }, - "VpcPublicSubnet3DefaultRoute4697774F": { + "VpcPrivate2Subnet2DefaultRoute819C9A9A": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPublicSubnet3RouteTable93458DBB" + "Ref": "VpcPrivate2Subnet2RouteTableAE2A7039" }, "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VpcIGWD7BA715C" + "NatGatewayId": { + "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" } - }, - "DependsOn": [ - "VpcVPCGWBF912B6E" - ] + } }, - "VpcPrivateSubnet1Subnet536B997A": { + "VpcPrivate3Subnet1Subnet0E5E4806": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.96.0/19", + "CidrBlock": "10.0.128.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, @@ -314,7 +335,7 @@ "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Private" + "Value": "Private3" }, { "Key": "aws-cdk:subnet-type", @@ -326,12 +347,12 @@ }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private3Subnet1" } ] } }, - "VpcPrivateSubnet1RouteTableB2C5B500": { + "VpcPrivate3Subnet1RouteTableF63E0CF3": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { 
@@ -344,38 +365,38 @@ }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private3Subnet1" } ] } }, - "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { + "VpcPrivate3Subnet1RouteTableAssociationC5688D3B": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + "Ref": "VpcPrivate3Subnet1RouteTableF63E0CF3" }, "SubnetId": { - "Ref": "VpcPrivateSubnet1Subnet536B997A" + "Ref": "VpcPrivate3Subnet1Subnet0E5E4806" } } }, - "VpcPrivateSubnet1DefaultRouteBE02A9ED": { + "VpcPrivate3Subnet1DefaultRoute5318328D": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + "Ref": "VpcPrivate3Subnet1RouteTableF63E0CF3" }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { - "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" } } }, - "VpcPrivateSubnet2Subnet3788AAA1": { + "VpcPrivate3Subnet2SubnetD72105DD": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.128.0/19", + "CidrBlock": "10.0.160.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, @@ -384,7 +405,7 @@ "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Private" + "Value": "Private3" }, { "Key": "aws-cdk:subnet-type", @@ -396,12 +417,12 @@ }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private3Subnet2" } ] } }, - "VpcPrivateSubnet2RouteTableA678073B": { + "VpcPrivate3Subnet2RouteTable1DBBA64A": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { 
@@ -414,64 +435,64 @@ }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private3Subnet2" } ] } }, - "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { + "VpcPrivate3Subnet2RouteTableAssociation31AF23B3": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPrivateSubnet2RouteTableA678073B" + "Ref": "VpcPrivate3Subnet2RouteTable1DBBA64A" }, "SubnetId": { - "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + "Ref": "VpcPrivate3Subnet2SubnetD72105DD" } } }, - "VpcPrivateSubnet2DefaultRoute060D2087": { + "VpcPrivate3Subnet2DefaultRoute1F5E0972": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPrivateSubnet2RouteTableA678073B" + "Ref": "VpcPrivate3Subnet2RouteTable1DBBA64A" }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { - "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" } } }, - "VpcPrivateSubnet3SubnetF258B56E": { + "VpcPublic1Subnet1Subnet822C42F4": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.160.0/19", + "CidrBlock": "10.0.192.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, - "AvailabilityZone": "test-region-1c", - "MapPublicIpOnLaunch": false, + "AvailabilityZone": "test-region-1a", + "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Private" + "Value": "Public1" }, { "Key": "aws-cdk:subnet-type", - "Value": "Private" + "Value": "Public" }, { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet3" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet1" } ] } }, - "VpcPrivateSubnet3RouteTableD98824C7": { + "VpcPublic1Subnet1RouteTable656E2024": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { 
@@ -479,39 +500,155 @@ }, "Tags": [ { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet3" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet1" } ] } }, - "VpcPrivateSubnet3RouteTableAssociation16BDDC43": { + "VpcPublic1Subnet1RouteTableAssociation5CE153E6": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + "Ref": "VpcPublic1Subnet1RouteTable656E2024" }, "SubnetId": { - "Ref": "VpcPrivateSubnet3SubnetF258B56E" + "Ref": "VpcPublic1Subnet1Subnet822C42F4" } } }, - "VpcPrivateSubnet3DefaultRoute94B74F0D": { + "VpcPublic1Subnet1DefaultRouteD855846C": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPrivateSubnet3RouteTableD98824C7" + "Ref": "VpcPublic1Subnet1RouteTable656E2024" }, "DestinationCidrBlock": "0.0.0.0/0", - "NatGatewayId": { - "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublic1Subnet1EIP6E1EA980": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet1" + } + ] + } + }, + "VpcPublic1Subnet1NATGatewayF6E55728": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublic1Subnet1EIP6E1EA980", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "VpcPublic1Subnet1Subnet822C42F4" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet1" + } + ] + } + }, + "VpcPublic1Subnet2Subnet47603E66": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.224.0/19", + 
"VpcId": { + "Ref": "Vpc8378EB38" + }, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public1" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet2" + } + ] + } + }, + "VpcPublic1Subnet2RouteTable99F73B51": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "Vpc8378EB38" + }, + "Tags": [ + { + "Key": "kubernetes.io/role/elb", + "Value": "1" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet2" + } + ] + } + }, + "VpcPublic1Subnet2RouteTableAssociationC9119526": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublic1Subnet2RouteTable99F73B51" + }, + "SubnetId": { + "Ref": "VpcPublic1Subnet2Subnet47603E66" } } }, + "VpcPublic1Subnet2DefaultRoute73AD7054": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublic1Subnet2RouteTable99F73B51" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, "VpcIGWD7BA715C": { "Type": "AWS::EC2::InternetGateway", "Properties": { 
@@ -581,11 +718,11 @@ } } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82443389925FD": { + "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup6A0B729C443DF3A2707": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "IpProtocol": "tcp", - "Description": "from awscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82:443", + "Description": "from awscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup6A0B729C:443", "FromPort": 443, "GroupId": { "Fn::GetAtt": [ @@ -595,13 +732,29 @@ }, "SourceSecurityGroupId": { "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", + "ClusterKubectlProviderSecurityGroup2D90691C", "GroupId" ] }, "ToPort": 443 } }, + "ClusterKubectlProviderSecurityGroup2D90691C": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Comminication between KubectlProvider and EKS Control Plane", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, "ClusterCreationRole360249B6": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -644,35 +797,42 @@ } }, "DependsOn": [ - "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82443389925FD", - "ClusterControlPlaneSecurityGroupD274242C", + "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", - "VpcPrivateSubnet1DefaultRouteBE02A9ED", - "VpcPrivateSubnet1RouteTableB2C5B500", - "VpcPrivateSubnet1RouteTableAssociation70C59FA6", - "VpcPrivateSubnet1Subnet536B997A", - "VpcPrivateSubnet2DefaultRoute060D2087", - "VpcPrivateSubnet2RouteTableA678073B", - "VpcPrivateSubnet2RouteTableAssociationA89CAD56", - "VpcPrivateSubnet2Subnet3788AAA1", - "VpcPrivateSubnet3DefaultRoute94B74F0D", - "VpcPrivateSubnet3RouteTableD98824C7", - "VpcPrivateSubnet3RouteTableAssociation16BDDC43", - "VpcPrivateSubnet3SubnetF258B56E", - "VpcPublicSubnet1DefaultRoute3DA9E72A", - "VpcPublicSubnet1EIPD7E02669", - "VpcPublicSubnet1NATGateway4D7517AA", - "VpcPublicSubnet1RouteTable6C95E38E", - "VpcPublicSubnet1RouteTableAssociation97140677", - "VpcPublicSubnet1Subnet5C2D37C4", - "VpcPublicSubnet2DefaultRoute97F91067", - "VpcPublicSubnet2RouteTable94F7E489", - "VpcPublicSubnet2RouteTableAssociationDD5762D8", - "VpcPublicSubnet2Subnet691E08A3", - "VpcPublicSubnet3DefaultRoute4697774F", - "VpcPublicSubnet3RouteTable93458DBB", - "VpcPublicSubnet3RouteTableAssociation1F1EDF02", - "VpcPublicSubnet3SubnetBE12F0B6", + "VpcPrivate1Subnet1DefaultRouteF2E75A1D", + "VpcPrivate1Subnet1RouteTable63B93D7A", + "VpcPrivate1Subnet1RouteTableAssociation97501102", + "VpcPrivate1Subnet1SubnetC688B2B1", + "VpcPrivate1Subnet2DefaultRouteD86AEB1B", + "VpcPrivate1Subnet2RouteTable695199F8", + "VpcPrivate1Subnet2RouteTableAssociation24F600FF", + "VpcPrivate1Subnet2SubnetA2AF15C7", + "VpcPrivate2Subnet1DefaultRouteAB9E1DA7", + "VpcPrivate2Subnet1RouteTableDBA2D67B", + "VpcPrivate2Subnet1RouteTableAssociationF5F23DD8", + "VpcPrivate2Subnet1SubnetE13E2E30", + "VpcPrivate2Subnet2DefaultRoute819C9A9A", + "VpcPrivate2Subnet2RouteTableAE2A7039", 
+ "VpcPrivate2Subnet2RouteTableAssociation84DD7BE3", + "VpcPrivate2Subnet2Subnet158A38AB", + "VpcPrivate3Subnet1DefaultRoute5318328D", + "VpcPrivate3Subnet1RouteTableF63E0CF3", + "VpcPrivate3Subnet1RouteTableAssociationC5688D3B", + "VpcPrivate3Subnet1Subnet0E5E4806", + "VpcPrivate3Subnet2DefaultRoute1F5E0972", + "VpcPrivate3Subnet2RouteTable1DBBA64A", + "VpcPrivate3Subnet2RouteTableAssociation31AF23B3", + "VpcPrivate3Subnet2SubnetD72105DD", + "VpcPublic1Subnet1DefaultRouteD855846C", + "VpcPublic1Subnet1EIP6E1EA980", + "VpcPublic1Subnet1NATGatewayF6E55728", + "VpcPublic1Subnet1RouteTable656E2024", + "VpcPublic1Subnet1RouteTableAssociation5CE153E6", + "VpcPublic1Subnet1Subnet822C42F4", + "VpcPublic1Subnet2DefaultRoute73AD7054", + "VpcPublic1Subnet2RouteTable99F73B51", + "VpcPublic1Subnet2RouteTableAssociationC9119526", + "VpcPublic1Subnet2Subnet47603E66", "Vpc8378EB38", "VpcVPCGWBF912B6E" ] 
@@ -768,35 +928,42 @@ ] }, "DependsOn": [ - "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82443389925FD", - "ClusterControlPlaneSecurityGroupD274242C", + "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", - "VpcPrivateSubnet1DefaultRouteBE02A9ED", - "VpcPrivateSubnet1RouteTableB2C5B500", - "VpcPrivateSubnet1RouteTableAssociation70C59FA6", - "VpcPrivateSubnet1Subnet536B997A", - "VpcPrivateSubnet2DefaultRoute060D2087", - "VpcPrivateSubnet2RouteTableA678073B", - "VpcPrivateSubnet2RouteTableAssociationA89CAD56", - "VpcPrivateSubnet2Subnet3788AAA1", - "VpcPrivateSubnet3DefaultRoute94B74F0D", - "VpcPrivateSubnet3RouteTableD98824C7", - "VpcPrivateSubnet3RouteTableAssociation16BDDC43", - "VpcPrivateSubnet3SubnetF258B56E", - "VpcPublicSubnet1DefaultRoute3DA9E72A", - "VpcPublicSubnet1EIPD7E02669", - "VpcPublicSubnet1NATGateway4D7517AA", - "VpcPublicSubnet1RouteTable6C95E38E", - "VpcPublicSubnet1RouteTableAssociation97140677", - "VpcPublicSubnet1Subnet5C2D37C4", - "VpcPublicSubnet2DefaultRoute97F91067", - "VpcPublicSubnet2RouteTable94F7E489", - "VpcPublicSubnet2RouteTableAssociationDD5762D8", - "VpcPublicSubnet2Subnet691E08A3", - "VpcPublicSubnet3DefaultRoute4697774F", - "VpcPublicSubnet3RouteTable93458DBB", - "VpcPublicSubnet3RouteTableAssociation1F1EDF02", - "VpcPublicSubnet3SubnetBE12F0B6", + "VpcPrivate1Subnet1DefaultRouteF2E75A1D", + "VpcPrivate1Subnet1RouteTable63B93D7A", + "VpcPrivate1Subnet1RouteTableAssociation97501102", + "VpcPrivate1Subnet1SubnetC688B2B1", + "VpcPrivate1Subnet2DefaultRouteD86AEB1B", + "VpcPrivate1Subnet2RouteTable695199F8", + "VpcPrivate1Subnet2RouteTableAssociation24F600FF", + "VpcPrivate1Subnet2SubnetA2AF15C7", + "VpcPrivate2Subnet1DefaultRouteAB9E1DA7", + "VpcPrivate2Subnet1RouteTableDBA2D67B", + "VpcPrivate2Subnet1RouteTableAssociationF5F23DD8", + "VpcPrivate2Subnet1SubnetE13E2E30", + "VpcPrivate2Subnet2DefaultRoute819C9A9A", + "VpcPrivate2Subnet2RouteTableAE2A7039", 
+ "VpcPrivate2Subnet2RouteTableAssociation84DD7BE3", + "VpcPrivate2Subnet2Subnet158A38AB", + "VpcPrivate3Subnet1DefaultRoute5318328D", + "VpcPrivate3Subnet1RouteTableF63E0CF3", + "VpcPrivate3Subnet1RouteTableAssociationC5688D3B", + "VpcPrivate3Subnet1Subnet0E5E4806", + "VpcPrivate3Subnet2DefaultRoute1F5E0972", + "VpcPrivate3Subnet2RouteTable1DBBA64A", + "VpcPrivate3Subnet2RouteTableAssociation31AF23B3", + "VpcPrivate3Subnet2SubnetD72105DD", + "VpcPublic1Subnet1DefaultRouteD855846C", + "VpcPublic1Subnet1EIP6E1EA980", + "VpcPublic1Subnet1NATGatewayF6E55728", + "VpcPublic1Subnet1RouteTable656E2024", + "VpcPublic1Subnet1RouteTableAssociation5CE153E6", + "VpcPublic1Subnet1Subnet822C42F4", + "VpcPublic1Subnet2DefaultRoute73AD7054", + "VpcPublic1Subnet2RouteTable99F73B51", + "VpcPublic1Subnet2RouteTableAssociationC9119526", + "VpcPublic1Subnet2Subnet47603E66", "Vpc8378EB38", "VpcVPCGWBF912B6E" ] @@ -821,22 +988,28 @@ "resourcesVpcConfig": { "subnetIds": [ { - "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + "Ref": "VpcPublic1Subnet1Subnet822C42F4" + }, + { + "Ref": "VpcPublic1Subnet2Subnet47603E66" }, { - "Ref": "VpcPublicSubnet2Subnet691E08A3" + "Ref": "VpcPrivate1Subnet1SubnetC688B2B1" }, { - "Ref": "VpcPublicSubnet3SubnetBE12F0B6" + "Ref": "VpcPrivate1Subnet2SubnetA2AF15C7" }, { - "Ref": "VpcPrivateSubnet1Subnet536B997A" + "Ref": "VpcPrivate2Subnet1SubnetE13E2E30" }, { - "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + "Ref": "VpcPrivate2Subnet2Subnet158A38AB" }, { - "Ref": "VpcPrivateSubnet3SubnetF258B56E" + "Ref": "VpcPrivate3Subnet1Subnet0E5E4806" + }, + { + "Ref": "VpcPrivate3Subnet2SubnetD72105DD" } ], "securityGroupIds": [ 
@@ -860,37 +1033,44 @@ "AttributesRevision": 2 }, "DependsOn": [ - "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroupD4062C82443389925FD", - "ClusterControlPlaneSecurityGroupD274242C", + "ClusterKubectlProviderSecurityGroup2D90691C", "ClusterCreationRoleDefaultPolicyE8BDFC7B", "ClusterCreationRole360249B6", "VpcIGWD7BA715C", - "VpcPrivateSubnet1DefaultRouteBE02A9ED", - "VpcPrivateSubnet1RouteTableB2C5B500", - "VpcPrivateSubnet1RouteTableAssociation70C59FA6", - "VpcPrivateSubnet1Subnet536B997A", - "VpcPrivateSubnet2DefaultRoute060D2087", - "VpcPrivateSubnet2RouteTableA678073B", - "VpcPrivateSubnet2RouteTableAssociationA89CAD56", - "VpcPrivateSubnet2Subnet3788AAA1", - "VpcPrivateSubnet3DefaultRoute94B74F0D", - "VpcPrivateSubnet3RouteTableD98824C7", - "VpcPrivateSubnet3RouteTableAssociation16BDDC43", - "VpcPrivateSubnet3SubnetF258B56E", - "VpcPublicSubnet1DefaultRoute3DA9E72A", - "VpcPublicSubnet1EIPD7E02669", - "VpcPublicSubnet1NATGateway4D7517AA", - "VpcPublicSubnet1RouteTable6C95E38E", - "VpcPublicSubnet1RouteTableAssociation97140677", - "VpcPublicSubnet1Subnet5C2D37C4", - "VpcPublicSubnet2DefaultRoute97F91067", - "VpcPublicSubnet2RouteTable94F7E489", - "VpcPublicSubnet2RouteTableAssociationDD5762D8", - "VpcPublicSubnet2Subnet691E08A3", - "VpcPublicSubnet3DefaultRoute4697774F", - "VpcPublicSubnet3RouteTable93458DBB", - "VpcPublicSubnet3RouteTableAssociation1F1EDF02", - "VpcPublicSubnet3SubnetBE12F0B6", + "VpcPrivate1Subnet1DefaultRouteF2E75A1D", + "VpcPrivate1Subnet1RouteTable63B93D7A", + "VpcPrivate1Subnet1RouteTableAssociation97501102", + "VpcPrivate1Subnet1SubnetC688B2B1", + "VpcPrivate1Subnet2DefaultRouteD86AEB1B", + "VpcPrivate1Subnet2RouteTable695199F8", + "VpcPrivate1Subnet2RouteTableAssociation24F600FF", + "VpcPrivate1Subnet2SubnetA2AF15C7", + "VpcPrivate2Subnet1DefaultRouteAB9E1DA7", + "VpcPrivate2Subnet1RouteTableDBA2D67B", + "VpcPrivate2Subnet1RouteTableAssociationF5F23DD8", + 
"VpcPrivate2Subnet1SubnetE13E2E30", + "VpcPrivate2Subnet2DefaultRoute819C9A9A", + "VpcPrivate2Subnet2RouteTableAE2A7039", + "VpcPrivate2Subnet2RouteTableAssociation84DD7BE3", + "VpcPrivate2Subnet2Subnet158A38AB", + "VpcPrivate3Subnet1DefaultRoute5318328D", + "VpcPrivate3Subnet1RouteTableF63E0CF3", + "VpcPrivate3Subnet1RouteTableAssociationC5688D3B", + "VpcPrivate3Subnet1Subnet0E5E4806", + "VpcPrivate3Subnet2DefaultRoute1F5E0972", + "VpcPrivate3Subnet2RouteTable1DBBA64A", + "VpcPrivate3Subnet2RouteTableAssociation31AF23B3", + "VpcPrivate3Subnet2SubnetD72105DD", + "VpcPublic1Subnet1DefaultRouteD855846C", + "VpcPublic1Subnet1EIP6E1EA980", + "VpcPublic1Subnet1NATGatewayF6E55728", + "VpcPublic1Subnet1RouteTable656E2024", + "VpcPublic1Subnet1RouteTableAssociation5CE153E6", + "VpcPublic1Subnet1Subnet822C42F4", + "VpcPublic1Subnet2DefaultRoute73AD7054", + "VpcPublic1Subnet2RouteTable99F73B51", + "VpcPublic1Subnet2RouteTableAssociationC9119526", + "VpcPublic1Subnet2Subnet47603E66", "Vpc8378EB38", "VpcVPCGWBF912B6E" ], @@ -1042,13 +1222,22 @@ }, "Subnets": [ { - "Ref": "VpcPrivateSubnet1Subnet536B997A" + "Ref": "VpcPrivate1Subnet1SubnetC688B2B1" + }, + { + "Ref": "VpcPrivate1Subnet2SubnetA2AF15C7" }, { - "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + "Ref": "VpcPrivate2Subnet1SubnetE13E2E30" }, { - "Ref": "VpcPrivateSubnet3SubnetF258B56E" + "Ref": "VpcPrivate2Subnet2Subnet158A38AB" + }, + { + "Ref": "VpcPrivate3Subnet1Subnet0E5E4806" + }, + { + "Ref": "VpcPrivate3Subnet2SubnetD72105DD" } ], "ForceUpdateEnabled": true, @@ -1101,7 +1290,7 @@ }, "/", { - "Ref": "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3Bucket8DAC1637" + "Ref": "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3BucketE3798CD4" }, "/", { 
@@ -1111,7 +1300,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3VersionKey0F7AEF85" + "Ref": "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3VersionKey97783D11" } ] } @@ -1124,7 +1313,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3VersionKey0F7AEF85" + "Ref": "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3VersionKey97783D11" } ] } @@ -1134,11 +1323,11 @@ ] }, "Parameters": { - "referencetoawscdkeksclusterprivateendpointtestAssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3Bucket1D2F354ERef": { - "Ref": "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3BucketF5EB4657" + "referencetoawscdkeksclusterprivateendpointtestAssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3BucketFDC1B6C7Ref": { + "Ref": "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3Bucket5F33664E" }, - "referencetoawscdkeksclusterprivateendpointtestAssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3VersionKey53B61BAFRef": { - "Ref": "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3VersionKey1BD28F17" + "referencetoawscdkeksclusterprivateendpointtestAssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey369B097DRef": { + "Ref": "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey5C517502" }, "referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3Bucket7CB66361Ref": { "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256" 
@@ -1162,7 +1351,7 @@ }, "/", { - "Ref": "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3Bucket1E1DCF01" + "Ref": "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3BucketE6511518" }, "/", { @@ -1172,7 +1361,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3VersionKey6986DC2D" + "Ref": "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3VersionKey2582513C" } ] } @@ -1185,7 +1374,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3VersionKey6986DC2D" + "Ref": "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3VersionKey2582513C" } ] } 
@@ -1195,24 +1384,33 @@ ] }, "Parameters": { - "referencetoawscdkeksclusterprivateendpointtestAssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3BucketF99DEE1FRef": { - "Ref": "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3BucketE15DE473" + "referencetoawscdkeksclusterprivateendpointtestAssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3Bucket5848D8F5Ref": { + "Ref": "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3BucketE7D09A6B" + }, + "referencetoawscdkeksclusterprivateendpointtestAssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3VersionKeyD69255C2Ref": { + "Ref": "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3VersionKey1DA734B2" + }, + "referencetoawscdkeksclusterprivateendpointtestVpcPrivate1Subnet1Subnet5DD1FB9CRef": { + "Ref": "VpcPrivate1Subnet1SubnetC688B2B1" + }, + "referencetoawscdkeksclusterprivateendpointtestVpcPrivate1Subnet2Subnet4A892E2CRef": { + "Ref": "VpcPrivate1Subnet2SubnetA2AF15C7" }, - "referencetoawscdkeksclusterprivateendpointtestAssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3VersionKeyF0B03FC6Ref": { - "Ref": "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3VersionKeyDCCDCE64" + "referencetoawscdkeksclusterprivateendpointtestVpcPrivate2Subnet1Subnet4249F3C7Ref": { + "Ref": "VpcPrivate2Subnet1SubnetE13E2E30" }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet1Subnet94DAD769Ref": { - "Ref": "VpcPrivateSubnet1Subnet536B997A" + "referencetoawscdkeksclusterprivateendpointtestVpcPrivate2Subnet2SubnetA4430AEARef": { + "Ref": "VpcPrivate2Subnet2Subnet158A38AB" }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet2Subnet04963C08Ref": { - "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + 
"referencetoawscdkeksclusterprivateendpointtestVpcPrivate3Subnet1Subnet9A0DA5C2Ref": { + "Ref": "VpcPrivate3Subnet1Subnet0E5E4806" }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet3SubnetC47FD39ARef": { - "Ref": "VpcPrivateSubnet3SubnetF258B56E" + "referencetoawscdkeksclusterprivateendpointtestVpcPrivate3Subnet2Subnet68EF00A2Ref": { + "Ref": "VpcPrivate3Subnet2SubnetD72105DD" }, - "referencetoawscdkeksclusterprivateendpointtestClusterControlPlaneSecurityGroup197B1436GroupId": { + "referencetoawscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup67FA4325GroupId": { "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", + "ClusterKubectlProviderSecurityGroup2D90691C", "GroupId" ] }, 
@@ -1269,17 +1467,17 @@ } }, "Parameters": { - "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3BucketF5EB4657": { + "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3Bucket5F33664E": { "Type": "String", - "Description": "S3 bucket for asset \"ce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1b\"" + "Description": "S3 bucket for asset \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" }, - "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bS3VersionKey1BD28F17": { + "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey5C517502": { "Type": "String", - "Description": "S3 key for asset version \"ce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1b\"" + "Description": "S3 key for asset version \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" }, - "AssetParametersce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1bArtifactHashBF71476C": { + "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aArtifactHashFDE4A4C8": { "Type": "String", - "Description": "Artifact hash for asset \"ce797d85c1c1e40a9e91e69fae75739d1dcea61d82b1e164720fc69c442e2a1b\"" + "Description": "Artifact hash for asset \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" }, "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256": { "Type": "String", 
@@ -1293,41 +1491,41 @@ "Type": "String", "Description": "Artifact hash for asset \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\"" }, - "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3BucketE15DE473": { + "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3BucketE7D09A6B": { "Type": "String", - "Description": "S3 bucket for asset \"002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31f\"" + "Description": "S3 bucket for asset \"649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502\"" }, - "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fS3VersionKeyDCCDCE64": { + "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3VersionKey1DA734B2": { "Type": "String", - "Description": "S3 key for asset version \"002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31f\"" + "Description": "S3 key for asset version \"649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502\"" }, - "AssetParameters002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31fArtifactHash48F9DCF6": { + "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502ArtifactHash815E1969": { "Type": "String", - "Description": "Artifact hash for asset \"002221efd60f8b0158670e8e9bc2f0a66203cec698160e2b085b3fd0284bf31f\"" + "Description": "Artifact hash for asset \"649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502\"" }, - "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3Bucket8DAC1637": { + "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3BucketE3798CD4": { "Type": "String", - "Description": "S3 bucket for asset \"1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443\"" + "Description": "S3 bucket for asset \"71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4\"" }, - 
"AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443S3VersionKey0F7AEF85": { + "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3VersionKey97783D11": { "Type": "String", - "Description": "S3 key for asset version \"1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443\"" + "Description": "S3 key for asset version \"71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4\"" }, - "AssetParameters1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443ArtifactHash8D22ACCD": { + "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4ArtifactHash0561162E": { "Type": "String", - "Description": "Artifact hash for asset \"1d54fe392c17a77f062eb9589a146cca9103d80e1454c4c6a2af1d1693cfc443\"" + "Description": "Artifact hash for asset \"71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4\"" }, - "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3Bucket1E1DCF01": { + "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3BucketE6511518": { "Type": "String", - "Description": "S3 bucket for asset \"072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314\"" + "Description": "S3 bucket for asset \"467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cb\"" }, - "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314S3VersionKey6986DC2D": { + "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3VersionKey2582513C": { "Type": "String", - "Description": "S3 key for asset version \"072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314\"" + "Description": "S3 key for asset version \"467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cb\"" }, - "AssetParameters072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314ArtifactHashFB37F1C4": { + 
"AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbArtifactHash90F3B465": { "Type": "String", - "Description": "Artifact hash for asset \"072bfc9adfd1e03e7f2e49fbd64390e2fc05058b2764366dfeafe48a5fb02314\"" + "Description": "Artifact hash for asset \"467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cb\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts index c7e3df24cc070..ddc71943d3a97 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts @@ -14,10 +14,30 @@ class EksClusterStack extends TestStack { assumedBy: new iam.AccountRootPrincipal(), }); - // just need one nat gateway to simplify the test - const vpc = new ec2.Vpc(this, 'Vpc', { maxAzs: 3, natGateways: 1 }); + const vpc = new ec2.Vpc(this, 'Vpc', { + maxAzs: 2, + natGateways: 1, // just need one nat gateway to simplify the test + // so that we also validate it works with multiple private subnets per az. + subnetConfiguration: [ + { + subnetType: ec2.SubnetType.PRIVATE, + name: 'Private1', + }, + { + subnetType: ec2.SubnetType.PRIVATE, + name: 'Private2', + }, + { + subnetType: ec2.SubnetType.PRIVATE, + name: 'Private3', + }, + { + subnetType: ec2.SubnetType.PUBLIC, + name: 'Public1', + }, + ], + }); - // create the cluster with a default nodegroup capacity const cluster = new eks.Cluster(this, 'Cluster', { vpc, mastersRole, From 1c5c85ac6f77dbad3b1b9c0424913081178b3acd Mon Sep 17 00:00:00 2001 From: epolon Date: Sat, 25 Jul 2020 16:43:42 +0300 Subject: [PATCH 16/33] mid work --- packages/@aws-cdk/aws-eks/README.md | 2 +- .../test/integ.eks-cluster.expected.json | 627 ++++++------------ .../aws-eks/test/integ.eks-cluster.ts | 10 +- 3 files changed, 213 insertions(+), 426 deletions(-) 
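Review bot: In the new `ec2.Vpc` props of integ.eks-cluster-private-endpoint.ts, the comment `// so that we also validate it works with multiple private subnets per az.` sits directly under the `natGateways: 1, // just need one nat gateway ...` line and reads as a continuation of the NAT-gateway remark, not as the rationale for the three `PRIVATE` entries in `subnetConfiguration`. Moving it to its own line directly above `subnetConfiguration:` as a full sentence, e.g. `// three private subnet groups, so that we also validate the cluster works with multiple private subnets per AZ`, makes the intent of the test fixture clear to the next reader. The `eks.Cluster` construction that starts at the end of the hunk continues outside it, so it is not reviewed here.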
diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 73dcbd75de931..9463858f321ff 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md @@ -56,7 +56,7 @@ const cluster = new eks.Cluster(this, 'hello-eks', { }); ``` -The default value is `eks.EndpointAccess.publicAndPrivate()`, which means the cluster endpoint is accessible from outside of your VPC, and worker node traffic to the endpoint will stay within your VPC. +The default value is `eks.EndpointAccess.publicAndPrivate()`. Which means the cluster endpoint is accessible from outside of your VPC, and worker node traffic to the endpoint will stay within your VPC. ### Capacity diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index 1aa1b2d54725d..9610cbafca025 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json @@ -581,11 +581,11 @@ } } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C54443795AF111": { + "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterKubectlProviderSecurityGroup0285626644359187EDA": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "IpProtocol": "tcp", - "Description": "from awscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C54:443", + "Description": "from awscdkeksclustertestClusterKubectlProviderSecurityGroup02856266:443", "FromPort": 443, "GroupId": { "Fn::GetAtt": [ 
@@ -595,18 +595,18 @@ }, "SourceSecurityGroupId": { "Fn::GetAtt": [ - "ClusterNodesInstanceSecurityGroup899246BD", + "ClusterKubectlProviderSecurityGroup2D90691C", "GroupId" ] }, "ToPort": 443 } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterBottlerocketNodesInstanceSecurityGroup83FE7914443ECEF3F30": { + "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C54443795AF111": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "IpProtocol": "tcp", - "Description": "from awscdkeksclustertestClusterBottlerocketNodesInstanceSecurityGroup83FE7914:443", + "Description": "from awscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C54:443", "FromPort": 443, "GroupId": { "Fn::GetAtt": [ @@ -616,18 +616,18 @@ }, "SourceSecurityGroupId": { "Fn::GetAtt": [ - "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "ClusterNodesInstanceSecurityGroup899246BD", "GroupId" ] }, "ToPort": 443 } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterspotInstanceSecurityGroupF50F5D474431DE5485F": { + "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterBottlerocketNodesInstanceSecurityGroup83FE7914443ECEF3F30": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "IpProtocol": "tcp", - "Description": "from awscdkeksclustertestClusterspotInstanceSecurityGroupF50F5D47:443", + "Description": "from awscdkeksclustertestClusterBottlerocketNodesInstanceSecurityGroup83FE7914:443", "FromPort": 443, "GroupId": { "Fn::GetAtt": [ 
@@ -637,18 +637,18 @@ }, "SourceSecurityGroupId": { "Fn::GetAtt": [ - "ClusterspotInstanceSecurityGroup01F7B1CE", + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", "GroupId" ] }, "ToPort": 443 } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51443E3176F85": { + "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterspotInstanceSecurityGroupF50F5D474431DE5485F": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "IpProtocol": "tcp", - "Description": "from awscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51:443", + "Description": "from awscdkeksclustertestClusterspotInstanceSecurityGroupF50F5D47:443", "FromPort": 443, "GroupId": { "Fn::GetAtt": [ @@ -658,13 +658,29 @@ }, "SourceSecurityGroupId": { "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "ClusterspotInstanceSecurityGroup01F7B1CE", "GroupId" ] }, "ToPort": 443 } }, + "ClusterKubectlProviderSecurityGroup2D90691C": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Comminication between KubectlProvider and EKS Control Plane", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, "ClusterCreationRole360249B6": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -705,7 +721,39 @@ ], "Version": "2012-10-17" } - } + }, + "DependsOn": [ + "ClusterKubectlProviderSecurityGroup2D90691C", + "VpcIGWD7BA715C", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + "VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + "VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + "VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", + "Vpc8378EB38", + "VpcVPCGWBF912B6E" + ] }, "ClusterCreationRoleDefaultPolicyE8BDFC7B": { "Type": "AWS::IAM::Policy", 
@@ -806,7 +854,39 @@ "Ref": "ClusterCreationRole360249B6" } ] - } + }, + "DependsOn": [ + "ClusterKubectlProviderSecurityGroup2D90691C", + "VpcIGWD7BA715C", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + "VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + "VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + "VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", + "Vpc8378EB38", + "VpcVPCGWBF912B6E" + ] }, "Cluster9EE0221C": { "Type": "Custom::AWSCDK-EKS-Cluster", @@ -818,22 +898,14 @@ ] }, "Config": { + "version": "1.16", "roleArn": { "Fn::GetAtt": [ "ClusterRoleFA261979", "Arn" ] }, - "version": "1.16", "resourcesVpcConfig": { - "securityGroupIds": [ - { - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - } - ], "subnetIds": [ { "Ref": "VpcPublicSubnet1Subnet5C2D37C4" @@ -853,7 +925,17 @@ { "Ref": "VpcPrivateSubnet3SubnetF258B56E" } - ] + ], + "securityGroupIds": [ + { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + } + ], + "endpointPublicAccess": true, + "endpointPrivateAccess": true } }, "AssumeRoleArn": { 
@@ -865,8 +947,38 @@ "AttributesRevision": 2 }, "DependsOn": [ + "ClusterKubectlProviderSecurityGroup2D90691C", "ClusterCreationRoleDefaultPolicyE8BDFC7B", - "ClusterCreationRole360249B6" + "ClusterCreationRole360249B6", + "VpcIGWD7BA715C", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + "VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + "VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + "VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", + "Vpc8378EB38", + "VpcVPCGWBF912B6E" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" @@ -948,13 +1060,6 @@ ] }, "\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]},{\\\"rolearn\\\":\\\"", - { - "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceRole59AC6F56", - "Arn" - ] - }, - "\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]},{\\\"rolearn\\\":\\\"", { "Fn::GetAtt": [ "ClusterNodegroupextrangNodeGroupRole23AE23D0", 
@@ -2057,320 +2162,6 @@ "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup", - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - } - ], - "Tags": [ - { - "Key": { - "Fn::Join": [ - "", - [ - "kubernetes.io/cluster/", - { - "Ref": "Cluster9EE0221C" - } - ] - ] - }, - "Value": "owned" - }, - { - "Key": "Name", - "Value": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances" - } - ], - "VpcId": { - "Ref": "Vpc8378EB38" - } - } - }, - "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51ALLTRAFFICB6138869": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "IpProtocol": "-1", - "Description": "from awscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51:ALL TRAFFIC", - "GroupId": { - "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", - "GroupId" - ] - }, - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", - "GroupId" - ] - } - } - }, - "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301344437B48FD33": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "IpProtocol": "tcp", - "Description": "from awscdkeksclustertestClusterControlPlaneSecurityGroup2F130134:443", - "FromPort": 443, - "GroupId": { - "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", - "GroupId" - ] - }, - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - }, - "ToPort": 443 - } - }, - 
"ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134102565535A460F673": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "IpProtocol": "tcp", - "Description": "from awscdkeksclustertestClusterControlPlaneSecurityGroup2F130134:1025-65535", - "FromPort": 1025, - "GroupId": { - "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", - "GroupId" - ] - }, - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - }, - "ToPort": 65535 - } - }, - "ClusterInferenceInstancesInstanceRole59AC6F56": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } - ] - ] - } - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/AmazonEKSWorkerNodePolicy" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/AmazonEKS_CNI_Policy" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - ] - ] - } - ], - "Tags": [ - { - "Key": { - "Fn::Join": [ - "", - [ - "kubernetes.io/cluster/", - { - "Ref": "Cluster9EE0221C" - } - ] - ] - }, - "Value": "owned" - }, - { - "Key": "Name", - "Value": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances" - } - ] - } - }, - "ClusterInferenceInstancesInstanceProfile5A1209B4": { - "Type": "AWS::IAM::InstanceProfile", - "Properties": { - "Roles": [ - { - "Ref": "ClusterInferenceInstancesInstanceRole59AC6F56" - } - ] - } - }, - "ClusterInferenceInstancesLaunchConfig03BF48FE": { - "Type": "AWS::AutoScaling::LaunchConfiguration", - "Properties": { - "ImageId": { - "Ref": 
"SsmParameterValueawsserviceeksoptimizedami116amazonlinux2gpurecommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter" - }, - "InstanceType": "inf1.2xlarge", - "IamInstanceProfile": { - "Ref": "ClusterInferenceInstancesInstanceProfile5A1209B4" - }, - "SecurityGroups": [ - { - "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", - "GroupId" - ] - } - ], - "UserData": { - "Fn::Base64": { - "Fn::Join": [ - "", - [ - "#!/bin/bash\nset -o xtrace\n/etc/eks/bootstrap.sh ", - { - "Ref": "Cluster9EE0221C" - }, - " --kubelet-extra-args \"--node-labels lifecycle=OnDemand\" --use-max-pods true\n/opt/aws/bin/cfn-signal --exit-code $? --stack aws-cdk-eks-cluster-test --resource ClusterInferenceInstancesASGE90717C7 --region test-region" - ] - ] - } - } - }, - "DependsOn": [ - "ClusterInferenceInstancesInstanceRole59AC6F56" - ] - }, - "ClusterInferenceInstancesASGE90717C7": { - "Type": "AWS::AutoScaling::AutoScalingGroup", - "Properties": { - "MaxSize": "1", - "MinSize": "1", - "LaunchConfigurationName": { - "Ref": "ClusterInferenceInstancesLaunchConfig03BF48FE" - }, - "Tags": [ - { - "Key": { - "Fn::Join": [ - "", - [ - "kubernetes.io/cluster/", - { - "Ref": "Cluster9EE0221C" - } - ] - ] - }, - "PropagateAtLaunch": true, - "Value": "owned" - }, - { - "Key": "Name", - "PropagateAtLaunch": true, - "Value": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances" - } - ], - "VPCZoneIdentifier": [ - { - "Ref": "VpcPrivateSubnet1Subnet536B997A" - }, - { - "Ref": "VpcPrivateSubnet2Subnet3788AAA1" - }, - { - "Ref": "VpcPrivateSubnet3SubnetF258B56E" - } - ] - }, - "UpdatePolicy": { - "AutoScalingRollingUpdate": { - "WaitOnResourceSignals": false, - "PauseTime": "PT0S", - "SuspendProcesses": [ - "HealthCheck", - "ReplaceUnhealthy", - "AZRebalance", - "AlarmNotification", - "ScheduledActions" - ] - }, - "AutoScalingScheduledAction": { - "IgnoreUnmodifiedGroupSizeProperties": true - } - } - }, - "ClustermanifestNeuronDevicePlugin0B3E0D17": { - "Type": 
"Custom::AWSCDK-EKS-KubernetesResource", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B", - "Outputs.awscdkeksclustertestawscdkawseksKubectlProviderframeworkonEventC681B49AArn" - ] - }, - "Manifest": "[{\"apiVersion\":\"apps/v1\",\"kind\":\"DaemonSet\",\"metadata\":{\"name\":\"neuron-device-plugin-daemonset\",\"namespace\":\"kube-system\"},\"spec\":{\"selector\":{\"matchLabels\":{\"name\":\"neuron-device-plugin-ds\"}},\"updateStrategy\":{\"type\":\"RollingUpdate\"},\"template\":{\"metadata\":{\"annotations\":{\"scheduler.alpha.kubernetes.io/critical-pod\":\"\"},\"labels\":{\"name\":\"neuron-device-plugin-ds\"}},\"spec\":{\"tolerations\":[{\"key\":\"CriticalAddonsOnly\",\"operator\":\"Exists\"},{\"key\":\"aws.amazon.com/neuron\",\"operator\":\"Exists\",\"effect\":\"NoSchedule\"}],\"priorityClassName\":\"system-node-critical\",\"affinity\":{\"nodeAffinity\":{\"requiredDuringSchedulingIgnoredDuringExecution\":{\"nodeSelectorTerms\":[{\"matchExpressions\":[{\"key\":\"beta.kubernetes.io/instance-type\",\"operator\":\"In\",\"values\":[\"inf1.xlarge\",\"inf1.2xlarge\",\"inf1.6xlarge\",\"inf1.4xlarge\"]}]},{\"matchExpressions\":[{\"key\":\"node.kubernetes.io/instance-type\",\"operator\":\"In\",\"values\":[\"inf1.xlarge\",\"inf1.2xlarge\",\"inf1.6xlarge\",\"inf1.24xlarge\"]}]}]}}},\"containers\":[{\"image\":\"790709498068.dkr.ecr.us-west-2.amazonaws.com/neuron-device-plugin:1.0.9043.0\",\"imagePullPolicy\":\"Always\",\"name\":\"k8s-neuron-device-plugin-ctr\",\"securityContext\":{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]}},\"volumeMounts\":[{\"name\":\"device-plugin\",\"mountPath\":\"/var/lib/kubelet/device-plugins\"}]}],\"volumes\":[{\"name\":\"device-plugin\",\"hostPath\":{\"path\":\"/var/lib/kubelet/device-plugins\"}}]}}}}]", - "ClusterName": { - "Ref": "Cluster9EE0221C" - }, - "RoleArn": { - "Fn::GetAtt": [ - 
"ClusterCreationRole360249B6", - "Arn" - ] - } - }, - "DependsOn": [ - "ClusterKubectlReadyBarrier200052AF" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, "ClusterNodegroupextrangNodeGroupRole23AE23D0": { "Type": "AWS::IAM::Role", "Properties": { @@ -2724,7 +2515,7 @@ }, "/", { - "Ref": "AssetParameters5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053S3Bucket50B33A86" + "Ref": "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3BucketCB5B94B8" }, "/", { @@ -2734,7 +2525,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053S3VersionKey1FB82B13" + "Ref": "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3VersionKey144808A4" } ] } @@ -2747,7 +2538,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053S3VersionKey1FB82B13" + "Ref": "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3VersionKey144808A4" } ] } 
@@ -2757,17 +2548,17 @@ ] }, "Parameters": { - "referencetoawscdkeksclustertestAssetParametersc23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03S3BucketD5010C93Ref": { - "Ref": "AssetParametersc23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03S3Bucket2F8CA18B" + "referencetoawscdkeksclustertestAssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3BucketDCEAA88FRef": { + "Ref": "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3Bucket5F33664E" }, - "referencetoawscdkeksclustertestAssetParametersc23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03S3VersionKeyAC8DDB71Ref": { - "Ref": "AssetParametersc23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03S3VersionKeyEFEE8BE5" + "referencetoawscdkeksclustertestAssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey8FF788E1Ref": { + "Ref": "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey5C517502" }, - "referencetoawscdkeksclustertestAssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3Bucket8E231383Ref": { - "Ref": "AssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3Bucket0EEA1C2E" + "referencetoawscdkeksclustertestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketA9A24CF5Ref": { + "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256" }, - "referencetoawscdkeksclustertestAssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3VersionKey33D81F32Ref": { - "Ref": "AssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3VersionKey7BCE18C9" + "referencetoawscdkeksclustertestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKey6036F880Ref": { + "Ref": 
"AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401" } } } @@ -2785,7 +2576,7 @@ }, "/", { - "Ref": "AssetParameters2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42bS3BucketBEF9DA08" + "Ref": "AssetParameters5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2feS3Bucket864A12C7" }, "/", { @@ -2795,7 +2586,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42bS3VersionKey8B401BBD" + "Ref": "AssetParameters5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2feS3VersionKeyD0F4176F" } ] } @@ -2808,7 +2599,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42bS3VersionKey8B401BBD" + "Ref": "AssetParameters5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2feS3VersionKeyD0F4176F" } ] } 
@@ -2818,17 +2609,17 @@ ] }, "Parameters": { - "referencetoawscdkeksclustertestAssetParameters2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050S3BucketA41B2C70Ref": { - "Ref": "AssetParameters2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050S3Bucket0EAA682D" + "referencetoawscdkeksclustertestAssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3Bucket8095B011Ref": { + "Ref": "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3BucketE7D09A6B" }, - "referencetoawscdkeksclustertestAssetParameters2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050S3VersionKey4E1E47F7Ref": { - "Ref": "AssetParameters2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050S3VersionKeyF3400812" + "referencetoawscdkeksclustertestAssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3VersionKeyFE6DC258Ref": { + "Ref": "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3VersionKey1DA734B2" }, - "referencetoawscdkeksclustertestAssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3Bucket8E231383Ref": { - "Ref": "AssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3Bucket0EEA1C2E" + "referencetoawscdkeksclustertestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketA9A24CF5Ref": { + "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256" }, - "referencetoawscdkeksclustertestAssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3VersionKey33D81F32Ref": { - "Ref": "AssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3VersionKey7BCE18C9" + "referencetoawscdkeksclustertestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKey6036F880Ref": { + "Ref": 
"AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401" } } } @@ -2860,7 +2651,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParameters3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086S3Bucket57C0655B" + "Ref": "AssetParameters952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344S3Bucket055DC235" }, "S3Key": { "Fn::Join": [ @@ -2873,7 +2664,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086S3VersionKey4BC65AD6" + "Ref": "AssetParameters952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344S3VersionKey2FFFA299" } ] } @@ -2886,7 +2677,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086S3VersionKey4BC65AD6" + "Ref": "AssetParameters952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344S3VersionKey2FFFA299" } ] } @@ -2959,7 +2750,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161S3Bucket0C424907" + "Ref": "AssetParameterseb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3S3BucketB6A9971A" }, "S3Key": { "Fn::Join": [ @@ -2972,7 +2763,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161S3VersionKey6841F1F8" + "Ref": "AssetParameterseb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3S3VersionKey08BBD845" } ] } @@ -2985,7 +2776,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161S3VersionKey6841F1F8" + "Ref": "AssetParameterseb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3S3VersionKey08BBD845" } ] } 
@@ -3099,89 +2890,89 @@ } }, "Parameters": { - "AssetParametersc23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03S3Bucket2F8CA18B": { + "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3Bucket5F33664E": { "Type": "String", - "Description": "S3 bucket for asset \"c23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03\"" + "Description": "S3 bucket for asset \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" }, - "AssetParametersc23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03S3VersionKeyEFEE8BE5": { + "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey5C517502": { "Type": "String", - "Description": "S3 key for asset version \"c23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03\"" + "Description": "S3 key for asset version \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" }, - "AssetParametersc23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03ArtifactHashC187523A": { + "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aArtifactHashFDE4A4C8": { "Type": "String", - "Description": "Artifact hash for asset \"c23ce59a47ffb1e28812148fb83f7dcb0d94f1f0286e122a2f1aa189c0b35d03\"" + "Description": "Artifact hash for asset \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" }, - "AssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3Bucket0EEA1C2E": { + "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256": { "Type": "String", - "Description": "S3 bucket for asset \"956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3\"" + "Description": "S3 bucket for asset \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\"" }, - "AssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3S3VersionKey7BCE18C9": { + 
"AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401": { "Type": "String", - "Description": "S3 key for asset version \"956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3\"" + "Description": "S3 key for asset version \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\"" }, - "AssetParameters956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3ArtifactHash2CBB11D2": { + "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cArtifactHash5C0B1EA0": { "Type": "String", - "Description": "Artifact hash for asset \"956c2f92ddbde06f551fdf914445c679dcadb21c6e8d1ee9c9632144ef5a2ad3\"" + "Description": "Artifact hash for asset \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\"" }, - "AssetParameters2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050S3Bucket0EAA682D": { + "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3BucketE7D09A6B": { "Type": "String", - "Description": "S3 bucket for asset \"2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050\"" + "Description": "S3 bucket for asset \"649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502\"" }, - "AssetParameters2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050S3VersionKeyF3400812": { + "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3VersionKey1DA734B2": { "Type": "String", - "Description": "S3 key for asset version \"2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050\"" + "Description": "S3 key for asset version \"649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502\"" }, - "AssetParameters2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050ArtifactHashF4CEE19F": { + "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502ArtifactHash815E1969": { "Type": "String", - "Description": "Artifact hash for asset 
\"2d65340a9414c04d1844e421bd328aa3b80015d6a02e74afe9a222168b2ba050\"" + "Description": "Artifact hash for asset \"649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502\"" }, - "AssetParameters3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086S3Bucket57C0655B": { + "AssetParameters952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344S3Bucket055DC235": { "Type": "String", - "Description": "S3 bucket for asset \"3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086\"" + "Description": "S3 bucket for asset \"952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344\"" }, - "AssetParameters3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086S3VersionKey4BC65AD6": { + "AssetParameters952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344S3VersionKey2FFFA299": { "Type": "String", - "Description": "S3 key for asset version \"3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086\"" + "Description": "S3 key for asset version \"952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344\"" }, - "AssetParameters3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086ArtifactHashD8D99435": { + "AssetParameters952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344ArtifactHash1AB042BC": { "Type": "String", - "Description": "Artifact hash for asset \"3b28f4ee261986c158a160900e3042a61238f644fe502199d60bcea592128086\"" + "Description": "Artifact hash for asset \"952bd1c03e8201c4c1c67d6de0f3fdaaf88fda05f89a1232c3f6364343cd5344\"" }, - "AssetParametersea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161S3Bucket0C424907": { + "AssetParameterseb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3S3BucketB6A9971A": { "Type": "String", - "Description": "S3 bucket for asset \"ea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161\"" + "Description": "S3 bucket for asset \"eb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3\"" }, - 
"AssetParametersea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161S3VersionKey6841F1F8": { + "AssetParameterseb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3S3VersionKey08BBD845": { "Type": "String", - "Description": "S3 key for asset version \"ea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161\"" + "Description": "S3 key for asset version \"eb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3\"" }, - "AssetParametersea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161ArtifactHash67B22EF2": { + "AssetParameterseb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3ArtifactHashADF25EB1": { "Type": "String", - "Description": "Artifact hash for asset \"ea46702e1c05b2735e48e826d630f7bf6acdf7e55d6fa8d9fa8df858d5542161\"" + "Description": "Artifact hash for asset \"eb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3\"" }, - "AssetParameters5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053S3Bucket50B33A86": { + "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3BucketCB5B94B8": { "Type": "String", - "Description": "S3 bucket for asset \"5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053\"" + "Description": "S3 bucket for asset \"4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9\"" }, - "AssetParameters5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053S3VersionKey1FB82B13": { + "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3VersionKey144808A4": { "Type": "String", - "Description": "S3 key for asset version \"5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053\"" + "Description": "S3 key for asset version \"4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9\"" }, - "AssetParameters5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053ArtifactHash599411DD": { + 
"AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9ArtifactHashD0D702C4": { "Type": "String", - "Description": "Artifact hash for asset \"5215f685494c7a295ec1b06b713a041a82e7ac216473965711a88e32405e9053\"" + "Description": "Artifact hash for asset \"4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9\"" }, - "AssetParameters2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42bS3BucketBEF9DA08": { + "AssetParameters5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2feS3Bucket864A12C7": { "Type": "String", - "Description": "S3 bucket for asset \"2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42b\"" + "Description": "S3 bucket for asset \"5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2fe\"" }, - "AssetParameters2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42bS3VersionKey8B401BBD": { + "AssetParameters5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2feS3VersionKeyD0F4176F": { "Type": "String", - "Description": "S3 key for asset version \"2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42b\"" + "Description": "S3 key for asset version \"5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2fe\"" }, - "AssetParameters2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42bArtifactHash87F44C09": { + "AssetParameters5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2feArtifactHash2B9F340F": { "Type": "String", - "Description": "Artifact hash for asset \"2181e1ea22ea11a566260dec2f26c5f66ac77bb1b73812ba467b9c3bc564e42b\"" + "Description": "Artifact hash for asset \"5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2fe\"" }, "SsmParameterValueawsserviceeksoptimizedami116amazonlinux2recommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter": { "Type": "AWS::SSM::Parameter::Value", 
@@ -3190,10 +2981,6 @@ "SsmParameterValueawsservicebottlerocketawsk8s115x8664latestimageidC96584B6F00A464EAD1953AFF4B05118Parameter": { "Type": "AWS::SSM::Parameter::Value", "Default": "/aws/service/bottlerocket/aws-k8s-1.15/x86_64/latest/image_id" - }, - "SsmParameterValueawsserviceeksoptimizedami116amazonlinux2gpurecommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/aws/service/eks/optimized-ami/1.16/amazon-linux-2-gpu/recommended/image_id" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts index 6340be221a298..fae1879e2b929 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts @@ -56,11 +56,11 @@ class EksClusterStack extends TestStack { }, }); - // inference instances - cluster.addCapacity('InferenceInstances', { - instanceType: new ec2.InstanceType('inf1.2xlarge'), - minCapacity: 1, - }); + // // inference instances + // cluster.addCapacity('InferenceInstances', { + // instanceType: new ec2.InstanceType('inf1.2xlarge'), + // minCapacity: 1, + // }); // add a extra nodegroup cluster.addNodegroup('extra-ng', { From 744353206b7d2d3679bddc268d2de749a7c2ceb4 Mon Sep 17 00:00:00 2001 From: epolon Date: Sun, 26 Jul 2020 22:55:50 +0300 Subject: [PATCH 17/33] integ tests --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 23 +- ...eks-cluster-private-endpoint.expected.json | 635 +++++++----------- .../integ.eks-cluster-private-endpoint.ts | 27 +- .../test/integ.eks-cluster.expected.json | 346 ++++++++++ .../aws-eks/test/integ.eks-cluster.ts | 10 +- .../@aws-cdk/aws-eks/test/test.cluster.ts | 177 +++++ 6 files changed, 774 insertions(+), 444 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index dc9292ad87dcd..85fba1e9de270 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts 
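Review bot: The inference-instances block in integ.eks-cluster.ts is commented out rather than removed, and nothing says why it is disabled or when it should come back, so the snapshot silently stops covering the inf1 capacity path (the expected.json hunk just above drops the GPU-optimized AMI parameter accordingly). Either delete the block or keep it with a stated reason, e.g. `// TODO(<reason placeholder>): 'InferenceInstances' capacity disabled — re-enable once <condition placeholder>`. The enclosing EksClusterStack constructor starts before this hunk.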
+++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -516,6 +516,8 @@ export class Cluster extends Resource implements ICluster { private readonly kubctlProviderSecurityGroup?: ec2.ISecurityGroup; + private readonly vpcSubnets: ec2.SubnetSelection[]; + private readonly version: KubernetesVersion; /** @@ -569,9 +571,10 @@ export class Cluster extends Resource implements ICluster { defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API }); + this.vpcSubnets = props.vpcSubnets || [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }]; + // Get subnetIds for all selected subnets - const placements = props.vpcSubnets || [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }]; - const subnetIds = [...new Set(Array().concat(...placements.map(s => this.vpc.selectSubnets(s).subnetIds)))]; + const subnetIds = [...new Set(Array().concat(...this.vpcSubnets.map(s => this.vpc.selectSubnets(s).subnetIds)))]; const clusterProps: CfnClusterProps = { name: this.physicalName, @@ -1033,9 +1036,8 @@ export class Cluster extends Resource implements ICluster { providerProps = { ...providerProps, vpc: this.vpc, - // lambda functions can only bind to one subnet per az, also, only private subnets - // are allowed (and needed). - vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE }, + // lambda can only be accociated with max 16 subnets and they all need to be private. + vpcSubnets: {subnets: this.selectPrivateSubnets().slice(0, 16)}, securityGroups: [this.kubctlProviderSecurityGroup!], }; } 
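Review bot: `vpcSubnets: {subnets: this.selectPrivateSubnets().slice(0, 16)}` neither checks that any private subnet was selected nor reports that it truncated the list, so a VPC or `vpcSubnets` selection without private subnets hands the kubectl provider an empty subnet list and the failure only surfaces at deploy time, while a selection with more than 16 subnets silently drops whatever comes last in placement order (possibly a whole AZ). I would compute the list first and fail early: `const privateSubnets = this.selectPrivateSubnets();` / `if (privateSubnets.length === 0) { throw new Error('kubectl provider requires at least one private subnet in the selected vpcSubnets'); }` / `vpcSubnets: { subnets: privateSubnets.slice(0, 16) },`, and emit a construct warning when the slice actually truncates. The new comment also misspells "associated" (`accociated`). The enclosing method begins before this hunk.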
@@ -1055,6 +1057,17 @@ export class Cluster extends Resource implements ICluster { return provider; } + private selectPrivateSubnets(): ec2.ISubnet[] { + + const privateSubnets: ec2.ISubnet[] = []; + + for (const placement of this.vpcSubnets) { + privateSubnets.push(...this.vpc.selectSubnets(placement).subnets.filter(s => s instanceof ec2.PrivateSubnet)); + } + + return privateSubnets; + } + /** * Installs the AWS spot instance interrupt handler on the cluster if it's not * already added. diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json index eeeb76c3c2156..42e1390bbae97 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json @@ -43,7 +43,7 @@ ] } }, - "VpcPrivate1Subnet1SubnetC688B2B1": { + "VpcPublicSubnet1Subnet5C2D37C4": { "Type": "AWS::EC2::Subnet", "Properties": { "CidrBlock": "10.0.0.0/19", @@ -51,28 +51,28 @@ "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1a", - "MapPublicIpOnLaunch": false, + "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Private1" + "Value": "Public" }, { "Key": "aws-cdk:subnet-type", - "Value": "Private" + "Value": "Public" }, { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private1Subnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" } ] } }, - "VpcPrivate1Subnet1RouteTable63B93D7A": { + "VpcPublicSubnet1RouteTable6C95E38E": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { 
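Review bot: `s instanceof ec2.PrivateSubnet` in the new selectPrivateSubnets() only recognises subnets constructed by `ec2.Vpc` in this app; subnets of an imported VPC (`Vpc.fromLookup`/`fromVpcAttributes`) or created via `Subnet.fromSubnetAttributes` are, as far as I can tell, not `PrivateSubnet` instances, so for those the method returns `[]` and the kubectl provider ends up with no subnets at all. Filtering on membership in `this.vpc.privateSubnets` covers both cases (assuming `selectSubnets()` hands back the same instances — worth confirming, otherwise compare `subnetId`), and collecting into a `Set` removes the duplicates that overlapping placements in `this.vpcSubnets` would otherwise produce (the constructor's `subnetIds` already dedups via `new Set`). A doc comment stating that the result feeds the kubectl provider's VPC configuration and is therefore restricted to private subnets would help the next reader. The class continues outside the hunk.
```typescript
  private selectPrivateSubnets(): ec2.ISubnet[] {
    // Membership test rather than instanceof so imported VPCs/subnets are recognised too;
    // a Set keeps the result free of duplicates from overlapping placements.
    const privateSubnets = new Set(this.vpc.privateSubnets);
    const selected = new Set<ec2.ISubnet>();
    for (const placement of this.vpcSubnets) {
      for (const subnet of this.vpc.selectSubnets(placement).subnets) {
        if (privateSubnets.has(subnet)) { selected.add(subnet); }
      }
    }
    return [...selected];
  }
```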
@@ -80,139 +80,112 @@ }, "Tags": [ { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private1Subnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" } ] } }, - "VpcPrivate1Subnet1RouteTableAssociation97501102": { + "VpcPublicSubnet1RouteTableAssociation97140677": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate1Subnet1RouteTable63B93D7A" + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" }, "SubnetId": { - "Ref": "VpcPrivate1Subnet1SubnetC688B2B1" + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" } } }, - "VpcPrivate1Subnet1DefaultRouteF2E75A1D": { + "VpcPublicSubnet1DefaultRoute3DA9E72A": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate1Subnet1RouteTable63B93D7A" + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" }, "DestinationCidrBlock": "0.0.0.0/0", - "NatGatewayId": { - "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" + "GatewayId": { + "Ref": "VpcIGWD7BA715C" } - } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] }, - "VpcPrivate1Subnet2SubnetA2AF15C7": { - "Type": "AWS::EC2::Subnet", + "VpcPublicSubnet1EIPD7E02669": { + "Type": "AWS::EC2::EIP", "Properties": { - "CidrBlock": "10.0.32.0/19", - "VpcId": { - "Ref": "Vpc8378EB38" - }, - "AvailabilityZone": "test-region-1b", - "MapPublicIpOnLaunch": false, + "Domain": "vpc", "Tags": [ { - "Key": "aws-cdk:subnet-name", - "Value": "Private1" - }, - { - "Key": "aws-cdk:subnet-type", - "Value": "Private" - }, - { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private1Subnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" } ] } }, - "VpcPrivate1Subnet2RouteTable695199F8": { - "Type": "AWS::EC2::RouteTable", + "VpcPublicSubnet1NATGateway4D7517AA": { + "Type": 
"AWS::EC2::NatGateway", "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet1EIPD7E02669", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" }, "Tags": [ { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private1Subnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet1" } ] } }, - "VpcPrivate1Subnet2RouteTableAssociation24F600FF": { - "Type": "AWS::EC2::SubnetRouteTableAssociation", - "Properties": { - "RouteTableId": { - "Ref": "VpcPrivate1Subnet2RouteTable695199F8" - }, - "SubnetId": { - "Ref": "VpcPrivate1Subnet2SubnetA2AF15C7" - } - } - }, - "VpcPrivate1Subnet2DefaultRouteD86AEB1B": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VpcPrivate1Subnet2RouteTable695199F8" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "NatGatewayId": { - "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" - } - } - }, - "VpcPrivate2Subnet1SubnetE13E2E30": { + "VpcPublicSubnet2Subnet691E08A3": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.64.0/19", + "CidrBlock": "10.0.32.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, - "AvailabilityZone": "test-region-1a", - "MapPublicIpOnLaunch": false, + "AvailabilityZone": "test-region-1b", + "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Private2" + "Value": "Public" }, { "Key": "aws-cdk:subnet-type", - "Value": "Private" + "Value": "Public" }, { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private2Subnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet2" } ] } }, - "VpcPrivate2Subnet1RouteTableDBA2D67B": { + "VpcPublicSubnet2RouteTable94F7E489": { "Type": "AWS::EC2::RouteTable", "Properties": { 
"VpcId": { 
@@ -220,69 +193,72 @@ }, "Tags": [ { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private2Subnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet2" } ] } }, - "VpcPrivate2Subnet1RouteTableAssociationF5F23DD8": { + "VpcPublicSubnet2RouteTableAssociationDD5762D8": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate2Subnet1RouteTableDBA2D67B" + "Ref": "VpcPublicSubnet2RouteTable94F7E489" }, "SubnetId": { - "Ref": "VpcPrivate2Subnet1SubnetE13E2E30" + "Ref": "VpcPublicSubnet2Subnet691E08A3" } } }, - "VpcPrivate2Subnet1DefaultRouteAB9E1DA7": { + "VpcPublicSubnet2DefaultRoute97F91067": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate2Subnet1RouteTableDBA2D67B" + "Ref": "VpcPublicSubnet2RouteTable94F7E489" }, "DestinationCidrBlock": "0.0.0.0/0", - "NatGatewayId": { - "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" + "GatewayId": { + "Ref": "VpcIGWD7BA715C" } - } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] }, - "VpcPrivate2Subnet2Subnet158A38AB": { + "VpcPublicSubnet3SubnetBE12F0B6": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.96.0/19", + "CidrBlock": "10.0.64.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, - "AvailabilityZone": "test-region-1b", - "MapPublicIpOnLaunch": false, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": true, "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Private2" + "Value": "Public" }, { "Key": "aws-cdk:subnet-type", - "Value": "Private" + "Value": "Public" }, { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private2Subnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet3" } ] } }, - "VpcPrivate2Subnet2RouteTableAE2A7039": { + 
"VpcPublicSubnet3RouteTable93458DBB": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { @@ -290,43 +266,46 @@ }, "Tags": [ { - "Key": "kubernetes.io/role/internal-elb", + "Key": "kubernetes.io/role/elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private2Subnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PublicSubnet3" } ] } }, - "VpcPrivate2Subnet2RouteTableAssociation84DD7BE3": { + "VpcPublicSubnet3RouteTableAssociation1F1EDF02": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate2Subnet2RouteTableAE2A7039" + "Ref": "VpcPublicSubnet3RouteTable93458DBB" }, "SubnetId": { - "Ref": "VpcPrivate2Subnet2Subnet158A38AB" + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" } } }, - "VpcPrivate2Subnet2DefaultRoute819C9A9A": { + "VpcPublicSubnet3DefaultRoute4697774F": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate2Subnet2RouteTableAE2A7039" + "Ref": "VpcPublicSubnet3RouteTable93458DBB" }, "DestinationCidrBlock": "0.0.0.0/0", - "NatGatewayId": { - "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" + "GatewayId": { + "Ref": "VpcIGWD7BA715C" } - } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] }, - "VpcPrivate3Subnet1Subnet0E5E4806": { + "VpcPrivateSubnet1Subnet536B997A": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.128.0/19", + "CidrBlock": "10.0.96.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, @@ -335,7 +314,7 @@ "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Private3" + "Value": "Private" }, { "Key": "aws-cdk:subnet-type", @@ -347,12 +326,12 @@ }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private3Subnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet1" } ] } }, - "VpcPrivate3Subnet1RouteTableF63E0CF3": { + "VpcPrivateSubnet1RouteTableB2C5B500": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { 
@@ -365,38 +344,38 @@ }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private3Subnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet1" } ] } }, - "VpcPrivate3Subnet1RouteTableAssociationC5688D3B": { + "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate3Subnet1RouteTableF63E0CF3" + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" }, "SubnetId": { - "Ref": "VpcPrivate3Subnet1Subnet0E5E4806" + "Ref": "VpcPrivateSubnet1Subnet536B997A" } } }, - "VpcPrivate3Subnet1DefaultRoute5318328D": { + "VpcPrivateSubnet1DefaultRouteBE02A9ED": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate3Subnet1RouteTableF63E0CF3" + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { - "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" } } }, - "VpcPrivate3Subnet2SubnetD72105DD": { + "VpcPrivateSubnet2Subnet3788AAA1": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.160.0/19", + "CidrBlock": "10.0.128.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, @@ -405,7 +384,7 @@ "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Private3" + "Value": "Private" }, { "Key": "aws-cdk:subnet-type", @@ -417,12 +396,12 @@ }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private3Subnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet2" } ] } }, - "VpcPrivate3Subnet2RouteTable1DBBA64A": { + "VpcPrivateSubnet2RouteTableA678073B": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { 
@@ -435,64 +414,64 @@ }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Private3Subnet2" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet2" } ] } }, - "VpcPrivate3Subnet2RouteTableAssociation31AF23B3": { + "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate3Subnet2RouteTable1DBBA64A" + "Ref": "VpcPrivateSubnet2RouteTableA678073B" }, "SubnetId": { - "Ref": "VpcPrivate3Subnet2SubnetD72105DD" + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" } } }, - "VpcPrivate3Subnet2DefaultRoute1F5E0972": { + "VpcPrivateSubnet2DefaultRoute060D2087": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPrivate3Subnet2RouteTable1DBBA64A" + "Ref": "VpcPrivateSubnet2RouteTableA678073B" }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { - "Ref": "VpcPublic1Subnet1NATGatewayF6E55728" + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" } } }, - "VpcPublic1Subnet1Subnet822C42F4": { + "VpcPrivateSubnet3SubnetF258B56E": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.192.0/19", + "CidrBlock": "10.0.160.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, - "AvailabilityZone": "test-region-1a", - "MapPublicIpOnLaunch": true, + "AvailabilityZone": "test-region-1c", + "MapPublicIpOnLaunch": false, "Tags": [ { "Key": "aws-cdk:subnet-name", - "Value": "Public1" + "Value": "Private" }, { "Key": "aws-cdk:subnet-type", - "Value": "Public" + "Value": "Private" }, { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet3" } ] } }, - "VpcPublic1Subnet1RouteTable656E2024": { + "VpcPrivateSubnet3RouteTableD98824C7": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { 
@@ -500,155 +479,39 @@ }, "Tags": [ { - "Key": "kubernetes.io/role/elb", + "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, { "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet1" + "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/PrivateSubnet3" } ] } }, - "VpcPublic1Subnet1RouteTableAssociation5CE153E6": { + "VpcPrivateSubnet3RouteTableAssociation16BDDC43": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "RouteTableId": { - "Ref": "VpcPublic1Subnet1RouteTable656E2024" + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" }, "SubnetId": { - "Ref": "VpcPublic1Subnet1Subnet822C42F4" + "Ref": "VpcPrivateSubnet3SubnetF258B56E" } } }, - "VpcPublic1Subnet1DefaultRouteD855846C": { + "VpcPrivateSubnet3DefaultRoute94B74F0D": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { - "Ref": "VpcPublic1Subnet1RouteTable656E2024" + "Ref": "VpcPrivateSubnet3RouteTableD98824C7" }, "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VpcIGWD7BA715C" - } - }, - "DependsOn": [ - "VpcVPCGWBF912B6E" - ] - }, - "VpcPublic1Subnet1EIP6E1EA980": { - "Type": "AWS::EC2::EIP", - "Properties": { - "Domain": "vpc", - "Tags": [ - { - "Key": "kubernetes.io/role/elb", - "Value": "1" - }, - { - "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet1" - } - ] - } - }, - "VpcPublic1Subnet1NATGatewayF6E55728": { - "Type": "AWS::EC2::NatGateway", - "Properties": { - "AllocationId": { - "Fn::GetAtt": [ - "VpcPublic1Subnet1EIP6E1EA980", - "AllocationId" - ] - }, - "SubnetId": { - "Ref": "VpcPublic1Subnet1Subnet822C42F4" - }, - "Tags": [ - { - "Key": "kubernetes.io/role/elb", - "Value": "1" - }, - { - "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet1" - } - ] - } - }, - "VpcPublic1Subnet2Subnet47603E66": { - "Type": "AWS::EC2::Subnet", - "Properties": { - "CidrBlock": "10.0.224.0/19", - "VpcId": { - "Ref": "Vpc8378EB38" - }, - "AvailabilityZone": 
"test-region-1b", - "MapPublicIpOnLaunch": true, - "Tags": [ - { - "Key": "aws-cdk:subnet-name", - "Value": "Public1" - }, - { - "Key": "aws-cdk:subnet-type", - "Value": "Public" - }, - { - "Key": "kubernetes.io/role/elb", - "Value": "1" - }, - { - "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet2" - } - ] - } - }, - "VpcPublic1Subnet2RouteTable99F73B51": { - "Type": "AWS::EC2::RouteTable", - "Properties": { - "VpcId": { - "Ref": "Vpc8378EB38" - }, - "Tags": [ - { - "Key": "kubernetes.io/role/elb", - "Value": "1" - }, - { - "Key": "Name", - "Value": "aws-cdk-eks-cluster-private-endpoint-test/Vpc/Public1Subnet2" - } - ] - } - }, - "VpcPublic1Subnet2RouteTableAssociationC9119526": { - "Type": "AWS::EC2::SubnetRouteTableAssociation", - "Properties": { - "RouteTableId": { - "Ref": "VpcPublic1Subnet2RouteTable99F73B51" - }, - "SubnetId": { - "Ref": "VpcPublic1Subnet2Subnet47603E66" + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" } } }, - "VpcPublic1Subnet2DefaultRoute73AD7054": { - "Type": "AWS::EC2::Route", - "Properties": { - "RouteTableId": { - "Ref": "VpcPublic1Subnet2RouteTable99F73B51" - }, - "DestinationCidrBlock": "0.0.0.0/0", - "GatewayId": { - "Ref": "VpcIGWD7BA715C" - } - }, - "DependsOn": [ - "VpcVPCGWBF912B6E" - ] - }, "VpcIGWD7BA715C": { "Type": "AWS::EC2::InternetGateway", "Properties": { 
@@ -799,40 +662,32 @@ "DependsOn": [ "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", - "VpcPrivate1Subnet1DefaultRouteF2E75A1D", - "VpcPrivate1Subnet1RouteTable63B93D7A", - "VpcPrivate1Subnet1RouteTableAssociation97501102", - "VpcPrivate1Subnet1SubnetC688B2B1", - "VpcPrivate1Subnet2DefaultRouteD86AEB1B", - "VpcPrivate1Subnet2RouteTable695199F8", - "VpcPrivate1Subnet2RouteTableAssociation24F600FF", - "VpcPrivate1Subnet2SubnetA2AF15C7", - "VpcPrivate2Subnet1DefaultRouteAB9E1DA7", - "VpcPrivate2Subnet1RouteTableDBA2D67B", - "VpcPrivate2Subnet1RouteTableAssociationF5F23DD8", - "VpcPrivate2Subnet1SubnetE13E2E30", - "VpcPrivate2Subnet2DefaultRoute819C9A9A", - "VpcPrivate2Subnet2RouteTableAE2A7039", - "VpcPrivate2Subnet2RouteTableAssociation84DD7BE3", - "VpcPrivate2Subnet2Subnet158A38AB", - "VpcPrivate3Subnet1DefaultRoute5318328D", - "VpcPrivate3Subnet1RouteTableF63E0CF3", - "VpcPrivate3Subnet1RouteTableAssociationC5688D3B", - "VpcPrivate3Subnet1Subnet0E5E4806", - "VpcPrivate3Subnet2DefaultRoute1F5E0972", - "VpcPrivate3Subnet2RouteTable1DBBA64A", - "VpcPrivate3Subnet2RouteTableAssociation31AF23B3", - "VpcPrivate3Subnet2SubnetD72105DD", - "VpcPublic1Subnet1DefaultRouteD855846C", - "VpcPublic1Subnet1EIP6E1EA980", - "VpcPublic1Subnet1NATGatewayF6E55728", - "VpcPublic1Subnet1RouteTable656E2024", - "VpcPublic1Subnet1RouteTableAssociation5CE153E6", - "VpcPublic1Subnet1Subnet822C42F4", - "VpcPublic1Subnet2DefaultRoute73AD7054", - "VpcPublic1Subnet2RouteTable99F73B51", - "VpcPublic1Subnet2RouteTableAssociationC9119526", - "VpcPublic1Subnet2Subnet47603E66", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + "VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + 
"VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + "VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", "Vpc8378EB38", "VpcVPCGWBF912B6E" ] 
@@ -930,40 +785,32 @@ "DependsOn": [ "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", - "VpcPrivate1Subnet1DefaultRouteF2E75A1D", - "VpcPrivate1Subnet1RouteTable63B93D7A", - "VpcPrivate1Subnet1RouteTableAssociation97501102", - "VpcPrivate1Subnet1SubnetC688B2B1", - "VpcPrivate1Subnet2DefaultRouteD86AEB1B", - "VpcPrivate1Subnet2RouteTable695199F8", - "VpcPrivate1Subnet2RouteTableAssociation24F600FF", - "VpcPrivate1Subnet2SubnetA2AF15C7", - "VpcPrivate2Subnet1DefaultRouteAB9E1DA7", - "VpcPrivate2Subnet1RouteTableDBA2D67B", - "VpcPrivate2Subnet1RouteTableAssociationF5F23DD8", - "VpcPrivate2Subnet1SubnetE13E2E30", - "VpcPrivate2Subnet2DefaultRoute819C9A9A", - "VpcPrivate2Subnet2RouteTableAE2A7039", - "VpcPrivate2Subnet2RouteTableAssociation84DD7BE3", - "VpcPrivate2Subnet2Subnet158A38AB", - "VpcPrivate3Subnet1DefaultRoute5318328D", - "VpcPrivate3Subnet1RouteTableF63E0CF3", - "VpcPrivate3Subnet1RouteTableAssociationC5688D3B", - "VpcPrivate3Subnet1Subnet0E5E4806", - "VpcPrivate3Subnet2DefaultRoute1F5E0972", - "VpcPrivate3Subnet2RouteTable1DBBA64A", - "VpcPrivate3Subnet2RouteTableAssociation31AF23B3", - "VpcPrivate3Subnet2SubnetD72105DD", - "VpcPublic1Subnet1DefaultRouteD855846C", - "VpcPublic1Subnet1EIP6E1EA980", - "VpcPublic1Subnet1NATGatewayF6E55728", - "VpcPublic1Subnet1RouteTable656E2024", - "VpcPublic1Subnet1RouteTableAssociation5CE153E6", - "VpcPublic1Subnet1Subnet822C42F4", - "VpcPublic1Subnet2DefaultRoute73AD7054", - "VpcPublic1Subnet2RouteTable99F73B51", - "VpcPublic1Subnet2RouteTableAssociationC9119526", - "VpcPublic1Subnet2Subnet47603E66", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + "VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + 
"VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + "VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", "Vpc8378EB38", "VpcVPCGWBF912B6E" ] @@ -988,28 +835,22 @@ "resourcesVpcConfig": { "subnetIds": [ { - "Ref": "VpcPublic1Subnet1Subnet822C42F4" - }, - { - "Ref": "VpcPublic1Subnet2Subnet47603E66" + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" }, { - "Ref": "VpcPrivate1Subnet1SubnetC688B2B1" + "Ref": "VpcPublicSubnet2Subnet691E08A3" }, { - "Ref": "VpcPrivate1Subnet2SubnetA2AF15C7" + "Ref": "VpcPublicSubnet3SubnetBE12F0B6" }, { - "Ref": "VpcPrivate2Subnet1SubnetE13E2E30" + "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { - "Ref": "VpcPrivate2Subnet2Subnet158A38AB" + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" }, { - "Ref": "VpcPrivate3Subnet1Subnet0E5E4806" - }, - { - "Ref": "VpcPrivate3Subnet2SubnetD72105DD" + "Ref": "VpcPrivateSubnet3SubnetF258B56E" } ], "securityGroupIds": [ 
@@ -1037,40 +878,32 @@ "ClusterCreationRoleDefaultPolicyE8BDFC7B", "ClusterCreationRole360249B6", "VpcIGWD7BA715C", - "VpcPrivate1Subnet1DefaultRouteF2E75A1D", - "VpcPrivate1Subnet1RouteTable63B93D7A", - "VpcPrivate1Subnet1RouteTableAssociation97501102", - "VpcPrivate1Subnet1SubnetC688B2B1", - "VpcPrivate1Subnet2DefaultRouteD86AEB1B", - "VpcPrivate1Subnet2RouteTable695199F8", - "VpcPrivate1Subnet2RouteTableAssociation24F600FF", - "VpcPrivate1Subnet2SubnetA2AF15C7", - "VpcPrivate2Subnet1DefaultRouteAB9E1DA7", - "VpcPrivate2Subnet1RouteTableDBA2D67B", - "VpcPrivate2Subnet1RouteTableAssociationF5F23DD8", - "VpcPrivate2Subnet1SubnetE13E2E30", - "VpcPrivate2Subnet2DefaultRoute819C9A9A", - "VpcPrivate2Subnet2RouteTableAE2A7039", - "VpcPrivate2Subnet2RouteTableAssociation84DD7BE3", - "VpcPrivate2Subnet2Subnet158A38AB", - "VpcPrivate3Subnet1DefaultRoute5318328D", - "VpcPrivate3Subnet1RouteTableF63E0CF3", - "VpcPrivate3Subnet1RouteTableAssociationC5688D3B", - "VpcPrivate3Subnet1Subnet0E5E4806", - "VpcPrivate3Subnet2DefaultRoute1F5E0972", - "VpcPrivate3Subnet2RouteTable1DBBA64A", - "VpcPrivate3Subnet2RouteTableAssociation31AF23B3", - "VpcPrivate3Subnet2SubnetD72105DD", - "VpcPublic1Subnet1DefaultRouteD855846C", - "VpcPublic1Subnet1EIP6E1EA980", - "VpcPublic1Subnet1NATGatewayF6E55728", - "VpcPublic1Subnet1RouteTable656E2024", - "VpcPublic1Subnet1RouteTableAssociation5CE153E6", - "VpcPublic1Subnet1Subnet822C42F4", - "VpcPublic1Subnet2DefaultRoute73AD7054", - "VpcPublic1Subnet2RouteTable99F73B51", - "VpcPublic1Subnet2RouteTableAssociationC9119526", - "VpcPublic1Subnet2Subnet47603E66", + "VpcPrivateSubnet1DefaultRouteBE02A9ED", + "VpcPrivateSubnet1RouteTableB2C5B500", + "VpcPrivateSubnet1RouteTableAssociation70C59FA6", + "VpcPrivateSubnet1Subnet536B997A", + "VpcPrivateSubnet2DefaultRoute060D2087", + "VpcPrivateSubnet2RouteTableA678073B", + "VpcPrivateSubnet2RouteTableAssociationA89CAD56", + "VpcPrivateSubnet2Subnet3788AAA1", + "VpcPrivateSubnet3DefaultRoute94B74F0D", + 
"VpcPrivateSubnet3RouteTableD98824C7", + "VpcPrivateSubnet3RouteTableAssociation16BDDC43", + "VpcPrivateSubnet3SubnetF258B56E", + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1EIPD7E02669", + "VpcPublicSubnet1NATGateway4D7517AA", + "VpcPublicSubnet1RouteTable6C95E38E", + "VpcPublicSubnet1RouteTableAssociation97140677", + "VpcPublicSubnet1Subnet5C2D37C4", + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTable94F7E489", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + "VpcPublicSubnet2Subnet691E08A3", + "VpcPublicSubnet3DefaultRoute4697774F", + "VpcPublicSubnet3RouteTable93458DBB", + "VpcPublicSubnet3RouteTableAssociation1F1EDF02", + "VpcPublicSubnet3SubnetBE12F0B6", "Vpc8378EB38", "VpcVPCGWBF912B6E" ], @@ -1222,22 +1055,13 @@ }, "Subnets": [ { - "Ref": "VpcPrivate1Subnet1SubnetC688B2B1" - }, - { - "Ref": "VpcPrivate1Subnet2SubnetA2AF15C7" + "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { - "Ref": "VpcPrivate2Subnet1SubnetE13E2E30" + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" }, { - "Ref": "VpcPrivate2Subnet2Subnet158A38AB" - }, - { - "Ref": "VpcPrivate3Subnet1Subnet0E5E4806" - }, - { - "Ref": "VpcPrivate3Subnet2SubnetD72105DD" + "Ref": "VpcPrivateSubnet3SubnetF258B56E" } ], "ForceUpdateEnabled": true, @@ -1351,7 +1175,7 @@ }, "/", { - "Ref": "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3BucketE6511518" + "Ref": "AssetParametersf2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0S3BucketACD6057C" }, "/", { @@ -1361,7 +1185,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3VersionKey2582513C" + "Ref": "AssetParametersf2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0S3VersionKey20D7AC7B" } ] } 
@@ -1374,7 +1198,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3VersionKey2582513C" + "Ref": "AssetParametersf2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0S3VersionKey20D7AC7B" } ] } @@ -1390,23 +1214,14 @@ "referencetoawscdkeksclusterprivateendpointtestAssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3VersionKeyD69255C2Ref": { "Ref": "AssetParameters649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502S3VersionKey1DA734B2" }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivate1Subnet1Subnet5DD1FB9CRef": { - "Ref": "VpcPrivate1Subnet1SubnetC688B2B1" - }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivate1Subnet2Subnet4A892E2CRef": { - "Ref": "VpcPrivate1Subnet2SubnetA2AF15C7" - }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivate2Subnet1Subnet4249F3C7Ref": { - "Ref": "VpcPrivate2Subnet1SubnetE13E2E30" - }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivate2Subnet2SubnetA4430AEARef": { - "Ref": "VpcPrivate2Subnet2Subnet158A38AB" + "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet1Subnet94DAD769Ref": { + "Ref": "VpcPrivateSubnet1Subnet536B997A" }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivate3Subnet1Subnet9A0DA5C2Ref": { - "Ref": "VpcPrivate3Subnet1Subnet0E5E4806" + "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet2Subnet04963C08Ref": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" }, - "referencetoawscdkeksclusterprivateendpointtestVpcPrivate3Subnet2Subnet68EF00A2Ref": { - "Ref": "VpcPrivate3Subnet2SubnetD72105DD" + "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet3SubnetC47FD39ARef": { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" }, "referencetoawscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup67FA4325GroupId": { "Fn::GetAtt": [ 
@@ -1515,17 +1330,17 @@ "Type": "String", "Description": "Artifact hash for asset \"71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4\"" }, - "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3BucketE6511518": { + "AssetParametersf2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0S3BucketACD6057C": { "Type": "String", - "Description": "S3 bucket for asset \"467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cb\"" + "Description": "S3 bucket for asset \"f2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0\"" }, - "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbS3VersionKey2582513C": { + "AssetParametersf2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0S3VersionKey20D7AC7B": { "Type": "String", - "Description": "S3 key for asset version \"467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cb\"" + "Description": "S3 key for asset version \"f2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0\"" }, - "AssetParameters467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cbArtifactHash90F3B465": { + "AssetParametersf2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0ArtifactHash05CD8D10": { "Type": "String", - "Description": "Artifact hash for asset \"467dc5404fa790f0a49d61285c6d778520134153d660220de8cb6b8db19227cb\"" + "Description": "Artifact hash for asset \"f2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts index ddc71943d3a97..756d9854e9e69 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts 
@@ -14,29 +14,8 @@ class EksClusterStack extends TestStack {
 assumedBy: new iam.AccountRootPrincipal(),
 });
- const vpc = new ec2.Vpc(this, 'Vpc', {
- maxAzs: 2,
- natGateways: 1, // just need one nat gateway to simplify the test
- // so that we also validate it works with multiple private subnets per az.
- subnetConfiguration: [
- {
- subnetType: ec2.SubnetType.PRIVATE,
- name: 'Private1',
- },
- {
- subnetType: ec2.SubnetType.PRIVATE,
- name: 'Private2',
- },
- {
- subnetType: ec2.SubnetType.PRIVATE,
- name: 'Private3',
- },
- {
- subnetType: ec2.SubnetType.PUBLIC,
- name: 'Public1',
- },
- ],
- });
+ // just need one nat gateway to simplify the test
+ const vpc = new ec2.Vpc(this, 'Vpc', { maxAzs: 3, natGateways: 1 });
 const cluster = new eks.Cluster(this, 'Cluster', {
 vpc,
@@ -46,7 +25,7 @@ class EksClusterStack extends TestStack {
 endpointAccess: eks.EndpointAccess.private(),
 });
- // this is the valdiation. it won't work if the private access is setup properly.
+ // this is the valdiation. it won't work if the private access is not setup properly.
 cluster.addResource('config-map', {
 kind: 'ConfigMap',
 apiVersion: 'v1',
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
index 9610cbafca025..14b0c3f79699a 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
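Review bot: The rewritten comment in the second hunk still carries the `valdiation` typo and reads awkwardly; `// this is the validation: it won't work if private access is not set up properly.` The first hunk's replacement VPC (`maxAzs: 3, natGateways: 1`) also drops the multiple-private-subnet-groups-per-AZ case the removed configuration was explicitly exercising; if that coverage now lives in the unit tests (the test.cluster.ts hunk later in this series appears to build several private subnet groups), a one-line comment saying so would keep the next reader from restoring it here. EksClusterStack's constructor continues outside both hunks.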
@@ -665,6 +665,27 @@ "ToPort": 443 } }, + "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51443E3176F85": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterKubectlProviderSecurityGroup2D90691C": { "Type": "AWS::EC2::SecurityGroup", "Properties": { @@ -1060,6 +1081,13 @@ ] }, "\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]},{\\\"rolearn\\\":\\\"", + { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceRole59AC6F56", + "Arn" + ] + }, + "\\\",\\\"username\\\":\\\"system:node:{{EC2PrivateDNSName}}\\\",\\\"groups\\\":[\\\"system:bootstrappers\\\",\\\"system:nodes\\\"]},{\\\"rolearn\\\":\\\"", { "Fn::GetAtt": [ "ClusterNodegroupextrangNodeGroupRole23AE23D0", 
@@ -2162,6 +2190,320 @@ "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { + "Key": { + "Fn::Join": [ + "", + [ + "kubernetes.io/cluster/", + { + "Ref": "Cluster9EE0221C" + } + ] + ] + }, + "Value": "owned" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51ALLTRAFFICB6138869": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "-1", + "Description": "from awscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51:ALL TRAFFIC", + "GroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + } + } + }, + "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301344437B48FD33": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterControlPlaneSecurityGroup2F130134:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + 
"ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134102565535A460F673": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterControlPlaneSecurityGroup2F130134:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + }, + "ToPort": 65535 + } + }, + "ClusterInferenceInstancesInstanceRole59AC6F56": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSWorkerNodePolicy" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKS_CNI_Policy" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + ] + ] + } + ], + "Tags": [ + { + "Key": { + "Fn::Join": [ + "", + [ + "kubernetes.io/cluster/", + { + "Ref": "Cluster9EE0221C" + } + ] + ] + }, + "Value": "owned" + }, + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances" + } + ] + } + }, + "ClusterInferenceInstancesInstanceProfile5A1209B4": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Roles": [ + { + "Ref": "ClusterInferenceInstancesInstanceRole59AC6F56" + } + ] + } + }, + "ClusterInferenceInstancesLaunchConfig03BF48FE": { + "Type": "AWS::AutoScaling::LaunchConfiguration", + "Properties": { + "ImageId": { + "Ref": 
"SsmParameterValueawsserviceeksoptimizedami116amazonlinux2gpurecommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter" + }, + "InstanceType": "inf1.2xlarge", + "IamInstanceProfile": { + "Ref": "ClusterInferenceInstancesInstanceProfile5A1209B4" + }, + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Join": [ + "", + [ + "#!/bin/bash\nset -o xtrace\n/etc/eks/bootstrap.sh ", + { + "Ref": "Cluster9EE0221C" + }, + " --kubelet-extra-args \"--node-labels lifecycle=OnDemand\" --use-max-pods true\n/opt/aws/bin/cfn-signal --exit-code $? --stack aws-cdk-eks-cluster-test --resource ClusterInferenceInstancesASGE90717C7 --region test-region" + ] + ] + } + } + }, + "DependsOn": [ + "ClusterInferenceInstancesInstanceRole59AC6F56" + ] + }, + "ClusterInferenceInstancesASGE90717C7": { + "Type": "AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "MaxSize": "1", + "MinSize": "1", + "LaunchConfigurationName": { + "Ref": "ClusterInferenceInstancesLaunchConfig03BF48FE" + }, + "Tags": [ + { + "Key": { + "Fn::Join": [ + "", + [ + "kubernetes.io/cluster/", + { + "Ref": "Cluster9EE0221C" + } + ] + ] + }, + "PropagateAtLaunch": true, + "Value": "owned" + }, + { + "Key": "Name", + "PropagateAtLaunch": true, + "Value": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances" + } + ], + "VPCZoneIdentifier": [ + { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + }, + { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + }, + { + "Ref": "VpcPrivateSubnet3SubnetF258B56E" + } + ] + }, + "UpdatePolicy": { + "AutoScalingRollingUpdate": { + "WaitOnResourceSignals": false, + "PauseTime": "PT0S", + "SuspendProcesses": [ + "HealthCheck", + "ReplaceUnhealthy", + "AZRebalance", + "AlarmNotification", + "ScheduledActions" + ] + }, + "AutoScalingScheduledAction": { + "IgnoreUnmodifiedGroupSizeProperties": true + } + } + }, + "ClustermanifestNeuronDevicePlugin0B3E0D17": { + "Type": 
"Custom::AWSCDK-EKS-KubernetesResource", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B", + "Outputs.awscdkeksclustertestawscdkawseksKubectlProviderframeworkonEventC681B49AArn" + ] + }, + "Manifest": "[{\"apiVersion\":\"apps/v1\",\"kind\":\"DaemonSet\",\"metadata\":{\"name\":\"neuron-device-plugin-daemonset\",\"namespace\":\"kube-system\"},\"spec\":{\"selector\":{\"matchLabels\":{\"name\":\"neuron-device-plugin-ds\"}},\"updateStrategy\":{\"type\":\"RollingUpdate\"},\"template\":{\"metadata\":{\"annotations\":{\"scheduler.alpha.kubernetes.io/critical-pod\":\"\"},\"labels\":{\"name\":\"neuron-device-plugin-ds\"}},\"spec\":{\"tolerations\":[{\"key\":\"CriticalAddonsOnly\",\"operator\":\"Exists\"},{\"key\":\"aws.amazon.com/neuron\",\"operator\":\"Exists\",\"effect\":\"NoSchedule\"}],\"priorityClassName\":\"system-node-critical\",\"affinity\":{\"nodeAffinity\":{\"requiredDuringSchedulingIgnoredDuringExecution\":{\"nodeSelectorTerms\":[{\"matchExpressions\":[{\"key\":\"beta.kubernetes.io/instance-type\",\"operator\":\"In\",\"values\":[\"inf1.xlarge\",\"inf1.2xlarge\",\"inf1.6xlarge\",\"inf1.4xlarge\"]}]},{\"matchExpressions\":[{\"key\":\"node.kubernetes.io/instance-type\",\"operator\":\"In\",\"values\":[\"inf1.xlarge\",\"inf1.2xlarge\",\"inf1.6xlarge\",\"inf1.24xlarge\"]}]}]}}},\"containers\":[{\"image\":\"790709498068.dkr.ecr.us-west-2.amazonaws.com/neuron-device-plugin:1.0.9043.0\",\"imagePullPolicy\":\"Always\",\"name\":\"k8s-neuron-device-plugin-ctr\",\"securityContext\":{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]}},\"volumeMounts\":[{\"name\":\"device-plugin\",\"mountPath\":\"/var/lib/kubelet/device-plugins\"}]}],\"volumes\":[{\"name\":\"device-plugin\",\"hostPath\":{\"path\":\"/var/lib/kubelet/device-plugins\"}}]}}}}]", + "ClusterName": { + "Ref": "Cluster9EE0221C" + }, + "RoleArn": { + "Fn::GetAtt": [ + 
"ClusterCreationRole360249B6", + "Arn" + ] + } + }, + "DependsOn": [ + "ClusterKubectlReadyBarrier200052AF" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, "ClusterNodegroupextrangNodeGroupRole23AE23D0": { "Type": "AWS::IAM::Role", "Properties": { @@ -2981,6 +3323,10 @@ "SsmParameterValueawsservicebottlerocketawsk8s115x8664latestimageidC96584B6F00A464EAD1953AFF4B05118Parameter": { "Type": "AWS::SSM::Parameter::Value", "Default": "/aws/service/bottlerocket/aws-k8s-1.15/x86_64/latest/image_id" + }, + "SsmParameterValueawsserviceeksoptimizedami116amazonlinux2gpurecommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/aws/service/eks/optimized-ami/1.16/amazon-linux-2-gpu/recommended/image_id" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts index fae1879e2b929..6340be221a298 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.ts @@ -56,11 +56,11 @@ class EksClusterStack extends TestStack { }, }); - // // inference instances - // cluster.addCapacity('InferenceInstances', { - // instanceType: new ec2.InstanceType('inf1.2xlarge'), - // minCapacity: 1, - // }); + // inference instances + cluster.addCapacity('InferenceInstances', { + instanceType: new ec2.InstanceType('inf1.2xlarge'), + minCapacity: 1, + }); // add a extra nodegroup cluster.addNodegroup('extra-ng', { diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index d228a1a94981e..1530867189a3c 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts 
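Review bot: The re-enabled `cluster.addCapacity('InferenceInstances', …)` block returns with only the bare `// inference instances` comment, so nothing records why it had been disabled or what the regenerated snapshot now depends on. The expected template in this commit ties it to a GPU-optimized AMI SSM lookup and a `neuron-device-plugin` DaemonSet manifest, so something like `// inference instances: exercises the inf1 AMI lookup and the Neuron device-plugin manifest` would make that explicit. Two caveats visible only in the snapshot, and presumably coming from library code outside this diff, are worth confirming: the plugin image is pulled from a fixed us-west-2 ECR registry and pinned by tag rather than digest, and an `inf1.2xlarge` instance likely makes this integ test materially more expensive to run. The enclosing EksClusterStack constructor continues outside the hunk.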
@@ -1434,5 +1434,182 @@ export = { test.done(); }, + 'kubectl provider chooses only private subnets'(test: Test) { + + const { stack } = testFixture(); + + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 2, + natGateways: 1, + subnetConfiguration: [ + { + subnetType: ec2.SubnetType.PRIVATE, + name: 'Private1', + }, + { + subnetType: ec2.SubnetType.PUBLIC, + name: 'Public1', + }, + ], + }); + + const cluster = new eks.Cluster(stack, 'Cluster1', { + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private(), + vpc, + }); + + cluster.addResource('resource', { + kind: 'ConfigMap', + apiVersion: 'v1', + data: { + hello: 'world', + }, + metadata: { + name: 'config-map', + }, + }); + + // the kubectl provider is inside a nested stack. + const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack; + expect(nested).to(haveResource('AWS::Lambda::Function', { + VpcConfig: { + SecurityGroupIds: [ + { + Ref: 'referencetoStackCluster1KubectlProviderSecurityGroupDF05D03AGroupId', + }, + ], + SubnetIds: [ + { + Ref: 'referencetoStackVpcPrivate1Subnet1Subnet6764A0F6Ref', + }, + { + Ref: 'referencetoStackVpcPrivate1Subnet2SubnetDFD49645Ref', + }, + ], + }, + })); + + test.done(); + }, + + 'kubectl provider limits number of subnets to 16'(test: Test) { + + const { stack } = testFixture(); + + const subnetConfiguration: ec2.SubnetConfiguration[] = []; + + for (let i = 0; i < 20; i++) { + subnetConfiguration.push( { + subnetType: ec2.SubnetType.PRIVATE, + name: `Private${i}`, + }, + ); + } + + subnetConfiguration.push( { + subnetType: ec2.SubnetType.PUBLIC, + name: 'Public1', + }); + + const vpc2 = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 2, + natGateways: 1, + subnetConfiguration, + }); + + const cluster = new eks.Cluster(stack, 'Cluster1', { + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private(), + vpc: vpc2, + }); + + cluster.addResource('resource', { + kind: 'ConfigMap', + apiVersion: 'v1', + data: { + hello: 'world', + 
}, + metadata: { + name: 'config-map', + }, + }); + + // the kubectl provider is inside a nested stack. + const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack; + test.equal(16, expect(nested).value.Resources.Handler886CB40B.Properties.VpcConfig.SubnetIds.length); + + test.done(); + }, + + 'kubectl provider considers vpc subnet selection'(test: Test) { + + const { stack } = testFixture(); + + const subnetConfiguration: ec2.SubnetConfiguration[] = []; + + for (let i = 0; i < 20; i++) { + subnetConfiguration.push( { + subnetType: ec2.SubnetType.PRIVATE, + name: `Private${i}`, + }, + ); + } + + subnetConfiguration.push( { + subnetType: ec2.SubnetType.PUBLIC, + name: 'Public1', + }); + + const vpc2 = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 2, + natGateways: 1, + subnetConfiguration, + }); + + const cluster = new eks.Cluster(stack, 'Cluster1', { + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private(), + vpc: vpc2, + vpcSubnets: [{subnetGroupName: 'Private1'}, {subnetGroupName: 'Private2'}], + }); + + cluster.addResource('resource', { + kind: 'ConfigMap', + apiVersion: 'v1', + data: { + hello: 'world', + }, + metadata: { + name: 'config-map', + }, + }); + + // the kubectl provider is inside a nested stack. + const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack; + expect(nested).to(haveResource('AWS::Lambda::Function', { + VpcConfig: { + SecurityGroupIds: [ + { + Ref: 'referencetoStackCluster1KubectlProviderSecurityGroupDF05D03AGroupId', + }, + ], + SubnetIds: [ + { + Ref: 'referencetoStackVpcPrivate1Subnet1Subnet6764A0F6Ref', + }, + { + Ref: 'referencetoStackVpcPrivate1Subnet2SubnetDFD49645Ref', + }, + { + Ref: 'referencetoStackVpcPrivate2Subnet1Subnet586AD392Ref', + }, + { + Ref: 'referencetoStackVpcPrivate2Subnet2SubnetE42148C0Ref', + }, + ], + }, + })); + + test.done(); + }, + }, }; From 4a2b3fee38fe5c8e1b4d3fc7ef97416ebdeb6aa7 Mon Sep 17 00:00:00 2001 
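Review bot: The `'kubectl provider limits number of subnets to 16'` test checks only `SubnetIds.length`, so a regression that fills the 16 slots with public subnets, or with subnets outside the cluster's selection, would still pass; the refs seen in the sibling tests embed the subnet group name, so the assertion can be tightened to `const subnetIds = expect(nested).value.Resources.Handler886CB40B.Properties.VpcConfig.SubnetIds;` / `test.equal(16, subnetIds.length);` / `test.ok(subnetIds.every((s: any) => s.Ref.includes('Private')));`. That test is also the only one of the three that reaches into the template by the hard-coded logical id `Handler886CB40B` rather than the `haveResource('AWS::Lambda::Function', …)` matcher the other two use, which will break on any change to the provider's construct path. The 20-entry `subnetConfiguration` loop is duplicated verbatim between the second and third tests and is a candidate for a small helper. The hunk opens at the previous line and the enclosing `export = {` object continues outside it.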
From: epolon
Date: Mon, 27 Jul 2020 12:55:58 +0300
Subject: [PATCH 18/33] move patchEndpointAccess to parseProps
---
 .../lib/cluster-resource-handler/cluster.ts | 37 +++++++++----------
 1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
index bc5c0ee09fbb6..48c7baa85ac6a 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts
@@ -22,24 +22,8 @@ export class ClusterResourceHandler extends ResourceHandler {
 constructor(eks: EksClient, event: ResourceEvent) {
 super(eks, event);
- function patchEndpointAccess(props: any) {
-
- // this is weird but these boolean properties are passed by CFN as a string, and we need them to be booleanic for the SDK.
- // Otherwise it fails with 'Unexpected Parameter: params.resourcesVpcConfig.endpointPrivateAccess is expected to be a boolean'
-
- if (typeof(props.resourcesVpcConfig?.endpointPrivateAccess) === 'string') {
- Object.assign(props.resourcesVpcConfig, { endpointPrivateAccess: props.resourcesVpcConfig.endpointPrivateAccess === 'true' });
- }
-
- if (typeof(props.resourcesVpcConfig?.endpointPublicAccess) === 'string') {
- Object.assign(props.resourcesVpcConfig, { endpointPublicAccess: props.resourcesVpcConfig.endpointPublicAccess === 'true' });
- }
-
- return props;
- }
-
- this.newProps = patchEndpointAccess(parseProps(this.event.ResourceProperties));
- this.oldProps = event.RequestType === 'Update' ? patchEndpointAccess(parseProps(event.OldResourceProperties)) : { };
+ this.newProps = parseProps(this.event.ResourceProperties);
+ this.oldProps = event.RequestType === 'Update' ? parseProps(event.OldResourceProperties) : { };
 }
 // ------
@@ -277,7 +261,22 @@ export class ClusterResourceHandler extends ResourceHandler {
 }
 function parseProps(props: any): aws.EKS.CreateClusterRequest {
- return props?.Config ?? { };
+
+ const parsed = props?.Config ?? { };
+
+ // this is weird but these boolean properties are passed by CFN as a string, and we need them to be booleanic for the SDK.
+ // Otherwise it fails with 'Unexpected Parameter: params.resourcesVpcConfig.endpointPrivateAccess is expected to be a boolean'
+
+ if (typeof(parsed.resourcesVpcConfig?.endpointPrivateAccess) === 'string') {
+ parsed.resourcesVpcConfig.endpointPrivateAccess = parsed.resourcesVpcConfig.endpointPrivateAccess === 'true';
+ }
+
+ if (typeof(parsed.resourcesVpcConfig?.endpointPublicAccess) === 'string') {
+ parsed.resourcesVpcConfig.endpointPublicAccess = parsed.resourcesVpcConfig.endpointPublicAccess === 'true';
+ }
+
+ return parsed;
+
 }
 interface UpdateMap {
From c5e25a14b6d1d88a6ee5479bcffe426046a5ae6f Mon Sep 17 00:00:00 2001
From: epolon
Date: Mon, 27 Jul 2020 13:38:09 +0300
Subject: [PATCH 19/33] remove endpointAccessConfig nesting level
---
 .../@aws-cdk/aws-eks/lib/cluster-resource.ts | 19 ++++---------------
 packages/@aws-cdk/aws-eks/lib/cluster.ts | 8 +++-----
 2 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
index df7a371f53b4b..c885feaa476d2 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
@@ -4,10 +4,7 @@ import { CLUSTER_RESOURCE_TYPE } from './cluster-resource-handler/consts';
 import { ClusterResourceProvider } from './cluster-resource-provider';
 import { CfnClusterProps, CfnCluster } from './eks.generated';
-/**
- * Cluster Endpoint access configuration.
- */
-export interface EndpointAccessConfig {
+export interface ClusterResourceProps extends CfnClusterProps {
 /**
 * Enable private endpoint access to the cluster.
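Review bot: The string-to-boolean coercion in the new parseProps body maps any string other than the exact literal `'true'` to `false`, so a malformed value such as `'True'` or `'yes'` silently flips the corresponding endpoint flag instead of failing the deployment; for `endpointPublicAccess`/`endpointPrivateAccess`, which decide where the API server is reachable from, a parse error is the safer outcome. This logic was only moved from the constructor hunk above (`@@ -22,24 +22,8 @@`), so the lenient behaviour predates this commit, but it is worth tightening while it is being touched: accept real booleans and the two exact literals, and throw on anything else, as sketched below. parseProps also mutates `props.Config` in place, i.e. the event's ResourceProperties object; a comment noting that (`// note: mutates props.Config in place`) or a shallow copy of `resourcesVpcConfig` would avoid surprises for callers that reuse the event.
```typescript
function parseProps(props: any): aws.EKS.CreateClusterRequest {

  const parsed = props?.Config ?? { };

  // CFN hands these booleans to the handler as strings, and the SDK insists on real booleans.
  // Only the exact literals are accepted so that a malformed value fails the deployment
  // instead of silently toggling API-server endpoint exposure.
  if (parsed.resourcesVpcConfig?.endpointPrivateAccess !== undefined) {
    parsed.resourcesVpcConfig.endpointPrivateAccess = parseBooleanProp('endpointPrivateAccess', parsed.resourcesVpcConfig.endpointPrivateAccess);
  }

  if (parsed.resourcesVpcConfig?.endpointPublicAccess !== undefined) {
    parsed.resourcesVpcConfig.endpointPublicAccess = parseBooleanProp('endpointPublicAccess', parsed.resourcesVpcConfig.endpointPublicAccess);
  }

  return parsed;
}

/**
 * Converts a boolean-valued custom resource property to a real boolean.
 * @throws Error when the value is neither a boolean nor the literal strings 'true'/'false'.
 */
function parseBooleanProp(name: string, value: unknown): boolean {
  if (typeof value === 'boolean') { return value; }
  if (value === 'true') { return true; }
  if (value === 'false') { return false; }
  throw new Error(`Property resourcesVpcConfig.${name} must be a boolean or 'true'/'false', got ${JSON.stringify(value)}`);
}
```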
@@ -24,14 +21,6 @@ export interface EndpointAccessConfig {
 */
 readonly publicAccessCidrs?: string[];
-}
-export interface ClusterResourceProps extends CfnClusterProps {
-
- /**
- * Endpoint access configuration.
- */
- readonly endpointAccessConfig: EndpointAccessConfig
-
 }
 /**
@@ -157,9 +146,9 @@ export class ClusterResource extends Construct {
 resourcesVpcConfig: {
 subnetIds: (props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty).subnetIds,
 securityGroupIds: (props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty).securityGroupIds,
- endpointPublicAccess: props.endpointAccessConfig.endpointPublicAccess,
- endpointPrivateAccess: props.endpointAccessConfig.endpointPrivateAccess,
- publicAccessCidrs: props.endpointAccessConfig.publicAccessCidrs,
+ endpointPublicAccess: props.endpointPublicAccess,
+ endpointPrivateAccess: props.endpointPrivateAccess,
+ publicAccessCidrs: props.publicAccessCidrs,
 },
 },
 AssumeRoleArn: this.creationRole.roleArn,
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
index 85fba1e9de270..b369364f7909f 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts
@@ -601,11 +601,9 @@ export class Cluster extends Resource implements ICluster {
 resource = new ClusterResource(this, 'Resource', {
 ...clusterProps,
- endpointAccessConfig: {
- endpointPrivateAccess: this.endpointAccess.endpointPrivateAccess,
- endpointPublicAccess: this.endpointAccess.endpointPublicAccess,
- publicAccessCidrs: this.endpointAccess.publicAccessCidrs,
- },
+ endpointPrivateAccess: this.endpointAccess.endpointPrivateAccess,
+ endpointPublicAccess: this.endpointAccess.endpointPublicAccess,
+ publicAccessCidrs: this.endpointAccess.publicAccessCidrs,
 });
 this._clusterResource = resource;
From 1139ffdbc40328968aa21535b73e308cda172068 Mon Sep 17 00:00:00 2001
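Review bot: The flattened `ClusterResourceProps` in the first cluster-resource.ts hunk here (`@@ -24,14 +21,6 @@`) leaves `publicAccessCidrs` — and, by the same pattern, the two endpoint flags — optional with no documented default, while the next hunk (`@@ -157,9 +146,9 @@`) forwards them into `resourcesVpcConfig` unchanged, so an omitted flag reaches the handler as `undefined`. Each field's doc comment should state what an omitted value means, e.g. `@default - not sent to the EKS API, so the service default applies (confirm against the handler)`, and `publicAccessCidrs` should say that it is presumably only meaningful together with `endpointPublicAccess: true`. The cluster.ts hunk always supplies all three from `this.endpointAccess`, so the library path is unaffected; the caveat is for direct users of ClusterResource. The interface declaration itself opens in the preceding hunk, and the ClusterResource constructor continues outside its hunk.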
From: epolon Date: Wed, 29 Jul 2020 12:25:23 +0300 Subject: [PATCH 20/33] integ expectations --- ...eks-cluster-private-endpoint.expected.json | 38 +++++++++---------- .../test/integ.eks-cluster.expected.json | 38 +++++++++---------- 2 files changed, 38 insertions(+), 38 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json index 42e1390bbae97..0889cc63a0237 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json @@ -1114,7 +1114,7 @@ }, "/", { - "Ref": "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3BucketE3798CD4" + "Ref": "AssetParameters3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789S3BucketBC18629C" }, "/", { @@ -1124,7 +1124,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3VersionKey97783D11" + "Ref": "AssetParameters3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789S3VersionKeyE68C888F" } ] } @@ -1137,7 +1137,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3VersionKey97783D11" + "Ref": "AssetParameters3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789S3VersionKeyE68C888F" } ] } 
@@ -1147,11 +1147,11 @@ ] }, "Parameters": { - "referencetoawscdkeksclusterprivateendpointtestAssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3BucketFDC1B6C7Ref": { - "Ref": "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3Bucket5F33664E" + "referencetoawscdkeksclusterprivateendpointtestAssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3Bucket87F4EA82Ref": { + "Ref": "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3Bucket26C90BA0" }, - "referencetoawscdkeksclusterprivateendpointtestAssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey369B097DRef": { - "Ref": "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey5C517502" + "referencetoawscdkeksclusterprivateendpointtestAssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3VersionKey3BEF8ACDRef": { + "Ref": "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3VersionKeyD269C675" }, "referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3Bucket7CB66361Ref": { "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256" 
@@ -1282,17 +1282,17 @@ } }, "Parameters": { - "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3Bucket5F33664E": { + "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3Bucket26C90BA0": { "Type": "String", - "Description": "S3 bucket for asset \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" + "Description": "S3 bucket for asset \"00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791\"" }, - "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey5C517502": { + "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3VersionKeyD269C675": { "Type": "String", - "Description": "S3 key for asset version \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" + "Description": "S3 key for asset version \"00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791\"" }, - "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aArtifactHashFDE4A4C8": { + "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791ArtifactHashAADC8B03": { "Type": "String", - "Description": "Artifact hash for asset \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" + "Description": "Artifact hash for asset \"00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791\"" }, "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256": { "Type": "String", 
@@ -1318,17 +1318,17 @@ "Type": "String", "Description": "Artifact hash for asset \"649b09403c8414e624c965d6c2f0e41c341c2afa5d8e7bae4ac5746fe230f502\"" }, - "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3BucketE3798CD4": { + "AssetParameters3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789S3BucketBC18629C": { "Type": "String", - "Description": "S3 bucket for asset \"71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4\"" + "Description": "S3 bucket for asset \"3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789\"" }, - "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4S3VersionKey97783D11": { + "AssetParameters3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789S3VersionKeyE68C888F": { "Type": "String", - "Description": "S3 key for asset version \"71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4\"" + "Description": "S3 key for asset version \"3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789\"" }, - "AssetParameters71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4ArtifactHash0561162E": { + "AssetParameters3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789ArtifactHash026B7D88": { "Type": "String", - "Description": "Artifact hash for asset \"71844bd8bc4fc1081e3028a5c0efd7345bcdb4185daff9955359444c643aa2b4\"" + "Description": "Artifact hash for asset \"3c8e15207108696f26eb3900c56b9ed4a81535ed7d0fdb4477972f1741ad9789\"" }, "AssetParametersf2ad7629f5f54ad293dccc2fb60891424f9149f12d84f2f12728543b145962a0S3BucketACD6057C": { "Type": "String", diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index 14b0c3f79699a..2be0396673fb6 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json 
@@ -2857,7 +2857,7 @@ }, "/", { - "Ref": "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3BucketCB5B94B8" + "Ref": "AssetParameterse8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57bS3Bucket393DA96E" }, "/", { @@ -2867,7 +2867,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3VersionKey144808A4" + "Ref": "AssetParameterse8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57bS3VersionKey0633C6DF" } ] } @@ -2880,7 +2880,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3VersionKey144808A4" + "Ref": "AssetParameterse8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57bS3VersionKey0633C6DF" } ] } 
@@ -2890,11 +2890,11 @@ ] }, "Parameters": { - "referencetoawscdkeksclustertestAssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3BucketDCEAA88FRef": { - "Ref": "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3Bucket5F33664E" + "referencetoawscdkeksclustertestAssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3Bucket363F6F79Ref": { + "Ref": "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3Bucket26C90BA0" }, - "referencetoawscdkeksclustertestAssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey8FF788E1Ref": { - "Ref": "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey5C517502" + "referencetoawscdkeksclustertestAssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3VersionKeyDC22C51CRef": { + "Ref": "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3VersionKeyD269C675" }, "referencetoawscdkeksclustertestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketA9A24CF5Ref": { "Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256" 
@@ -3232,17 +3232,17 @@ } }, "Parameters": { - "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3Bucket5F33664E": { + "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3Bucket26C90BA0": { "Type": "String", - "Description": "S3 bucket for asset \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" + "Description": "S3 bucket for asset \"00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791\"" }, - "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aS3VersionKey5C517502": { + "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791S3VersionKeyD269C675": { "Type": "String", - "Description": "S3 key for asset version \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" + "Description": "S3 key for asset version \"00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791\"" }, - "AssetParametersc53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71aArtifactHashFDE4A4C8": { + "AssetParameters00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791ArtifactHashAADC8B03": { "Type": "String", - "Description": "Artifact hash for asset \"c53ce5256da21f646ed2f8a5db4fe604787205bea4eda5c3c5596983c135b71a\"" + "Description": "Artifact hash for asset \"00ba02e613a29439c93f9aef4e82e253763eb70cd32026df071449485c692791\"" }, "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256": { "Type": "String", 
@@ -3292,17 +3292,17 @@ "Type": "String", "Description": "Artifact hash for asset \"eb7a9b73a02dcd848325fc3abc22c1923c364d7480e06bd68a337dc3f33143d3\"" }, - "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3BucketCB5B94B8": { + "AssetParameterse8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57bS3Bucket393DA96E": { "Type": "String", - "Description": "S3 bucket for asset \"4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9\"" + "Description": "S3 bucket for asset \"e8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57b\"" }, - "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9S3VersionKey144808A4": { + "AssetParameterse8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57bS3VersionKey0633C6DF": { "Type": "String", - "Description": "S3 key for asset version \"4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9\"" + "Description": "S3 key for asset version \"e8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57b\"" }, - "AssetParameters4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9ArtifactHashD0D702C4": { + "AssetParameterse8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57bArtifactHashA64B37F7": { "Type": "String", - "Description": "Artifact hash for asset \"4ac41744e40e9fb01a68874329c4296c842f5af6c18756f17de2b28820c488c9\"" + "Description": "Artifact hash for asset \"e8f5d2a182613ad64e98c81d59e2ad3ecb46c92c5b51c3612a5c614a0715e57b\"" }, "AssetParameters5db67dc64d67f3574c3c3e10970910e121e77f67974ab320c4dc47af2f88d2feS3Bucket864A12C7": { "Type": "String", From c635d42a9238437c1c34a7732046750f6eac6dd0 Mon Sep 17 00:00:00 2001 From: epolon Date: Wed, 29 Jul 2020 12:25:57 +0300 Subject: [PATCH 21/33] expose dns readonly properties on Vpc construct --- packages/@aws-cdk/aws-ec2/lib/vpc.ts | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) 
diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc.ts b/packages/@aws-cdk/aws-ec2/lib/vpc.ts index 0b6ef2473b4db..665f58c27e81d 100644 --- a/packages/@aws-cdk/aws-ec2/lib/vpc.ts +++ b/packages/@aws-cdk/aws-ec2/lib/vpc.ts @@ -1100,6 +1100,16 @@ export class Vpc extends VpcBase { public readonly internetConnectivityEstablished: IDependable; + /** + * Indicates if instances launched in this VPC will have public DNS hostnames. + */ + public readonly dnsHostnamesEnabled: boolean; + + /** + * Indicates if DNS support is enabled for this VPC. + */ + public readonly dnsSupportEnabled: boolean; + /** * The VPC resource */ @@ -1140,16 +1150,16 @@ export class Vpc extends VpcBase { this.networkBuilder = new NetworkBuilder(cidrBlock); - const enableDnsHostnames = props.enableDnsHostnames == null ? true : props.enableDnsHostnames; - const enableDnsSupport = props.enableDnsSupport == null ? true : props.enableDnsSupport; + this.dnsHostnamesEnabled = props.enableDnsHostnames == null ? true : props.enableDnsHostnames; + this.dnsSupportEnabled = props.enableDnsSupport == null ? true : props.enableDnsSupport; const instanceTenancy = props.defaultInstanceTenancy || 'default'; this.internetConnectivityEstablished = this._internetConnectivityEstablished; // Define a VPC using the provided CIDR range this.resource = new CfnVPC(this, 'Resource', { cidrBlock, - enableDnsHostnames, - enableDnsSupport, + enableDnsHostnames: this.dnsHostnamesEnabled, + enableDnsSupport: this.dnsSupportEnabled, instanceTenancy, }); From 009ec2c26312e22caa7886d19373e22c0c5fde09 Mon Sep 17 00:00:00 2001 From: epolon Date: Wed, 29 Jul 2020 12:26:30 +0300 Subject: [PATCH 22/33] added validation that dns is configured properly on the VPC when using private endpoint access --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 12 +++++--- .../@aws-cdk/aws-eks/test/test.cluster.ts | 30 +++++++++++++++++++ 2 files changed, 38 insertions(+), 4 deletions(-) 
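Review bot: The constructor stores `dnsHostnamesEnabled` and `dnsSupportEnabled` without rejecting the combination `enableDnsHostnames: true` with `enableDnsSupport: false`, which the vpc.test.ts change later in this series calls an illegal configuration; a guard right after the two assignments, `if (this.dnsHostnamesEnabled && !this.dnsSupportEnabled) throw new Error('enableDnsHostnames requires enableDnsSupport to be true');`, would surface the misconfiguration at synth time rather than at deploy. The two new TSDoc comments should also record that the getters reflect the resolved value, e.g. `* Resolves to true when `enableDnsHostnames` is not specified.`, since that is what the `== null ? true` expression establishes. The constructor body continues outside the hunk.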
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index b369364f7909f..3a0719ceb2b83 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -122,10 +122,6 @@ export interface ClusterOptions { /** * The VPC in which to create the Cluster. * - * Note that if `endpointAccess` is configured to private only, the VPC must - * have `enableDnsHostnames` and `enableDnsSupport` set to true. - * In addition, the DHCP options set for your VPC must include 'AmazonProvidedDNS' in its domain name servers list. - * * @default - a VPC with default configuration will be created and can be accessed through `cluster.vpc`. */ readonly vpc?: ec2.IVpc; @@ -591,6 +587,14 @@ export class Cluster extends Resource implements ICluster { if (this.kubectlEnabled) { this.endpointAccess = props.endpointAccess ?? EndpointAccess.publicAndPrivate(); + + if (this.endpointAccess.endpointPrivateAccess && this.vpc instanceof ec2.Vpc) { + // validate VPC properties according to: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html + if (!this.vpc.dnsHostnamesEnabled || !this.vpc.dnsSupportEnabled) { + throw new Error('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.'); + } + } + this.kubctlProviderSecurityGroup = new ec2.SecurityGroup(this, 'KubectlProviderSecurityGroup', { vpc: this.vpc, description: 'Comminication between KubectlProvider and EKS Control Plane', diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 1530867189a3c..a96a1d4972089 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts 
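Review bot: The DNS validation is guarded by `this.vpc instanceof ec2.Vpc`, so a VPC supplied through an import (the prop is typed `ec2.IVpc`) skips the check entirely, while the same commit deletes the only documentation of the requirement from `ClusterOptions.vpc`, including the DHCP-options `AmazonProvidedDNS` note that the new check does not cover at all. Keep a shortened form of the removed paragraph on the `vpc` prop, e.g. `* If `endpointAccess` includes private access, the VPC must have `enableDnsHostnames` and `enableDnsSupport` set to true and its DHCP options must include 'AmazonProvidedDNS'; this is only validated for `ec2.Vpc` instances, imported VPCs are the caller's responsibility.` The constructor body continues outside the hunk.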
@@ -1611,5 +1611,35 @@ export = { test.done(); }, + 'throw when private access is configured without dns support enabled for the VPC'(test: Test) { + + const { stack } = testFixture(); + + test.throws(() => { + new eks.Cluster(stack, 'Cluster', { + vpc: new ec2.Vpc(stack, 'Vpc', { + enableDnsSupport: false, + }), + version: CLUSTER_VERSION, + }); + }, /Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled/); + test.done(); + }, + + 'throw when private access is configured without dns hostnames enabled for the VPC'(test: Test) { + + const { stack } = testFixture(); + + test.throws(() => { + new eks.Cluster(stack, 'Cluster', { + vpc: new ec2.Vpc(stack, 'Vpc', { + enableDnsHostnames: false, + }), + version: CLUSTER_VERSION, + }); + }, /Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled/); + test.done(); + }, + }, }; From 5cdf55de24331703dc5c3cd07bf7b7f2e2be8e83 Mon Sep 17 00:00:00 2001 From: epolon Date: Wed, 29 Jul 2020 12:28:17 +0300 Subject: [PATCH 23/33] use concrete value as default for endpoint access --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 3a0719ceb2b83..cf154c0a79293 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -223,8 +223,7 @@ export interface ClusterOptions { * * @see https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html * - * @default - Private and Public. The cluster endpoint is accessible from outside of your VPC. - * Worker node traffic will leave your VPC to connect to the endpoint + * @default EndpointAccess.publicAndPrivate() */ readonly endpointAccess?: EndpointAccess; } From c4ebbcae114a9b7974f10dc07feeb2589bc2e3b0 Mon Sep 17 00:00:00 2001 
From: epolon Date: Wed, 29 Jul 2020 14:27:36 +0300 Subject: [PATCH 24/33] added env variables to kubectl handler --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 16 ++++++++- .../@aws-cdk/aws-eks/lib/kubectl-provider.ts | 6 ++++ .../@aws-cdk/aws-eks/test/test.cluster.ts | 35 +++++++++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index cf154c0a79293..367ecaacaa564 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -226,6 +226,15 @@ export interface ClusterOptions { * @default EndpointAccess.publicAndPrivate() */ readonly endpointAccess?: EndpointAccess; + + /** + * Environment for the kubectl execution. Only relevant for kubectl enabled clusters. + * + * These variables will be injected to the handler executing kubectl/helm commands. + * + * @default - No environment. + */ + readonly kubectlEnvironment?: { [key: string]: string } } /** @@ -513,6 +522,8 @@ export class Cluster extends Resource implements ICluster { private readonly vpcSubnets: ec2.SubnetSelection[]; + private readonly kubectlProviderEnv?: { [key: string]: string }; + private readonly version: KubernetesVersion; /** @@ -586,6 +597,7 @@ export class Cluster extends Resource implements ICluster { if (this.kubectlEnabled) { this.endpointAccess = props.endpointAccess ?? EndpointAccess.publicAndPrivate(); + this.kubectlProviderEnv = props.kubectlEnvironment; if (this.endpointAccess.endpointPrivateAccess && this.vpc instanceof ec2.Vpc) { // validate VPC properties according to: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html 
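Review bot: `kubectlEnvironment` is only read inside the `if (this.kubectlEnabled)` branch, so a value supplied for a cluster with `kubectlEnabled: false` is silently ignored, whereas `endpointAccess` is rejected with an error in that situation; either throw in the `else` branch, `if (props.kubectlEnvironment) throw new Error("'kubectlEnvironment' is not supported for clusters without kubectl enabled.");`, or state in the TSDoc that the property is ignored there. The TSDoc should also say that these values become plain Lambda environment variables in the synthesized template (the kubectl-provider.ts hunk passes them straight to `environment`), so callers should not put credentials in them. The constructor body continues outside the hunk.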
@@ -1029,7 +1041,9 @@ export class Cluster extends Resource implements ICluster { if (!provider) { // create the provider. - let providerProps: KubectlProviderProps = {}; + let providerProps: KubectlProviderProps = { + env: this.kubectlProviderEnv, + }; if (!this.endpointAccess!.endpointPublicAccess) { // endpoint access is private only, we need to attach the diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts index aa406d560ef36..2342e63a1734e 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts +++ b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts @@ -29,6 +29,11 @@ export interface KubectlProviderProps { */ readonly securityGroups?: ISecurityGroup[]; + /** + * Environment variables to inject to the provider function. + */ + readonly env?: { [key: string]: string }; + } export class KubectlProvider extends NestedStack { @@ -56,6 +61,7 @@ export class KubectlProvider extends NestedStack { vpc: props.vpc, securityGroups: props.securityGroups, vpcSubnets: props.vpcSubnets, + environment: props.env, }); this.provider = new cr.Provider(this, 'Provider', { diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index a96a1d4972089..5dd45da53546d 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts 
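Review bot: The provider is only created when `!provider`, with `env: this.kubectlProviderEnv` taken from whichever cluster creates it; if the provider is a per-stack singleton, as the `tryFindChild('@aws-cdk/aws-eks.KubectlProvider')` lookup in the accompanying test suggests, a second cluster in the same stack with a different `kubectlEnvironment` inherits the first cluster's variables without any error. Consider rejecting a mismatch when an existing provider is found, or documenting on `kubectlEnvironment` that the environment is shared by every cluster in the stack. The enclosing method starts and ends outside the hunk.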
@@ -1611,6 +1611,41 @@ export = { test.done(); }, + 'kubectl provider accepts passes environment to lambda'(test: Test) { + + const { stack } = testFixture(); + + const cluster = new eks.Cluster(stack, 'Cluster1', { + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private(), + kubectlEnvironment: { + Foo: 'Bar', + }, + }); + + cluster.addResource('resource', { + kind: 'ConfigMap', + apiVersion: 'v1', + data: { + hello: 'world', + }, + metadata: { + name: 'config-map', + }, + }); + + // the kubectl provider is inside a nested stack. + const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack; + expect(nested).to(haveResource('AWS::Lambda::Function', { + Environment: { + Variables: { + Foo: 'Bar', + }, + }, + })); + + test.done(); + }, + 'throw when private access is configured without dns support enabled for the VPC'(test: Test) { const { stack } = testFixture(); From 39a2c3b3a3a6ed33555c2bea080a730193afcd5c Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 30 Jul 2020 19:24:48 +0300 Subject: [PATCH 25/33] use enum like classes instead of static methods to configure endpoint access --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 63 ++++++++++--------- .../integ.eks-cluster-private-endpoint.ts | 2 +- .../@aws-cdk/aws-eks/test/test.cluster.ts | 12 ++-- 3 files changed, 40 insertions(+), 37 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 367ecaacaa564..3677481985b50 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts 
@@ -246,63 +246,65 @@ export class EndpointAccess { * The cluster endpoint is accessible from outside of your VPC. * Worker node traffic will leave your VPC to connect to the endpoint. * - * By default, the endpoint is exposed to all adresses. You can optionally limit the CIDR blocks that can access the public endpoint. + * By default, the endpoint is exposed to all adresses. You can optionally limit the CIDR blocks that can access the public endpoint using the `PUBLIC.onlyFrom` method. * If you limit access to specific CIDR blocks, you must ensure that the CIDR blocks that you * specify include the addresses that worker nodes and Fargate pods (if you use them) * access the public endpoint from. * * @param cidr The CIDR blocks. */ - public static public(...cidr: string[]) { - return new EndpointAccess(false, true, cidr); - } + public static readonly PUBLIC = new EndpointAccess(false, true); /** * The cluster endpoint is only accessible through your VPC. * Worker node traffic to the endpoint will stay within your VPC. */ - public static private() { - return new EndpointAccess(true, false, undefined); - } + public static readonly PRIVATE = new EndpointAccess(true, false); /** * The cluster endpoint is accessible from outside of your VPC. * Worker node traffic to the endpoint will stay within your VPC. * - * By default, the endpoint is exposed to all adresses. You can optionally limit the CIDR blocks that can access the public endpoint. + * By default, the endpoint is exposed to all adresses. You can optionally limit the CIDR blocks that can access the public endpoint using the `PUBLIC_AND_PRIVATE.onlyFrom` method. * If you limit access to specific CIDR blocks, you must ensure that the CIDR blocks that you * specify include the addresses that worker nodes and Fargate pods (if you use them) * access the public endpoint from. * * @param cidr The CIDR blocks. 
*/ - public static publicAndPrivate(...cidr: string[]) { - return new EndpointAccess(true, true, cidr); - } + public static readonly PUBLIC_AND_PRIVATE = new EndpointAccess(true, true); - private constructor( + /** + * Public access is allowed only from these CIDR blocks. + * An empty array means access is open to any address. + */ + public readonly publicCidrs: string[] = []; + private constructor( /** - * Enable private endpoint access to the cluster. + * Indicates if private access is enabled. */ - public readonly endpointPrivateAccess: boolean, + public readonly privateAccess: boolean, /** - * Limit public address with CIDR blocks. + * Indicates if public access is enabled. */ - public readonly endpointPublicAccess: boolean, + public readonly publicAccess: boolean) {} - /** - * Enable public endpoint access to the cluster. - */ - public readonly publicAccessCidrs?: string[]) { - if (this.publicAccessCidrs && this.publicAccessCidrs.length === 0) { - // an empty array is an illegal value, set to undefined so it won't be specified at all. - this.publicAccessCidrs = undefined; + /** + * Restrict public access to specific CIDR blocks. + * If public access is disabled, this method will result in an error. + * + * @param cidr CIDR blocks. + */ + public onlyFrom(...cidr: string[]) { + if (!this.publicAccess) { + throw new Error('CIDR blocks can only be configured on public access endpoints'); } + this.publicCidrs.push(...cidr); + return this; } - } /** 
@@ -596,10 +598,10 @@ export class Cluster extends Resource implements ICluster { this.kubectlEnabled = props.kubectlEnabled === undefined ? true : props.kubectlEnabled; if (this.kubectlEnabled) { - this.endpointAccess = props.endpointAccess ?? EndpointAccess.publicAndPrivate(); + this.endpointAccess = props.endpointAccess ?? EndpointAccess.PUBLIC_AND_PRIVATE; this.kubectlProviderEnv = props.kubectlEnvironment; - if (this.endpointAccess.endpointPrivateAccess && this.vpc instanceof ec2.Vpc) { + if (this.endpointAccess.privateAccess && this.vpc instanceof ec2.Vpc) { // validate VPC properties according to: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html if (!this.vpc.dnsHostnamesEnabled || !this.vpc.dnsSupportEnabled) { throw new Error('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.'); @@ -616,9 +618,10 @@ export class Cluster extends Resource implements ICluster { resource = new ClusterResource(this, 'Resource', { ...clusterProps, - endpointPrivateAccess: this.endpointAccess.endpointPrivateAccess, - endpointPublicAccess: this.endpointAccess.endpointPublicAccess, - publicAccessCidrs: this.endpointAccess.publicAccessCidrs, + endpointPrivateAccess: this.endpointAccess.privateAccess, + endpointPublicAccess: this.endpointAccess.publicAccess, + // an empty array is invalid. + publicAccessCidrs: this.endpointAccess.publicCidrs.length > 0 ? this.endpointAccess.publicCidrs : undefined, }); this._clusterResource = resource; @@ -1045,7 +1048,7 @@ export class Cluster extends Resource implements ICluster { env: this.kubectlProviderEnv, }; - if (!this.endpointAccess!.endpointPublicAccess) { + if (!this.endpointAccess!.publicAccess) { // endpoint access is private only, we need to attach the // provider to the VPC so that it can access the cluster. providerProps = { 
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts index 756d9854e9e69..c8bcd43bdebfa 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.ts @@ -22,7 +22,7 @@ class EksClusterStack extends TestStack { mastersRole, defaultCapacity: 2, version: eks.KubernetesVersion.V1_16, - endpointAccess: eks.EndpointAccess.private(), + endpointAccess: eks.EndpointAccess.PRIVATE, }); // this is the valdiation. it won't work if the private access is not setup properly. diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 5dd45da53546d..53c1d940e339f 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts @@ -1384,7 +1384,7 @@ export = { 'can configure private endpoint access'(test: Test) { // GIVEN const { stack } = testFixture(); - new eks.Cluster(stack, 'Cluster1', { version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private() }); + new eks.Cluster(stack, 'Cluster1', { version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.PRIVATE }); expect(stack).to(haveResource('Custom::AWSCDK-EKS-Cluster', { Config: { @@ -1410,7 +1410,7 @@ export = { 'can configure cidr blocks in public endpoint access'(test: Test) { // GIVEN const { stack } = testFixture(); - new eks.Cluster(stack, 'Cluster1', { version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.public('1.2.3.4/5') }); + new eks.Cluster(stack, 'Cluster1', { version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.PUBLIC.onlyFrom('1.2.3.4/5') }); expect(stack).to(haveResource('Custom::AWSCDK-EKS-Cluster', { Config: { 
@@ -1454,7 +1454,7 @@ export = { }); const cluster = new eks.Cluster(stack, 'Cluster1', { - version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private(), + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.PRIVATE, vpc, }); @@ -1518,7 +1518,7 @@ export = { }); const cluster = new eks.Cluster(stack, 'Cluster1', { - version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private(), + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.PRIVATE, vpc: vpc2, }); @@ -1566,7 +1566,7 @@ export = { }); const cluster = new eks.Cluster(stack, 'Cluster1', { - version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private(), + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.PRIVATE, vpc: vpc2, vpcSubnets: [{subnetGroupName: 'Private1'}, {subnetGroupName: 'Private2'}], }); @@ -1616,7 +1616,7 @@ export = { const { stack } = testFixture(); const cluster = new eks.Cluster(stack, 'Cluster1', { - version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.private(), + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.PRIVATE, kubectlEnvironment: { Foo: 'Bar', }, From 7424484bb4f39666431c05d0e810717991e545ea Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 30 Jul 2020 20:28:35 +0300 Subject: [PATCH 26/33] refactor tests --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 26 +++++++++---------- .../@aws-cdk/aws-eks/test/test.cluster.ts | 12 +++++++++ 2 files changed, 24 insertions(+), 14 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 3677481985b50..f9c1239c2315c 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts 
@@ -274,12 +274,6 @@ export class EndpointAccess { */ public static readonly PUBLIC_AND_PRIVATE = new EndpointAccess(true, true); - /** - * Public access is allowed only from these CIDR blocks. - * An empty array means access is open to any address. - */ - public readonly publicCidrs: string[] = []; - private constructor( /** * Indicates if private access is enabled. @@ -289,7 +283,16 @@ export class EndpointAccess { /** * Indicates if public access is enabled. */ - public readonly publicAccess: boolean) {} + public readonly publicAccess: boolean, + /** + * Public access is allowed only from these CIDR blocks. + * An empty array means access is open to any address. + */ + public readonly publicCidrs?: string[]) { + if (!publicAccess && publicCidrs && publicCidrs.length > 0) { + throw new Error('CIDR blocks can only be configured when public access is enabled'); + } + } /** @@ -299,11 +302,7 @@ export class EndpointAccess { * @param cidr CIDR blocks. */ public onlyFrom(...cidr: string[]) { - if (!this.publicAccess) { - throw new Error('CIDR blocks can only be configured on public access endpoints'); - } - this.publicCidrs.push(...cidr); - return this; + return new EndpointAccess(this.privateAccess, this.publicAccess, cidr); } } @@ -620,8 +619,7 @@ export class Cluster extends Resource implements ICluster { ...clusterProps, endpointPrivateAccess: this.endpointAccess.privateAccess, endpointPublicAccess: this.endpointAccess.publicAccess, - // an empty array is invalid. - publicAccessCidrs: this.endpointAccess.publicCidrs.length > 0 ? this.endpointAccess.publicCidrs : undefined, + publicAccessCidrs: this.endpointAccess.publicCidrs, }); this._clusterResource = resource; diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 53c1d940e339f..1f833792985f6 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts 
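Review bot: With the `length > 0 ? … : undefined` guard removed from the `ClusterResource` call, `EndpointAccess.PUBLIC.onlyFrom()` with no arguments now forwards `publicAccessCidrs: []`, which the earlier cluster-resource-handler commit in this series notes is an illegal value for the cluster API; reject it in `onlyFrom`, `if (cidr.length === 0) throw new Error('At least one CIDR block is required');`, or restore the guard. The same pass-through remains in the PATCH 29 hunks of cluster.ts (`publicAccessCidrs: this.endpointAccess.config.publicCidrs`). The `publicCidrs` constructor parameter is kept by reference, so `readonly string[]` would be the safer type for the stored array.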
@@ -1381,6 +1381,10 @@ export = { test.done(); }, + }, + + 'endpoint access': { + 'can configure private endpoint access'(test: Test) { // GIVEN const { stack } = testFixture(); @@ -1676,5 +1680,13 @@ export = { test.done(); }, + 'throw when cidrs are configured without public access endpoint'(test: Test) { + + test.throws(() => { + eks.EndpointAccess.PRIVATE.onlyFrom('1.2.3.4/5'); + }, /CIDR blocks can only be configured when public access is enabled/); + test.done(); + }, + }, }; From 11753ee656edc3e1eff082d62cc75b7fab565615 Mon Sep 17 00:00:00 2001 From: epolon Date: Thu, 30 Jul 2020 20:31:16 +0300 Subject: [PATCH 27/33] move some tests around --- .../@aws-cdk/aws-eks/test/test.cluster.ts | 70 +++++++++---------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 1f833792985f6..58863772311c1 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts @@ -1383,6 +1383,41 @@ export = { }, + 'kubectl provider passes environment to lambda'(test: Test) { + + const { stack } = testFixture(); + + const cluster = new eks.Cluster(stack, 'Cluster1', { + version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.PRIVATE, + kubectlEnvironment: { + Foo: 'Bar', + }, + }); + + cluster.addResource('resource', { + kind: 'ConfigMap', + apiVersion: 'v1', + data: { + hello: 'world', + }, + metadata: { + name: 'config-map', + }, + }); + + // the kubectl provider is inside a nested stack. + const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack; + expect(nested).to(haveResource('AWS::Lambda::Function', { + Environment: { + Variables: { + Foo: 'Bar', + }, + }, + })); + + test.done(); + }, + 'endpoint access': { 'can configure private endpoint access'(test: Test) { 
@@ -1615,41 +1650,6 @@ export = { test.done(); }, - 'kubectl provider accepts passes environment to lambda'(test: Test) { - - const { stack } = testFixture(); - - const cluster = new eks.Cluster(stack, 'Cluster1', { - version: CLUSTER_VERSION, endpointAccess: eks.EndpointAccess.PRIVATE, - kubectlEnvironment: { - Foo: 'Bar', - }, - }); - - cluster.addResource('resource', { - kind: 'ConfigMap', - apiVersion: 'v1', - data: { - hello: 'world', - }, - metadata: { - name: 'config-map', - }, - }); - - // the kubectl provider is inside a nested stack. - const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack; - expect(nested).to(haveResource('AWS::Lambda::Function', { - Environment: { - Variables: { - Foo: 'Bar', - }, - }, - })); - - test.done(); - }, - 'throw when private access is configured without dns support enabled for the VPC'(test: Test) { const { stack } = testFixture(); From 9d8b394ddd59131920c8f0370672d180f4fda90b Mon Sep 17 00:00:00 2001 From: epolon Date: Fri, 31 Jul 2020 11:29:24 +0300 Subject: [PATCH 28/33] rephrase deprecation notice --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index f9c1239c2315c..186805e96697a 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -332,7 +332,7 @@ export interface ClusterProps extends ClusterOptions { * * * @default true The cluster can be managed by the AWS CDK application. - * @deprecated Omit this property as it wil be removed in future releases and enabled to all clusters. + * @deprecated Omit this property as kubectl will be enabled to all clusters. */ readonly kubectlEnabled?: boolean; 
@@ -553,6 +553,11 @@ export class Cluster extends Resource implements ICluster { physicalName: props.clusterName, }); + if (props.kubectlEnabled !== undefined) { + const depractionNotice = "'kubectlEnabled' property is depracated. In future releases, all clusters will have kubectl support enabled, please consider omitting this property."; + this.node.addWarning(depractionNotice); + } + const stack = Stack.of(this); this.vpc = props.vpc || new ec2.Vpc(this, 'DefaultVpc'); @@ -650,13 +655,11 @@ export class Cluster extends Resource implements ICluster { this._kubectlReadyBarrier.node.addDependency(this._clusterResource); } else { - const depractionNotice = 'Basic EKS clusters are depracated. Please consider omiting the property, as it will be removed in future releases.'; if (props.endpointAccess) { - throw new Error(`'endpointAccess' is not supported for basic clusters. ${depractionNotice}`); + throw new Error("'endpointAccess' is not supported for clusters without kubectl enabled."); } resource = new CfnCluster(this, 'Resource', clusterProps); - resource.node.addWarning(depractionNotice); } this.clusterName = this.getResourceNameAttribute(resource.ref); From 071105b884b6b9aa099081ddb815106004aedbd1 Mon Sep 17 00:00:00 2001 From: epolon Date: Tue, 4 Aug 2020 14:04:42 +0300 Subject: [PATCH 29/33] address review comments --- packages/@aws-cdk/aws-ec2/test/vpc.test.ts | 40 ++++++++++ packages/@aws-cdk/aws-eks/lib/cluster.ts | 75 ++++++++++++------- .../@aws-cdk/aws-eks/lib/kubectl-provider.ts | 2 +- 3 files changed, 89 insertions(+), 28 deletions(-) diff --git a/packages/@aws-cdk/aws-ec2/test/vpc.test.ts b/packages/@aws-cdk/aws-ec2/test/vpc.test.ts index b92ef155a5ccb..4e1ea8cdd0836 100644 --- a/packages/@aws-cdk/aws-ec2/test/vpc.test.ts +++ b/packages/@aws-cdk/aws-ec2/test/vpc.test.ts 
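Review bot: The new warning string and its variable carry user-visible typos: `depractionNotice` and `"... is depracated ..."` should read `deprecationNotice` and `deprecated`. Because the test is `props.kubectlEnabled !== undefined`, the warning also fires for `kubectlEnabled: true`, which is the documented default; that matches the `@deprecated` text asking callers to omit the property, but the TSDoc of `kubectlEnabled` should say so, e.g. `* Setting this property explicitly, to either value, emits a synthesis warning.` The constructor body continues outside the hunk.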
@@ -61,6 +61,46 @@ nodeunitShim({ test.done(); }, + 'dns getters correspond to CFN properties': (() => { + + const tests: any = { }; + + const inputs = [ + {dnsSupport: false, dnsHostnames: false}, + // {dnsSupport: false, dnsHostnames: true} - this configuration is illegal so its not part of the permutations. + {dnsSupport: true, dnsHostnames: false}, + {dnsSupport: true, dnsHostnames: true}, + ]; + + for (const input of inputs) { + + tests[`[dnsSupport=${input.dnsSupport},dnsHostnames=${input.dnsHostnames}]`] = (test: Test) => { + + const stack = getTestStack(); + const vpc = new Vpc(stack, 'TheVPC', { + cidr: '192.168.0.0/16', + enableDnsHostnames: input.dnsHostnames, + enableDnsSupport: input.dnsSupport, + defaultInstanceTenancy: DefaultInstanceTenancy.DEDICATED, + }); + + expect(stack).to(haveResource('AWS::EC2::VPC', { + CidrBlock: '192.168.0.0/16', + EnableDnsHostnames: input.dnsHostnames, + EnableDnsSupport: input.dnsSupport, + InstanceTenancy: DefaultInstanceTenancy.DEDICATED, + })); + + test.equal(input.dnsSupport, vpc.dnsSupportEnabled); + test.equal(input.dnsHostnames, vpc.dnsHostnamesEnabled); + test.done(); + + }; + } + + return tests; + })(), + 'contains the correct number of subnets'(test: Test) { const stack = getTestStack(); const vpc = new Vpc(stack, 'TheVPC'); diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 186805e96697a..ddf73f0df501b 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts 
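Review bot: `const tests: any = { }` turns off type checking for the generated test table; `const tests: Record<string, (test: Test) => void> = {};` keeps the nodeunit signature checked with no other change. The skipped permutation comment (`{dnsSupport: false, dnsHostnames: true}` is illegal) is the only place in this series where that constraint is recorded, so it is worth repeating it in the `Vpc` constructor docs rather than only in a test.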
@@ -228,13 +228,35 @@ export interface ClusterOptions { readonly endpointAccess?: EndpointAccess; /** - * Environment for the kubectl execution. Only relevant for kubectl enabled clusters. + * Environment variables for the kubectl execution. Only relevant for kubectl enabled clusters. * - * These variables will be injected to the handler executing kubectl/helm commands. + * @default - No environment variables. + */ + readonly kubectlEnvironment?: { [key: string]: string }; +} + +/** + * Group access configuration together. + */ +export interface EndpointAccessConfig { + + /** + * Indicates if private access is enabled. + */ + readonly privateAccess: boolean; + + /** + * Indicates if public access is enabled. + */ + readonly publicAccess: boolean; + /** + * Public access is allowed only from these CIDR blocks. + * An empty array means access is open to any address. * - * @default - No environment. + * @default - No restrictions. */ - readonly kubectlEnvironment?: { [key: string]: string } + readonly publicCidrs?: string[]; + } /** @@ -253,13 +275,13 @@ export class EndpointAccess { * * @param cidr The CIDR blocks. */ - public static readonly PUBLIC = new EndpointAccess(false, true); + public static readonly PUBLIC = new EndpointAccess({privateAccess: false, publicAccess: true}); /** * The cluster endpoint is only accessible through your VPC. * Worker node traffic to the endpoint will stay within your VPC. */ - public static readonly PRIVATE = new EndpointAccess(true, false); + public static readonly PRIVATE = new EndpointAccess({privateAccess: true, publicAccess: false}); /** * The cluster endpoint is accessible from outside of your VPC. 
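Review bot: The `@param cidr The CIDR blocks.` tag on `PUBLIC` (and on `PUBLIC_AND_PRIVATE` in the next hunk) is stale now that these are `static readonly` properties with no parameters; drop the tag and refer to `onlyFrom` instead. `EndpointAccessConfig.publicCidrs` says "An empty array means access is open to any address", but `onlyFrom` sets `publicCidrs: cidr` unchanged and the PATCH 29 cluster.ts hunk forwards it as `publicAccessCidrs`, so either normalize `[]` to `undefined` in the constructor or document that at least one block is required. Exposing `config` publicly also makes the array reachable as `EndpointAccess.PUBLIC.config.publicCidrs`; typing it `readonly string[]` on the interface prevents accidental pushes into the shared static.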
@@ -272,24 +294,14 @@ export class EndpointAccess { * * @param cidr The CIDR blocks. */ - public static readonly PUBLIC_AND_PRIVATE = new EndpointAccess(true, true); + public static readonly PUBLIC_AND_PRIVATE = new EndpointAccess({privateAccess: true, publicAccess: true}); private constructor( /** - * Indicates if private access is enabled. - */ - public readonly privateAccess: boolean, - - /** - * Indicates if public access is enabled. + * Configuration properties. */ - public readonly publicAccess: boolean, - /** - * Public access is allowed only from these CIDR blocks. - * An empty array means access is open to any address. - */ - public readonly publicCidrs?: string[]) { - if (!publicAccess && publicCidrs && publicCidrs.length > 0) { + public readonly config: EndpointAccessConfig) { + if (!config.publicAccess && config.publicCidrs && config.publicCidrs.length > 0) { throw new Error('CIDR blocks can only be configured when public access is enabled'); } } @@ -302,7 +314,11 @@ export class EndpointAccess { * @param cidr CIDR blocks. */ public onlyFrom(...cidr: string[]) { - return new EndpointAccess(this.privateAccess, this.publicAccess, cidr); + return new EndpointAccess({ + ...this.config, + // override CIDR + publicCidrs: cidr, + }); } } @@ -583,7 +599,7 @@ export class Cluster extends Resource implements ICluster { defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API }); - this.vpcSubnets = props.vpcSubnets || [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }]; + this.vpcSubnets = props.vpcSubnets ?? [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }]; // Get subnetIds for all selected subnets const subnetIds = [...new Set(Array().concat(...this.vpcSubnets.map(s => this.vpc.selectSubnets(s).subnetIds)))]; 
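Review bot: `onlyFrom()` called with no arguments yields `publicCidrs: []`, which the constructor accepts and which, per the interface's own documentation, means public access is open to any address — the opposite of what the method name promises. Add `if (cidr.length === 0) { throw new Error('onlyFrom() requires at least one CIDR block'); }` at the top of `onlyFrom`, and consider `publicCidrs: [...cidr]` so the instance does not share the caller's array. The method also has no declared return type; `public onlyFrom(...cidr: string[]): EndpointAccess` keeps the public surface explicit. The `@param cidr The CIDR blocks.` line above `PUBLIC_AND_PRIVATE` (and above `PUBLIC` in the previous hunk) documents a parameter the static fields do not have and looks like a leftover from an earlier factory-method form.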
@@ -605,7 +621,7 @@ export class Cluster extends Resource implements ICluster { this.endpointAccess = props.endpointAccess ?? EndpointAccess.PUBLIC_AND_PRIVATE; this.kubectlProviderEnv = props.kubectlEnvironment; - if (this.endpointAccess.privateAccess && this.vpc instanceof ec2.Vpc) { + if (this.endpointAccess.config.privateAccess && this.vpc instanceof ec2.Vpc) { // validate VPC properties according to: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html if (!this.vpc.dnsHostnamesEnabled || !this.vpc.dnsSupportEnabled) { throw new Error('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.'); @@ -622,9 +638,9 @@ export class Cluster extends Resource implements ICluster { resource = new ClusterResource(this, 'Resource', { ...clusterProps, - endpointPrivateAccess: this.endpointAccess.privateAccess, - endpointPublicAccess: this.endpointAccess.publicAccess, - publicAccessCidrs: this.endpointAccess.publicCidrs, + endpointPrivateAccess: this.endpointAccess.config.privateAccess, + endpointPublicAccess: this.endpointAccess.config.publicAccess, + publicAccessCidrs: this.endpointAccess.config.publicCidrs, }); this._clusterResource = resource; @@ -1049,7 +1065,12 @@ export class Cluster extends Resource implements ICluster { env: this.kubectlProviderEnv, }; - if (!this.endpointAccess!.publicAccess) { + if (!this.endpointAccess) { + // this should have been set on cluster instantiation for kubectl enabled clusters + throw new Error("Expected 'endpointAccess' to be defined for kubectl enabled clusters"); + } + + if (!this.endpointAccess.config.publicAccess) { // endpoint access is private only, we need to attach the // provider to the VPC so that it can access the cluster. providerProps = { 
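Review bot: The last hunk attaches the kubectl provider to the VPC only when `publicAccess` is false, so a cluster configured with `EndpointAccess.PUBLIC.onlyFrom(...)` or `PUBLIC_AND_PRIVATE.onlyFrom(...)` gets a provider that reaches the endpoint from outside the VPC, and — if EKS enforces the CIDR list against the handler's source address, as the hunk's own comment about private-only access suggests — the handler's (non-fixed) egress address will not be in the allow list and kubectl/helm calls will fail at deploy time. When private access is also enabled the provider can simply be placed in the VPC as in the private-only branch; when only restricted public access is enabled there is no address to allow, so it is better to reject the combination up front than to fail on the first `kubectl apply`. The rewritten condition below replaces the `if (!this.endpointAccess.config.publicAccess)` line; the rest of the provider construction continues outside the hunk.
```typescript
    // … unchanged: endpointAccess defined-guard …
    const { privateAccess, publicAccess, publicCidrs } = this.endpointAccess.config;
    const publicRestricted = publicAccess && (publicCidrs?.length ?? 0) > 0;

    if (publicRestricted && !privateAccess) {
      // the kubectl handler runs outside the VPC and has no fixed source address,
      // so it cannot be placed on the public CIDR allow list
      throw new Error('Restricting public endpoint access to CIDR blocks requires private access to be enabled as well');
    }

    if (!publicAccess || publicRestricted) {
      // reach the endpoint from inside the VPC: either public access is off,
      // or it is restricted to CIDRs the handler is not part of
      providerProps = {
```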
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts index 2342e63a1734e..c7c845fefcb9b 100644 --- a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts +++ b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts @@ -47,7 +47,7 @@ export class KubectlProvider extends NestedStack { */ public readonly role: iam.IRole; - public constructor(scope: Construct, id: string, props: KubectlProviderProps) { + public constructor(scope: Construct, id: string, props: KubectlProviderProps = { }) { super(scope, id); const handler = new lambda.Function(this, 'Handler', { From 0f496a0d1d3d1b94ba9ccdc52d03f73151c8c09a Mon Sep 17 00:00:00 2001 From: epolon Date: Tue, 4 Aug 2020 14:14:14 +0300 Subject: [PATCH 30/33] fix README and added section about kubectl environment --- packages/@aws-cdk/aws-eks/README.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 9463858f321ff..776f8e41f6879 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md @@ -52,11 +52,11 @@ You can configure the [cluster endpoint access](https://docs.aws.amazon.com/eks/ ```typescript const cluster = new eks.Cluster(this, 'hello-eks', { version: eks.KubernetesVersion.V1_16, - endpointAccess: eks.EndpointAccess.private() // No access outside of your VPC. + endpointAccess: eks.EndpointAccess.PRIVATE // No access outside of your VPC. }); ``` -The default value is `eks.EndpointAccess.publicAndPrivate()`. Which means the cluster endpoint is accessible from outside of your VPC, and worker node traffic to the endpoint will stay within your VPC. +The default value is `eks.EndpointAccess.PUBLIC_AND_PRIVATE`. Which means the cluster endpoint is accessible from outside of your VPC, and worker node traffic to the endpoint will stay within your VPC. ### Capacity 
@@ -362,6 +362,20 @@ new KubernetesResource(this, 'hello-kub', { cluster.addResource('hello-kub', service, deployment); ``` +##### Kubectl Environment + +The resources are created in the cluster by running `kubectl apply` from a python lambda function. You can configure the environment of this function by specifying it at cluster instantiation. For example, this can useful in order to configure an http proxy: + +```typescript +const cluster = new eks.Cluster(this, 'hello-eks', { + version: eks.KubernetesVersion.V1_16, + kubectlEnvironment: { + 'http_proxy': 'http://proxy.myproxy.com' + } +}); + +``` + #### Adding resources from a URL The following example will deploy the resource manifest hosting on remote server: From 36f9567a3e41c6f73603807781030e15b0e9a920 Mon Sep 17 00:00:00 2001 From: epolon Date: Tue, 4 Aug 2020 14:33:29 +0300 Subject: [PATCH 31/33] fix default value --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index ddf73f0df501b..2542db561607d 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -223,7 +223,7 @@ export interface ClusterOptions { * * @see https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html * - * @default EndpointAccess.publicAndPrivate() + * @default EndpointAccess.PUBLIC_AND_PRIVATE */ readonly endpointAccess?: EndpointAccess; From f6c9b9fc5c9dd079096bea229aebf71254f86cf3 Mon Sep 17 00:00:00 2001 From: epolon Date: Wed, 5 Aug 2020 11:48:22 +0300 Subject: [PATCH 32/33] make EndpointAccessConfig private --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 2542db561607d..23582688216dc 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts 
+++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -238,7 +238,7 @@ export interface ClusterOptions { /** * Group access configuration together. */ -export interface EndpointAccessConfig { +interface EndpointAccessConfig { /** * Indicates if private access is enabled. @@ -299,9 +299,11 @@ export class EndpointAccess { private constructor( /** * Configuration properties. + * + * @internal */ - public readonly config: EndpointAccessConfig) { - if (!config.publicAccess && config.publicCidrs && config.publicCidrs.length > 0) { + public readonly _config: EndpointAccessConfig) { + if (!_config.publicAccess && _config.publicCidrs && _config.publicCidrs.length > 0) { throw new Error('CIDR blocks can only be configured when public access is enabled'); } } @@ -315,7 +317,7 @@ export class EndpointAccess { */ public onlyFrom(...cidr: string[]) { return new EndpointAccess({ - ...this.config, + ...this._config, // override CIDR publicCidrs: cidr, }); @@ -621,7 +623,7 @@ export class Cluster extends Resource implements ICluster { this.endpointAccess = props.endpointAccess ?? EndpointAccess.PUBLIC_AND_PRIVATE; this.kubectlProviderEnv = props.kubectlEnvironment; - if (this.endpointAccess.config.privateAccess && this.vpc instanceof ec2.Vpc) { + if (this.endpointAccess._config.privateAccess && this.vpc instanceof ec2.Vpc) { // validate VPC properties according to: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html if (!this.vpc.dnsHostnamesEnabled || !this.vpc.dnsSupportEnabled) { throw new Error('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.'); 
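Review bot: `EndpointAccessConfig` is no longer exported but remains the declared type of the public parameter property `_config` on the exported `EndpointAccess` class; `@internal` and the underscore keep it out of the jsii-generated API and docs (assuming jsii strips `@internal` members — confirm), but the property is still a public runtime field, and declaration emit has to inline the now module-private interface into the `.d.ts` — worth confirming the build is happy with that. A short why-comment on the parameter property would spare the next reader the same question, e.g. `// public only so Cluster can read the settings; not part of the API surface`. The constructor guard could also read `if (!_config.publicAccess && (_config.publicCidrs?.length ?? 0) > 0)` now that the file uses `??`, which drops the double check on `publicCidrs`.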
@@ -638,9 +640,9 @@ export class Cluster extends Resource implements ICluster { resource = new ClusterResource(this, 'Resource', { ...clusterProps, - endpointPrivateAccess: this.endpointAccess.config.privateAccess, - endpointPublicAccess: this.endpointAccess.config.publicAccess, - publicAccessCidrs: this.endpointAccess.config.publicCidrs, + endpointPrivateAccess: this.endpointAccess._config.privateAccess, + endpointPublicAccess: this.endpointAccess._config.publicAccess, + publicAccessCidrs: this.endpointAccess._config.publicCidrs, }); this._clusterResource = resource; @@ -1070,7 +1072,7 @@ export class Cluster extends Resource implements ICluster { throw new Error("Expected 'endpointAccess' to be defined for kubectl enabled clusters"); } - if (!this.endpointAccess.config.publicAccess) { + if (!this.endpointAccess._config.publicAccess) { // endpoint access is private only, we need to attach the // provider to the VPC so that it can access the cluster. providerProps = { From cc812598670a7ca5ea6fcea31b8872c822fae544 Mon Sep 17 00:00:00 2001 From: epolon Date: Wed, 5 Aug 2020 11:49:18 +0300 Subject: [PATCH 33/33] remove depracation notices for 'kubectlEnabled' for now - needs further discussion --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 7 ------- 1 file changed, 7 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 23582688216dc..3ddee2f54434b 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -350,7 +350,6 @@ export interface ClusterProps extends ClusterOptions { * * * @default true The cluster can be managed by the AWS CDK application. - * @deprecated Omit this property as kubectl will be enabled to all clusters. */ readonly kubectlEnabled?: boolean; 
@@ -493,7 +492,6 @@ export class Cluster extends Resource implements ICluster { /** * Indicates if `kubectl` related operations can be performed on this cluster. * - * @deprecated Will always be true in future releases. */ public readonly kubectlEnabled: boolean; @@ -571,11 +569,6 @@ export class Cluster extends Resource implements ICluster { physicalName: props.clusterName, }); - if (props.kubectlEnabled !== undefined) { - const depractionNotice = "'kubectlEnabled' property is depracated. In future releases, all clusters will have kubectl support enabled, please consider omitting this property."; - this.node.addWarning(depractionNotice); - } - const stack = Stack.of(this); this.vpc = props.vpc || new ec2.Vpc(this, 'DefaultVpc');