feat(eks): endpoint access customization

packages/@aws-cdk/aws-ec2/lib/vpc.ts

@@ -1107,6 +1107,16 @@ export class Vpc extends VpcBase {
 
   public readonly internetConnectivityEstablished: IDependable;
 
+  /**
+   * Indicates if instances launched in this VPC will have public DNS hostnames.
+   */
+  public readonly dnsHostnamesEnabled: boolean;
+
+  /**
+   * Indicates if DNS support is enabled for this VPC.
+   */
+  public readonly dnsSupportEnabled: boolean;
+
   /**
    * The VPC resource
    */
@@ -1147,16 +1157,16 @@ export class Vpc extends VpcBase {
 
     this.networkBuilder = new NetworkBuilder(cidrBlock);
 
-    const enableDnsHostnames = props.enableDnsHostnames == null ? true : props.enableDnsHostnames;
-    const enableDnsSupport = props.enableDnsSupport == null ? true : props.enableDnsSupport;
+    this.dnsHostnamesEnabled = props.enableDnsHostnames == null ? true : props.enableDnsHostnames;
+    this.dnsSupportEnabled = props.enableDnsSupport == null ? true : props.enableDnsSupport;
     const instanceTenancy = props.defaultInstanceTenancy || 'default';
     this.internetConnectivityEstablished = this._internetConnectivityEstablished;
 
     // Define a VPC using the provided CIDR range
     this.resource = new CfnVPC(this, 'Resource', {
       cidrBlock,
-      enableDnsHostnames,
-      enableDnsSupport,
+      enableDnsHostnames: this.dnsHostnamesEnabled,
+      enableDnsSupport: this.dnsSupportEnabled,
       instanceTenancy,
     });
 

packages/@aws-cdk/aws-ec2/test/vpc.test.ts

@@ -61,6 +61,46 @@ nodeunitShim({
       test.done();
     },
 
+    'dns getters correspond to CFN properties': (() => {
+
+      const tests: any = { };
+
+      const inputs = [
+        {dnsSupport: false, dnsHostnames: false},
+        // {dnsSupport: false, dnsHostnames: true} - this configuration is illegal so its not part of the permutations.
+        {dnsSupport: true, dnsHostnames: false},
+        {dnsSupport: true, dnsHostnames: true},
+      ];
+
+      for (const input of inputs) {
+
+        tests[`[dnsSupport=${input.dnsSupport},dnsHostnames=${input.dnsHostnames}]`] = (test: Test) => {
+
+          const stack = getTestStack();
+          const vpc = new Vpc(stack, 'TheVPC', {
+            cidr: '192.168.0.0/16',
+            enableDnsHostnames: input.dnsHostnames,
+            enableDnsSupport: input.dnsSupport,
+            defaultInstanceTenancy: DefaultInstanceTenancy.DEDICATED,
+          });
+
+          expect(stack).to(haveResource('AWS::EC2::VPC', {
+            CidrBlock: '192.168.0.0/16',
+            EnableDnsHostnames: input.dnsHostnames,
+            EnableDnsSupport: input.dnsSupport,
+            InstanceTenancy: DefaultInstanceTenancy.DEDICATED,
+          }));
+
+          test.equal(input.dnsSupport, vpc.dnsSupportEnabled);
+          test.equal(input.dnsHostnames, vpc.dnsHostnamesEnabled);
+          test.done();
+
+        };
+      }
+
+      return tests;
+    })(),
+
     'contains the correct number of subnets'(test: Test) {
       const stack = getTestStack();
       const vpc = new Vpc(stack, 'TheVPC');

packages/@aws-cdk/aws-eks/README.md

@@ -45,6 +45,20 @@ cluster.addResource('mypod', {
 });
 ```
 
+### Endpoint Access
+
+You can configure the [cluster endpoint access](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) by using the `endpointAccess` property:
+
+```typescript
+const cluster = new eks.Cluster(this, 'hello-eks', {
+  version: eks.KubernetesVersion.V1_16,
+  endpointAccess: eks.EndpointAccess.PRIVATE // No access outside of your VPC.
+});
+```
+
+The default value is `eks.EndpointAccess.PUBLIC_AND_PRIVATE`. Which means the cluster endpoint is accessible from outside of your VPC, and worker node traffic to the endpoint will stay within your VPC.
+
+
 ### Capacity
 
 By default, `eks.Cluster` is created with a managed nodegroup with x2 `m5.large` instances. You must specify the kubernetes version for the cluster with the `version` property.
@@ -78,7 +92,7 @@ new eks.Cluster(this, 'cluster', {
 To disable the default capacity, simply set `defaultCapacity` to `0`:
 
 ```ts
-new eks.Cluster(this, 'cluster-with-no-capacity', { 
+new eks.Cluster(this, 'cluster-with-no-capacity', {
   defaultCapacity: 0,
   version: eks.KubernetesVersion.V1_16,
 });
@@ -105,8 +119,8 @@ cluster.addCapacity('frontend-nodes', {
 
 ### Managed Node Groups
 
-Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) 
-for Amazon EKS Kubernetes clusters. By default, `eks.Nodegroup` create a nodegroup with x2 `t3.medium` instances. 
+Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances)
+for Amazon EKS Kubernetes clusters. By default, `eks.Nodegroup` create a nodegroup with x2 `t3.medium` instances.
 
 ```ts
 new eks.Nodegroup(stack, 'nodegroup', { cluster });
@@ -128,7 +142,7 @@ AWS Fargate is a technology that provides on-demand, right-sized compute
 capacity for containers. With AWS Fargate, you no longer have to provision,
 configure, or scale groups of virtual machines to run containers. This removes
 the need to choose server types, decide when to scale your node groups, or
-optimize cluster packing. 
+optimize cluster packing.
 
 You can control which pods start on Fargate and how they run with Fargate
 Profiles, which are defined as part of your Amazon EKS cluster.
@@ -348,6 +362,20 @@ new KubernetesResource(this, 'hello-kub', {
 cluster.addResource('hello-kub', service, deployment);
 ```
 
+##### Kubectl Environment
+
+The resources are created in the cluster by running `kubectl apply` from a python lambda function. You can configure the environment of this function by specifying it at cluster instantiation. For example, this can useful in order to configure an http proxy:
+
+```typescript
+const cluster = new eks.Cluster(this, 'hello-eks', {
+  version: eks.KubernetesVersion.V1_16,
+  kubectlEnvironment: {
+    'http_proxy': 'http://proxy.myproxy.com'
+  }
+});
+
+```
+
 #### Adding resources from a URL
 
 The following example will deploy the resource manifest hosting on remote server:

packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts

@@ -261,7 +261,22 @@ export class ClusterResourceHandler extends ResourceHandler {
 }
 
 function parseProps(props: any): aws.EKS.CreateClusterRequest {
-  return props?.Config ?? { };
+
+  const parsed = props?.Config ?? { };
+
+  // this is weird but these boolean properties are passed by CFN as a string, and we need them to be booleanic for the SDK.
+  // Otherwise it fails with 'Unexpected Parameter: params.resourcesVpcConfig.endpointPrivateAccess is expected to be a boolean'
+
+  if (typeof(parsed.resourcesVpcConfig?.endpointPrivateAccess) === 'string') {
+    parsed.resourcesVpcConfig.endpointPrivateAccess = parsed.resourcesVpcConfig.endpointPrivateAccess === 'true';
+  }
+
+  if (typeof(parsed.resourcesVpcConfig?.endpointPublicAccess) === 'string') {
+    parsed.resourcesVpcConfig.endpointPublicAccess = parsed.resourcesVpcConfig.endpointPublicAccess === 'true';
+  }
+
+  return parsed;
+
 }
 
 interface UpdateMap {
@@ -280,16 +295,24 @@ function analyzeUpdate(oldProps: Partial<aws.EKS.CreateClusterRequest>, newProps
   const newVpcProps = newProps.resourcesVpcConfig || { };
   const oldVpcProps = oldProps.resourcesVpcConfig || { };
 
+  const oldPublicAccessCidrs = new Set(oldVpcProps.publicAccessCidrs ?? []);
+  const newPublicAccessCidrs = new Set(newVpcProps.publicAccessCidrs ?? []);
+
   return {
     replaceName: newProps.name !== oldProps.name,
     replaceVpc:
       JSON.stringify(newVpcProps.subnetIds) !== JSON.stringify(oldVpcProps.subnetIds) ||
       JSON.stringify(newVpcProps.securityGroupIds) !== JSON.stringify(oldVpcProps.securityGroupIds),
     updateAccess:
       newVpcProps.endpointPrivateAccess !== oldVpcProps.endpointPrivateAccess ||
-      newVpcProps.endpointPublicAccess !== oldVpcProps.endpointPublicAccess,
+      newVpcProps.endpointPublicAccess !== oldVpcProps.endpointPublicAccess ||
+      !setsEqual(newPublicAccessCidrs, oldPublicAccessCidrs),
     replaceRole: newProps.roleArn !== oldProps.roleArn,
     updateVersion: newProps.version !== oldProps.version,
     updateLogging: JSON.stringify(newProps.logging) !== JSON.stringify(oldProps.logging),
   };
 }
+
+function setsEqual(first: Set<string>, second: Set<string>) {
+  return first.size === second.size || [...first].every((e: string) => second.has(e));
+}

packages/@aws-cdk/aws-eks/lib/cluster-resource.ts

@@ -2,7 +2,26 @@ import * as iam from '@aws-cdk/aws-iam';
 import { ArnComponents, Construct, CustomResource, Lazy, Stack, Token } from '@aws-cdk/core';
 import { CLUSTER_RESOURCE_TYPE } from './cluster-resource-handler/consts';
 import { ClusterResourceProvider } from './cluster-resource-provider';
-import { CfnClusterProps } from './eks.generated';
+import { CfnClusterProps, CfnCluster } from './eks.generated';
+
+export interface ClusterResourceProps extends CfnClusterProps {
+
+  /**
+   * Enable private endpoint access to the cluster.
+   */
+  readonly endpointPrivateAccess: boolean;
+
+  /**
+   * Enable public endpoint access to the cluster.
+   */
+  readonly endpointPublicAccess: boolean;
+
+  /**
+   * Limit public address with CIDR blocks.
+   */
+  readonly publicAccessCidrs?: string[];
+
+}
 
 /**
  * A low-level CFN resource Amazon EKS cluster implemented through a custom
@@ -32,7 +51,7 @@ export class ClusterResource extends Construct {
 
   private readonly trustedPrincipals: string[] = [];
 
-  constructor(scope: Construct, id: string, props: CfnClusterProps) {
+  constructor(scope: Construct, id: string, props: ClusterResourceProps) {
     super(scope, id);
 
     const stack = Stack.of(this);
@@ -117,7 +136,21 @@ export class ClusterResource extends Construct {
       resourceType: CLUSTER_RESOURCE_TYPE,
       serviceToken: provider.serviceToken,
       properties: {
-        Config: props,
+        // the structure of config needs to be that of 'aws.EKS.CreateClusterRequest' since its passed as is
+        // to the eks.createCluster sdk invocation.
+        Config: {
+          name: props.name,
+          version: props.version,
+          roleArn: props.roleArn,
+          encryptionConfig: props.encryptionConfig,
+          resourcesVpcConfig: {
+            subnetIds: (props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty).subnetIds,
+            securityGroupIds: (props.resourcesVpcConfig as CfnCluster.ResourcesVpcConfigProperty).securityGroupIds,
+            endpointPublicAccess: props.endpointPublicAccess,
+            endpointPrivateAccess: props.endpointPrivateAccess,
+            publicAccessCidrs: props.publicAccessCidrs,
+          },
+        },
         AssumeRoleArn: this.creationRole.roleArn,
 
         // IMPORTANT: increment this number when you add new attributes to the