diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
index 361d396c9651a..517e5173deb3d 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts
@@ -848,11 +848,6 @@ export class Cluster extends ClusterBase {
 description: 'EKS Control Plane Security Group',
 });
- this.connections = new ec2.Connections({
- securityGroups: [securityGroup],
- defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API
- });
-
 this.vpcSubnets = props.vpcSubnets ?? [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }];
 // Get subnetIds for all selected subnets
@@ -916,17 +911,9 @@ export class Cluster extends ClusterBase {
 this.kubectlPrivateSubnets = privateSubents;
- this.kubectlSecurityGroup = new ec2.SecurityGroup(this, 'KubectlProviderSecurityGroup', {
- vpc: this.vpc,
- description: 'Comminication between KubectlProvider and EKS Control Plane',
- });
-
- // grant the kubectl provider access to the cluster control plane.
- this.connections.allowFrom(this.kubectlSecurityGroup, this.connections.defaultPort!);
-
- // the security group and vpc must exist in order to properly delete the cluster (since we run `kubectl delete`).
+ // the vpc must exist in order to properly delete the cluster (since we run `kubectl delete`).
 // this ensures that.
- this._clusterResource.node.addDependency(this.kubectlSecurityGroup, this.vpc);
+ this._clusterResource.node.addDependency(this.vpc);
 }
 this.adminRole = resource.adminRole;
@@ -951,6 +938,17 @@ export class Cluster extends ClusterBase {
 this.clusterSecurityGroupId = resource.attrClusterSecurityGroupId;
 this.clusterEncryptionConfigKeyArn = resource.attrEncryptionConfigKeyArn;
+ const clusterSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterSecurityGroup', this.clusterSecurityGroupId);
+
+ this.connections = new ec2.Connections({
+ securityGroups: [clusterSecurityGroup, securityGroup],
+ defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API
+ });
+
+ // we can use the cluster security group since its already attached to the cluster
+ // and configured to allow connections from itself.
+ this.kubectlSecurityGroup = clusterSecurityGroup;
+
 // use the cluster creation role to issue kubectl commands against the cluster because when the
 // cluster is first created, that's the only role that has "system:masters" permissions
 this.kubectlRole = this.adminRole;
@@ -1595,6 +1593,10 @@ class ImportedCluster extends ClusterBase implements ICluster {
 this.connections.addSecurityGroup(ec2.SecurityGroup.fromSecurityGroupId(this, `SecurityGroup${i}`, sgid));
 i++;
 }
+
+ if (props.clusterSecurityGroupId) {
+ this.connections.addSecurityGroup(ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterSecurityGroup', props.clusterSecurityGroupId));
+ }
 }
 public get vpc() {
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json
index 6f10ead0fe30d..13bba49cd6cf4 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json
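Review bot: Assigning the EKS-managed cluster security group to `this.kubectlSecurityGroup` (hunk at line 938) widens the kubectl provider's network exposure compared with the dedicated group this commit removes: as the new comment itself notes, that group allows all traffic between its members, so the provider handler is now reachable from, and can reach, every ENI in the cluster security group on any port rather than only the control plane on 443. That least-privilege trade-off should be stated where a reader will see it, e.g. replace the comment with `// NOTE: the kubectl provider now shares the cluster security group, which permits all traffic between its members (nodes, control-plane ENIs), not just 443 to the API; a dedicated group would be narrower.` Moving the `this.connections` assignment from the hunk at line 848 to after `resource` is created also means any code between those two points that reads `this.connections` would now see it uninitialized; from the visible hunks only the removed `allowFrom` call did, so this looks safe but is worth confirming against the rest of the constructor, which continues outside the hunk.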
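Review bot: In the ImportedCluster hunk at line 1593, `props.clusterSecurityGroupId` is added to `connections` without checking whether the same id was already registered by the loop just above (the one iterating `sgid`), so a caller that passes the cluster security group in both places would register it twice under different construct ids (`SecurityGroup${i}` and `ClusterSecurityGroup`), and any later `allowFrom`/`allowTo` on these connections would then synthesize duplicate ingress rules for the same group, which CloudFormation is likely to reject. If the loop's source is the `securityGroupIds` attribute, a guard such as `if (props.clusterSecurityGroupId && !props.securityGroupIds?.includes(props.clusterSecurityGroupId)) {` avoids that. The constructor starts outside the hunk.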
@@ -581,27 +581,6 @@ } } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup6A0B729C443DF3A2707": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "IpProtocol": "tcp", - "Description": "from awscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup6A0B729C:443", - "FromPort": 443, - "GroupId": { - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - }, - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "ClusterKubectlProviderSecurityGroup2D90691C", - "GroupId" - ] - }, - "ToPort": 443 - } - }, "ClusterCreationRole360249B6": { "Type": "AWS::IAM::Role", "Properties": { @@ -630,7 +609,6 @@ } }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", "VpcPrivateSubnet1DefaultRouteBE02A9ED", "VpcPrivateSubnet1RouteTableB2C5B500", @@ -753,7 +731,6 @@ ] }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", "VpcPrivateSubnet1DefaultRouteBE02A9ED", "VpcPrivateSubnet1RouteTableB2C5B500", @@ -844,7 +821,6 @@ "AttributesRevision": 2 }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "ClusterCreationRoleDefaultPolicyE8BDFC7B", "ClusterCreationRole360249B6", "VpcIGWD7BA715C", @@ -880,22 +856,6 @@ "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, - "ClusterKubectlProviderSecurityGroup2D90691C": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "Comminication between KubectlProvider and EKS Control Plane", - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - } - ], - "VpcId": { - "Ref": "Vpc8378EB38" - } - } - }, "ClusterKubectlReadyBarrier200052AF": { "Type": "AWS::SSM::Parameter", "Properties": { 
@@ -1168,7 +1128,7 @@ }, "/", { - "Ref": "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3Bucket12418C8C" + "Ref": "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3Bucket39E2BF35" }, "/", { @@ -1178,7 +1138,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3VersionKey8C9B24CA" + "Ref": "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3VersionKey0218A255" } ] } @@ -1191,7 +1151,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3VersionKey8C9B24CA" + "Ref": "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3VersionKey0218A255" } ] } @@ -1228,10 +1188,10 @@ "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet3SubnetC47FD39ARef": { "Ref": "VpcPrivateSubnet3SubnetF258B56E" }, - "referencetoawscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup67FA4325GroupId": { + "referencetoawscdkeksclusterprivateendpointtestClusterF4CF4FE8ClusterSecurityGroupId": { "Fn::GetAtt": [ - "ClusterKubectlProviderSecurityGroup2D90691C", - "GroupId" + "Cluster9EE0221C", + "ClusterSecurityGroupId" ] }, "referencetoawscdkeksclusterprivateendpointtestAssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3Bucket41FE7429Ref": { 
@@ -1335,17 +1295,17 @@ "Type": "String", "Description": "Artifact hash for asset \"570f91ed45d0c45e8ff145969f7499419312e806c83f009b76539ce989960e51\"" }, - "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3Bucket12418C8C": { + "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3Bucket39E2BF35": { "Type": "String", - "Description": "S3 bucket for asset \"daac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20\"" + "Description": "S3 bucket for asset \"e843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796\"" }, - "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3VersionKey8C9B24CA": { + "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3VersionKey0218A255": { "Type": "String", - "Description": "S3 key for asset version \"daac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20\"" + "Description": "S3 key for asset version \"e843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796\"" }, - "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20ArtifactHash90BA6C4A": { + "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796ArtifactHash0AFD7EAC": { "Type": "String", - "Description": "Artifact hash for asset \"daac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20\"" + "Description": "Artifact hash for asset \"e843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index de3b921a2755b..b015b80826d45 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json 
@@ -4,24 +4,26 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::12345678:root" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" } } @@ -30,41 +32,43 @@ "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { - "Statement": [{ - "Action": [ - "kms:Create*", - "kms:Describe*", - "kms:Enable*", - "kms:List*", - "kms:Put*", - "kms:Update*", - "kms:Revoke*", - "kms:Disable*", - "kms:Get*", - "kms:Delete*", - "kms:ScheduleKeyDeletion", - "kms:CancelKeyDeletion", - "kms:GenerateDataKey", - "kms:TagResource", - "kms:UntagResource" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::12345678:root" + "Statement": [ + { + "Action": [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", + "kms:GenerateDataKey", + "kms:TagResource", + "kms:UntagResource" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] ] - ] - } - }, - "Resource": "*" - }], + } + }, + "Resource": "*" + } + ], "Version": "2012-10-17" } }, @@ -78,10 +82,12 @@ "EnableDnsHostnames": true, "EnableDnsSupport": true, "InstanceTenancy": "default", - "Tags": [{ - "Key": "Name", - "Value": "aws-cdk-eks-cluster-test/Vpc" - }] + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-test/Vpc" + } + ] } }, "VpcPublicSubnet1Subnet5C2D37C4": { 
@@ -93,7 +99,8 @@ }, "AvailabilityZone": "test-region-1a", "MapPublicIpOnLaunch": true, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Public" }, @@ -118,7 +125,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -159,7 +167,8 @@ "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc", - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -182,7 +191,8 @@ "SubnetId": { "Ref": "VpcPublicSubnet1Subnet5C2D37C4" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -202,7 +212,8 @@ }, "AvailabilityZone": "test-region-1b", "MapPublicIpOnLaunch": true, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Public" }, @@ -227,7 +238,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -273,7 +285,8 @@ }, "AvailabilityZone": "test-region-1c", "MapPublicIpOnLaunch": true, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Public" }, @@ -298,7 +311,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -344,7 +358,8 @@ }, "AvailabilityZone": "test-region-1a", "MapPublicIpOnLaunch": false, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Private" }, @@ -369,7 +384,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, @@ -412,7 +428,8 @@ }, "AvailabilityZone": "test-region-1b", "MapPublicIpOnLaunch": false, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Private" }, @@ -437,7 +454,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, 
@@ -480,7 +498,8 @@ }, "AvailabilityZone": "test-region-1c", "MapPublicIpOnLaunch": false, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Private" }, @@ -505,7 +524,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, @@ -542,10 +562,12 @@ "VpcIGWD7BA715C": { "Type": "AWS::EC2::InternetGateway", "Properties": { - "Tags": [{ - "Key": "Name", - "Value": "aws-cdk-eks-cluster-test/Vpc" - }] + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-test/Vpc" + } + ] } }, "VpcVPCGWBF912B6E": { 
@@ -563,64 +585,49 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "eks.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/AmazonEKSClusterPolicy" + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSClusterPolicy" + ] ] - ] - }] + } + ] } }, "ClusterControlPlaneSecurityGroupD274242C": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "EKS Control Plane Security Group", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], "VpcId": { "Ref": "Vpc8378EB38" } } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterKubectlProviderSecurityGroup0285626644359187EDA": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "IpProtocol": "tcp", - "Description": "from awscdkeksclustertestClusterKubectlProviderSecurityGroup02856266:443", - "FromPort": 443, - "GroupId": { - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - }, - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "ClusterKubectlProviderSecurityGroup2D90691C", - "GroupId" - ] - }, - "ToPort": 443 - } - }, "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C54443795AF111": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -730,29 +737,30 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::12345678:root" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" } }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", "VpcPrivateSubnet1DefaultRouteBE02A9ED", "VpcPrivateSubnet1RouteTableB2C5B500", @@ -788,7 +796,8 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Statement": [{ + "Statement": [ + { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { @@ -892,12 +901,13 @@ "Version": "2012-10-17" }, "PolicyName": "ClusterCreationRoleDefaultPolicyE8BDFC7B", - "Roles": [{ - "Ref": "ClusterCreationRole360249B6" - }] + "Roles": [ + { + "Ref": "ClusterCreationRole360249B6" + } + ] }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", "VpcPrivateSubnet1DefaultRouteBE02A9ED", "VpcPrivateSubnet1RouteTableB2C5B500", @@ -946,21 +956,24 @@ "Arn" ] }, - "encryptionConfig": [{ - "provider": { - "keyArn": { - "Fn::GetAtt": [ - "SecretsKey317DCF94", - "Arn" - ] - } - }, - "resources": [ - "secrets" - ] - }], + "encryptionConfig": [ + { + "provider": { + "keyArn": { + "Fn::GetAtt": [ + "SecretsKey317DCF94", + "Arn" + ] + } + }, + "resources": [ + "secrets" + ] + } + ], "resourcesVpcConfig": { - "subnetIds": [{ + "subnetIds": [ + { "Ref": "VpcPublicSubnet1Subnet5C2D37C4" }, { 
@@ -979,12 +992,14 @@ "Ref": "VpcPrivateSubnet3SubnetF258B56E" } ], - "securityGroupIds": [{ - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - }], + "securityGroupIds": [ + { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + } + ], "endpointPublicAccess": true, "endpointPrivateAccess": true } @@ -998,7 +1013,6 @@ "AttributesRevision": 2 }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "ClusterCreationRoleDefaultPolicyE8BDFC7B", "ClusterCreationRole360249B6", "VpcIGWD7BA715C", @@ -1034,20 +1048,6 @@ "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, - "ClusterKubectlProviderSecurityGroup2D90691C": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "Comminication between KubectlProvider and EKS Control Plane", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "VpcId": { - "Ref": "Vpc8378EB38" - } - } - }, "ClusterKubectlReadyBarrier200052AF": { "Type": "AWS::SSM::Parameter", "Properties": { 
@@ -1062,6 +1062,111 @@ "Cluster9EE0221C" ] }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C544432C10EDB4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C54:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterNodesInstanceSecurityGroup899246BD", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterNodesArmInstanceSecurityGroup52C45858443A88C1345": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterNodesArmInstanceSecurityGroup52C45858:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterNodesArmInstanceSecurityGroup599F388B", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterBottlerocketNodesInstanceSecurityGroup83FE7914443A80EB501": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterBottlerocketNodesInstanceSecurityGroup83FE7914:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterspotInstanceSecurityGroupF50F5D474432A818F38": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterspotInstanceSecurityGroupF50F5D47:443", + "FromPort": 
443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C5144320402117": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterAwsAuthmanifestFE51F8AE": { "Type": "Custom::AWSCDK-EKS-KubernetesResource", "Properties": { @@ -1183,26 +1288,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -1253,7 +1361,8 @@ "Arn" ] }, - "Subnets": [{ + "Subnets": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { 
@@ -1279,27 +1388,31 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "eks-fargate-pods.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "eks-fargate-pods.amazonaws.com" + } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy" + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy" + ] ] - ] - }] + } + ] } }, "ClusterfargateprofiledefaultEFC59F14": { @@ -1327,9 +1440,11 @@ "Arn" ] }, - "selectors": [{ - "namespace": "default" - }] + "selectors": [ + { + "namespace": "default" + } + ] } }, "UpdateReplacePolicy": "Delete", @@ -1339,12 +1454,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/Nodes/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", 
@@ -1387,6 +1505,27 @@ } } }, + "ClusterNodesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32443DC7FAF39": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterNodesInstanceSecurityGroup899246BD", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterNodesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134443AE10EB12": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1408,6 +1547,27 @@ "ToPort": 443 } }, + "ClusterNodesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32102565535D6A46ADB": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterNodesInstanceSecurityGroup899246BD", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterNodesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301341025655359F401D0D": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -1433,26 +1593,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -1489,7 +1652,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1513,9 +1677,11 @@ "ClusterNodesInstanceProfileF2DD0E21": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterNodesInstanceRoleC3C01328" - }] + "Roles": [ + { + "Ref": "ClusterNodesInstanceRoleC3C01328" + } + ] } }, "ClusterNodesLaunchConfig7C420A27": { @@ -1528,12 +1694,14 @@ "IamInstanceProfile": { "Ref": "ClusterNodesInstanceProfileF2DD0E21" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterNodesInstanceSecurityGroup899246BD", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterNodesInstanceSecurityGroup899246BD", + "GroupId" + ] + } + ], "UserData": { "Fn::Base64": { "Fn::Join": [ @@ -1561,7 +1729,8 @@ "LaunchConfigurationName": { "Ref": "ClusterNodesLaunchConfig7C420A27" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1582,7 +1751,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/Nodes" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { 
@@ -1603,12 +1773,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/NodesArm/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1651,6 +1824,27 @@ } } }, + "ClusterNodesArmInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32443AC8AE5BF": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterNodesArmInstanceSecurityGroup599F388B", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterNodesArmInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F13013444328ED4211": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -1672,6 +1866,27 @@ "ToPort": 443 } }, + "ClusterNodesArmInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32102565535F5718241": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterNodesArmInstanceSecurityGroup599F388B", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterNodesArmInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F13013410256553586052D07": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1697,26 +1912,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -1753,7 +1971,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1777,9 +1996,11 @@ "ClusterNodesArmInstanceProfile158C5C9F": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterNodesArmInstanceRoleB93D3298" - }] + "Roles": [ + { + "Ref": "ClusterNodesArmInstanceRoleB93D3298" + } + ] } }, "ClusterNodesArmLaunchConfigAAF61344": { 
@@ -1792,12 +2013,14 @@ "IamInstanceProfile": { "Ref": "ClusterNodesArmInstanceProfile158C5C9F" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterNodesArmInstanceSecurityGroup599F388B", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterNodesArmInstanceSecurityGroup599F388B", + "GroupId" + ] + } + ], "UserData": { "Fn::Base64": { "Fn::Join": [ @@ -1825,7 +2048,8 @@ "LaunchConfigurationName": { "Ref": "ClusterNodesArmLaunchConfigAAF61344" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1846,7 +2070,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/NodesArm" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -1867,12 +2092,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1915,6 +2143,27 @@ } } }, + "ClusterBottlerocketNodesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32443D1686B16": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterBottlerocketNodesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134443A6D43789": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -1936,6 +2185,27 @@ "ToPort": 443 } }, + "ClusterBottlerocketNodesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32102565535674E85A7": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterBottlerocketNodesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301341025655352CE8AD9A": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1961,26 +2231,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2017,7 +2290,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2041,9 +2315,11 @@ "ClusterBottlerocketNodesInstanceProfileB6E2F25A": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterBottlerocketNodesInstanceRole68E4BCFB" - }] + "Roles": [ + { + "Ref": "ClusterBottlerocketNodesInstanceRole68E4BCFB" + } + ] } }, "ClusterBottlerocketNodesLaunchConfig76D7BEBE": { 
@@ -2056,12 +2332,14 @@ "IamInstanceProfile": { "Ref": "ClusterBottlerocketNodesInstanceProfileB6E2F25A" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "GroupId" + ] + } + ], "UserData": { "Fn::Base64": { "Fn::Join": [ @@ -2103,7 +2381,8 @@ "LaunchConfigurationName": { "Ref": "ClusterBottlerocketNodesLaunchConfig76D7BEBE" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2124,7 +2403,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -2145,12 +2425,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/spot/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", 
@@ -2187,10 +2470,31 @@ }, "SourceSecurityGroupId": { "Fn::GetAtt": [ - "ClusterspotInstanceSecurityGroup01F7B1CE", - "GroupId" + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + } + } + }, + "ClusterspotInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A324438F751704": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" ] - } + }, + "ToPort": 443 } }, "ClusterspotInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301344430650F325": { @@ -2214,6 +2518,27 @@ "ToPort": 443 } }, + "ClusterspotInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A321025655350D837827": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterspotInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134102565535C7203235": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -2239,26 +2564,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2295,7 +2623,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2319,9 +2648,11 @@ "ClusterspotInstanceProfileAB88D077": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterspotInstanceRole39043830" - }] + "Roles": [ + { + "Ref": "ClusterspotInstanceRole39043830" + } + ] } }, "ClusterspotLaunchConfigCC19F2E6": { @@ -2334,12 +2665,14 @@ "IamInstanceProfile": { "Ref": "ClusterspotInstanceProfileAB88D077" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterspotInstanceSecurityGroup01F7B1CE", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + } + ], "SpotPrice": "0.1094", "UserData": { "Fn::Base64": { @@ -2368,7 +2701,8 @@ "LaunchConfigurationName": { "Ref": "ClusterspotLaunchConfigCC19F2E6" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2389,7 +2723,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/spot" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { 
@@ -2442,12 +2777,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2490,6 +2828,27 @@ } } }, + "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32443F6A7B9A5": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301344437B48FD33": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -2511,6 +2870,27 @@ "ToPort": 443 } }, + "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A321025655351C7B1E72": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134102565535A460F673": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -2536,26 +2916,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2592,7 +2975,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2616,9 +3000,11 @@ "ClusterInferenceInstancesInstanceProfile5A1209B4": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterInferenceInstancesInstanceRole59AC6F56" - }] + "Roles": [ + { + "Ref": "ClusterInferenceInstancesInstanceRole59AC6F56" + } + ] } }, "ClusterInferenceInstancesLaunchConfig03BF48FE": { 
@@ -2631,12 +3017,14 @@ "IamInstanceProfile": { "Ref": "ClusterInferenceInstancesInstanceProfile5A1209B4" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + } + ], "UserData": { "Fn::Base64": { "Fn::Join": [ @@ -2664,7 +3052,8 @@ "LaunchConfigurationName": { "Ref": "ClusterInferenceInstancesLaunchConfig03BF48FE" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2685,7 +3074,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -2732,26 +3122,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2802,7 +3195,8 @@ "Arn" ] }, - "Subnets": [{ + "Subnets": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { 
@@ -2828,26 +3222,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2898,7 +3295,8 @@ "Arn" ] }, - "Subnets": [{ + "Subnets": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -2932,7 +3330,8 @@ "Arn" ] }, - "Subnets": [{ + "Subnets": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -3114,23 +3513,25 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "Fn::GetAtt": [ - "ClusterMyServiceAccountConditionJson671C0633", - "Value" - ] - } - }, - "Effect": "Allow", - "Principal": { - "Federated": { - "Ref": "ClusterOpenIdConnectProviderE7EB0530" + "Statement": [ + { + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "Fn::GetAtt": [ + "ClusterMyServiceAccountConditionJson671C0633", + "Value" + ] + } + }, + "Effect": "Allow", + "Principal": { + "Federated": { + "Ref": "ClusterOpenIdConnectProviderE7EB0530" + } } } - }], + ], "Version": "2012-10-17" } } @@ -3376,7 +3777,7 @@ }, "/", { - "Ref": "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3BucketCA7ADF01" + "Ref": "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3BucketC456B560" }, "/", { 
@@ -3386,7 +3787,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3VersionKey822F0346" + "Ref": "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3VersionKeyA1DAD649" } ] } @@ -3399,7 +3800,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3VersionKey822F0346" + "Ref": "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3VersionKeyA1DAD649" } ] } @@ -3436,10 +3837,10 @@ "referencetoawscdkeksclustertestVpcPrivateSubnet3Subnet7F5D6918Ref": { "Ref": "VpcPrivateSubnet3SubnetF258B56E" }, - "referencetoawscdkeksclustertestClusterKubectlProviderSecurityGroupD167EE6BGroupId": { + "referencetoawscdkeksclustertestClusterD76DFF87ClusterSecurityGroupId": { "Fn::GetAtt": [ - "ClusterKubectlProviderSecurityGroup2D90691C", - "GroupId" + "Cluster9EE0221C", + "ClusterSecurityGroupId" ] }, "referencetoawscdkeksclustertestAssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3Bucket85526CA7Ref": { @@ -3480,17 +3881,21 @@ "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } } - }] + ] }, - "ManagedPolicyArns": [{ - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - }] + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] } }, "AWSCDKCfnUtilsProviderCustomResourceProviderHandlerCF82AA57": { @@ -3503,7 +3908,8 @@ "S3Key": { "Fn::Join": [ "", - [{ + [ + { "Fn::Select": [ 0, { 
@@ -3553,34 +3959,42 @@ "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - }] - }, - "ManagedPolicyArns": [{ - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - }], - "Policies": [{ - "PolicyName": "Inline", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [{ + "Statement": [ + { + "Action": "sts:AssumeRole", "Effect": "Allow", - "Resource": "*", - "Action": [ - "iam:CreateOpenIDConnectProvider", - "iam:DeleteOpenIDConnectProvider", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:AddClientIDToOpenIDConnectProvider", - "iam:RemoveClientIDFromOpenIDConnectProvider" + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ], + "Policies": [ + { + "PolicyName": "Inline", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": "*", + "Action": [ + "iam:CreateOpenIDConnectProvider", + "iam:DeleteOpenIDConnectProvider", + "iam:UpdateOpenIDConnectProviderThumbprint", + "iam:AddClientIDToOpenIDConnectProvider", + "iam:RemoveClientIDFromOpenIDConnectProvider" + ] + } ] - }] + } } - }] + ] } }, "CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0": { @@ -3593,7 +4007,8 @@ "S3Key": { "Fn::Join": [ "", - [{ + [ + { "Fn::Select": [ 0, { 
@@ -3642,11 +4057,13 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/WebServiceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], "VpcId": { "Ref": "Vpc8378EB38" } @@ -3677,16 +4094,19 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -3723,7 +4143,8 @@ "S3Key": { "Fn::Join": [ "", - [{ + [ + { "Fn::Select": [ 0, { @@ -3763,13 +4184,16 @@ "Runtime": "python3.6", "Timeout": 600, "VpcConfig": { - "SecurityGroupIds": [{ - "Fn::GetAtt": [ - "WebServiceSecurityGroupA556AEB5", - "GroupId" - ] - }], - "SubnetIds": [{ + "SecurityGroupIds": [ + { + "Fn::GetAtt": [ + "WebServiceSecurityGroupA556AEB5", + "GroupId" + ] + } + ], + "SubnetIds": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { 
@@ -3789,49 +4213,57 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] ] - ] - }] + } + ] } }, "ServicePingerProviderframeworkonEventServiceRoleDefaultPolicyD142E8F7": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Statement": [{ - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "ServicePingerFunctionADF51BAF", - "Arn" - ] + "Statement": [ + { + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "ServicePingerFunctionADF51BAF", + "Arn" + ] + } } - }], + ], "Version": "2012-10-17" }, "PolicyName": "ServicePingerProviderframeworkonEventServiceRoleDefaultPolicyD142E8F7", - "Roles": [{ - "Ref": "ServicePingerProviderframeworkonEventServiceRole3DB083B7" - }] + "Roles": [ + { + "Ref": "ServicePingerProviderframeworkonEventServiceRole3DB083B7" + } + ] } }, "ServicePingerProviderframeworkonEventEC59DE20": { @@ -3844,7 +4276,8 @@ "S3Key": { "Fn::Join": [ "", - [{ + [ + { "Fn::Select": [ 0, { 
@@ -4109,17 +4542,17 @@ "Type": "String", "Description": "Artifact hash for asset \"04fa2d485a51abd8261468eb6fa053d3a72242fc068fa75683232a52960b30cf\"" }, - "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3BucketCA7ADF01": { + "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3BucketC456B560": { "Type": "String", - "Description": "S3 bucket for asset \"a298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dc\"" + "Description": "S3 bucket for asset \"215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11\"" }, - "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3VersionKey822F0346": { + "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3VersionKeyA1DAD649": { "Type": "String", - "Description": "S3 key for asset version \"a298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dc\"" + "Description": "S3 key for asset version \"215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11\"" }, - "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcArtifactHashA688F4F0": { + "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11ArtifactHash95B6846D": { "Type": "String", - "Description": "Artifact hash for asset \"a298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dc\"" + "Description": "Artifact hash for asset \"215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11\"" }, "SsmParameterValueawsserviceeksoptimizedami117amazonlinux2recommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter": { "Type": "AWS::SSM::Parameter::Value", @@ -4142,4 +4575,4 @@ "Default": "/aws/service/eks/optimized-ami/1.14/amazon-linux-2/recommended/image_id" } } -} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 15875190fc877..21570dd2b437c 100644 
--- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts @@ -20,6 +20,61 @@ const CLUSTER_VERSION = eks.KubernetesVersion.V1_16; export = { + 'cluster connections include both control plane and cluster security group'(test: Test) { + + const { stack } = testFixture(); + + const cluster = new eks.Cluster(stack, 'Cluster', { + version: eks.KubernetesVersion.V1_17, + }); + + test.deepEqual(cluster.connections.securityGroups.map(sg => stack.resolve(sg.securityGroupId)), [ + { 'Fn::GetAtt': ['Cluster9EE0221C', 'ClusterSecurityGroupId'] }, + { 'Fn::GetAtt': ['ClusterControlPlaneSecurityGroupD274242C', 'GroupId'] }, + ]); + + test.done(); + + }, + + 'can declare a security group from a different stack'(test: Test) { + + class ClusterStack extends cdk.Stack { + public eksCluster: eks.Cluster; + + constructor(scope: cdk.Construct, id: string, props: { sg: ec2.ISecurityGroup, vpc: ec2.IVpc }) { + super(scope, id); + this.eksCluster = new eks.Cluster(this, 'Cluster', { + version: eks.KubernetesVersion.V1_17, + securityGroup: props.sg, + vpc: props.vpc, + }); + } + } + + class NetworkStack extends cdk.Stack { + + public readonly securityGroup: ec2.ISecurityGroup; + public readonly vpc: ec2.IVpc; + + constructor(scope: cdk.Construct, id: string) { + super(scope, id); + this.vpc = new ec2.Vpc(this, 'Vpc'); + this.securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', { vpc: this.vpc }); + } + + } + + const { app } = testFixture(); + const networkStack = new NetworkStack(app, 'NetworkStack'); + new ClusterStack(app, 'ClusterStack', { sg: networkStack.securityGroup, vpc: networkStack.vpc }); + + // make sure we can synth (no circular dependencies between the stacks) + app.synth(); + + test.done(); + }, + 'can declare a manifest with a token from a different stack than the cluster that depends on the cluster stack'(test: Test) { class ClusterStack extends cdk.Stack { 
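Review bot: The first test pins that `cluster.connections` now lists the EKS-managed cluster security group ahead of the control-plane SG, but neither the test nor a comment records what that widens: every `cluster.connections.allowFrom(peer, port)` now writes an ingress rule onto the cluster SG as well, and since that SG is (as I understand the EKS model) also attached to the control-plane ENIs and managed node groups, a grant intended only for the HTTPS API endpoint also reaches those nodes. The generated expected output elsewhere in this change already shows the knock-on effect on self-managed nodegroups, each of which gains 443 and 1025-65535 ingress from the cluster SG next to the pre-existing control-plane rules. I'd state that above the `test.deepEqual`, e.g. `// NOTE: rules granted via cluster.connections land on the EKS-managed cluster SG too, which is shared with control-plane ENIs and managed nodes`, and add an assertion that the kubectl handler is placed in that same SG so the lambda-to-control-plane path stays covered, e.g. `test.deepEqual(stack.resolve(cluster.kubectlSecurityGroup?.securityGroupId), { 'Fn::GetAtt': ['Cluster9EE0221C', 'ClusterSecurityGroupId'] });` (assuming `kubectlSecurityGroup` is readable from the test; the cross-stack `Ref` in the later hunks suggests it is). The enclosing `export = {` test map continues past the hunk.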
@@ -1987,7 +2042,7 @@ export = {
 VpcConfig: {
 SecurityGroupIds: [
 {
- Ref: 'referencetoStackCluster1KubectlProviderSecurityGroupDF05D03AGroupId',
+ Ref: 'referencetoStackCluster18DFEAC17ClusterSecurityGroupId',
 },
 ],
 SubnetIds: [
@@ -2102,7 +2157,7 @@ export = {
 VpcConfig: {
 SecurityGroupIds: [
 {
- Ref: 'referencetoStackCluster1KubectlProviderSecurityGroupDF05D03AGroupId',
+ Ref: 'referencetoStackCluster18DFEAC17ClusterSecurityGroupId',
 },
 ],
 SubnetIds: [