From 857acbbb7f26feecca938dc881add57fe5cae7e4 Mon Sep 17 00:00:00 2001 From: Eli Polonsky Date: Tue, 15 Sep 2020 01:04:15 +0300 Subject: [PATCH] fix(eks): circular dependencies when security groups from other stacks are used (#10339) @eladb While working on this for the `aws-eks-next` module, i've started to second guess whether we really need to force cluster replacement. This little PR fixes all the circular dependency issues as well as corrects the `cluster.connections` to include the EKS managed cluster security group. **It does not require cluster replacement**. Merging this PR will leave two quirks/limitations: - The cluster will have a redundant control plane security group, just like it has now. While redundant, it doesn't hurt, and doesn't really justify a cluster replacement. - One cluster per stack, just like we have now. I think we've already agreed that this limitation also does not justify cluster replacement, and the only reason we wanted to implement it is because we wanted to piggy back on the previous argument, which I now believe is not strong enough. WDYT? -------- This PR resolves a few problem related to circular dependencies when the cluster is configured with security groups from other stacks. ## Problem Currently, the cluster creates a dedicated security group for the `KubectlProvider` and configures the main control plane security group to allow connections from it: https://github.com/aws/aws-cdk/blob/f5c5d060ffee19ac3daa47cbf6df8d3563133433/packages/%40aws-cdk/aws-eks/lib/cluster.ts#L918-L924 This eventually creates ingress rules in the stack of control plane security group. These ingress rules refer to the `KubectlProvider` creates in the cluster stack, hence, a dependency if formed between the control plane security group stack, and the cluster stack. `Control Plane Security Group Stack => Cluster Stack` (Control plane sg needs to allow connections from kubectl sg) On the other hand, the cluster stack naturally depends on the control plane security group stack because the cluster needs the security group when its created. And so: `Cluster Stack => Control Plane Security Group Stack` (Cluster needs the security group) When these two stacks are different, a circular dependency is created. ## Solution Do not create a security group for the `KubectlProvider` at all, and simply re-use the EKS managed security group. This security group is already configured to allow connections to the control plane, so if we simply attach it to the `KubectlProvider`, everything should work. This avoids the creation of the first dependency direction. Fixes #9754 Fixes #10020 Fixes #9536 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 32 +- ...eks-cluster-private-endpoint.expected.json | 64 +- .../test/integ.eks-cluster.expected.json | 1475 +++++++++++------ .../@aws-cdk/aws-eks/test/test.cluster.ts | 59 +- 4 files changed, 1040 insertions(+), 590 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 361d396c9651a..517e5173deb3d 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -848,11 +848,6 @@ export class Cluster extends ClusterBase { description: 'EKS Control Plane Security Group', }); - this.connections = new ec2.Connections({ - securityGroups: [securityGroup], - defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API - }); - this.vpcSubnets = props.vpcSubnets ?? [{ subnetType: ec2.SubnetType.PUBLIC }, { subnetType: ec2.SubnetType.PRIVATE }]; // Get subnetIds for all selected subnets @@ -916,17 +911,9 @@ export class Cluster extends ClusterBase { this.kubectlPrivateSubnets = privateSubents; - this.kubectlSecurityGroup = new ec2.SecurityGroup(this, 'KubectlProviderSecurityGroup', { - vpc: this.vpc, - description: 'Comminication between KubectlProvider and EKS Control Plane', - }); - - // grant the kubectl provider access to the cluster control plane. - this.connections.allowFrom(this.kubectlSecurityGroup, this.connections.defaultPort!); - - // the security group and vpc must exist in order to properly delete the cluster (since we run `kubectl delete`). + // the vpc must exist in order to properly delete the cluster (since we run `kubectl delete`). // this ensures that. - this._clusterResource.node.addDependency(this.kubectlSecurityGroup, this.vpc); + this._clusterResource.node.addDependency(this.vpc); } this.adminRole = resource.adminRole; @@ -951,6 +938,17 @@ export class Cluster extends ClusterBase { this.clusterSecurityGroupId = resource.attrClusterSecurityGroupId; this.clusterEncryptionConfigKeyArn = resource.attrEncryptionConfigKeyArn; + const clusterSecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterSecurityGroup', this.clusterSecurityGroupId); + + this.connections = new ec2.Connections({ + securityGroups: [clusterSecurityGroup, securityGroup], + defaultPort: ec2.Port.tcp(443), // Control Plane has an HTTPS API + }); + + // we can use the cluster security group since its already attached to the cluster + // and configured to allow connections from itself. + this.kubectlSecurityGroup = clusterSecurityGroup; + // use the cluster creation role to issue kubectl commands against the cluster because when the // cluster is first created, that's the only role that has "system:masters" permissions this.kubectlRole = this.adminRole; @@ -1595,6 +1593,10 @@ class ImportedCluster extends ClusterBase implements ICluster { this.connections.addSecurityGroup(ec2.SecurityGroup.fromSecurityGroupId(this, `SecurityGroup${i}`, sgid)); i++; } + + if (props.clusterSecurityGroupId) { + this.connections.addSecurityGroup(ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterSecurityGroup', props.clusterSecurityGroupId)); + } } public get vpc() { diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json index 6f10ead0fe30d..13bba49cd6cf4 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json @@ -581,27 +581,6 @@ } } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup6A0B729C443DF3A2707": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "IpProtocol": "tcp", - "Description": "from awscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup6A0B729C:443", - "FromPort": 443, - "GroupId": { - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - }, - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "ClusterKubectlProviderSecurityGroup2D90691C", - "GroupId" - ] - }, - "ToPort": 443 - } - }, "ClusterCreationRole360249B6": { "Type": "AWS::IAM::Role", "Properties": { @@ -630,7 +609,6 @@ } }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", "VpcPrivateSubnet1DefaultRouteBE02A9ED", "VpcPrivateSubnet1RouteTableB2C5B500", @@ -753,7 +731,6 @@ ] }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", "VpcPrivateSubnet1DefaultRouteBE02A9ED", "VpcPrivateSubnet1RouteTableB2C5B500", @@ -844,7 +821,6 @@ "AttributesRevision": 2 }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "ClusterCreationRoleDefaultPolicyE8BDFC7B", "ClusterCreationRole360249B6", "VpcIGWD7BA715C", @@ -880,22 +856,6 @@ "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, - "ClusterKubectlProviderSecurityGroup2D90691C": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "Comminication between KubectlProvider and EKS Control Plane", - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - } - ], - "VpcId": { - "Ref": "Vpc8378EB38" - } - } - }, "ClusterKubectlReadyBarrier200052AF": { "Type": "AWS::SSM::Parameter", "Properties": { @@ -1168,7 +1128,7 @@ }, "/", { - "Ref": "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3Bucket12418C8C" + "Ref": "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3Bucket39E2BF35" }, "/", { @@ -1178,7 +1138,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3VersionKey8C9B24CA" + "Ref": "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3VersionKey0218A255" } ] } @@ -1191,7 +1151,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3VersionKey8C9B24CA" + "Ref": "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3VersionKey0218A255" } ] } @@ -1228,10 +1188,10 @@ "referencetoawscdkeksclusterprivateendpointtestVpcPrivateSubnet3SubnetC47FD39ARef": { "Ref": "VpcPrivateSubnet3SubnetF258B56E" }, - "referencetoawscdkeksclusterprivateendpointtestClusterKubectlProviderSecurityGroup67FA4325GroupId": { + "referencetoawscdkeksclusterprivateendpointtestClusterF4CF4FE8ClusterSecurityGroupId": { "Fn::GetAtt": [ - "ClusterKubectlProviderSecurityGroup2D90691C", - "GroupId" + "Cluster9EE0221C", + "ClusterSecurityGroupId" ] }, "referencetoawscdkeksclusterprivateendpointtestAssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3Bucket41FE7429Ref": { @@ -1335,17 +1295,17 @@ "Type": "String", "Description": "Artifact hash for asset \"570f91ed45d0c45e8ff145969f7499419312e806c83f009b76539ce989960e51\"" }, - "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3Bucket12418C8C": { + "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3Bucket39E2BF35": { "Type": "String", - "Description": "S3 bucket for asset \"daac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20\"" + "Description": "S3 bucket for asset \"e843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796\"" }, - "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20S3VersionKey8C9B24CA": { + "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796S3VersionKey0218A255": { "Type": "String", - "Description": "S3 key for asset version \"daac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20\"" + "Description": "S3 key for asset version \"e843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796\"" }, - "AssetParametersdaac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20ArtifactHash90BA6C4A": { + "AssetParameterse843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796ArtifactHash0AFD7EAC": { "Type": "String", - "Description": "Artifact hash for asset \"daac37af2b50452c854a73ef7e2c57d5229667e390db39773ffb9dfb497bbd20\"" + "Description": "Artifact hash for asset \"e843c57c7bcb07856b1680280dc9387725661764509856e890ae6e18a5e40796\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json index de3b921a2755b..b015b80826d45 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json @@ -4,24 +4,26 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::12345678:root" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" } } @@ -30,41 +32,43 @@ "Type": "AWS::KMS::Key", "Properties": { "KeyPolicy": { - "Statement": [{ - "Action": [ - "kms:Create*", - "kms:Describe*", - "kms:Enable*", - "kms:List*", - "kms:Put*", - "kms:Update*", - "kms:Revoke*", - "kms:Disable*", - "kms:Get*", - "kms:Delete*", - "kms:ScheduleKeyDeletion", - "kms:CancelKeyDeletion", - "kms:GenerateDataKey", - "kms:TagResource", - "kms:UntagResource" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::12345678:root" + "Statement": [ + { + "Action": [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion", + "kms:GenerateDataKey", + "kms:TagResource", + "kms:UntagResource" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] ] - ] - } - }, - "Resource": "*" - }], + } + }, + "Resource": "*" + } + ], "Version": "2012-10-17" } }, @@ -78,10 +82,12 @@ "EnableDnsHostnames": true, "EnableDnsSupport": true, "InstanceTenancy": "default", - "Tags": [{ - "Key": "Name", - "Value": "aws-cdk-eks-cluster-test/Vpc" - }] + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-test/Vpc" + } + ] } }, "VpcPublicSubnet1Subnet5C2D37C4": { @@ -93,7 +99,8 @@ }, "AvailabilityZone": "test-region-1a", "MapPublicIpOnLaunch": true, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Public" }, @@ -118,7 +125,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -159,7 +167,8 @@ "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc", - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -182,7 +191,8 @@ "SubnetId": { "Ref": "VpcPublicSubnet1Subnet5C2D37C4" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -202,7 +212,8 @@ }, "AvailabilityZone": "test-region-1b", "MapPublicIpOnLaunch": true, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Public" }, @@ -227,7 +238,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -273,7 +285,8 @@ }, "AvailabilityZone": "test-region-1c", "MapPublicIpOnLaunch": true, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Public" }, @@ -298,7 +311,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/elb", "Value": "1" }, @@ -344,7 +358,8 @@ }, "AvailabilityZone": "test-region-1a", "MapPublicIpOnLaunch": false, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Private" }, @@ -369,7 +384,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, @@ -412,7 +428,8 @@ }, "AvailabilityZone": "test-region-1b", "MapPublicIpOnLaunch": false, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Private" }, @@ -437,7 +454,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, @@ -480,7 +498,8 @@ }, "AvailabilityZone": "test-region-1c", "MapPublicIpOnLaunch": false, - "Tags": [{ + "Tags": [ + { "Key": "aws-cdk:subnet-name", "Value": "Private" }, @@ -505,7 +524,8 @@ "VpcId": { "Ref": "Vpc8378EB38" }, - "Tags": [{ + "Tags": [ + { "Key": "kubernetes.io/role/internal-elb", "Value": "1" }, @@ -542,10 +562,12 @@ "VpcIGWD7BA715C": { "Type": "AWS::EC2::InternetGateway", "Properties": { - "Tags": [{ - "Key": "Name", - "Value": "aws-cdk-eks-cluster-test/Vpc" - }] + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-eks-cluster-test/Vpc" + } + ] } }, "VpcVPCGWBF912B6E": { @@ -563,64 +585,49 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "eks.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/AmazonEKSClusterPolicy" + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSClusterPolicy" + ] ] - ] - }] + } + ] } }, "ClusterControlPlaneSecurityGroupD274242C": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "EKS Control Plane Security Group", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], "VpcId": { "Ref": "Vpc8378EB38" } } }, - "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterKubectlProviderSecurityGroup0285626644359187EDA": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "IpProtocol": "tcp", - "Description": "from awscdkeksclustertestClusterKubectlProviderSecurityGroup02856266:443", - "FromPort": 443, - "GroupId": { - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - }, - "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "ClusterKubectlProviderSecurityGroup2D90691C", - "GroupId" - ] - }, - "ToPort": 443 - } - }, "ClusterControlPlaneSecurityGroupfromawscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C54443795AF111": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -730,29 +737,30 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::12345678:root" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::12345678:root" + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" } }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", "VpcPrivateSubnet1DefaultRouteBE02A9ED", "VpcPrivateSubnet1RouteTableB2C5B500", @@ -788,7 +796,8 @@ "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Statement": [{ + "Statement": [ + { "Action": "iam:PassRole", "Effect": "Allow", "Resource": { @@ -892,12 +901,13 @@ "Version": "2012-10-17" }, "PolicyName": "ClusterCreationRoleDefaultPolicyE8BDFC7B", - "Roles": [{ - "Ref": "ClusterCreationRole360249B6" - }] + "Roles": [ + { + "Ref": "ClusterCreationRole360249B6" + } + ] }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "VpcIGWD7BA715C", "VpcPrivateSubnet1DefaultRouteBE02A9ED", "VpcPrivateSubnet1RouteTableB2C5B500", @@ -946,21 +956,24 @@ "Arn" ] }, - "encryptionConfig": [{ - "provider": { - "keyArn": { - "Fn::GetAtt": [ - "SecretsKey317DCF94", - "Arn" - ] - } - }, - "resources": [ - "secrets" - ] - }], + "encryptionConfig": [ + { + "provider": { + "keyArn": { + "Fn::GetAtt": [ + "SecretsKey317DCF94", + "Arn" + ] + } + }, + "resources": [ + "secrets" + ] + } + ], "resourcesVpcConfig": { - "subnetIds": [{ + "subnetIds": [ + { "Ref": "VpcPublicSubnet1Subnet5C2D37C4" }, { @@ -979,12 +992,14 @@ "Ref": "VpcPrivateSubnet3SubnetF258B56E" } ], - "securityGroupIds": [{ - "Fn::GetAtt": [ - "ClusterControlPlaneSecurityGroupD274242C", - "GroupId" - ] - }], + "securityGroupIds": [ + { + "Fn::GetAtt": [ + "ClusterControlPlaneSecurityGroupD274242C", + "GroupId" + ] + } + ], "endpointPublicAccess": true, "endpointPrivateAccess": true } @@ -998,7 +1013,6 @@ "AttributesRevision": 2 }, "DependsOn": [ - "ClusterKubectlProviderSecurityGroup2D90691C", "ClusterCreationRoleDefaultPolicyE8BDFC7B", "ClusterCreationRole360249B6", "VpcIGWD7BA715C", @@ -1034,20 +1048,6 @@ "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, - "ClusterKubectlProviderSecurityGroup2D90691C": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "Comminication between KubectlProvider and EKS Control Plane", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "VpcId": { - "Ref": "Vpc8378EB38" - } - } - }, "ClusterKubectlReadyBarrier200052AF": { "Type": "AWS::SSM::Parameter", "Properties": { @@ -1062,6 +1062,111 @@ "Cluster9EE0221C" ] }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C544432C10EDB4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterNodesInstanceSecurityGroupD0B64C54:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterNodesInstanceSecurityGroup899246BD", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterNodesArmInstanceSecurityGroup52C45858443A88C1345": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterNodesArmInstanceSecurityGroup52C45858:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterNodesArmInstanceSecurityGroup599F388B", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterBottlerocketNodesInstanceSecurityGroup83FE7914443A80EB501": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterBottlerocketNodesInstanceSecurityGroup83FE7914:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterspotInstanceSecurityGroupF50F5D474432A818F38": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterspotInstanceSecurityGroupF50F5D47:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + }, + "ToPort": 443 + } + }, + "ClusterClusterSecurityGroupfromawscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C5144320402117": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterInferenceInstancesInstanceSecurityGroup42C57C51:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterAwsAuthmanifestFE51F8AE": { "Type": "Custom::AWSCDK-EKS-KubernetesResource", "Properties": { @@ -1183,26 +1288,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -1253,7 +1361,8 @@ "Arn" ] }, - "Subnets": [{ + "Subnets": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -1279,27 +1388,31 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "eks-fargate-pods.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "eks-fargate-pods.amazonaws.com" + } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy" + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy" + ] ] - ] - }] + } + ] } }, "ClusterfargateprofiledefaultEFC59F14": { @@ -1327,9 +1440,11 @@ "Arn" ] }, - "selectors": [{ - "namespace": "default" - }] + "selectors": [ + { + "namespace": "default" + } + ] } }, "UpdateReplacePolicy": "Delete", @@ -1339,12 +1454,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/Nodes/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1387,6 +1505,27 @@ } } }, + "ClusterNodesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32443DC7FAF39": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterNodesInstanceSecurityGroup899246BD", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterNodesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134443AE10EB12": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1408,6 +1547,27 @@ "ToPort": 443 } }, + "ClusterNodesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32102565535D6A46ADB": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterNodesInstanceSecurityGroup899246BD", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterNodesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301341025655359F401D0D": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1433,26 +1593,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -1489,7 +1652,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1513,9 +1677,11 @@ "ClusterNodesInstanceProfileF2DD0E21": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterNodesInstanceRoleC3C01328" - }] + "Roles": [ + { + "Ref": "ClusterNodesInstanceRoleC3C01328" + } + ] } }, "ClusterNodesLaunchConfig7C420A27": { @@ -1528,12 +1694,14 @@ "IamInstanceProfile": { "Ref": "ClusterNodesInstanceProfileF2DD0E21" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterNodesInstanceSecurityGroup899246BD", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterNodesInstanceSecurityGroup899246BD", + "GroupId" + ] + } + ], "UserData": { "Fn::Base64": { "Fn::Join": [ @@ -1561,7 +1729,8 @@ "LaunchConfigurationName": { "Ref": "ClusterNodesLaunchConfig7C420A27" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1582,7 +1751,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/Nodes" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -1603,12 +1773,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/NodesArm/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1651,6 +1824,27 @@ } } }, + "ClusterNodesArmInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32443AC8AE5BF": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterNodesArmInstanceSecurityGroup599F388B", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterNodesArmInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F13013444328ED4211": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1672,6 +1866,27 @@ "ToPort": 443 } }, + "ClusterNodesArmInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32102565535F5718241": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterNodesArmInstanceSecurityGroup599F388B", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterNodesArmInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F13013410256553586052D07": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1697,26 +1912,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -1753,7 +1971,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1777,9 +1996,11 @@ "ClusterNodesArmInstanceProfile158C5C9F": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterNodesArmInstanceRoleB93D3298" - }] + "Roles": [ + { + "Ref": "ClusterNodesArmInstanceRoleB93D3298" + } + ] } }, "ClusterNodesArmLaunchConfigAAF61344": { @@ -1792,12 +2013,14 @@ "IamInstanceProfile": { "Ref": "ClusterNodesArmInstanceProfile158C5C9F" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterNodesArmInstanceSecurityGroup599F388B", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterNodesArmInstanceSecurityGroup599F388B", + "GroupId" + ] + } + ], "UserData": { "Fn::Base64": { "Fn::Join": [ @@ -1825,7 +2048,8 @@ "LaunchConfigurationName": { "Ref": "ClusterNodesArmLaunchConfigAAF61344" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1846,7 +2070,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/NodesArm" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -1867,12 +2092,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -1915,6 +2143,27 @@ } } }, + "ClusterBottlerocketNodesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32443D1686B16": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterBottlerocketNodesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134443A6D43789": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1936,6 +2185,27 @@ "ToPort": 443 } }, + "ClusterBottlerocketNodesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32102565535674E85A7": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterBottlerocketNodesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301341025655352CE8AD9A": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -1961,26 +2231,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2017,7 +2290,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2041,9 +2315,11 @@ "ClusterBottlerocketNodesInstanceProfileB6E2F25A": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterBottlerocketNodesInstanceRole68E4BCFB" - }] + "Roles": [ + { + "Ref": "ClusterBottlerocketNodesInstanceRole68E4BCFB" + } + ] } }, "ClusterBottlerocketNodesLaunchConfig76D7BEBE": { @@ -2056,12 +2332,14 @@ "IamInstanceProfile": { "Ref": "ClusterBottlerocketNodesInstanceProfileB6E2F25A" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterBottlerocketNodesInstanceSecurityGroup3794A94B", + "GroupId" + ] + } + ], "UserData": { "Fn::Base64": { "Fn::Join": [ @@ -2103,7 +2381,8 @@ "LaunchConfigurationName": { "Ref": "ClusterBottlerocketNodesLaunchConfig76D7BEBE" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2124,7 +2403,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/BottlerocketNodes" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -2145,12 +2425,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/spot/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2187,10 +2470,31 @@ }, "SourceSecurityGroupId": { "Fn::GetAtt": [ - "ClusterspotInstanceSecurityGroup01F7B1CE", - "GroupId" + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + } + } + }, + "ClusterspotInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A324438F751704": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" ] - } + }, + "ToPort": 443 } }, "ClusterspotInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301344430650F325": { @@ -2214,6 +2518,27 @@ "ToPort": 443 } }, + "ClusterspotInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A321025655350D837827": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterspotInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134102565535C7203235": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -2239,26 +2564,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2295,7 +2623,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2319,9 +2648,11 @@ "ClusterspotInstanceProfileAB88D077": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterspotInstanceRole39043830" - }] + "Roles": [ + { + "Ref": "ClusterspotInstanceRole39043830" + } + ] } }, "ClusterspotLaunchConfigCC19F2E6": { @@ -2334,12 +2665,14 @@ "IamInstanceProfile": { "Ref": "ClusterspotInstanceProfileAB88D077" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterspotInstanceSecurityGroup01F7B1CE", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterspotInstanceSecurityGroup01F7B1CE", + "GroupId" + ] + } + ], "SpotPrice": "0.1094", "UserData": { "Fn::Base64": { @@ -2368,7 +2701,8 @@ "LaunchConfigurationName": { "Ref": "ClusterspotLaunchConfigCC19F2E6" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2389,7 +2723,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/spot" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -2442,12 +2777,15 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances/InstanceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], - "Tags": [{ + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2490,6 +2828,27 @@ } } }, + "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A32443F6A7B9A5": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:443", + "FromPort": 443, + "GroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 443 + } + }, "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F1301344437B48FD33": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -2511,6 +2870,27 @@ "ToPort": 443 } }, + "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterClusterSecurityGroupF7265A321025655351C7B1E72": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "Description": "from awscdkeksclustertestClusterClusterSecurityGroupF7265A32:1025-65535", + "FromPort": 1025, + "GroupId": { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + }, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "Cluster9EE0221C", + "ClusterSecurityGroupId" + ] + }, + "ToPort": 65535 + } + }, "ClusterInferenceInstancesInstanceSecurityGroupfromawscdkeksclustertestClusterControlPlaneSecurityGroup2F130134102565535A460F673": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { @@ -2536,26 +2916,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2592,7 +2975,8 @@ ] } ], - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2616,9 +3000,11 @@ "ClusterInferenceInstancesInstanceProfile5A1209B4": { "Type": "AWS::IAM::InstanceProfile", "Properties": { - "Roles": [{ - "Ref": "ClusterInferenceInstancesInstanceRole59AC6F56" - }] + "Roles": [ + { + "Ref": "ClusterInferenceInstancesInstanceRole59AC6F56" + } + ] } }, "ClusterInferenceInstancesLaunchConfig03BF48FE": { @@ -2631,12 +3017,14 @@ "IamInstanceProfile": { "Ref": "ClusterInferenceInstancesInstanceProfile5A1209B4" }, - "SecurityGroups": [{ - "Fn::GetAtt": [ - "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", - "GroupId" - ] - }], + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterInferenceInstancesInstanceSecurityGroupECB3FC45", + "GroupId" + ] + } + ], "UserData": { "Fn::Base64": { "Fn::Join": [ @@ -2664,7 +3052,8 @@ "LaunchConfigurationName": { "Ref": "ClusterInferenceInstancesLaunchConfig03BF48FE" }, - "Tags": [{ + "Tags": [ + { "Key": { "Fn::Join": [ "", @@ -2685,7 +3074,8 @@ "Value": "aws-cdk-eks-cluster-test/Cluster/InferenceInstances" } ], - "VPCZoneIdentifier": [{ + "VPCZoneIdentifier": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -2732,26 +3122,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2802,7 +3195,8 @@ "Arn" ] }, - "Subnets": [{ + "Subnets": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -2828,26 +3222,29 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "ec2.", - { - "Ref": "AWS::URLSuffix" - } + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "ec2.", + { + "Ref": "AWS::URLSuffix" + } + ] ] - ] + } } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -2898,7 +3295,8 @@ "Arn" ] }, - "Subnets": [{ + "Subnets": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -2932,7 +3330,8 @@ "Arn" ] }, - "Subnets": [{ + "Subnets": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -3114,23 +3513,25 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "Fn::GetAtt": [ - "ClusterMyServiceAccountConditionJson671C0633", - "Value" - ] - } - }, - "Effect": "Allow", - "Principal": { - "Federated": { - "Ref": "ClusterOpenIdConnectProviderE7EB0530" + "Statement": [ + { + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "Fn::GetAtt": [ + "ClusterMyServiceAccountConditionJson671C0633", + "Value" + ] + } + }, + "Effect": "Allow", + "Principal": { + "Federated": { + "Ref": "ClusterOpenIdConnectProviderE7EB0530" + } } } - }], + ], "Version": "2012-10-17" } } @@ -3376,7 +3777,7 @@ }, "/", { - "Ref": "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3BucketCA7ADF01" + "Ref": "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3BucketC456B560" }, "/", { @@ -3386,7 +3787,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3VersionKey822F0346" + "Ref": "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3VersionKeyA1DAD649" } ] } @@ -3399,7 +3800,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3VersionKey822F0346" + "Ref": "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3VersionKeyA1DAD649" } ] } @@ -3436,10 +3837,10 @@ "referencetoawscdkeksclustertestVpcPrivateSubnet3Subnet7F5D6918Ref": { "Ref": "VpcPrivateSubnet3SubnetF258B56E" }, - "referencetoawscdkeksclustertestClusterKubectlProviderSecurityGroupD167EE6BGroupId": { + "referencetoawscdkeksclustertestClusterD76DFF87ClusterSecurityGroupId": { "Fn::GetAtt": [ - "ClusterKubectlProviderSecurityGroup2D90691C", - "GroupId" + "Cluster9EE0221C", + "ClusterSecurityGroupId" ] }, "referencetoawscdkeksclustertestAssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3Bucket85526CA7Ref": { @@ -3480,17 +3881,21 @@ "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } } - }] + ] }, - "ManagedPolicyArns": [{ - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - }] + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] } }, "AWSCDKCfnUtilsProviderCustomResourceProviderHandlerCF82AA57": { @@ -3503,7 +3908,8 @@ "S3Key": { "Fn::Join": [ "", - [{ + [ + { "Fn::Select": [ 0, { @@ -3553,34 +3959,42 @@ "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - }] - }, - "ManagedPolicyArns": [{ - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - }], - "Policies": [{ - "PolicyName": "Inline", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [{ + "Statement": [ + { + "Action": "sts:AssumeRole", "Effect": "Allow", - "Resource": "*", - "Action": [ - "iam:CreateOpenIDConnectProvider", - "iam:DeleteOpenIDConnectProvider", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:AddClientIDToOpenIDConnectProvider", - "iam:RemoveClientIDFromOpenIDConnectProvider" + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ], + "Policies": [ + { + "PolicyName": "Inline", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": "*", + "Action": [ + "iam:CreateOpenIDConnectProvider", + "iam:DeleteOpenIDConnectProvider", + "iam:UpdateOpenIDConnectProviderThumbprint", + "iam:AddClientIDToOpenIDConnectProvider", + "iam:RemoveClientIDFromOpenIDConnectProvider" + ] + } ] - }] + } } - }] + ] } }, "CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0": { @@ -3593,7 +4007,8 @@ "S3Key": { "Fn::Join": [ "", - [{ + [ + { "Fn::Select": [ 0, { @@ -3642,11 +4057,13 @@ "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "aws-cdk-eks-cluster-test/WebServiceSecurityGroup", - "SecurityGroupEgress": [{ - "CidrIp": "0.0.0.0/0", - "Description": "Allow all outbound traffic by default", - "IpProtocol": "-1" - }], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], "VpcId": { "Ref": "Vpc8378EB38" } @@ -3677,16 +4094,19 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ + "ManagedPolicyArns": [ + { "Fn::Join": [ "", [ @@ -3723,7 +4143,8 @@ "S3Key": { "Fn::Join": [ "", - [{ + [ + { "Fn::Select": [ 0, { @@ -3763,13 +4184,16 @@ "Runtime": "python3.6", "Timeout": 600, "VpcConfig": { - "SecurityGroupIds": [{ - "Fn::GetAtt": [ - "WebServiceSecurityGroupA556AEB5", - "GroupId" - ] - }], - "SubnetIds": [{ + "SecurityGroupIds": [ + { + "Fn::GetAtt": [ + "WebServiceSecurityGroupA556AEB5", + "GroupId" + ] + } + ], + "SubnetIds": [ + { "Ref": "VpcPrivateSubnet1Subnet536B997A" }, { @@ -3789,49 +4213,57 @@ "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { - "Statement": [{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } } - }], + ], "Version": "2012-10-17" }, - "ManagedPolicyArns": [{ - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] ] - ] - }] + } + ] } }, "ServicePingerProviderframeworkonEventServiceRoleDefaultPolicyD142E8F7": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { - "Statement": [{ - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "ServicePingerFunctionADF51BAF", - "Arn" - ] + "Statement": [ + { + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "ServicePingerFunctionADF51BAF", + "Arn" + ] + } } - }], + ], "Version": "2012-10-17" }, "PolicyName": "ServicePingerProviderframeworkonEventServiceRoleDefaultPolicyD142E8F7", - "Roles": [{ - "Ref": "ServicePingerProviderframeworkonEventServiceRole3DB083B7" - }] + "Roles": [ + { + "Ref": "ServicePingerProviderframeworkonEventServiceRole3DB083B7" + } + ] } }, "ServicePingerProviderframeworkonEventEC59DE20": { @@ -3844,7 +4276,8 @@ "S3Key": { "Fn::Join": [ "", - [{ + [ + { "Fn::Select": [ 0, { @@ -4109,17 +4542,17 @@ "Type": "String", "Description": "Artifact hash for asset \"04fa2d485a51abd8261468eb6fa053d3a72242fc068fa75683232a52960b30cf\"" }, - "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3BucketCA7ADF01": { + "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3BucketC456B560": { "Type": "String", - "Description": "S3 bucket for asset \"a298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dc\"" + "Description": "S3 bucket for asset \"215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11\"" }, - "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcS3VersionKey822F0346": { + "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11S3VersionKeyA1DAD649": { "Type": "String", - "Description": "S3 key for asset version \"a298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dc\"" + "Description": "S3 key for asset version \"215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11\"" }, - "AssetParametersa298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dcArtifactHashA688F4F0": { + "AssetParameters215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11ArtifactHash95B6846D": { "Type": "String", - "Description": "Artifact hash for asset \"a298dd278c9ef814ebac4c9d8b2dc8e1b8374a14c5b7d0e79f041a296668f5dc\"" + "Description": "Artifact hash for asset \"215e9f40bd76e7102c690b24b0922eb4963d2d24938eec175e107db683455d11\"" }, "SsmParameterValueawsserviceeksoptimizedami117amazonlinux2recommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter": { "Type": "AWS::SSM::Parameter::Value", @@ -4142,4 +4575,4 @@ "Default": "/aws/service/eks/optimized-ami/1.14/amazon-linux-2/recommended/image_id" } } -} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts index 15875190fc877..21570dd2b437c 100644 --- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts +++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts @@ -20,6 +20,61 @@ const CLUSTER_VERSION = eks.KubernetesVersion.V1_16; export = { + 'cluster connections include both control plane and cluster security group'(test: Test) { + + const { stack } = testFixture(); + + const cluster = new eks.Cluster(stack, 'Cluster', { + version: eks.KubernetesVersion.V1_17, + }); + + test.deepEqual(cluster.connections.securityGroups.map(sg => stack.resolve(sg.securityGroupId)), [ + { 'Fn::GetAtt': ['Cluster9EE0221C', 'ClusterSecurityGroupId'] }, + { 'Fn::GetAtt': ['ClusterControlPlaneSecurityGroupD274242C', 'GroupId'] }, + ]); + + test.done(); + + }, + + 'can declare a security group from a different stack'(test: Test) { + + class ClusterStack extends cdk.Stack { + public eksCluster: eks.Cluster; + + constructor(scope: cdk.Construct, id: string, props: { sg: ec2.ISecurityGroup, vpc: ec2.IVpc }) { + super(scope, id); + this.eksCluster = new eks.Cluster(this, 'Cluster', { + version: eks.KubernetesVersion.V1_17, + securityGroup: props.sg, + vpc: props.vpc, + }); + } + } + + class NetworkStack extends cdk.Stack { + + public readonly securityGroup: ec2.ISecurityGroup; + public readonly vpc: ec2.IVpc; + + constructor(scope: cdk.Construct, id: string) { + super(scope, id); + this.vpc = new ec2.Vpc(this, 'Vpc'); + this.securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', { vpc: this.vpc }); + } + + } + + const { app } = testFixture(); + const networkStack = new NetworkStack(app, 'NetworkStack'); + new ClusterStack(app, 'ClusterStack', { sg: networkStack.securityGroup, vpc: networkStack.vpc }); + + // make sure we can synth (no circular dependencies between the stacks) + app.synth(); + + test.done(); + }, + 'can declare a manifest with a token from a different stack than the cluster that depends on the cluster stack'(test: Test) { class ClusterStack extends cdk.Stack { @@ -1987,7 +2042,7 @@ export = { VpcConfig: { SecurityGroupIds: [ { - Ref: 'referencetoStackCluster1KubectlProviderSecurityGroupDF05D03AGroupId', + Ref: 'referencetoStackCluster18DFEAC17ClusterSecurityGroupId', }, ], SubnetIds: [ @@ -2102,7 +2157,7 @@ export = { VpcConfig: { SecurityGroupIds: [ { - Ref: 'referencetoStackCluster1KubectlProviderSecurityGroupDF05D03AGroupId', + Ref: 'referencetoStackCluster18DFEAC17ClusterSecurityGroupId', }, ], SubnetIds: [