diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts index 0177a7e21b695..e6930b7844d32 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/cluster.ts @@ -136,10 +136,16 @@ export class ClusterResourceHandler extends ResourceHandler { return this.updateClusterVersion(this.newProps.version); } + if (updates.updateLogging && updates.updateAccess) { + throw new Error('Cannot update logging and access at the same time'); + } + if (updates.updateLogging || updates.updateAccess) { const config: aws.EKS.UpdateClusterConfigRequest = { name: this.clusterName, - logging: this.newProps.logging, + }; + if (updates.updateLogging) { + config.logging = this.newProps.logging; }; if (updates.updateAccess) { // Updating the cluster with securityGroupIds and subnetIds (as specified in the warning here: @@ -334,5 +340,5 @@ function analyzeUpdate(oldProps: Partial, newProps } function setsEqual(first: Set, second: Set) { - return first.size === second.size || [...first].every((e: string) => second.has(e)); + return first.size === second.size && [...first].every((e: string) => second.has(e)); } diff --git a/packages/@aws-cdk/aws-eks/test/cluster-resource-provider.test.ts b/packages/@aws-cdk/aws-eks/test/cluster-resource-provider.test.ts index 5bec15aaed2d8..f1ad11b562838 100644 --- a/packages/@aws-cdk/aws-eks/test/cluster-resource-provider.test.ts +++ b/packages/@aws-cdk/aws-eks/test/cluster-resource-provider.test.ts @@ -588,11 +588,16 @@ describe('cluster resource provider', () => { logging: undefined, resourcesVpcConfig: undefined, })); - - const resp = await handler.onEvent(); - expect(resp).toEqual({ EksUpdateId: mocks.MOCK_UPDATE_STATUS_ID }); - expect(mocks.actualRequest.updateClusterConfigRequest!).toEqual({ - name: 'physical-resource-id', + let error: any; + try { + await handler.onEvent(); + } catch (e) { + error = e; + } + expect(error.message).toEqual('Cannot update logging and access at the same time'); + }); + test('both logging and access defined and modify both of them', async () => { + const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', { logging: { clusterLogging: [ { @@ -601,13 +606,99 @@ describe('cluster resource provider', () => { }, ], }, + resourcesVpcConfig: { + endpointPrivateAccess: true, + endpointPublicAccess: false, + publicAccessCidrs: ['0.0.0.0/0'], + }, + }, { + logging: { + clusterLogging: [ + { + types: ['api', 'audit', 'authenticator', 'controllerManager'], + enabled: true, + }, + ], + }, resourcesVpcConfig: { endpointPrivateAccess: true, endpointPublicAccess: true, publicAccessCidrs: ['0.0.0.0/0'], }, - }); - expect(mocks.actualRequest.createClusterRequest).toEqual(undefined); + })); + let error: any; + try { + await handler.onEvent(); + } catch (e) { + error = e; + } + expect(error.message).toEqual('Cannot update logging and access at the same time'); + }); + test('Given logging enabled and unchanged, updating the only publicAccessCidrs is allowed ', async () => { + const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', { + logging: { + clusterLogging: [ + { + types: ['api', 'audit', 'authenticator', 'controllerManager', 'scheduler'], + enabled: true, + }, + ], + }, + resourcesVpcConfig: { + endpointPrivateAccess: true, + endpointPublicAccess: true, + publicAccessCidrs: ['1.2.3.4/32'], + }, + }, { + logging: { + clusterLogging: [ + { + types: ['api', 'audit', 'authenticator', 'controllerManager', 'scheduler'], + enabled: true, + }, + ], + }, + resourcesVpcConfig: { + endpointPrivateAccess: true, + endpointPublicAccess: true, + publicAccessCidrs: ['0.0.0.0/0'], + }, + })); + const resp = await handler.onEvent(); + expect(resp).toEqual({ EksUpdateId: 'MockEksUpdateStatusId' }); + }); + test('Given logging enabled and unchanged, updating publicAccessCidrs from one to multiple entries is allowed ', async () => { + const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', { + logging: { + clusterLogging: [ + { + types: ['api', 'audit', 'authenticator', 'controllerManager', 'scheduler'], + enabled: true, + }, + ], + }, + resourcesVpcConfig: { + endpointPrivateAccess: true, + endpointPublicAccess: true, + publicAccessCidrs: ['2.4.6.0/24', '1.2.3.4/32', '3.3.3.3/32'], + }, + }, { + logging: { + clusterLogging: [ + { + types: ['api', 'audit', 'authenticator', 'controllerManager', 'scheduler'], + enabled: true, + }, + ], + }, + resourcesVpcConfig: { + endpointPrivateAccess: true, + endpointPublicAccess: true, + publicAccessCidrs: ['2.4.6.0/24'], + }, + })); + const resp = await handler.onEvent(); + expect(resp).toEqual({ EksUpdateId: 'MockEksUpdateStatusId' }); }); }); });