From 0d87a93ff3f7e80f6e8696d85912e6493edff8e4 Mon Sep 17 00:00:00 2001 From: Ryan Parker Date: Wed, 27 Oct 2021 15:29:01 -0700 Subject: [PATCH 01/15] Added layer to both cluster handler functions, renamed `onEventLayer` -> `proxyAgentLayer` --- package.json | 2 + packages/@aws-cdk/aws-eks/README.md | 13 ++- .../lib/cluster-resource-handler/common.ts | 6 -- .../lib/cluster-resource-handler/index.ts | 5 ++ .../aws-eks/lib/cluster-resource-provider.ts | 27 ++++-- .../@aws-cdk/aws-eks/lib/cluster-resource.ts | 6 +- packages/@aws-cdk/aws-eks/lib/cluster.ts | 90 ++++++++++++++----- .../@aws-cdk/aws-eks/lib/fargate-profile.ts | 2 +- .../@aws-cdk/aws-eks/test/cluster.test.ts | 34 +++++++ 9 files changed, 144 insertions(+), 41 deletions(-) diff --git a/package.json b/package.json index 6115ddc36950c..f9e393b3e07fa 100644 --- a/package.json +++ b/package.json @@ -105,6 +105,8 @@ "@aws-cdk/aws-ecr-assets/minimatch/**", "@aws-cdk/aws-eks/yaml", "@aws-cdk/aws-eks/yaml/**", + "@aws-cdk/aws-eks/proxy-agent", + "@aws-cdk/aws-eks/proxy-agent/**", "@aws-cdk/aws-events-targets/aws-sdk", "@aws-cdk/aws-events-targets/aws-sdk/**", "@aws-cdk/aws-s3-deployment/case", diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 3b04f5d9e7f61..2121880746507 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md 
@@ -537,16 +537,23 @@ If the endpoint does not expose private access (via `EndpointAccess.PUBLIC`) **o #### Cluster Handler -The `ClusterHandler` is a Lambda function responsible to interact with the EKS API in order to control the cluster lifecycle. To provision this function inside the VPC, set the `placeClusterHandlerInVpc` property to `true`. This will place the function inside the private subnets of the VPC based on the selection strategy specified in the [`vpcSubnets`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.Cluster.html#vpcsubnetsspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan) property. +The `ClusterHandler` is a set of Lambda functions (`onEventHandler`, `isCompleteHandler`) responsible for interacting with the EKS API in order to control the cluster lifecycle. To provision these functions inside the VPC, set the `placeClusterHandlerInVpc` property to `true`. This will place the functions inside the private subnets of the VPC based on the selection strategy specified in the [`vpcSubnets`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.Cluster.html#vpcsubnetsspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan) property. -You can configure the environment of this function by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy: +The `onEventHandler` Lambda is the only Lambda used for calling AWS's EKS API. + +You can configure the environment of the `onEventHandler` function by specifying it at cluster instantiation. 
For example, this can be useful in order to configure an http proxy: ```ts const cluster = new eks.Cluster(this, 'hello-eks', { version: eks.KubernetesVersion.V1_21, clusterHandlerEnvironment: { 'http_proxy': 'http://proxy.myproxy.com' - } + }, + /** + * If proxy is not open to public you may pass a security group to the + * `onEvent` cluster handler Lambda. + */ + clusterHandlerSecurityGroup: proxyInstanceSecurityGroup }); ``` diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts index 8f563de833bf6..21cf958df5a68 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts @@ -41,12 +41,6 @@ export abstract class ResourceHandler { } public onEvent() { - // eslint-disable-next-line @typescript-eslint/no-require-imports, import/no-extraneous-dependencies - const ProxyAgent: any = require('proxy-agent'); - aws.config.update({ - httpOptions: { agent: new ProxyAgent() }, - }); - switch (this.requestType) { case 'Create': return this.onCreate(); case 'Update': return this.onUpdate(); diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts index e7fc357846259..879625494d242 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts 
@@ -3,12 +3,17 @@ import { IsCompleteResponse } from '@aws-cdk/custom-resources/lib/provider-framework/types'; // eslint-disable-next-line import/no-extraneous-dependencies import * as aws from 'aws-sdk'; +// eslint-disable-next-line import/no-extraneous-dependencies +import * as ProxyAgent from 'proxy-agent'; import { ClusterResourceHandler } from './cluster'; import { EksClient } from './common'; import * as consts from './consts'; import { FargateProfileResourceHandler } from './fargate'; aws.config.logger = console; +aws.config.update({ + httpOptions: { agent: new ProxyAgent() }, +}); let eks: aws.EKS | undefined; diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts index f425b0a1eaba6..f0f8f401b93a9 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts @@ -40,7 +40,14 @@ export interface ClusterResourceProviderProps { * * If not defined, a default layer will be used. */ - readonly onEventLayer?: lambda.ILayerVersion; + readonly proxyAgentLayer?: lambda.ILayerVersion; + + /** + * The security group to associate with the functions. + * + * @default - No security group. + */ + readonly securityGroup?: ec2.ISecurityGroup; } /** @@ -66,6 +73,10 @@ export class ClusterResourceProvider extends NestedStack { private constructor(scope: Construct, id: string, props: ClusterResourceProviderProps) { super(scope as CoreConstruct, id); + // Allow user to override the layer. Layer must contain `proxy-agent` node_module which is required to proxy AWS SDK requests. + const proxyAgentLayer = props.proxyAgentLayer ? props.proxyAgentLayer : new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer'); + + // This is the only Lambda that calls AWS's EKS API. const onEvent = new lambda.Function(this, 'OnEventHandler', { code: lambda.Code.fromAsset(HANDLER_DIR), description: 'onEvent handler for EKS cluster resource provider', 
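Review bot: The module-scope `aws.config.update({ httpOptions: { agent: new ProxyAgent() } })` added to index.ts now runs for every handler entry point exported from this module, not just `onEvent`, and nothing on the line says why it moved here or what it depends on. A short comment above it would save the next reader a trip through the provider: `// Installed once per container for every handler in this module; as far as I can tell proxy-agent picks the proxy from the http(s)_proxy / no_proxy environment (set via clusterHandlerEnvironment) and connects directly when none is set.` It is also worth stating there that the `proxy-agent` layer must be attached to every function that loads this module, which the cluster-resource-provider hunk below does for both handlers.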
@@ -75,24 +86,21 @@ export class ClusterResourceProvider extends NestedStack { timeout: Duration.minutes(1), vpc: props.subnets ? props.vpc : undefined, vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined, + securityGroups: props.securityGroup ? [props.securityGroup] : undefined, + layers: [proxyAgentLayer], }); - // Allow user to customize the layer - if (!props.onEventLayer) { - // `NodeProxyAgentLayer` provides `proxy-agent` which is needed to configure `aws-sdk-js` with a user provided proxy. - onEvent.addLayers(new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer')); - } else { - onEvent.addLayers(props.onEventLayer); - } - const isComplete = new lambda.Function(this, 'IsCompleteHandler', { code: lambda.Code.fromAsset(HANDLER_DIR), description: 'isComplete handler for EKS cluster resource provider', runtime: HANDLER_RUNTIME, + environment: props.environment, handler: 'index.isComplete', timeout: Duration.minutes(1), vpc: props.subnets ? props.vpc : undefined, vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined, + securityGroups: props.securityGroup ? [props.securityGroup] : undefined, + layers: [proxyAgentLayer], }); this.provider = new cr.Provider(this, 'Provider', { @@ -102,6 +110,7 @@ export class ClusterResourceProvider extends NestedStack { queryInterval: Duration.minutes(1), vpc: props.subnets ? props.vpc : undefined, vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined, + securityGroups: props.securityGroup ? [props.securityGroup] : undefined, }); props.adminRole.grant(onEvent.role!, 'sts:AssumeRole'); diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts index 88f3cd0138344..e24d988e79344 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts 
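Review bot: `securityGroups` is populated whenever `props.securityGroup` is given, while `vpc` is populated only when `props.subnets` is, so a caller that passes a security group without subnets yields a Function with security groups and no VPC, which I believe `lambda.Function` rejects at synth time; the only guard against that combination lives in `Cluster`, not in this shared provider. Add a local check at the top of the constructor, `if (props.securityGroup && !props.subnets) { throw new Error('securityGroup requires subnets so the handlers are placed in the VPC'); }`, and hoist the ternary that is now repeated for OnEventHandler, IsCompleteHandler and, in the @@ -102 hunk, the Provider into `const securityGroups = props.securityGroup ? [props.securityGroup] : undefined;`. The `securityGroup` prop's doc in the @@ -40 hunk should carry the same requirement. The constructor continues past the end of this hunk.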
@@ -26,7 +26,8 @@ export interface ClusterResourceProps { readonly environment?: { [key: string]: string }; readonly subnets?: ec2.ISubnet[]; readonly secretsEncryptionKey?: kms.IKey; - readonly onEventLayer?: lambda.ILayerVersion; + readonly proxyAgentLayer?: lambda.ILayerVersion; + readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; } /** @@ -65,7 +66,8 @@ export class ClusterResource extends CoreConstruct { subnets: props.subnets, vpc: props.vpc, environment: props.environment, - onEventLayer: props.onEventLayer, + proxyAgentLayer: props.proxyAgentLayer, + securityGroup: props.clusterHandlerSecurityGroup, }); const resource = new CustomResource(this, 'Resource', { diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index c1d00a9dcd767..8e3030821dbc4 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -66,6 +66,16 @@ export interface ICluster extends IResource, ec2.IConnectable { */ readonly clusterCertificateAuthorityData: string; + /** + * A security group to use for the Cluster Handler's `onEvent` Lambda. + * The `onEvent` Lambda is responsible for calling AWS's EKS API. + * + * Requires `placeClusterHandlerInVpc` to be set to true. + * + * @default - No security group. + */ + readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; + /** * The id of the cluster security group that was created by Amazon EKS for the cluster. * @attribute @@ -134,7 +144,7 @@ export interface ICluster extends IResource, ec2.IConnectable { * * If not defined, a default layer will be used. */ - readonly onEventLayer?: lambda.ILayerVersion; + readonly proxyAgentLayer?: lambda.ILayerVersion; /** * Indicates whether Kubernetes resources can be automatically pruned. When 
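Review bot: In the @@ -134 hunk `ICluster.onEventLayer` is removed outright, and the `ClusterAttributes` hunk that follows renames it the same way, while `ClusterOptions` keeps `onEventLayer` as a deprecated alias; anything that reads `cluster.onEventLayer` off an `ICluster` or passes it in `ClusterAttributes` therefore breaks with no deprecation path. Either keep `readonly onEventLayer?: lambda.ILayerVersion;` on `ICluster` and `ClusterAttributes` with `@deprecated use proxyAgentLayer instead` for a release, or state the interface break explicitly in the commit message so it is not shipped as a plain rename.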
@@ -311,15 +321,23 @@ export interface ClusterAttributes { /** * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer - * is used by the onEvent handler to route AWS SDK requests through a proxy. - * + * is used by the Cluster Handler to route AWS SDK requests through a proxy. * The handler expects the layer to include the following node_modules: * * proxy-agent * * @default - a layer bundled with this module. */ - readonly onEventLayer?: lambda.ILayerVersion; + readonly proxyAgentLayer?: lambda.ILayerVersion; + + + /** + * A security group to use for the Cluster Handler's `onEvent` Lambda. + * The `onEvent` Lambda is responsible for calling AWS's EKS API. + * + * @default - No security group. + */ + readonly clusterHandlerSecurityGroupId?: string; /** * Indicates whether Kubernetes resources added through `addManifest()` can be @@ -459,6 +477,16 @@ export interface ClusterOptions extends CommonClusterOptions { */ readonly clusterHandlerEnvironment?: { [key: string]: string }; + /** + * A security group to use for the Cluster Handler's `onEvent` Lambda. + * The `onEvent` Lambda is responsible for calling AWS's EKS API. + * + * Requires `placeClusterHandlerInVpc` to be set to true. + * + * @default - No security group. + */ + readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; + /** * An AWS Lambda Layer which includes `kubectl`, Helm and the AWS CLI. * 
@@ -497,20 +525,21 @@ export interface ClusterOptions extends CommonClusterOptions { * "aws-lambda-layer-node-proxy-agent" SAR application which is available in all * commercial regions. * - * To deploy the layer locally, visit - * https://github.com/aws-samples/aws-lambda-layer-node-proxy-agent/blob/master/cdk/README.md - * for instructions on how to prepare the .zip file and then define it in your - * app as follows: + * To deploy the layer locally define it in your app as follows: * * ```ts - * const layer = new lambda.LayerVersion(this, 'node-proxy-agent-layer', { + * const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', { * code: lambda.Code.fromAsset(`${__dirname}/layer.zip`)), - * compatibleRuntimes: [lambda.Runtime.NODEJS_14_X] + * compatibleRuntimes: [lambda.Runtime.NODEJS_12_X] * }) * ``` + */ + readonly proxyAgentLayer?: lambda.ILayerVersion; + + /** + * Deprecated * - * @default - the layer provided by the `aws-lambda-layer-node-proxy-agent` SAR app. - * @see https://github.com/aws-samples/aws-lambda-layer-node-proxy-agent + * @deprecated use `proxyAgentLayer` instead */ readonly onEventLayer?: lambda.ILayerVersion; @@ -749,6 +778,7 @@ abstract class ClusterBase extends Resource implements ICluster { public abstract readonly kubectlSecurityGroup?: ec2.ISecurityGroup; public abstract readonly kubectlPrivateSubnets?: ec2.ISubnet[]; public abstract readonly kubectlMemory?: Size; + public abstract readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; public abstract readonly prune: boolean; public abstract readonly openIdConnectProvider: iam.IOpenIdConnectProvider; public abstract readonly awsAuth: AwsAuth; 
@@ -902,7 +932,7 @@ abstract class ClusterBase extends Resource implements ICluster { // cluster or if `mapRole` is set to false. By default this should happen. let mapRole = options.mapRole ?? true; if (mapRole && !(this instanceof Cluster)) { - // do the mapping... + // do the mapping... Annotations.of(autoScalingGroup).addWarning('Auto-mapping aws-auth role for imported cluster is not supported, please map role manually'); mapRole = false; } @@ -1100,10 +1130,21 @@ export class Cluster extends ClusterBase { public readonly kubectlMemory?: Size; /** - * The AWS Lambda layer that contains the NPM dependency `proxy-agent`. If - * undefined, a SAR app that contains this layer will be used. + * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. + * + * If not defined, a default layer will be used. + */ + public readonly proxyAgentLayer?: lambda.ILayerVersion; + + /** + * A security group to use for the Cluster Handler's `onEvent` Lambda. + * The `onEvent` Lambda is responsible for calling AWS's EKS API. + * + * Requires `placeClusterHandlerInVpc` to be set to true. + * + * @default - No security group. */ - public readonly onEventLayer?: lambda.ILayerVersion; + public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** * Determines if Kubernetes resources can be pruned automatically. @@ -1188,9 +1229,11 @@ export class Cluster extends ClusterBase { this.endpointAccess = props.endpointAccess ?? EndpointAccess.PUBLIC_AND_PRIVATE; this.kubectlEnvironment = props.kubectlEnvironment; this.kubectlLayer = props.kubectlLayer; - this.onEventLayer = props.onEventLayer; this.kubectlMemory = props.kubectlMemory; + this.proxyAgentLayer = props.proxyAgentLayer; + this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroup; + const privateSubnets = this.selectPrivateSubnets().slice(0, 16); const publicAccessDisabled = !this.endpointAccess._config.publicAccess; const publicAccessRestricted = !publicAccessDisabled 
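Review bot: In the @@ -1188 hunk the deprecated `ClusterOptions.onEventLayer` is no longer read anywhere: `this.onEventLayer = props.onEventLayer` is dropped and only `props.proxyAgentLayer` is assigned, so a user who still passes `onEventLayer` silently gets the bundled default layer instead of their own, with no warning or error. Keep the alias functional for as long as it is declared: `this.proxyAgentLayer = props.proxyAgentLayer ?? props.onEventLayer;`, and consider throwing when both are supplied with different values so the precedence is explicit. The constructor continues outside the hunk.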
@@ -1215,6 +1258,10 @@ export class Cluster extends ClusterBase { throw new Error('Cannot place cluster handler in the VPC since no private subnets could be selected'); } + if (props.clusterHandlerSecurityGroup && !placeClusterHandlerInVpc) { + throw new Error('Cannot specify clusterHandlerSecurityGroup without placeClusterHandlerInVpc set to true'); + } + const resource = this._clusterResource = new ClusterResource(this, 'Resource', { name: this.physicalName, environment: props.clusterHandlerEnvironment, @@ -1241,7 +1288,8 @@ export class Cluster extends ClusterBase { secretsEncryptionKey: props.secretsEncryptionKey, vpc: this.vpc, subnets: placeClusterHandlerInVpc ? privateSubnets : undefined, - onEventLayer: this.onEventLayer, + clusterHandlerSecurityGroup: this.clusterHandlerSecurityGroup, + proxyAgentLayer: this.proxyAgentLayer, }); if (this.endpointAccess._config.privateAccess && privateSubnets.length !== 0) { @@ -1827,8 +1875,9 @@ class ImportedCluster extends ClusterBase { public readonly kubectlSecurityGroup?: ec2.ISecurityGroup | undefined; public readonly kubectlPrivateSubnets?: ec2.ISubnet[] | undefined; public readonly kubectlLayer?: lambda.ILayerVersion; - public readonly onEventLayer?: lambda.ILayerVersion; public readonly kubectlMemory?: Size; + public readonly proxyAgentLayer?: lambda.ILayerVersion; + public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup | undefined; public readonly prune: boolean; // so that `clusterSecurityGroup` on `ICluster` can be configured without optionality, avoiding users from having 
@@ -1845,8 +1894,9 @@ class ImportedCluster extends ClusterBase { this.kubectlEnvironment = props.kubectlEnvironment; this.kubectlPrivateSubnets = props.kubectlPrivateSubnetIds ? props.kubectlPrivateSubnetIds.map((subnetid, index) => ec2.Subnet.fromSubnetId(this, `KubectlSubnet${index}`, subnetid)) : undefined; this.kubectlLayer = props.kubectlLayer; - this.onEventLayer = props.onEventLayer; this.kubectlMemory = props.kubectlMemory; + this.proxyAgentLayer = props.proxyAgentLayer; + this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroupId ? ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterHandlerSecurityGroup', props.clusterHandlerSecurityGroupId) : undefined; this.prune = props.prune ?? true; let i = 1; diff --git a/packages/@aws-cdk/aws-eks/lib/fargate-profile.ts b/packages/@aws-cdk/aws-eks/lib/fargate-profile.ts index 8d5b0301ff24b..390203c35f225 100644 --- a/packages/@aws-cdk/aws-eks/lib/fargate-profile.ts +++ b/packages/@aws-cdk/aws-eks/lib/fargate-profile.ts @@ -149,7 +149,7 @@ export class FargateProfile extends CoreConstruct implements ITaggable { const provider = ClusterResourceProvider.getOrCreate(this, { adminRole: props.cluster.adminRole, - onEventLayer: props.cluster.onEventLayer, + proxyAgentLayer: props.cluster.proxyAgentLayer, }); this.podExecutionRole = props.podExecutionRole ?? new iam.Role(this, 'PodExecutionRole', { diff --git a/packages/@aws-cdk/aws-eks/test/cluster.test.ts b/packages/@aws-cdk/aws-eks/test/cluster.test.ts index 295092509ffd2..63a17d9c5d64d 100644 --- a/packages/@aws-cdk/aws-eks/test/cluster.test.ts +++ b/packages/@aws-cdk/aws-eks/test/cluster.test.ts 
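Review bot: `ClusterResourceProvider.getOrCreate` in fargate-profile.ts still receives only `adminRole` and `proxyAgentLayer`, so the `clusterHandlerSecurityGroup` that the preceding cluster.ts hunk resolves from `clusterHandlerSecurityGroupId` never reaches the provider on the imported-cluster path, and neither does any VPC placement; unless getOrCreate reads it elsewhere, which I cannot see from here, the new attribute has no effect for imported clusters. Either pass `securityGroup: props.cluster.clusterHandlerSecurityGroup` together with the subnets the handlers need, or document on `ClusterAttributes.clusterHandlerSecurityGroupId` that it currently does nothing for imported clusters. Since the provider appears to be a per-stack singleton, it is also worth noting that whichever construct creates it first fixes its VPC and security-group configuration for the whole stack.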
@@ -38,6 +38,25 @@ describe('cluster', () => { expect(template.Resources.OnEventHandler42BEBAE0.Properties.Environment).toEqual({ Variables: { foo: 'bar' } }); }); + test('can specify security group to cluster resource handler', () => { + const { stack, vpc } = testFixture(); + const securityGroup = new ec2.SecurityGroup(stack, 'ProxyInstanceSG', { + vpc, + allowAllOutbound: false, + }); + + new eks.Cluster(stack, 'Cluster', { + version: CLUSTER_VERSION, + placeClusterHandlerInVpc: true, + clusterHandlerSecurityGroup: securityGroup, + }); + + const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.ClusterResourceProvider') as cdk.NestedStack; + + const template = SynthUtils.toCloudFormation(nested); + expect(template.Resources.OnEventHandler42BEBAE0.Properties.VpcConfig.SecurityGroupIds).toEqual([{ Ref: 'referencetoStackProxyInstanceSG80B79D87GroupId' }]); + }); + test('throws when trying to place cluster handlers in a vpc with no private subnets', () => { const { stack } = testFixture(); @@ -55,6 +74,21 @@ describe('cluster', () => { }); + test('throws when provided `clusterHandlerSecurityGroup` without `placeClusterHandlerInVpc: true`', () => { + const { stack, vpc } = testFixture(); + const securityGroup = new ec2.SecurityGroup(stack, 'ProxyInstanceSG', { + vpc, + allowAllOutbound: false, + }); + + expect(() => { + new eks.Cluster(stack, 'Cluster', { + version: CLUSTER_VERSION, + clusterHandlerSecurityGroup: securityGroup, + }); + }).toThrow(/Cannot specify clusterHandlerSecurityGroup without placeClusterHandlerInVpc set to true/); + }); + describe('imported Vpc from unparseable list tokens', () => { let stack: cdk.Stack; let vpc: ec2.IVpc; From dcfb7846cfea898922254bfeeee643b2d5e330d3 Mon Sep 17 00:00:00 2001 
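Review bot: The new test asserts `SecurityGroupIds` only on `OnEventHandler42BEBAE0`, although the point of the change is that the same security group is attached to both cluster handler functions and to the provider framework function. Add the matching expectation for the IsCompleteHandler resource, e.g. `expect(template.Resources.<IsCompleteHandlerLogicalId>.Properties.VpcConfig.SecurityGroupIds).toEqual([{ Ref: 'referencetoStackProxyInstanceSG80B79D87GroupId' }]);` with the logical id taken from the synthesized nested-stack template, so a regression that drops the group from one of the functions is caught.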
From: Ryan Parker Date: Wed, 27 Oct 2021 16:23:32 -0700 Subject: [PATCH 02/15] Corrected doc comments and reordered props to match --- package.json | 2 - packages/@aws-cdk/aws-eks/lib/cluster.ts | 93 ++++++++++++------------ 2 files changed, 46 insertions(+), 49 deletions(-) diff --git a/package.json b/package.json index f9e393b3e07fa..b395f9bfb0de0 100644 --- a/package.json +++ b/package.json @@ -103,8 +103,6 @@ "@aws-cdk/aws-cognito/punycode/**", "@aws-cdk/aws-ecr-assets/minimatch", "@aws-cdk/aws-ecr-assets/minimatch/**", - "@aws-cdk/aws-eks/yaml", - "@aws-cdk/aws-eks/yaml/**", "@aws-cdk/aws-eks/proxy-agent", "@aws-cdk/aws-eks/proxy-agent/**", "@aws-cdk/aws-events-targets/aws-sdk", diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 8e3030821dbc4..ddc110a962832 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -66,16 +66,6 @@ export interface ICluster extends IResource, ec2.IConnectable { */ readonly clusterCertificateAuthorityData: string; - /** - * A security group to use for the Cluster Handler's `onEvent` Lambda. - * The `onEvent` Lambda is responsible for calling AWS's EKS API. - * - * Requires `placeClusterHandlerInVpc` to be set to true. - * - * @default - No security group. - */ - readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; - /** * The id of the cluster security group that was created by Amazon EKS for the cluster. * @attribute @@ -139,6 +129,16 @@ export interface ICluster extends IResource, ec2.IConnectable { */ readonly kubectlMemory?: Size; + /** + * A security group to associate with the Cluster Handler's Lambdas. + * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. + * + * Requires `placeClusterHandlerInVpc` to be set to true. + * + * @default - No security group. + */ + readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; + /** * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. * 
@@ -319,6 +319,14 @@ export interface ClusterAttributes { */ readonly kubectlMemory?: Size; + /** + * A security group id to associate with the Cluster Handler's Lambdas. + * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. + * + * @default - No security group. + */ + readonly clusterHandlerSecurityGroupId?: string; + /** * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer * is used by the Cluster Handler to route AWS SDK requests through a proxy. @@ -330,15 +338,6 @@ export interface ClusterAttributes { */ readonly proxyAgentLayer?: lambda.ILayerVersion; - - /** - * A security group to use for the Cluster Handler's `onEvent` Lambda. - * The `onEvent` Lambda is responsible for calling AWS's EKS API. - * - * @default - No security group. - */ - readonly clusterHandlerSecurityGroupId?: string; - /** * Indicates whether Kubernetes resources added through `addManifest()` can be * automatically pruned. When this is enabled (default), prune labels will be @@ -470,23 +469,6 @@ export interface ClusterOptions extends CommonClusterOptions { */ readonly kubectlEnvironment?: { [key: string]: string }; - /** - * Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. - * - * @default - No environment variables. - */ - readonly clusterHandlerEnvironment?: { [key: string]: string }; - - /** - * A security group to use for the Cluster Handler's `onEvent` Lambda. - * The `onEvent` Lambda is responsible for calling AWS's EKS API. - * - * Requires `placeClusterHandlerInVpc` to be set to true. - * - * @default - No security group. - */ - readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; - /** * An AWS Lambda Layer which includes `kubectl`, Helm and the AWS CLI. * 
@@ -518,6 +500,23 @@ export interface ClusterOptions extends CommonClusterOptions { */ readonly kubectlMemory?: Size; + /** + * Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle. + * + * @default - No environment variables. + */ + readonly clusterHandlerEnvironment?: { [key: string]: string }; + + /** + * A security group to associate with the Cluster Handler's Lambdas. + * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. + * + * Requires `placeClusterHandlerInVpc` to be set to true. + * + * @default - No security group. + */ + readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; + /** * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. * @@ -1130,15 +1129,8 @@ export class Cluster extends ClusterBase { public readonly kubectlMemory?: Size; /** - * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. - * - * If not defined, a default layer will be used. - */ - public readonly proxyAgentLayer?: lambda.ILayerVersion; - - /** - * A security group to use for the Cluster Handler's `onEvent` Lambda. - * The `onEvent` Lambda is responsible for calling AWS's EKS API. + * A security group to associate with the Cluster Handler's Lambdas. + * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API. * * Requires `placeClusterHandlerInVpc` to be set to true. * @@ -1146,6 +1138,13 @@ export class Cluster extends ClusterBase { */ public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; + /** + * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. + * + * If not defined, a default layer will be used. + */ + public readonly proxyAgentLayer?: lambda.ILayerVersion; + /** * Determines if Kubernetes resources can be pruned automatically. */ 
@@ -1876,8 +1875,8 @@ class ImportedCluster extends ClusterBase {
 public readonly kubectlPrivateSubnets?: ec2.ISubnet[] | undefined;
 public readonly kubectlLayer?: lambda.ILayerVersion;
 public readonly kubectlMemory?: Size;
- public readonly proxyAgentLayer?: lambda.ILayerVersion;
 public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup | undefined;
+ public readonly proxyAgentLayer?: lambda.ILayerVersion;
 public readonly prune: boolean;
 
 // so that `clusterSecurityGroup` on `ICluster` can be configured without optionality, avoiding users from having
@@ -1895,8 +1894,8 @@ class ImportedCluster extends ClusterBase {
 this.kubectlPrivateSubnets = props.kubectlPrivateSubnetIds ? props.kubectlPrivateSubnetIds.map((subnetid, index) => ec2.Subnet.fromSubnetId(this, `KubectlSubnet${index}`, subnetid)) : undefined;
 this.kubectlLayer = props.kubectlLayer;
 this.kubectlMemory = props.kubectlMemory;
- this.proxyAgentLayer = props.proxyAgentLayer;
 this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroupId ? ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterHandlerSecurityGroup', props.clusterHandlerSecurityGroupId) : undefined;
+ this.proxyAgentLayer = props.proxyAgentLayer;
 this.prune = props.prune ?? true;
 
 let i = 1;
From cd4578e2dac882e214a024430419cc535a5ea848 Mon Sep 17 00:00:00 2001
From: Ryan Parker
Date: Wed, 27 Oct 2021 19:38:41 -0700
Subject: [PATCH 03/15] removed `@aws-cdk/aws-eks/proxy-agent` from root package.json
---
 package.json | 2 --
 1 file changed, 2 deletions(-)
diff --git a/package.json b/package.json
index b395f9bfb0de0..79a527849c53f 100644
--- a/package.json
+++ b/package.json
@@ -103,8 +103,6 @@
 "@aws-cdk/aws-cognito/punycode/**",
 "@aws-cdk/aws-ecr-assets/minimatch",
 "@aws-cdk/aws-ecr-assets/minimatch/**",
- "@aws-cdk/aws-eks/proxy-agent",
- "@aws-cdk/aws-eks/proxy-agent/**",
 "@aws-cdk/aws-events-targets/aws-sdk",
 "@aws-cdk/aws-events-targets/aws-sdk/**",
 "@aws-cdk/aws-s3-deployment/case",
From 0e0da6f875f3ca8e6f916c63bb7ab36df09824d4 Mon Sep 17 00:00:00 2001
From: Ryan Parker
Date: Wed, 27 Oct 2021 19:39:37 -0700
Subject: [PATCH 04/15] revert remove yaml from root package.json
---
 package.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/package.json b/package.json
index 79a527849c53f..6115ddc36950c 100644
--- a/package.json
+++ b/package.json
@@ -103,6 +103,8 @@
 "@aws-cdk/aws-cognito/punycode/**",
 "@aws-cdk/aws-ecr-assets/minimatch",
 "@aws-cdk/aws-ecr-assets/minimatch/**",
+ "@aws-cdk/aws-eks/yaml",
+ "@aws-cdk/aws-eks/yaml/**",
 "@aws-cdk/aws-events-targets/aws-sdk",
 "@aws-cdk/aws-events-targets/aws-sdk/**",
 "@aws-cdk/aws-s3-deployment/case",
From d5691761a8f10af9c259d27c558dbe067337e35b Mon Sep 17 00:00:00 2001
From: Ryan Parker
Date: Wed, 27 Oct 2021 21:47:21 -0700
Subject: [PATCH 05/15] Using require to import `proxy-agent` - Otherwise tsconfig would need to enable `esModuleInterop`
---
 .../@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts | 5 +++--
 packages/@aws-cdk/aws-eks/lib/cluster.ts | 6 +++++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts
index 879625494d242..258f5d8b04545 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts
@@ -3,13 +3,14 @@ import { IsCompleteResponse } from '@aws-cdk/custom-resources/lib/provider-framework/types'; // eslint-disable-next-line import/no-extraneous-dependencies import * as aws from 'aws-sdk'; -// eslint-disable-next-line import/no-extraneous-dependencies -import * as ProxyAgent from 'proxy-agent'; import { ClusterResourceHandler } from './cluster'; import { EksClient } from './common'; import * as consts from './consts'; import { FargateProfileResourceHandler } from './fargate'; +// eslint-disable-next-line @typescript-eslint/no-require-imports, import/no-extraneous-dependencies +const ProxyAgent = require('proxy-agent'); + aws.config.logger = console; aws.config.update({ httpOptions: { agent: new ProxyAgent() }, diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index ddc110a962832..58f96f06787b7 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -136,13 +136,14 @@ export interface ICluster extends IResource, ec2.IConnectable { * Requires `placeClusterHandlerInVpc` to be set to true. * * @default - No security group. + * @attribute */ readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. * - * If not defined, a default layer will be used. + * @default - If not defined, a default layer will be used. */ readonly proxyAgentLayer?: lambda.ILayerVersion; @@ -532,12 +533,15 @@ export interface ClusterOptions extends CommonClusterOptions { * compatibleRuntimes: [lambda.Runtime.NODEJS_12_X] * }) * ``` + * + * @default - a layer bundled with this module. */ readonly proxyAgentLayer?: lambda.ILayerVersion; /** * Deprecated * + * @default - a layer bundled with this module. * @deprecated use `proxyAgentLayer` instead */ readonly onEventLayer?: lambda.ILayerVersion; From 520852635451feb2d0f75a87bb72cfbc069a112a Mon Sep 17 00:00:00 2001 
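Review bot: `const ProxyAgent = require('proxy-agent');` leaves the binding typed as `any`, so `new ProxyAgent()` handed to `httpOptions.agent` is not checked against what aws-sdk accepts, and a typo or a changed export shape in the layer would only surface at runtime inside the handler. TypeScript's import-equals form keeps the CommonJS `require` this commit wants without enabling `esModuleInterop` while still picking up the package's typings: `import ProxyAgent = require('proxy-agent');` (the existing eslint disable comment stays, as that rule also covers this form; worth confirming the package ships types your tsconfig can resolve). The `@default` additions in the cluster.ts hunks read fine.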
From: Ryan Parker Date: Thu, 28 Oct 2021 12:36:35 -0700 Subject: [PATCH 06/15] docs: removed `onEvent` documentation --- packages/@aws-cdk/aws-eks/README.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 2121880746507..55717176e2f75 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md 
@@ -539,19 +539,17 @@ If the endpoint does not expose private access (via `EndpointAccess.PUBLIC`) **o The `ClusterHandler` is a set of Lambda functions (`onEventHandler`, `isCompleteHandler`) responsible for interacting with the EKS API in order to control the cluster lifecycle. To provision these functions inside the VPC, set the `placeClusterHandlerInVpc` property to `true`. This will place the functions inside the private subnets of the VPC based on the selection strategy specified in the [`vpcSubnets`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.Cluster.html#vpcsubnetsspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan) property. -The `onEventHandler` Lambda is the only Lambda used for calling AWS's EKS API. - -You can configure the environment of the `onEventHandler` function by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy: +You can configure the environment of the Cluster Handler functions by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy: ```ts const cluster = new eks.Cluster(this, 'hello-eks', { version: eks.KubernetesVersion.V1_21, clusterHandlerEnvironment: { - 'http_proxy': 'http://proxy.myproxy.com' + http_proxy: 'http://proxy.myproxy.com' }, /** * If proxy is not open to public you may pass a security group to the - * `onEvent` cluster handler Lambda. + * Cluster Handler Lambdas. */ clusterHandlerSecurityGroup: proxyInstanceSecurityGroup }); From dbfe9a6482e087aa13d5500b77ca463d089068a2 Mon Sep 17 00:00:00 2001 From: Ryan Parker Date: Thu, 28 Oct 2021 12:45:36 -0700 Subject: [PATCH 07/15] docs: removed incorrect code comment on onEvent --- packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts | 1 - 1 file changed, 1 deletion(-) 
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts index f0f8f401b93a9..1bcccc6c2f277 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts @@ -76,7 +76,6 @@ export class ClusterResourceProvider extends NestedStack { // Allow user to override the layer. Layer must contain `proxy-agent` node_module which is required to proxy AWS SDK requests. const proxyAgentLayer = props.proxyAgentLayer ? props.proxyAgentLayer : new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer'); - // This is the only Lambda that calls AWS's EKS API. const onEvent = new lambda.Function(this, 'OnEventHandler', { code: lambda.Code.fromAsset(HANDLER_DIR), description: 'onEvent handler for EKS cluster resource provider', From 92a6c3983fd5d674df43e7685838f7c7d3c4f98c Mon Sep 17 00:00:00 2001 From: Ryan Parker Date: Wed, 3 Nov 2021 13:52:19 -0700 Subject: [PATCH 08/15] docs(aws-eks/README): replaced `http_proxy` -> `https_proxy` --- packages/@aws-cdk/aws-eks/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 55717176e2f75..79816a2b84ba1 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md @@ -102,8 +102,8 @@ The following is a qualitative diagram of the various possible components involv ```text +-----------------------------------------------+ +-----------------+ - | EKS Cluster | kubectl | | - |-----------------------------------------------|<-------------+| Kubectl Handler | + | EKS Cluster | kubectl | | + | ----------- |<-------------+| Kubectl Handler | | | | | | | +-----------------+ | +--------------------+ +-----------------+ | 
@@ -545,7 +545,7 @@ You can configure the environment of the Cluster Handler functions by specifying const cluster = new eks.Cluster(this, 'hello-eks', { version: eks.KubernetesVersion.V1_21, clusterHandlerEnvironment: { - http_proxy: 'http://proxy.myproxy.com' + https_proxy: 'http://proxy.myproxy.com' }, /** * If proxy is not open to public you may pass a security group to the From d3f71a76fed792dda77cdd792f69fc58579f2f45 Mon Sep 17 00:00:00 2001 From: Ryan Parker Date: Wed, 3 Nov 2021 16:57:49 -0700 Subject: [PATCH 09/15] Added deprecated flags next to old `onEvent` docs --- packages/@aws-cdk/aws-eks/lib/cluster.ts | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 58f96f06787b7..29cfb4b87d581 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -147,6 +147,14 @@ export interface ICluster extends IResource, ec2.IConnectable { */ readonly proxyAgentLayer?: lambda.ILayerVersion; + /** + * Deprecated + * + * @default - a layer bundled with this module. + * @deprecated use `proxyAgentLayer` instead + */ + readonly onEventLayer?: lambda.ILayerVersion; + /** * Indicates whether Kubernetes resources can be automatically pruned. When * this is enabled (default), prune labels will be allocated and injected to @@ -339,6 +347,14 @@ export interface ClusterAttributes { */ readonly proxyAgentLayer?: lambda.ILayerVersion; + /** + * Deprecated + * + * @default - a layer bundled with this module. + * @deprecated use `proxyAgentLayer` instead + */ + readonly onEventLayer?: lambda.ILayerVersion; + /** * Indicates whether Kubernetes resources added through `addManifest()` can be * automatically pruned. When this is enabled (default), prune labels will be 
@@ -1149,6 +1165,14 @@ export class Cluster extends ClusterBase { */ public readonly proxyAgentLayer?: lambda.ILayerVersion; + /** + * Deprecated + * + * @default - a layer bundled with this module. + * @deprecated use `proxyAgentLayer` instead + */ + readonly onEventLayer?: lambda.ILayerVersion; + /** * Determines if Kubernetes resources can be pruned automatically. */ From d4854305e1ec3aed5ac4783d72e194db9e8b712a Mon Sep 17 00:00:00 2001 From: Ryan Parker Date: Thu, 4 Nov 2021 12:53:00 -0700 Subject: [PATCH 10/15] Update packages/@aws-cdk/aws-eks/README.md Co-authored-by: Eli Polonsky --- packages/@aws-cdk/aws-eks/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 57d66e5a6fea0..9eadbaf7fa30c 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md @@ -550,7 +550,7 @@ const cluster = new eks.Cluster(this, 'hello-eks', { https_proxy: 'http://proxy.myproxy.com' }, /** - * If proxy is not open to public you may pass a security group to the + * If the proxy is not open publicly, you can pass a security group to the * Cluster Handler Lambdas. */ clusterHandlerSecurityGroup: proxyInstanceSecurityGroup From 2949fbf13a1f81faf9aaf5231d37086a49c48f9f Mon Sep 17 00:00:00 2001 From: Ryan Parker Date: Thu, 4 Nov 2021 12:53:09 -0700 Subject: [PATCH 11/15] Update packages/@aws-cdk/aws-eks/README.md Co-authored-by: Eli Polonsky --- packages/@aws-cdk/aws-eks/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-eks/README.md b/packages/@aws-cdk/aws-eks/README.md index 9eadbaf7fa30c..e1d78b774450d 100644 --- a/packages/@aws-cdk/aws-eks/README.md +++ b/packages/@aws-cdk/aws-eks/README.md 
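Review bot: `readonly onEventLayer?: lambda.ILayerVersion;` is added to `Cluster` here, and to `ICluster` and `ClusterAttributes` in the two hunks on the previous line, as a deprecated alias of `proxyAgentLayer`, but nothing in this patch assigns it or reads it, so a caller who still passes `onEventLayer` appears to have the value silently dropped instead of applied as `proxyAgentLayer`. Either map it in the constructor, `this.proxyAgentLayer = props.proxyAgentLayer ?? props.onEventLayer;`, or state in the `@deprecated` text that the value is ignored. The new field also lacks the `public` modifier that its sibling `public readonly proxyAgentLayer?` carries. The `Cluster` constructor is outside the hunk, so the mapping may exist elsewhere — worth confirming.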
@@ -551,7 +551,7 @@ const cluster = new eks.Cluster(this, 'hello-eks', { }, /** * If the proxy is not open publicly, you can pass a security group to the - * Cluster Handler Lambdas. + * Cluster Handler Lambdas so that it can reach the proxy. */ clusterHandlerSecurityGroup: proxyInstanceSecurityGroup }); From 68f76555f82766177bbf7e6ae516dcf21e26ffe2 Mon Sep 17 00:00:00 2001 From: Ryan Parker Date: Thu, 4 Nov 2021 14:30:27 -0700 Subject: [PATCH 12/15] revert: removed `proxyAgentLayer` and reconnected `onEventLayer` --- .../aws-eks/lib/cluster-resource-provider.ts | 17 +++--- .../@aws-cdk/aws-eks/lib/cluster-resource.ts | 4 +- packages/@aws-cdk/aws-eks/lib/cluster.ts | 54 ++++--------------- .../@aws-cdk/aws-eks/lib/fargate-profile.ts | 2 +- packages/@aws-cdk/aws-eks/package.json | 2 - 5 files changed, 22 insertions(+), 57 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts index 1bcccc6c2f277..8f6462df74a78 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts @@ -36,11 +36,11 @@ export interface ClusterResourceProviderProps { readonly environment?: { [key: string]: string }; /** - * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. - * - * If not defined, a default layer will be used. - */ - readonly proxyAgentLayer?: lambda.ILayerVersion; + * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. + * + * If not defined, a default layer will be used. + */ + readonly onEventLayer?: lambda.ILayerVersion; /** * The security group to associate with the functions. 
@@ -73,8 +73,6 @@ export class ClusterResourceProvider extends NestedStack {
 private constructor(scope: Construct, id: string, props: ClusterResourceProviderProps) {
 super(scope as CoreConstruct, id);
- // Allow user to override the layer. Layer must contain `proxy-agent` node_module which is required to proxy AWS SDK requests.
- const proxyAgentLayer = props.proxyAgentLayer ? props.proxyAgentLayer : new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer');
 const onEvent = new lambda.Function(this, 'OnEventHandler', {
 code: lambda.Code.fromAsset(HANDLER_DIR),
@@ -86,7 +84,8 @@ export class ClusterResourceProvider extends NestedStack {
 vpc: props.subnets ? props.vpc : undefined,
 vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
 securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
- layers: [proxyAgentLayer],
+ // Allow user to override the layer. Layer must contain `proxy-agent` node_module which is required to proxy AWS SDK requests.
+ layers: props.onEventLayer ? [props.onEventLayer] : [new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer')],
 });
 const isComplete = new lambda.Function(this, 'IsCompleteHandler', {
@@ -99,7 +98,7 @@ export class ClusterResourceProvider extends NestedStack {
 vpc: props.subnets ? props.vpc : undefined,
 vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
 securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
- layers: [proxyAgentLayer],
+ layers: [new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer')],
 });
 this.provider = new cr.Provider(this, 'Provider', {
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
index e24d988e79344..ed0852338a527 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
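Review bot: The user override only reaches the onEvent function: `layers: props.onEventLayer ? [props.onEventLayer] : [new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer')]` on OnEventHandler, while IsCompleteHandler is hard-wired to `layers: [new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer')]`. Both functions are built from the same `HANDLER_DIR` asset, and the handler's index.ts installs the proxy agent for the whole SDK at module load, so a user who supplies their own layer (for example to avoid depending on the bundled one) still gets the bundled layer on isComplete; the same asymmetry survives in the patch 13 and patch 14 hunks that follow. Either apply the override to both functions, or say so in the `onEventLayer` prop docs: ` * Only the onEvent function uses this override; the isComplete function always uses the layer bundled with this module.`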
@@ -26,7 +26,7 @@ export interface ClusterResourceProps { readonly environment?: { [key: string]: string }; readonly subnets?: ec2.ISubnet[]; readonly secretsEncryptionKey?: kms.IKey; - readonly proxyAgentLayer?: lambda.ILayerVersion; + readonly onEventLayer?: lambda.ILayerVersion; readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; } @@ -66,7 +66,7 @@ export class ClusterResource extends CoreConstruct { subnets: props.subnets, vpc: props.vpc, environment: props.environment, - proxyAgentLayer: props.proxyAgentLayer, + onEventLayer: props.onEventLayer, securityGroup: props.clusterHandlerSecurityGroup, }); diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts index 29cfb4b87d581..6da19bbb28703 100644 --- a/packages/@aws-cdk/aws-eks/lib/cluster.ts +++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts @@ -141,17 +141,10 @@ export interface ICluster extends IResource, ec2.IConnectable { readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** - * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. - * - * @default - If not defined, a default layer will be used. - */ - readonly proxyAgentLayer?: lambda.ILayerVersion; - - /** - * Deprecated + * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer + * is used by the onEvent handler to route AWS SDK requests through a proxy. * * @default - a layer bundled with this module. - * @deprecated use `proxyAgentLayer` instead */ readonly onEventLayer?: lambda.ILayerVersion; 
@@ -338,20 +331,9 @@ export interface ClusterAttributes { /** * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer - * is used by the Cluster Handler to route AWS SDK requests through a proxy. - * The handler expects the layer to include the following node_modules: - * - * proxy-agent - * - * @default - a layer bundled with this module. - */ - readonly proxyAgentLayer?: lambda.ILayerVersion; - - /** - * Deprecated + * is used by the onEvent handler to route AWS SDK requests through a proxy. * * @default - a layer bundled with this module. - * @deprecated use `proxyAgentLayer` instead */ readonly onEventLayer?: lambda.ILayerVersion; @@ -535,7 +517,8 @@ export interface ClusterOptions extends CommonClusterOptions { readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** - * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. + * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer + * is used by the onEvent handler to route AWS SDK requests through a proxy. * * By default, the provider will use the layer included in the * "aws-lambda-layer-node-proxy-agent" SAR application which is available in all @@ -552,14 +535,6 @@ export interface ClusterOptions extends CommonClusterOptions { * * @default - a layer bundled with this module. */ - readonly proxyAgentLayer?: lambda.ILayerVersion; - - /** - * Deprecated - * - * @default - a layer bundled with this module. - * @deprecated use `proxyAgentLayer` instead - */ readonly onEventLayer?: lambda.ILayerVersion; /** 
@@ -1159,17 +1134,10 @@ export class Cluster extends ClusterBase { public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** - * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. - * - * If not defined, a default layer will be used. - */ - public readonly proxyAgentLayer?: lambda.ILayerVersion; - - /** - * Deprecated + * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer + * is used by the onEvent handler to route AWS SDK requests through a proxy. * * @default - a layer bundled with this module. - * @deprecated use `proxyAgentLayer` instead */ readonly onEventLayer?: lambda.ILayerVersion; @@ -1258,7 +1226,7 @@ export class Cluster extends ClusterBase { this.kubectlLayer = props.kubectlLayer; this.kubectlMemory = props.kubectlMemory; - this.proxyAgentLayer = props.proxyAgentLayer; + this.onEventLayer = props.onEventLayer; this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroup; const privateSubnets = this.selectPrivateSubnets().slice(0, 16); @@ -1316,7 +1284,7 @@ export class Cluster extends ClusterBase { vpc: this.vpc, subnets: placeClusterHandlerInVpc ? privateSubnets : undefined, clusterHandlerSecurityGroup: this.clusterHandlerSecurityGroup, - proxyAgentLayer: this.proxyAgentLayer, + onEventLayer: this.onEventLayer, }); if (this.endpointAccess._config.privateAccess && privateSubnets.length !== 0) { @@ -1904,7 +1872,7 @@ class ImportedCluster extends ClusterBase { public readonly kubectlLayer?: lambda.ILayerVersion; public readonly kubectlMemory?: Size; public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup | undefined; - public readonly proxyAgentLayer?: lambda.ILayerVersion; + public readonly onEventLayer?: lambda.ILayerVersion; public readonly prune: boolean; // so that `clusterSecurityGroup` on `ICluster` can be configured without optionality, avoiding users from having 
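Review bot: `readonly onEventLayer?: lambda.ILayerVersion;` on `Cluster` drops the `public` modifier that the removed `public readonly proxyAgentLayer?` had and that `ImportedCluster` keeps in the last hunk on this line (`public readonly onEventLayer?: lambda.ILayerVersion;`). TypeScript defaults to public, so behaviour is unchanged, but the class now mixes styles across the members that implement `ICluster`; `public readonly onEventLayer?: lambda.ILayerVersion;` keeps it consistent. The same declaration is carried unchanged into the patch 15 hunk later on the page.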
@@ -1923,7 +1891,7 @@ class ImportedCluster extends ClusterBase {
 this.kubectlLayer = props.kubectlLayer;
 this.kubectlMemory = props.kubectlMemory;
 this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroupId ? ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterHandlerSecurityGroup', props.clusterHandlerSecurityGroupId) : undefined;
- this.proxyAgentLayer = props.proxyAgentLayer;
+ this.onEventLayer = props.onEventLayer;
 this.prune = props.prune ?? true;
 let i = 1;
diff --git a/packages/@aws-cdk/aws-eks/lib/fargate-profile.ts b/packages/@aws-cdk/aws-eks/lib/fargate-profile.ts
index 390203c35f225..8d5b0301ff24b 100644
--- a/packages/@aws-cdk/aws-eks/lib/fargate-profile.ts
+++ b/packages/@aws-cdk/aws-eks/lib/fargate-profile.ts
@@ -149,7 +149,7 @@ export class FargateProfile extends CoreConstruct implements ITaggable {
 const provider = ClusterResourceProvider.getOrCreate(this, {
 adminRole: props.cluster.adminRole,
- proxyAgentLayer: props.cluster.proxyAgentLayer,
+ onEventLayer: props.cluster.onEventLayer,
 });
 this.podExecutionRole = props.podExecutionRole ?? new iam.Role(this, 'PodExecutionRole', {
diff --git a/packages/@aws-cdk/aws-eks/package.json b/packages/@aws-cdk/aws-eks/package.json
index e5c7869f9bc13..35db07123cae8 100644
--- a/packages/@aws-cdk/aws-eks/package.json
+++ b/packages/@aws-cdk/aws-eks/package.json
@@ -93,7 +93,6 @@
 "@aws-cdk/aws-iam": "0.0.0",
 "@aws-cdk/aws-kms": "0.0.0",
 "@aws-cdk/aws-lambda": "0.0.0",
- "@aws-cdk/aws-lambda-nodejs": "0.0.0",
 "@aws-cdk/aws-ssm": "0.0.0",
 "@aws-cdk/core": "0.0.0",
 "@aws-cdk/custom-resources": "0.0.0",
@@ -113,7 +112,6 @@
 "@aws-cdk/aws-iam": "0.0.0",
 "@aws-cdk/aws-kms": "0.0.0",
 "@aws-cdk/aws-lambda": "0.0.0",
- "@aws-cdk/aws-lambda-nodejs": "0.0.0",
 "@aws-cdk/aws-ssm": "0.0.0",
 "@aws-cdk/core": "0.0.0",
 "@aws-cdk/custom-resources": "0.0.0",
From 65933480e12eeab30229b59006f375435411fc73 Mon Sep 17 00:00:00 2001
From: Ryan Parker
Date: Thu, 4 Nov 2021 15:03:31 -0700
Subject: [PATCH 13/15] fix: using unique name for each `NodeProxyAgentLayer`

---
 packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts
index 8f6462df74a78..7b650bb2ebf9b 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts
@@ -73,7 +73,6 @@ export class ClusterResourceProvider extends NestedStack {
 private constructor(scope: Construct, id: string, props: ClusterResourceProviderProps) {
 super(scope as CoreConstruct, id);
-
 const onEvent = new lambda.Function(this, 'OnEventHandler', {
 code: lambda.Code.fromAsset(HANDLER_DIR),
 description: 'onEvent handler for EKS cluster resource provider',
@@ -85,7 +84,7 @@ export class ClusterResourceProvider extends NestedStack {
 vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
 securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
 // Allow user to override the layer. Layer must contain `proxy-agent` node_module which is required to proxy AWS SDK requests.
- layers: props.onEventLayer ? [props.onEventLayer] : [new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer')],
+ layers: props.onEventLayer ? [props.onEventLayer] : [new NodeProxyAgentLayer(this, 'OnEventNodeProxyAgentLayer')],
 });
 const isComplete = new lambda.Function(this, 'IsCompleteHandler', {
@@ -98,7 +97,7 @@ export class ClusterResourceProvider extends NestedStack {
 vpc: props.subnets ? props.vpc : undefined,
 vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
 securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
- layers: [new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer')],
+ layers: [new NodeProxyAgentLayer(this, 'IsCompleteNodeProxyAgentLayer')],
 });
 this.provider = new cr.Provider(this, 'Provider', {
From 223e6fb85b7e3ae89f788c9e0b81c134afce01d5 Mon Sep 17 00:00:00 2001
From: Ryan Parker
Date: Thu, 4 Nov 2021 15:18:52 -0700
Subject: [PATCH 14/15] clean: referencing same NodeProxyAgentLayer instead of creating multiples

---
 .../@aws-cdk/aws-eks/lib/cluster-resource-provider.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts
index 7b650bb2ebf9b..9bb65be4f56b2 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts
@@ -73,6 +73,9 @@ export class ClusterResourceProvider extends NestedStack {
 private constructor(scope: Construct, id: string, props: ClusterResourceProviderProps) {
 super(scope as CoreConstruct, id);
+ // The NPM dependency proxy-agent is required in order to support proxy routing with the AWS JS SDK.
+ const nodeProxyAgentLayer = new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer');
+
 const onEvent = new lambda.Function(this, 'OnEventHandler', {
 code: lambda.Code.fromAsset(HANDLER_DIR),
 description: 'onEvent handler for EKS cluster resource provider',
@@ -83,8 +86,8 @@ export class ClusterResourceProvider extends NestedStack {
 vpc: props.subnets ? props.vpc : undefined,
 vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
 securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
- // Allow user to override the layer. Layer must contain `proxy-agent` node_module which is required to proxy AWS SDK requests.
- layers: props.onEventLayer ? [props.onEventLayer] : [new NodeProxyAgentLayer(this, 'OnEventNodeProxyAgentLayer')],
+ // Allow user to override the layer.
+ layers: props.onEventLayer ? [props.onEventLayer] : [nodeProxyAgentLayer],
 });
 const isComplete = new lambda.Function(this, 'IsCompleteHandler', {
@@ -97,7 +100,7 @@ export class ClusterResourceProvider extends NestedStack {
 vpc: props.subnets ? props.vpc : undefined,
 vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
 securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
- layers: [new NodeProxyAgentLayer(this, 'IsCompleteNodeProxyAgentLayer')],
+ layers: [nodeProxyAgentLayer],
 });
 this.provider = new cr.Provider(this, 'Provider', {
From 1d3a3b8cd49de7d91e3a99ab56de483d1cd999f5 Mon Sep 17 00:00:00 2001
From: Ryan Parker
Date: Thu, 4 Nov 2021 15:42:30 -0700
Subject: [PATCH 15/15] clean: removed unnecessary doc changes to `onEventLayer`

---
 packages/@aws-cdk/aws-eks/lib/cluster.ts | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
index 6da19bbb28703..2c762ab666327 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts
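Review bot: The comment shortened to `// Allow user to override the layer.` drops the only statement of what a user-supplied layer must contain; the handler's index.ts does `require('proxy-agent')` at module load, so a layer without that module fails the function at cold start rather than at synth time. Keep the constraint next to the override, e.g. `// Allow user to override the layer; it must provide the 'proxy-agent' module, which the handler requires at load time.`, or move it into the `onEventLayer` prop docs. The constructor continues past the hunk.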
@@ -141,10 +141,9 @@ export interface ICluster extends IResource, ec2.IConnectable { readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** - * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer - * is used by the onEvent handler to route AWS SDK requests through a proxy. + * An AWS Lambda layer that includes the NPM dependency `proxy-agent`. * - * @default - a layer bundled with this module. + * If not defined, a default layer will be used. */ readonly onEventLayer?: lambda.ILayerVersion; @@ -333,6 +332,10 @@ export interface ClusterAttributes { * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer * is used by the onEvent handler to route AWS SDK requests through a proxy. * + * The handler expects the layer to include the following node_modules: + * + * proxy-agent + * * @default - a layer bundled with this module. */ readonly onEventLayer?: lambda.ILayerVersion; @@ -1134,10 +1137,8 @@ export class Cluster extends ClusterBase { public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup; /** - * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer - * is used by the onEvent handler to route AWS SDK requests through a proxy. - * - * @default - a layer bundled with this module. + * The AWS Lambda layer that contains the NPM dependency `proxy-agent`. If + * undefined, a SAR app that contains this layer will be used. */ readonly onEventLayer?: lambda.ILayerVersion;