fix(aws-eks): proxy support and allow assigning a security group to all cluster handler functions

packages/@aws-cdk/aws-eks/README.md

@@ -537,16 +537,21 @@ If the endpoint does not expose private access (via `EndpointAccess.PUBLIC`) **o
 
 #### Cluster Handler
 
-The `ClusterHandler` is a Lambda function responsible to interact with the EKS API in order to control the cluster lifecycle. To provision this function inside the VPC, set the `placeClusterHandlerInVpc` property to `true`. This will place the function inside the private subnets of the VPC based on the selection strategy specified in the [`vpcSubnets`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.Cluster.html#vpcsubnetsspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan) property.
+The `ClusterHandler` is a set of Lambda functions (`onEventHandler`, `isCompleteHandler`) responsible for interacting with the EKS API in order to control the cluster lifecycle. To provision these functions inside the VPC, set the `placeClusterHandlerInVpc` property to `true`. This will place the functions inside the private subnets of the VPC based on the selection strategy specified in the [`vpcSubnets`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-eks.Cluster.html#vpcsubnetsspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan) property.
 
-You can configure the environment of this function by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy:
+You can configure the environment of the Cluster Handler functions by specifying it at cluster instantiation. For example, this can be useful in order to configure an http proxy:
 
 ```ts
 const cluster = new eks.Cluster(this, 'hello-eks', {
   version: eks.KubernetesVersion.V1_21,
   clusterHandlerEnvironment: {
-    'http_proxy': 'http://proxy.myproxy.com'
-  }
+    http_proxy: 'http://proxy.myproxy.com'
+  },
+  /**
+   * If proxy is not open to public you may pass a security group to the
+   * Cluster Handler Lambdas.
+   */
+  clusterHandlerSecurityGroup: proxyInstanceSecurityGroup
 });
 ```
 

packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/common.ts

@@ -41,12 +41,6 @@ export abstract class ResourceHandler {
   }
 
   public onEvent() {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports, import/no-extraneous-dependencies
-    const ProxyAgent: any = require('proxy-agent');
-    aws.config.update({
-      httpOptions: { agent: new ProxyAgent() },
-    });
-
     switch (this.requestType) {
       case 'Create': return this.onCreate();
       case 'Update': return this.onUpdate();

packages/@aws-cdk/aws-eks/lib/cluster-resource-handler/index.ts

@@ -8,7 +8,13 @@ import { EksClient } from './common';
 import * as consts from './consts';
 import { FargateProfileResourceHandler } from './fargate';
 
+// eslint-disable-next-line @typescript-eslint/no-require-imports, import/no-extraneous-dependencies
+const ProxyAgent = require('proxy-agent');
+
 aws.config.logger = console;
+aws.config.update({
+  httpOptions: { agent: new ProxyAgent() },
+});
 
 let eks: aws.EKS | undefined;
 

packages/@aws-cdk/aws-eks/lib/cluster-resource-provider.ts

@@ -40,7 +40,14 @@ export interface ClusterResourceProviderProps {
     *
     * If not defined, a default layer will be used.
     */
-  readonly onEventLayer?: lambda.ILayerVersion;
+  readonly proxyAgentLayer?: lambda.ILayerVersion;
+
+  /**
+   * The security group to associate with the functions.
+   *
+   * @default - No security group.
+   */
+  readonly securityGroup?: ec2.ISecurityGroup;
 }
 
 /**
@@ -66,6 +73,10 @@ export class ClusterResourceProvider extends NestedStack {
   private constructor(scope: Construct, id: string, props: ClusterResourceProviderProps) {
     super(scope as CoreConstruct, id);
 
+    // Allow user to override the layer. Layer must contain `proxy-agent` node_module which is required to proxy AWS SDK requests.
+    const proxyAgentLayer = props.proxyAgentLayer ? props.proxyAgentLayer : new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer');
+
+    // This is the only Lambda that calls AWS's EKS API.
     const onEvent = new lambda.Function(this, 'OnEventHandler', {
       code: lambda.Code.fromAsset(HANDLER_DIR),
       description: 'onEvent handler for EKS cluster resource provider',
@@ -75,24 +86,21 @@ export class ClusterResourceProvider extends NestedStack {
       timeout: Duration.minutes(1),
       vpc: props.subnets ? props.vpc : undefined,
       vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
+      securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
+      layers: [proxyAgentLayer],
     });
 
-    // Allow user to customize the layer
-    if (!props.onEventLayer) {
-      // `NodeProxyAgentLayer` provides `proxy-agent` which is needed to configure `aws-sdk-js` with a user provided proxy.
-      onEvent.addLayers(new NodeProxyAgentLayer(this, 'NodeProxyAgentLayer'));
-    } else {
-      onEvent.addLayers(props.onEventLayer);
-    }
-
     const isComplete = new lambda.Function(this, 'IsCompleteHandler', {
       code: lambda.Code.fromAsset(HANDLER_DIR),
       description: 'isComplete handler for EKS cluster resource provider',
       runtime: HANDLER_RUNTIME,
+      environment: props.environment,
       handler: 'index.isComplete',
       timeout: Duration.minutes(1),
       vpc: props.subnets ? props.vpc : undefined,
       vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
+      securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
+      layers: [proxyAgentLayer],
     });
 
     this.provider = new cr.Provider(this, 'Provider', {
@@ -102,6 +110,7 @@ export class ClusterResourceProvider extends NestedStack {
       queryInterval: Duration.minutes(1),
       vpc: props.subnets ? props.vpc : undefined,
       vpcSubnets: props.subnets ? { subnets: props.subnets } : undefined,
+      securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
     });
 
     props.adminRole.grant(onEvent.role!, 'sts:AssumeRole');

packages/@aws-cdk/aws-eks/lib/cluster-resource.ts

@@ -26,7 +26,8 @@ export interface ClusterResourceProps {
   readonly environment?: { [key: string]: string };
   readonly subnets?: ec2.ISubnet[];
   readonly secretsEncryptionKey?: kms.IKey;
-  readonly onEventLayer?: lambda.ILayerVersion;
+  readonly proxyAgentLayer?: lambda.ILayerVersion;
+  readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup;
 }
 
 /**
@@ -65,7 +66,8 @@ export class ClusterResource extends CoreConstruct {
       subnets: props.subnets,
       vpc: props.vpc,
       environment: props.environment,
-      onEventLayer: props.onEventLayer,
+      proxyAgentLayer: props.proxyAgentLayer,
+      securityGroup: props.clusterHandlerSecurityGroup,
     });
 
     const resource = new CustomResource(this, 'Resource', {

packages/@aws-cdk/aws-eks/lib/cluster.ts

@@ -129,12 +129,23 @@ export interface ICluster extends IResource, ec2.IConnectable {
    */
   readonly kubectlMemory?: Size;
 
+  /**
+   * A security group to associate with the Cluster Handler's Lambdas.
+   * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API.
+   *
+   * Requires `placeClusterHandlerInVpc` to be set to true.
+   *
+   * @default - No security group.
+   * @attribute
+   */
+  readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup;
+
   /**
     * An AWS Lambda layer that includes the NPM dependency `proxy-agent`.
     *
-    * If not defined, a default layer will be used.
+    * @default - If not defined, a default layer will be used.
     */
-  readonly onEventLayer?: lambda.ILayerVersion;
+  readonly proxyAgentLayer?: lambda.ILayerVersion;
 
   /**
    * Indicates whether Kubernetes resources can be automatically pruned. When
@@ -310,16 +321,23 @@ export interface ClusterAttributes {
   readonly kubectlMemory?: Size;
 
   /**
-   * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer
-   * is used by the onEvent handler to route AWS SDK requests through a proxy.
+   * A security group id to associate with the Cluster Handler's Lambdas.
+   * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API.
    *
+   * @default - No security group.
+   */
+  readonly clusterHandlerSecurityGroupId?: string;
+
+  /**
+   * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`. This layer
+   * is used by the Cluster Handler to route AWS SDK requests through a proxy.
    * The handler expects the layer to include the following node_modules:
    *
    *    proxy-agent
    *
    * @default - a layer bundled with this module.
    */
-  readonly onEventLayer?: lambda.ILayerVersion;
+  readonly proxyAgentLayer?: lambda.ILayerVersion;
 
   /**
    * Indicates whether Kubernetes resources added through `addManifest()` can be
@@ -452,13 +470,6 @@ export interface ClusterOptions extends CommonClusterOptions {
    */
   readonly kubectlEnvironment?: { [key: string]: string };
 
-  /**
-   * Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle.
-   *
-   * @default - No environment variables.
-   */
-  readonly clusterHandlerEnvironment?: { [key: string]: string };
-
   /**
    * An AWS Lambda Layer which includes `kubectl`, Helm and the AWS CLI.
    *
@@ -490,27 +501,48 @@ export interface ClusterOptions extends CommonClusterOptions {
    */
   readonly kubectlMemory?: Size;
 
+  /**
+   * Custom environment variables when interacting with the EKS endpoint to manage the cluster lifecycle.
+   *
+   * @default - No environment variables.
+   */
+  readonly clusterHandlerEnvironment?: { [key: string]: string };
+
+  /**
+   * A security group to associate with the Cluster Handler's Lambdas.
+   * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API.
+   *
+   * Requires `placeClusterHandlerInVpc` to be set to true.
+   *
+   * @default - No security group.
+   */
+  readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup;
+
   /**
    * An AWS Lambda Layer which includes the NPM dependency `proxy-agent`.
    *
    * By default, the provider will use the layer included in the
    * "aws-lambda-layer-node-proxy-agent" SAR application which is available in all
    * commercial regions.
    *
-   * To deploy the layer locally, visit
-   * https://github.com/aws-samples/aws-lambda-layer-node-proxy-agent/blob/master/cdk/README.md
-   * for instructions on how to prepare the .zip file and then define it in your
-   * app as follows:
+   * To deploy the layer locally define it in your app as follows:
    *
    * ```ts
-   * const layer = new lambda.LayerVersion(this, 'node-proxy-agent-layer', {
+   * const layer = new lambda.LayerVersion(this, 'proxy-agent-layer', {
    *   code: lambda.Code.fromAsset(`${__dirname}/layer.zip`)),
-   *   compatibleRuntimes: [lambda.Runtime.NODEJS_14_X]
+   *   compatibleRuntimes: [lambda.Runtime.NODEJS_12_X]
    * })
    * ```
    *
-   * @default - the layer provided by the `aws-lambda-layer-node-proxy-agent` SAR app.
-   * @see https://github.com/aws-samples/aws-lambda-layer-node-proxy-agent
+   * @default - a layer bundled with this module.
+   */
+  readonly proxyAgentLayer?: lambda.ILayerVersion;
+
+  /**
+   * Deprecated
+   *
+   * @default - a layer bundled with this module.
+   * @deprecated use `proxyAgentLayer` instead
    */
   readonly onEventLayer?: lambda.ILayerVersion;
 
@@ -749,6 +781,7 @@ abstract class ClusterBase extends Resource implements ICluster {
   public abstract readonly kubectlSecurityGroup?: ec2.ISecurityGroup;
   public abstract readonly kubectlPrivateSubnets?: ec2.ISubnet[];
   public abstract readonly kubectlMemory?: Size;
+  public abstract readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup;
   public abstract readonly prune: boolean;
   public abstract readonly openIdConnectProvider: iam.IOpenIdConnectProvider;
   public abstract readonly awsAuth: AwsAuth;
@@ -902,7 +935,7 @@ abstract class ClusterBase extends Resource implements ICluster {
     // cluster or if `mapRole` is set to false. By default this should happen.
     let mapRole = options.mapRole ?? true;
     if (mapRole && !(this instanceof Cluster)) {
-    // do the mapping...
+      // do the mapping...
       Annotations.of(autoScalingGroup).addWarning('Auto-mapping aws-auth role for imported cluster is not supported, please map role manually');
       mapRole = false;
     }
@@ -1100,10 +1133,21 @@ export class Cluster extends ClusterBase {
   public readonly kubectlMemory?: Size;
 
   /**
-   * The AWS Lambda layer that contains the NPM dependency `proxy-agent`. If
-   * undefined, a SAR app that contains this layer will be used.
+   * A security group to associate with the Cluster Handler's Lambdas.
+   * The Cluster Handler's Lambdas are responsible for calling AWS's EKS API.
+   *
+   * Requires `placeClusterHandlerInVpc` to be set to true.
+   *
+   * @default - No security group.
    */
-  public readonly onEventLayer?: lambda.ILayerVersion;
+  public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup;
+
+  /**
+    * An AWS Lambda layer that includes the NPM dependency `proxy-agent`.
+    *
+    * If not defined, a default layer will be used.
+    */
+  public readonly proxyAgentLayer?: lambda.ILayerVersion;
 
   /**
    * Determines if Kubernetes resources can be pruned automatically.
@@ -1188,9 +1232,11 @@ export class Cluster extends ClusterBase {
     this.endpointAccess = props.endpointAccess ?? EndpointAccess.PUBLIC_AND_PRIVATE;
     this.kubectlEnvironment = props.kubectlEnvironment;
     this.kubectlLayer = props.kubectlLayer;
-    this.onEventLayer = props.onEventLayer;
     this.kubectlMemory = props.kubectlMemory;
 
+    this.proxyAgentLayer = props.proxyAgentLayer;
+    this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroup;
+
     const privateSubnets = this.selectPrivateSubnets().slice(0, 16);
     const publicAccessDisabled = !this.endpointAccess._config.publicAccess;
     const publicAccessRestricted = !publicAccessDisabled
@@ -1215,6 +1261,10 @@ export class Cluster extends ClusterBase {
       throw new Error('Cannot place cluster handler in the VPC since no private subnets could be selected');
     }
 
+    if (props.clusterHandlerSecurityGroup && !placeClusterHandlerInVpc) {
+      throw new Error('Cannot specify clusterHandlerSecurityGroup without placeClusterHandlerInVpc set to true');
+    }
+
     const resource = this._clusterResource = new ClusterResource(this, 'Resource', {
       name: this.physicalName,
       environment: props.clusterHandlerEnvironment,
@@ -1241,7 +1291,8 @@ export class Cluster extends ClusterBase {
       secretsEncryptionKey: props.secretsEncryptionKey,
       vpc: this.vpc,
       subnets: placeClusterHandlerInVpc ? privateSubnets : undefined,
-      onEventLayer: this.onEventLayer,
+      clusterHandlerSecurityGroup: this.clusterHandlerSecurityGroup,
+      proxyAgentLayer: this.proxyAgentLayer,
     });
 
     if (this.endpointAccess._config.privateAccess && privateSubnets.length !== 0) {
@@ -1827,8 +1878,9 @@ class ImportedCluster extends ClusterBase {
   public readonly kubectlSecurityGroup?: ec2.ISecurityGroup | undefined;
   public readonly kubectlPrivateSubnets?: ec2.ISubnet[] | undefined;
   public readonly kubectlLayer?: lambda.ILayerVersion;
-  public readonly onEventLayer?: lambda.ILayerVersion;
   public readonly kubectlMemory?: Size;
+  public readonly clusterHandlerSecurityGroup?: ec2.ISecurityGroup | undefined;
+  public readonly proxyAgentLayer?: lambda.ILayerVersion;
   public readonly prune: boolean;
 
   // so that `clusterSecurityGroup` on `ICluster` can be configured without optionality, avoiding users from having
@@ -1845,8 +1897,9 @@ class ImportedCluster extends ClusterBase {
     this.kubectlEnvironment = props.kubectlEnvironment;
     this.kubectlPrivateSubnets = props.kubectlPrivateSubnetIds ? props.kubectlPrivateSubnetIds.map((subnetid, index) => ec2.Subnet.fromSubnetId(this, `KubectlSubnet${index}`, subnetid)) : undefined;
     this.kubectlLayer = props.kubectlLayer;
-    this.onEventLayer = props.onEventLayer;
     this.kubectlMemory = props.kubectlMemory;
+    this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroupId ? ec2.SecurityGroup.fromSecurityGroupId(this, 'ClusterHandlerSecurityGroup', props.clusterHandlerSecurityGroupId) : undefined;
+    this.proxyAgentLayer = props.proxyAgentLayer;
     this.prune = props.prune ?? true;
 
     let i = 1;

packages/@aws-cdk/aws-eks/lib/fargate-profile.ts

@@ -149,7 +149,7 @@ export class FargateProfile extends CoreConstruct implements ITaggable {
 
     const provider = ClusterResourceProvider.getOrCreate(this, {
       adminRole: props.cluster.adminRole,
-      onEventLayer: props.cluster.onEventLayer,
+      proxyAgentLayer: props.cluster.proxyAgentLayer,
     });
 
     this.podExecutionRole = props.podExecutionRole ?? new iam.Role(this, 'PodExecutionRole', {