fix(eks): missing VPC permissions for fargate profiles (#6074)

* Support customizable default profile * Fix typo (unrelated test, but hey, why not?) * Fix permission error Occurs when passing `vpc` to create Fargate Profile w/o providing subnets
aws · Feb 3, 2020 · 0a586fc · 0a586fc
1 parent b19d038
commit 0a586fc
Show file tree

Hide file tree

Showing 10 changed files with 130 additions and 9 deletions.
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
@@ -69,6 +69,11 @@ export class ClusterResource extends Construct {
         : '*'
     });
 
+    this.creationRole.addToPolicy(new iam.PolicyStatement({
+      actions: [ 'ec2:DescribeSubnets' ],
+      resources: [ '*' ],
+    }));
+
     this.creationRole.addToPolicy(new iam.PolicyStatement({
       actions: [ 'eks:CreateCluster', 'eks:DescribeCluster', 'eks:DeleteCluster', 'eks:UpdateClusterVersion', 'eks:UpdateClusterConfig', 'eks:CreateFargateProfile' ],
       resources: [ resourceArn ]

diff --git a/packages/@aws-cdk/aws-eks/lib/fargate-cluster.ts b/packages/@aws-cdk/aws-eks/lib/fargate-cluster.ts
@@ -1,10 +1,18 @@
 import { Construct } from '@aws-cdk/core';
 import { Cluster, ClusterOptions, CoreDnsComputeType } from './cluster';
+import { FargateProfileOptions } from './fargate-profile';
 
 /**
  * Configuration props for EKS Fargate.
  */
 export interface FargateClusterProps extends ClusterOptions {
+  /**
+   * Fargate Profile to create along with the cluster.
+   *
+   * @default - A profile called "default" with 'default' and 'kube-system'
+   *            selectors will be created if this is left undefined.
+   */
+  readonly defaultProfile?: FargateProfileOptions;
 }
 
 /**
@@ -23,11 +31,14 @@ export class FargateCluster extends Cluster {
       coreDnsComputeType: props.coreDnsComputeType ?? CoreDnsComputeType.FARGATE
     });
 
-    this.addFargateProfile('default', {
-      selectors: [
-        { namespace: 'default' },
-        { namespace: 'kube-system' },
-      ]
-    });
+    this.addFargateProfile(
+      props.defaultProfile?.fargateProfileName ?? (props.defaultProfile ? 'custom' : 'default'),
+      props.defaultProfile ?? {
+        selectors: [
+          {namespace: 'default'},
+          {namespace: 'kube-system'},
+        ]
+      }
+    );
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.defaults.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.defaults.expected.json
@@ -723,6 +723,11 @@
                 ]
               }
             },
+            {
+              "Action": "ec2:DescribeSubnets",
+              "Effect": "Allow",
+              "Resource": "*"
+            },
             {
               "Action": [
                 "eks:CreateCluster",

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.lit.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.lit.expected.json
@@ -723,6 +723,11 @@
                 ]
               }
             },
+            {
+              "Action": "ec2:DescribeSubnets",
+              "Effect": "Allow",
+              "Resource": "*"
+            },
             {
               "Action": [
                 "eks:CreateCluster",

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-fargate.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-fargate.expected.json
@@ -734,6 +734,11 @@
                 ]
               }
             },
+            {
+              "Action": "ec2:DescribeSubnets",
+              "Effect": "Allow",
+              "Resource": "*"
+            },
             {
               "Action": [
                 "eks:CreateCluster",

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-helm.lit.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-helm.lit.expected.json
@@ -587,6 +587,11 @@
                   ]
                 }
               },
+              {
+                "Action": "ec2:DescribeSubnets",
+                "Effect": "Allow",
+                "Resource": "*"
+              },
               {
                 "Action": [
                   "eks:CreateCluster",

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-kubectl.lit.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-kubectl.lit.expected.json
@@ -587,6 +587,11 @@
                   ]
                 }
               },
+              {
+                "Action": "ec2:DescribeSubnets",
+                "Effect": "Allow",
+                "Resource": "*"
+              },
               {
                 "Action": [
                   "eks:CreateCluster",

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-spot.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-spot.expected.json
@@ -561,6 +561,11 @@
                 ]
               }
             },
+            {
+              "Action": "ec2:DescribeSubnets",
+              "Effect": "Allow",
+              "Resource": "*"
+            },
             {
               "Action": [
                 "eks:CreateCluster",

diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
@@ -669,6 +669,11 @@ export = {
               ]
             }
           },
+          {
+            Action: "ec2:DescribeSubnets",
+            Effect: "Allow",
+            Resource: "*",
+          },
           {
             Action: [
               "eks:CreateCluster",
@@ -757,6 +762,11 @@ export = {
               ]
             }
           },
+          {
+            Action: "ec2:DescribeSubnets",
+            Effect: "Allow",
+            Resource: "*",
+          },
           {
             Action: [
               "eks:CreateCluster",

diff --git a/packages/@aws-cdk/aws-eks/test/test.fargate.ts b/packages/@aws-cdk/aws-eks/test/test.fargate.ts
@@ -129,7 +129,7 @@ export = {
     test.done();
   },
 
-  'fails if therer are no selectors or if there are more than 5'(test: Test) {
+  'fails if there are no selectors or if there are more than 5'(test: Test) {
     // GIVEN
     const stack = new Stack();
     const cluster = new eks.Cluster(stack, 'MyCluster');
@@ -185,5 +185,70 @@ export = {
       }
     }));
     test.done();
+  },
+
+  'can create FargateCluster with a custom profile'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new eks.FargateCluster(stack, 'FargateCluster', {
+      defaultProfile: {
+        fargateProfileName: 'my-app', selectors: [{namespace: 'foo'}, {namespace: 'bar'}]
+      }
+    });
+
+    // THEN
+    expect(stack).to(haveResource('Custom::AWSCDK-EKS-FargateProfile', {
+      Config: {
+        clusterName: {
+          Ref: "FargateCluster019F03E8"
+        },
+        fargateProfileName: "my-app",
+        podExecutionRoleArn: {
+          "Fn::GetAtt": [
+            "FargateClusterfargateprofilemyappPodExecutionRole875B4635",
+            "Arn"
+          ]
+        },
+        selectors: [
+          { namespace: "foo" },
+          { namespace: "bar" }
+        ]
+      }
+    }));
+    test.done();
+  },
+
+  'custom profile name is "custom" if no custom profile name is provided'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new eks.FargateCluster(stack, 'FargateCluster', {
+      defaultProfile: {
+        selectors: [{namespace: 'foo'}, {namespace: 'bar'}]
+      }
+    });
+
+    // THEN
+    expect(stack).to(haveResource('Custom::AWSCDK-EKS-FargateProfile', {
+      Config: {
+        clusterName: {
+          Ref: "FargateCluster019F03E8"
+        },
+        podExecutionRoleArn: {
+          "Fn::GetAtt": [
+            "FargateClusterfargateprofilecustomPodExecutionRoleDB415F19",
+            "Arn"
+          ]
+        },
+        selectors: [
+          { namespace: "foo" },
+          { namespace: "bar" }
+        ]
+      }
+    }));
+    test.done();
   }
-};
+};