Skip to content

Commit

Permalink
fix(eks): creating a ServiceAccount in a different stack than the `…
Browse files Browse the repository at this point in the history
…Cluster` creates circular dependency between the two stacks (#9701)

This PR changes a few scenarios with regards to circular dependencies in cases where some resources are created in a different stack than the cluster stack.

> Reviewers, Please refer to this detail as a first response to PR questions :)

### ServiceAccount

Previously, the `ServiceAccount` construct used `cluster.addManifest` to deploy the necessary resource.

https://github.com/aws/aws-cdk/blob/25a9cc7fabbe3b70add48edfd01421f74429b97f/packages/%40aws-cdk/aws-eks/lib/service-account.ts#L81-L95

This means that the resource itself is added to the **cluster stack**. When the `ServiceAccount` is created in a different stack, it creates a dependency between the cluster stack and the service account stack.

Since `ServiceAccount` also depends on the cluster, it creates a dependency between the service account stack and the cluster stack. And hence a circular dependency is formed.

#### Solution

There is no inherent reason to always add the `ServiceAccount` resource to the cluster stack. If it was added to the service account stack, the circular dependency could be avoided. 

The solution is to use `new KubernetesManifest(this, ...)` instead of `cluster.addResource` - creating the manifest in the service account stack, which is perfectly fine since that direction of dependency is the intended one.

### AutoScalingGroup Capacity

When adding capacity to a cluster using an `AutoScalingGroup`, we add the role of the ASG to the `aws-auth` role mappings of the cluster:

https://github.com/aws/aws-cdk/blob/25a9cc7fabbe3b70add48edfd01421f74429b97f/packages/%40aws-cdk/aws-eks/lib/cluster.ts#L914-L923

The ASG depends on the cluster because, among others, it requires to have a tag with the cluster name:

https://github.com/aws/aws-cdk/blob/25a9cc7fabbe3b70add48edfd01421f74429b97f/packages/%40aws-cdk/aws-eks/lib/cluster.ts#L907-L909

This creates a dependency between the ASG stack and the cluster stack. In case the ASG role is defined in the ASG stack, the auth mapping now creates a dependency between the cluster stack and the ASG, forming a circular dependency between the stacks.

#### Solution

`AwsAuth` is a singleton of the cluster, which means it is always defined in the cluster stack. Since we have no control over the stack of the ASG and its role, a circular dependency may always be created. The solution is to simply disallow creating `userMappings` or `roleMappings` with a `User/Role` that is not part of the cluster stack.

This might be a little more restrictive than necessary, but it has less exposure potential to edge cases and complex dependency cycles. We can always be less restrictive down the road if needed.

--------------

Fixes #8884
Fixes #9325

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
iliapolo authored Sep 2, 2020
1 parent 9edbec9 commit 1e96ebc
Show file tree
Hide file tree
Showing 7 changed files with 369 additions and 119 deletions.
10 changes: 9 additions & 1 deletion packages/@aws-cdk/aws-eks/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -269,6 +269,10 @@ the capacity.
The `KubernetesManifest` construct or `cluster.addManifest` method can be used
to apply Kubernetes resource manifests to this cluster.

> When using `cluster.addManifest`, the manifest construct is defined within the cluster's stack scope. If the manifest contains
> attributes from a different stack which depend on the cluster stack, a circular dependency will be created and you will get a synth time error.
> To avoid this, directly use `new KubernetesManifest` to create the manifest in the scope of the other stack.
The following examples will deploy the [paulbouwer/hello-kubernetes](https://github.com/paulbouwer/hello-kubernetes)
service on the cluster:

Expand Down Expand Up @@ -477,7 +481,7 @@ Kubernetes secrets using the AWS Key Management Service (AWS KMS) can be enabled
on [creating a cluster](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html)
can provide more details about the customer master key (CMK) that can be used for the encryption.

You can use the `secretsEncryptionKey` to configure which key the cluster will use to encrypt Kubernetes secrets. By default, an AWS Managed key will be used.
You can use the `secretsEncryptionKey` to configure which key the cluster will use to encrypt Kubernetes secrets. By default, an AWS Managed key will be used.

> This setting can only be specified when the cluster is created and cannot be updated.
Expand Down Expand Up @@ -514,6 +518,10 @@ unfortunately beyond the scope of this documentation.
The `HelmChart` construct or `cluster.addChart` method can be used
to add Kubernetes resources to this cluster using Helm.

> When using `cluster.addChart`, the manifest construct is defined within the cluster's stack scope. If the manifest contains
> attributes from a different stack which depend on the cluster stack, a circular dependency will be created and you will get a synth time error.
> To avoid this, directly use `new HelmChart` to create the chart in the scope of the other stack.
The following example will install the [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/)
to your cluster using Helm.

Expand Down
17 changes: 16 additions & 1 deletion packages/@aws-cdk/aws-eks/lib/aws-auth.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import * as iam from '@aws-cdk/aws-iam';
import { Construct, Lazy, Stack } from '@aws-cdk/core';
import { Construct, Lazy, Stack, IConstruct } from '@aws-cdk/core';
import { AwsAuthMapping } from './aws-auth-mapping';
import { Cluster } from './cluster';
import { KubernetesManifest } from './k8s-manifest';
Expand Down Expand Up @@ -73,6 +73,7 @@ export class AwsAuth extends Construct {
* @param mapping Mapping to k8s user name and groups
*/
public addRoleMapping(role: iam.IRole, mapping: AwsAuthMapping) {
this.assertSameStack(role);
this.roleMappings.push({ role, mapping });
}

Expand All @@ -83,6 +84,7 @@ export class AwsAuth extends Construct {
* @param mapping Mapping to k8s user name and groups
*/
public addUserMapping(user: iam.IUser, mapping: AwsAuthMapping) {
this.assertSameStack(user);
this.userMappings.push({ user, mapping });
}

Expand All @@ -94,6 +96,19 @@ export class AwsAuth extends Construct {
this.accounts.push(accountId);
}

private assertSameStack(construct: IConstruct) {

const thisStack = Stack.of(this);

if (Stack.of(construct) !== thisStack) {
// aws-auth is always part of the cluster stack, and since resources commonly take
// a dependency on the cluster, allowing those resources to be in a different stack,
// will create a circular dependency. granted, it won't always be the case,
// but we opted for the more causious and restrictive approach for now.
throw new Error(`${construct.node.uniqueId} should be defined in the scope of the ${thisStack.stackName} stack to prevent circular dependencies`);
}
}

private synthesizeMapRoles() {
return Lazy.anyValue({
produce: () => this.stack.toJsonString(this.roleMappings.map(m => ({
Expand Down
33 changes: 21 additions & 12 deletions packages/@aws-cdk/aws-eks/lib/service-account.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { AddToPrincipalPolicyResult, IPrincipal, IRole, OpenIdConnectPrincipal, PolicyStatement, PrincipalPolicyFragment, Role } from '@aws-cdk/aws-iam';
import { CfnJson, Construct } from '@aws-cdk/core';
import { Cluster } from './cluster';
import { KubernetesManifest } from './k8s-manifest';

/**
* Options for `ServiceAccount`
Expand Down Expand Up @@ -78,20 +79,28 @@ export class ServiceAccount extends Construct implements IPrincipal {
this.grantPrincipal = this.role.grantPrincipal;
this.policyFragment = this.role.policyFragment;

cluster.addManifest(`${id}ServiceAccountResource`, {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: this.serviceAccountName,
namespace: this.serviceAccountNamespace,
labels: {
'app.kubernetes.io/name': this.serviceAccountName,
// Note that we cannot use `cluster.addManifest` here because that would create the manifest
// constrct in the scope of the cluster stack, which might be a different stack than this one.
// This means that the cluster stack would depend on this stack because of the role,
// and since this stack inherintely depends on the cluster stack, we will have a circular dependency.
new KubernetesManifest(this, `manifest-${id}ServiceAccountResource`, {
cluster,
manifest: [{
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: this.serviceAccountName,
namespace: this.serviceAccountNamespace,
labels: {
'app.kubernetes.io/name': this.serviceAccountName,
},
annotations: {
'eks.amazonaws.com/role-arn': this.role.roleArn,
},
},
annotations: {
'eks.amazonaws.com/role-arn': this.role.roleArn,
},
},
}],
});

}

public addToPolicy(statement: PolicyStatement): boolean {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1114,7 +1114,7 @@
},
"/",
{
"Ref": "AssetParameters5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127fS3Bucket5F68514E"
"Ref": "AssetParametersa051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bcS3Bucket5741504D"
},
"/",
{
Expand All @@ -1124,7 +1124,7 @@
"Fn::Split": [
"||",
{
"Ref": "AssetParameters5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127fS3VersionKeyBDAFCBA6"
"Ref": "AssetParametersa051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bcS3VersionKeyA53F3DF5"
}
]
}
Expand All @@ -1137,7 +1137,7 @@
"Fn::Split": [
"||",
{
"Ref": "AssetParameters5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127fS3VersionKeyBDAFCBA6"
"Ref": "AssetParametersa051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bcS3VersionKeyA53F3DF5"
}
]
}
Expand All @@ -1147,17 +1147,17 @@
]
},
"Parameters": {
"referencetoawscdkeksclusterprivateendpointtestAssetParameters1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3S3BucketB0853396Ref": {
"Ref": "AssetParameters1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3S3BucketAEF9EB6C"
"referencetoawscdkeksclusterprivateendpointtestAssetParameters7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4S3Bucket4C62B914Ref": {
"Ref": "AssetParameters7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4S3Bucket086F94BB"
},
"referencetoawscdkeksclusterprivateendpointtestAssetParameters1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3S3VersionKey89A51DCERef": {
"Ref": "AssetParameters1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3S3VersionKey912C763C"
"referencetoawscdkeksclusterprivateendpointtestAssetParameters7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4S3VersionKey8874BF8DRef": {
"Ref": "AssetParameters7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4S3VersionKeyA4B5C598"
},
"referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3Bucket7CB66361Ref": {
"Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256"
"referencetoawscdkeksclusterprivateendpointtestAssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3Bucket41FE7429Ref": {
"Ref": "AssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3BucketD25BCC90"
},
"referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF78CAD23Ref": {
"Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401"
"referencetoawscdkeksclusterprivateendpointtestAssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3VersionKeyE935A11ARef": {
"Ref": "AssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3VersionKey72DFE7A5"
}
}
}
Expand All @@ -1175,7 +1175,7 @@
},
"/",
{
"Ref": "AssetParameters742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bdS3BucketA257B564"
"Ref": "AssetParameters70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712S3Bucket4B579817"
},
"/",
{
Expand All @@ -1185,7 +1185,7 @@
"Fn::Split": [
"||",
{
"Ref": "AssetParameters742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bdS3VersionKey3F8059DC"
"Ref": "AssetParameters70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712S3VersionKey5397E774"
}
]
}
Expand All @@ -1198,7 +1198,7 @@
"Fn::Split": [
"||",
{
"Ref": "AssetParameters742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bdS3VersionKey3F8059DC"
"Ref": "AssetParameters70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712S3VersionKey5397E774"
}
]
}
Expand Down Expand Up @@ -1229,11 +1229,11 @@
"GroupId"
]
},
"referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3Bucket7CB66361Ref": {
"Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256"
"referencetoawscdkeksclusterprivateendpointtestAssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3Bucket41FE7429Ref": {
"Ref": "AssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3BucketD25BCC90"
},
"referencetoawscdkeksclusterprivateendpointtestAssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF78CAD23Ref": {
"Ref": "AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401"
"referencetoawscdkeksclusterprivateendpointtestAssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3VersionKeyE935A11ARef": {
"Ref": "AssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3VersionKey72DFE7A5"
}
}
}
Expand Down Expand Up @@ -1282,29 +1282,29 @@
}
},
"Parameters": {
"AssetParameters1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3S3BucketAEF9EB6C": {
"AssetParameters7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4S3Bucket086F94BB": {
"Type": "String",
"Description": "S3 bucket for asset \"1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3\""
"Description": "S3 bucket for asset \"7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4\""
},
"AssetParameters1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3S3VersionKey912C763C": {
"AssetParameters7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4S3VersionKeyA4B5C598": {
"Type": "String",
"Description": "S3 key for asset version \"1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3\""
"Description": "S3 key for asset version \"7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4\""
},
"AssetParameters1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3ArtifactHashD59B0951": {
"AssetParameters7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4ArtifactHash9B26D532": {
"Type": "String",
"Description": "Artifact hash for asset \"1ea72e469c0d3a62f2500d1c42aa05a5034a518637239066718928d7e6f748d3\""
"Description": "Artifact hash for asset \"7997347617940455774a736af2df2e6238c13b755ad25353a3d081446cfc80a4\""
},
"AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3BucketF1BD2256": {
"AssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3BucketD25BCC90": {
"Type": "String",
"Description": "S3 bucket for asset \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\""
"Description": "S3 bucket for asset \"34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1\""
},
"AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cS3VersionKeyF47FA401": {
"AssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1S3VersionKey72DFE7A5": {
"Type": "String",
"Description": "S3 key for asset version \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\""
"Description": "S3 key for asset version \"34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1\""
},
"AssetParameters974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74cArtifactHash5C0B1EA0": {
"AssetParameters34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1ArtifactHashAA0236EE": {
"Type": "String",
"Description": "Artifact hash for asset \"974a6fb29abbd1d98fce56346da3743e79277f0f52e0e2cdf3f1867ac5b1e74c\""
"Description": "Artifact hash for asset \"34131c2e554ab57ad3a47fc0a13173a5c2a4b65a7582fe9622277b3d04c8e1e1\""
},
"AssetParametersb7d8a9750f8bfded8ac76be100e3bee1c3d4824df006766110d023f42952f5c2S3Bucket9ABBD5A2": {
"Type": "String",
Expand All @@ -1318,29 +1318,29 @@
"Type": "String",
"Description": "Artifact hash for asset \"b7d8a9750f8bfded8ac76be100e3bee1c3d4824df006766110d023f42952f5c2\""
},
"AssetParameters5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127fS3Bucket5F68514E": {
"AssetParametersa051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bcS3Bucket5741504D": {
"Type": "String",
"Description": "S3 bucket for asset \"5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127f\""
"Description": "S3 bucket for asset \"a051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bc\""
},
"AssetParameters5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127fS3VersionKeyBDAFCBA6": {
"AssetParametersa051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bcS3VersionKeyA53F3DF5": {
"Type": "String",
"Description": "S3 key for asset version \"5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127f\""
"Description": "S3 key for asset version \"a051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bc\""
},
"AssetParameters5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127fArtifactHashE8539D9F": {
"AssetParametersa051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bcArtifactHash73453B59": {
"Type": "String",
"Description": "Artifact hash for asset \"5a6e80a336f1483948e6ea2840535cd58002e08674439e709be882d27ff6127f\""
"Description": "Artifact hash for asset \"a051650035cf7d135b3759ddae4dad362025e37cfe3419653b54100b5b10f8bc\""
},
"AssetParameters742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bdS3BucketA257B564": {
"AssetParameters70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712S3Bucket4B579817": {
"Type": "String",
"Description": "S3 bucket for asset \"742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bd\""
"Description": "S3 bucket for asset \"70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712\""
},
"AssetParameters742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bdS3VersionKey3F8059DC": {
"AssetParameters70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712S3VersionKey5397E774": {
"Type": "String",
"Description": "S3 key for asset version \"742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bd\""
"Description": "S3 key for asset version \"70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712\""
},
"AssetParameters742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bdArtifactHash15503EA1": {
"AssetParameters70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712ArtifactHash5248B0FD": {
"Type": "String",
"Description": "Artifact hash for asset \"742639efa420e236373ec969a3b6acfe6585597ddbfb4553e02bf7bc32d423bd\""
"Description": "Artifact hash for asset \"70799104badfb18ed9b1e10a42c2c545816c9e025396015cb69e3bb77c717712\""
}
}
}
52 changes: 26 additions & 26 deletions packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -2812,32 +2812,7 @@
}
}
},
"ClusterOpenIdConnectProviderE7EB0530": {
"Type": "Custom::AWSCDKOpenIdConnectProvider",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0",
"Arn"
]
},
"ClientIDList": [
"sts.amazonaws.com"
],
"ThumbprintList": [
"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
],
"Url": {
"Fn::GetAtt": [
"Cluster9EE0221C",
"OpenIdConnectIssuerUrl"
]
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ClustermanifestMyServiceAccountServiceAccountResource0EC03615": {
"ClusterMyServiceAccountmanifestMyServiceAccountServiceAccountResource67018F11": {
"Type": "Custom::AWSCDK-EKS-KubernetesResource",
"Properties": {
"ServiceToken": {
Expand Down Expand Up @@ -2877,6 +2852,31 @@
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ClusterOpenIdConnectProviderE7EB0530": {
"Type": "Custom::AWSCDKOpenIdConnectProvider",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0",
"Arn"
]
},
"ClientIDList": [
"sts.amazonaws.com"
],
"ThumbprintList": [
"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
],
"Url": {
"Fn::GetAtt": [
"Cluster9EE0221C",
"OpenIdConnectIssuerUrl"
]
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ClustermanifestsimplewebpodC2D35484": {
"Type": "Custom::AWSCDK-EKS-KubernetesResource",
"Properties": {
Expand Down
Loading

0 comments on commit 1e96ebc

Please sign in to comment.