Merge branch 'master' into master

aws · May 22, 2020 · 6e6d2e4 · 6e6d2e4
2 parents f875446 + 8b19453
commit 6e6d2e4
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 15 deletions.
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
@@ -510,8 +510,6 @@ export class Cluster extends Resource implements ICluster {
    * @param options options for creating a new nodegroup
    */
   public addNodegroup(id: string, options?: NodegroupOptions): Nodegroup {
-    // initialize the awsAuth for this cluster
-    this._awsAuth = this._awsAuth ?? this.awsAuth;
     return new Nodegroup(this, `Nodegroup${id}`, {
       cluster: this,
       ...options,

diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
@@ -856,18 +856,6 @@ export = {
                 ],
               },
             },
-            {
-              Action: 'sts:AssumeRole',
-              Effect: 'Allow',
-              Principal: {
-                AWS: {
-                  'Fn::GetAtt': [
-                    'awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B',
-                    'Outputs.StackawscdkawseksKubectlProviderHandlerServiceRole2C52B3ECArn',
-                  ],
-                },
-              },
-            },
           ],
           Version: '2012-10-17',
         },

diff --git a/packages/@aws-cdk/aws-eks/test/test.nodegroup.ts b/packages/@aws-cdk/aws-eks/test/test.nodegroup.ts
@@ -1,4 +1,4 @@
-import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
+import { countResources, expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as cdk from '@aws-cdk/core';
 import { Test } from 'nodeunit';
@@ -90,6 +90,18 @@ export = {
     ));
     test.done();
   },
+  'create nodegroups with kubectlEnabled is false'(test: Test) {
+    // GIVEN
+    const { stack, vpc } = testFixture();
+
+    // WHEN
+    const cluster = new eks.Cluster(stack, 'Cluster', { vpc, kubectlEnabled: false, defaultCapacity: 2 });
+    // add a extra nodegroup
+    cluster.addNodegroup('extra-ng');
+    // THEN
+    expect(stack).to(countResources('AWS::EKS::Nodegroup', 2));
+    test.done();
+  },
   'create nodegroup with instanceType provided'(test: Test) {
     // GIVEN
     const { stack, vpc } = testFixture();

diff --git a/packages/@aws-cdk/aws-lambda/README.md b/packages/@aws-cdk/aws-lambda/README.md
@@ -49,6 +49,39 @@ to our CDK project directory. This is especially important when we want to share
 this construct through a library. Different programming languages will have
 different techniques for bundling resources into libraries.
 
+### Execution Role
+
+Lambda functions assume an IAM role during execution. In CDK by default, Lambda
+functions will use an autogenerated Role if one is not provided.
+
+The autogenerated Role is automatically given permissions to execute the Lambda
+function. To reference the autogenerated Role:
+
+```ts
+const fn = new lambda.Function(this, 'MyFunction', {
+  runtime: lambda.Runtime.NODEJS_10_X,
+  handler: 'index.handler',
+  code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
+
+fn.role // the Role
+```
+
+You can also provide your own IAM role. Provided IAM roles will not automatically
+be given permissions to execute the Lambda function. To provide a role and grant
+it appropriate permissions:
+
+```ts
+const fn = new lambda.Function(this, 'MyFunction', {
+  runtime: lambda.Runtime.NODEJS_10_X,
+  handler: 'index.handler',
+  code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
+  role: myRole // user-provided role
+});
+
+myRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole"));
+myRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaVPCAccessExecutionRole")); // only required if your function lives in a VPC
+```
+
 ### Versions and Aliases
 
 You can use

diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts
@@ -99,6 +99,12 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    * It controls the permissions that the function will have. The Role must
    * be assumable by the 'lambda.amazonaws.com' service principal.
    *
+   * The default Role automatically has permissions granted for Lambda execution. If you
+   * provide a Role, you must add the relevant AWS managed policies yourself.
+   *
+   * The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and
+   * "service-role/AWSLambdaVPCAccessExecutionRole".
+   *
    * @default - A unique role will be generated for this lambda function.
    * Both supplied and generated roles can always be changed by calling `addToRolePolicy`.
    */