fix(eks): KubectlProvider creates un-necessary security group (#13178)

Following #10200, our `KubectlProvider` functions are now provisioned inside a VPC when applicable. A somewhat unintended side effect is that the provider framework will **create** and use a dedicated security group for its functions. This can violate organizational policies that don't allow CDK to create security groups. We can easily avoid this by simply reusing the `kubectlSecurityGroup`, which must be defined in this case, and passing it to the provider. Fixes #12952 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 21, 2021 · c5e8b6d · c5e8b6d
1 parent 8f1cfe4
commit c5e8b6d
Show file tree

Hide file tree

Showing 8 changed files with 141 additions and 49 deletions.
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts b/packages/@aws-cdk/aws-eks/lib/kubectl-provider.ts
@@ -106,6 +106,7 @@ export class KubectlProvider extends NestedStack {
       onEventHandler: handler,
       vpc: cluster.kubectlPrivateSubnets ? cluster.vpc : undefined,
       vpcSubnets: cluster.kubectlPrivateSubnets ? { subnets: cluster.kubectlPrivateSubnets } : undefined,
+      securityGroups: cluster.kubectlSecurityGroup ? [cluster.kubectlSecurityGroup] : undefined,
     });
 
     this.serviceToken = provider.serviceToken;

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-handlers-vpc.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-handlers-vpc.expected.json
@@ -1194,7 +1194,7 @@
               },
               "/",
               {
-                "Ref": "AssetParameters3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9S3Bucket7930790A"
+                "Ref": "AssetParameters93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82S3Bucket8670C328"
               },
               "/",
               {
@@ -1204,7 +1204,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameters3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9S3VersionKey648E56F4"
+                        "Ref": "AssetParameters93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82S3VersionKeyCEFB3AF5"
                       }
                     ]
                   }
@@ -1217,7 +1217,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameters3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9S3VersionKey648E56F4"
+                        "Ref": "AssetParameters93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82S3VersionKeyCEFB3AF5"
                       }
                     ]
                   }
@@ -1272,9 +1272,6 @@
           "referencetoawscdkekshandlersinvpctestAssetParameters844c1a4b13479b359ea0e607dccb4a04b73e22cf88cf9b64feed2c5f0de213c0S3VersionKeyCE91E7FDRef": {
             "Ref": "AssetParameters844c1a4b13479b359ea0e607dccb4a04b73e22cf88cf9b64feed2c5f0de213c0S3VersionKeyF55A2EA9"
           },
-          "referencetoawscdkekshandlersinvpctestEksAllHandlersInVpcStackDefaultVpcE40EA7ACRef": {
-            "Ref": "EksAllHandlersInVpcStackDefaultVpcBE11D4AE"
-          },
           "referencetoawscdkekshandlersinvpctestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket9D7E9998Ref": {
             "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1"
           },
@@ -1400,17 +1397,17 @@
       "Type": "String",
       "Description": "Artifact hash for asset \"70396475d85a52e5c6ccad77894979d07433a207ea3c2668b929f3e70ffde081\""
     },
-    "AssetParameters3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9S3Bucket7930790A": {
+    "AssetParameters93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82S3Bucket8670C328": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9\""
+      "Description": "S3 bucket for asset \"93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82\""
     },
-    "AssetParameters3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9S3VersionKey648E56F4": {
+    "AssetParameters93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82S3VersionKeyCEFB3AF5": {
       "Type": "String",
-      "Description": "S3 key for asset version \"3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9\""
+      "Description": "S3 key for asset version \"93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82\""
     },
-    "AssetParameters3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9ArtifactHash66195F00": {
+    "AssetParameters93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82ArtifactHashBEC324DA": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"3a065cef8968eb7f7e62ccb379c68400a56c31aceb97265d4e8f5f4620452db9\""
+      "Description": "Artifact hash for asset \"93bb4c1c6bbced2c1adce602d7643d5475c6e463f4f57f4cd863e064d82a3d82\""
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster-private-endpoint.expected.json
@@ -1115,7 +1115,7 @@
               },
               "/",
               {
-                "Ref": "AssetParameterseb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519S3Bucket686DCA97"
+                "Ref": "AssetParameters8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7cS3BucketFEA5F85E"
               },
               "/",
               {
@@ -1125,7 +1125,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameterseb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519S3VersionKey7EDC0140"
+                        "Ref": "AssetParameters8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7cS3VersionKey226CF52C"
                       }
                     ]
                   }
@@ -1138,7 +1138,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameterseb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519S3VersionKey7EDC0140"
+                        "Ref": "AssetParameters8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7cS3VersionKey226CF52C"
                       }
                     ]
                   }
@@ -1193,9 +1193,6 @@
           "referencetoawscdkeksclusterprivateendpointtestAssetParameters844c1a4b13479b359ea0e607dccb4a04b73e22cf88cf9b64feed2c5f0de213c0S3VersionKey548D79B4Ref": {
             "Ref": "AssetParameters844c1a4b13479b359ea0e607dccb4a04b73e22cf88cf9b64feed2c5f0de213c0S3VersionKeyF55A2EA9"
           },
-          "referencetoawscdkeksclusterprivateendpointtestVpcFCD064BFRef": {
-            "Ref": "Vpc8378EB38"
-          },
           "referencetoawscdkeksclusterprivateendpointtestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket7DDAFC04Ref": {
             "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1"
           },
@@ -1321,17 +1318,17 @@
       "Type": "String",
       "Description": "Artifact hash for asset \"75667ab2bbef2c8efc57fb73bf352f345af1d471fb09cb11f5b7bc27d009b609\""
     },
-    "AssetParameterseb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519S3Bucket686DCA97": {
+    "AssetParameters8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7cS3BucketFEA5F85E": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"eb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519\""
+      "Description": "S3 bucket for asset \"8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7c\""
     },
-    "AssetParameterseb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519S3VersionKey7EDC0140": {
+    "AssetParameters8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7cS3VersionKey226CF52C": {
       "Type": "String",
-      "Description": "S3 key for asset version \"eb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519\""
+      "Description": "S3 key for asset version \"8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7c\""
     },
-    "AssetParameterseb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519ArtifactHashE5817DEB": {
+    "AssetParameters8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7cArtifactHashA6BF0EB3": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"eb49ce353c5ff251ebe2c3225fe00fb3e9a68fcd8b10207e63a36bfc6e981519\""
+      "Description": "Artifact hash for asset \"8d4ffe9194a1ca97e2e9377049ddbeb3adbdaa984c8a90c08a5d8d6b328bdf7c\""
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
@@ -3877,7 +3877,7 @@
               },
               "/",
               {
-                "Ref": "AssetParameters9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabcS3BucketF9C7C3C5"
+                "Ref": "AssetParameterse00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3S3Bucket5829AD66"
               },
               "/",
               {
@@ -3887,7 +3887,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameters9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabcS3VersionKey950894D5"
+                        "Ref": "AssetParameterse00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3S3VersionKey44FDB4A8"
                       }
                     ]
                   }
@@ -3900,7 +3900,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameters9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabcS3VersionKey950894D5"
+                        "Ref": "AssetParameterse00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3S3VersionKey44FDB4A8"
                       }
                     ]
                   }
@@ -3955,9 +3955,6 @@
           "referencetoawscdkeksclustertestAssetParameters844c1a4b13479b359ea0e607dccb4a04b73e22cf88cf9b64feed2c5f0de213c0S3VersionKey1CADE360Ref": {
             "Ref": "AssetParameters844c1a4b13479b359ea0e607dccb4a04b73e22cf88cf9b64feed2c5f0de213c0S3VersionKeyF55A2EA9"
           },
-          "referencetoawscdkeksclustertestVpc9A302ADDRef": {
-            "Ref": "Vpc8378EB38"
-          },
           "referencetoawscdkeksclustertestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket0815E7B5Ref": {
             "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1"
           },
@@ -4709,17 +4706,17 @@
       "Type": "String",
       "Description": "Artifact hash for asset \"264acf17cbf0c643f47bec1f4dbaed805e3bd1bad3f018c093d16fb936227daa\""
     },
-    "AssetParameters9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabcS3BucketF9C7C3C5": {
+    "AssetParameterse00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3S3Bucket5829AD66": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabc\""
+      "Description": "S3 bucket for asset \"e00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3\""
     },
-    "AssetParameters9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabcS3VersionKey950894D5": {
+    "AssetParameterse00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3S3VersionKey44FDB4A8": {
       "Type": "String",
-      "Description": "S3 key for asset version \"9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabc\""
+      "Description": "S3 key for asset version \"e00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3\""
     },
-    "AssetParameters9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabcArtifactHash5984E3CE": {
+    "AssetParameterse00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3ArtifactHashB6A3908A": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"9f954a0baf5cb008231906c33569617ace43f4b2c804d16d0d4bae15fe9dfabc\""
+      "Description": "Artifact hash for asset \"e00474136b86298d67c0ad626f1dafe622c51168233097531c5ba6791d43aba3\""
     },
     "SsmParameterValueawsserviceeksoptimizedami119amazonlinux2recommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter": {
       "Type": "AWS::SSM::Parameter::Value<String>",
@@ -4738,4 +4735,4 @@
       "Default": "/aws/service/eks/optimized-ami/1.19/amazon-linux-2-gpu/recommended/image_id"
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-eks/test/integ.fargate-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.fargate-cluster.expected.json
@@ -1192,7 +1192,7 @@
               },
               "/",
               {
-                "Ref": "AssetParameters37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13S3BucketDCD73A4E"
+                "Ref": "AssetParametersedcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23S3Bucket586F6135"
               },
               "/",
               {
@@ -1202,7 +1202,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameters37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13S3VersionKey796F5C1B"
+                        "Ref": "AssetParametersedcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23S3VersionKey6EFBFC1D"
                       }
                     ]
                   }
@@ -1215,7 +1215,7 @@
                     "Fn::Split": [
                       "||",
                       {
-                        "Ref": "AssetParameters37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13S3VersionKey796F5C1B"
+                        "Ref": "AssetParametersedcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23S3VersionKey6EFBFC1D"
                       }
                     ]
                   }
@@ -1270,9 +1270,6 @@
           "referencetoawscdkeksfargateclustertestAssetParameters844c1a4b13479b359ea0e607dccb4a04b73e22cf88cf9b64feed2c5f0de213c0S3VersionKeyFE6D1F78Ref": {
             "Ref": "AssetParameters844c1a4b13479b359ea0e607dccb4a04b73e22cf88cf9b64feed2c5f0de213c0S3VersionKeyF55A2EA9"
           },
-          "referencetoawscdkeksfargateclustertestFargateClusterDefaultVpcBD3C976FRef": {
-            "Ref": "FargateClusterDefaultVpcE69D3A13"
-          },
           "referencetoawscdkeksfargateclustertestAssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3Bucket8EEF0922Ref": {
             "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1"
           },
@@ -1398,17 +1395,17 @@
       "Type": "String",
       "Description": "Artifact hash for asset \"3d252d05ccf0ae2934dd20707e8a709b466b2b8ea00c04ee8735667f90b17ac1\""
     },
-    "AssetParameters37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13S3BucketDCD73A4E": {
+    "AssetParametersedcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23S3Bucket586F6135": {
       "Type": "String",
-      "Description": "S3 bucket for asset \"37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13\""
+      "Description": "S3 bucket for asset \"edcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23\""
     },
-    "AssetParameters37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13S3VersionKey796F5C1B": {
+    "AssetParametersedcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23S3VersionKey6EFBFC1D": {
       "Type": "String",
-      "Description": "S3 key for asset version \"37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13\""
+      "Description": "S3 key for asset version \"edcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23\""
     },
-    "AssetParameters37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13ArtifactHash8F2277C1": {
+    "AssetParametersedcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23ArtifactHashB34EB8FE": {
       "Type": "String",
-      "Description": "Artifact hash for asset \"37d93b8a35af568f83ecce5e05c6f06adaa06c68b84dfad9c3d82f57cd54ff13\""
+      "Description": "Artifact hash for asset \"edcd50bb250cf7cf664a737720e623ad66ada9b9e609205686c476e516cf2f23\""
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
@@ -2083,6 +2083,27 @@ export = {
 
   },
 
+  'kubectl provider passes security group to provider'(test: Test) {
+
+    const { stack } = testFixture();
+
+    new eks.Cluster(stack, 'Cluster1', {
+      version: CLUSTER_VERSION,
+      prune: false,
+      endpointAccess: eks.EndpointAccess.PRIVATE,
+      kubectlEnvironment: {
+        Foo: 'Bar',
+      },
+    });
+
+    // the kubectl provider is inside a nested stack.
+    const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack;
+    test.deepEqual(expect(nested).value.Resources.ProviderframeworkonEvent83C1D0A7.Properties.VpcConfig.SecurityGroupIds,
+      [{ Ref: 'referencetoStackCluster18DFEAC17ClusterSecurityGroupId' }]);
+
+    test.done();
+  },
+
   'kubectl provider passes environment to lambda'(test: Test) {
 
     const { stack } = testFixture();

diff --git a/packages/@aws-cdk/custom-resources/lib/provider-framework/provider.ts b/packages/@aws-cdk/custom-resources/lib/provider-framework/provider.ts
@@ -93,6 +93,16 @@ export interface ProviderProps {
    */
   readonly vpcSubnets?: ec2.SubnetSelection;
 
+  /**
+   * Security groups to attach to the provider functions.
+   *
+   * Only used if 'vpc' is supplied
+   *
+   * @default - If `vpc` is not supplied, no security groups are attached. Otherwise, a dedicated security
+   * group is created for each function.
+   */
+  readonly securityGroups?: ec2.ISecurityGroup[];
+
 }
 
 /**
@@ -122,6 +132,7 @@ export class Provider extends CoreConstruct implements cfn.ICustomResourceProvid
   private readonly logRetention?: logs.RetentionDays;
   private readonly vpc?: ec2.IVpc;
   private readonly vpcSubnets?: ec2.SubnetSelection;
+  private readonly securityGroups?: ec2.ISecurityGroup[];
 
   constructor(scope: Construct, id: string, props: ProviderProps) {
     super(scope, id);
@@ -137,6 +148,7 @@ export class Provider extends CoreConstruct implements cfn.ICustomResourceProvid
     this.logRetention = props.logRetention;
     this.vpc = props.vpc;
     this.vpcSubnets = props.vpcSubnets;
+    this.securityGroups = props.securityGroups;
 
     const onEventFunction = this.createFunction(consts.FRAMEWORK_ON_EVENT_HANDLER_NAME);
 
@@ -182,6 +194,7 @@ export class Provider extends CoreConstruct implements cfn.ICustomResourceProvid
       logRetention: this.logRetention,
       vpc: this.vpc,
       vpcSubnets: this.vpcSubnets,
+      securityGroups: this.securityGroups,
     });
 
     fn.addEnvironment(consts.USER_ON_EVENT_FUNCTION_ARN_ENV, this.onEventHandler.functionArn);