
aws-eks: Can't create a cluster in a looked-up VPC with PRIVATE endpoint access and selected subnet group name #28146

Open
Artemigos opened this issue Nov 27, 2023 · 1 comment
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. p1

Comments


Describe the bug

When creating an EKS cluster with EndpointAccess.PRIVATE and vpcSubnets: [{ subnetGroupName: 'workload-private' }] in a VPC that originates from Vpc.fromLookup(...), the synthesis stage fails.

Expected Behavior

The synthesis finishes successfully and the control plane of the cluster is put into selected subnets.

Current Behavior

Error: Vpc must contain private subnets when public endpoint access is disabled
    at new Cluster (/home/lklimek/git/eks-cdk/shs-blueprint/node_modules/aws-cdk-lib/aws-eks/lib/cluster.js:1:10664)
    at new DummyStack (/home/lklimek/git/eks-cdk/shs-blueprint/lib/why.ts:29:21)
    at Object.<anonymous> (/home/lklimek/git/eks-cdk/shs-blueprint/bin/shs-blueprint.ts:22:1)
    at Module._compile (node:internal/modules/cjs/loader:1256:14)
    at Module.m._compile (/home/lklimek/git/eks-cdk/shs-blueprint/node_modules/ts-node/src/index.ts:1618:23)
    at Module._extensions..js (node:internal/modules/cjs/loader:1310:10)
    at Object.require.extensions.<computed> [as .ts] (/home/lklimek/git/eks-cdk/shs-blueprint/node_modules/ts-node/src/index.ts:1621:12)
    at Module.load (node:internal/modules/cjs/loader:1119:32)
    at Function.Module._load (node:internal/modules/cjs/loader:960:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)

Subprocess exited with error 1

Reproduction Steps

import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";

export class DummyStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: cdk.StackProps) {
    super(scope, id, props);

    // Look up an existing VPC by id. Until cdk.context.json holds the lookup
    // result, synth sees the dummy VPC, not the real subnet groups.
    const vpc = cdk.aws_ec2.Vpc.fromLookup(this, 'the-vpc', {
      vpcId: '<VPC ID>',
    });

    const cluster = new cdk.aws_eks.Cluster(this, 'the-cluster', {
      version: cdk.aws_eks.KubernetesVersion.V1_27,
      vpc,
      // Control-plane subnets selected by subnet group name (not by subnet type)
      vpcSubnets: [{ subnetGroupName: 'workload-private' }],
      // Private API endpoint only: the VPC must contain private subnets
      endpointAccess: cdk.aws_eks.EndpointAccess.PRIVATE,
    });
  }
}

Substitute the <VPC ID> with a VPC that has a private subnet group called workload-private.

Possible Solution

It's possible to get around the problem by letting CDK populate cdk.context.json without creating the cluster. First, comment out the cluster, then run synth; CDK will correctly fill cdk.context.json with data about the VPC. After that, the cluster can be uncommented, and from that point on synth works as expected.

Additional Information/Context

This issue affects EKS blueprints - that's where I encountered it before diving into the problem and figuring out the minimal repro in clean CDK.

According to my investigation it's related to #19425: the dummy VPC injected during lookup doesn't have private subnets with a name that matches my arbitrary name. Cluster's code has an assertion that subnets like that exist, and it fails during that stage.

CDK CLI Version

2.99.1 (build b2a895e)

Framework Version

No response

Node.js Version

v18.17.0

OS

Ubuntu 22.04.3 LTS

Language

TypeScript

Language Version

5.2.2

Other information

No response

@Artemigos Artemigos added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 27, 2023
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Nov 27, 2023
@pahud pahud self-assigned this Nov 27, 2023
@pahud pahud added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Nov 27, 2023
pahud (Contributor) commented Nov 27, 2023

Looks like if you use subnetGroupName as the filter name for SubnetSelection, the cdk.context.json must be generated first. However, if you use SubnetType as the filter, i.e.:

{ subnetType: SubnetType.PRIVATE_WITH_EGRESS }

It would work. We'll review this issue this week.
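The workaround in the issue and the comment above both come down to the same precondition: cdk.context.json must already hold the VPC lookup result before the Cluster construct runs its private-subnet assertion. As an added example (not part of this issue, of EKS Blueprints, or of aws-cdk-lib), here is a pre-flight check a CI step can run before `cdk synth` to confirm that the cached lookup exists and that the selected subnet group is really a Private group spanning at least two Availability Zones, which is what a PRIVATE endpoint needs. It assumes the VpcContextResponse shape that the CDK CLI writes under a "vpc-provider:..." key (vpcId plus subnetGroups entries with name, type and subnets); verify that against your own cdk.context.json. The account, region, VPC, subnet and route table ids in the sample are constructed.

```typescript
// Added example, not aws-cdk-lib code: pre-flight check on cdk.context.json
// for an EKS cluster that uses EndpointAccess.PRIVATE + { subnetGroupName }.
// Assumes the VpcContextResponse shape written by `cdk synth`; ids below are
// constructed.
import * as fs from "fs";

interface ContextSubnet {
  subnetId: string;
  availabilityZone: string;
  cidr?: string;
  routeTableId?: string;
}

interface ContextSubnetGroup {
  name: string;
  type: string; // "Public" | "Private" | "Isolated" in the context file
  subnets: ContextSubnet[];
}

interface VpcContextEntry {
  vpcId: string;
  subnetGroups?: ContextSubnetGroup[];
}

export interface CheckResult {
  ok: boolean;
  reason: string;
  subnetIds: string[];
}

// Find the cached lookup for a VPC id, whatever account/region the key carries.
export function findVpcLookup(
  context: Record<string, unknown>,
  vpcId: string,
): VpcContextEntry | undefined {
  for (const [key, value] of Object.entries(context)) {
    if (!key.startsWith("vpc-provider:")) continue;
    const entry = value as VpcContextEntry;
    if (entry && entry.vpcId === vpcId) return entry;
  }
  return undefined;
}

// Without a cached lookup the construct only sees the dummy VPC and the
// "Vpc must contain private subnets" assertion fires; with one, the named
// group must be Private and span at least two AZs (an EKS requirement).
export function checkPrivateSubnetGroup(
  context: Record<string, unknown>,
  vpcId: string,
  groupName: string,
): CheckResult {
  const vpc = findVpcLookup(context, vpcId);
  if (!vpc) {
    return { ok: false, subnetIds: [], reason: `no cached lookup for ${vpcId}: run cdk synth with the cluster commented out first` };
  }
  const groups = vpc.subnetGroups ?? [];
  const group = groups.find((g) => g.name === groupName);
  if (!group) {
    const names = groups.map((g) => `${g.name} (${g.type})`).join(", ") || "none";
    return { ok: false, subnetIds: [], reason: `subnet group '${groupName}' not in lookup; cached groups: ${names}` };
  }
  if (group.type !== "Private") {
    return { ok: false, subnetIds: [], reason: `subnet group '${groupName}' is ${group.type}, not Private` };
  }
  const azs = new Set(group.subnets.map((s) => s.availabilityZone));
  if (azs.size < 2) {
    return { ok: false, subnetIds: [], reason: `subnet group '${groupName}' spans ${azs.size} AZ(s); EKS needs at least two` };
  }
  return { ok: true, subnetIds: group.subnets.map((s) => s.subnetId), reason: "ok" };
}

export function loadContext(path = "cdk.context.json"): Record<string, unknown> {
  return JSON.parse(fs.readFileSync(path, "utf8")) as Record<string, unknown>;
}

// Constructed sample of a populated cdk.context.json (all ids invented).
export const SAMPLE_CONTEXT: Record<string, unknown> = {
  "vpc-provider:account=111111111111:filter.vpc-id=vpc-0a1b2c3d4e5f60718:region=eu-west-1:returnAsymmetricSubnets=true": {
    vpcId: "vpc-0a1b2c3d4e5f60718",
    vpcCidrBlock: "10.0.0.0/16",
    availabilityZones: [],
    subnetGroups: [
      {
        name: "workload-public",
        type: "Public",
        subnets: [
          { subnetId: "subnet-0c1d2e3f4a5b6c7d8", availabilityZone: "eu-west-1a", cidr: "10.0.0.0/24", routeTableId: "rtb-0c1d2e3f4a5b6c7d8" },
        ],
      },
      {
        name: "workload-private",
        type: "Private",
        subnets: [
          { subnetId: "subnet-0f1e2d3c4b5a69788", availabilityZone: "eu-west-1a", cidr: "10.0.10.0/24", routeTableId: "rtb-0f1e2d3c4b5a69788" },
          { subnetId: "subnet-0a9b8c7d6e5f41322", availabilityZone: "eu-west-1b", cidr: "10.0.11.0/24", routeTableId: "rtb-0a9b8c7d6e5f41322" },
        ],
      },
    ],
  },
};

// CI usage: npx ts-node check-context.ts vpc-0a1b2c3d4e5f60718 workload-private
if (process.argv.length >= 4) {
  const result = checkPrivateSubnetGroup(loadContext(), process.argv[2], process.argv[3]);
  console.log(result.reason);
  process.exit(result.ok ? 0 : 1);
}
```

Run it before `cdk synth` in the pipeline so a missing or stale lookup fails the build with a clear message instead of the assertion stack trace above, and commit cdk.context.json so every environment synthesizes against the same cached subnet groups; otherwise a fresh checkout reproduces the failure, and a subnetType fallback would silently pick different subnets for the control plane than the named group you intended.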

@pahud pahud removed their assignment Nov 27, 2023
@pahud pahud removed needs-triage This issue or PR still needs to be triaged. investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-review labels Nov 27, 2023