From 3bd7cf3c6e66296fbae444505a5ab3b3a5245379 Mon Sep 17 00:00:00 2001
From: epolon
Date: Sun, 22 Nov 2020 12:06:49 +0200
Subject: [PATCH 1/3] added test
---
 .../@aws-cdk/aws-eks/test/test.cluster.ts | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
index 170273d0485fe..e43adada77e14 100644
--- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts
+++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
@@ -2106,6 +2106,73 @@ export = {
 test.done();
 },
 
+ 'private endpoint access selects only private subnets from looked up vpc with concrete subnet selection'(test: Test) {
+
+ const vpcId = 'vpc-12345';
+ // can't use the regular fixture because it also adds a VPC to the stack, which prevents
+ // us from setting context.
+ const stack = new cdk.Stack(new cdk.App(), 'Stack', {
+ env: {
+ account: '11112222',
+ region: 'us-east-1',
+ },
+ });
+ stack.node.setContext(`vpc-provider:account=${stack.account}:filter.vpc-id=${vpcId}:region=${stack.region}:returnAsymmetricSubnets=true`, {
+ vpcId: vpcId,
+ vpcCidrBlock: '10.0.0.0/16',
+ subnetGroups: [
+ {
+ name: 'Private',
+ type: 'Private',
+ subnets: [
+ {
+ subnetId: 'subnet-private-in-us-east-1a',
+ cidr: '10.0.1.0/24',
+ availabilityZone: 'us-east-1a',
+ routeTableId: 'rtb-06068e4c4049921ef',
+ },
+ ],
+ },
+ {
+ name: 'Public',
+ type: 'Public',
+ subnets: [
+ {
+ subnetId: 'subnet-public-in-us-east-1c',
+ cidr: '10.0.0.0/24',
+ availabilityZone: 'us-east-1c',
+ routeTableId: 'rtb-0ff08e62195198dbb',
+ },
+ ],
+ },
+ ],
+ });
+ const vpc = ec2.Vpc.fromLookup(stack, 'Vpc', {
+ vpcId: vpcId,
+ });
+
+ new eks.Cluster(stack, 'Cluster', {
+ vpc,
+ version: CLUSTER_VERSION,
+ endpointAccess: eks.EndpointAccess.PRIVATE,
+ vpcSubnets: [{
+ subnets: [
+ ec2.Subnet.fromSubnetId(stack, 'Private', 'subnet-private-in-us-east-1a'),
+ ec2.Subnet.fromSubnetId(stack, 'Public', 'subnet-public-in-us-east-1c'),
+ ],
+ }],
+ });
+
+ const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack;
+ const template = expect(nested).value;
+
+ test.deepEqual(template.Resources.Handler886CB40B.Properties.VpcConfig.SubnetIds, [
+ 'subnet-private-in-us-east-1a',
+ ]);
+
+ test.done();
+ },
+
 'private endpoint access considers specific subnet selection'(test: Test) {
 const { stack } = testFixture();
 new eks.Cluster(stack, 'Cluster', {
From 724eec49ed251226c5dae3fb98f601536294745e Mon Sep 17 00:00:00 2001
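Review bot: The test does not say why the cluster's subnets are built with `ec2.Subnet.fromSubnetId` instead of being taken from `vpc.privateSubnets` / `vpc.publicSubnets` of the looked-up VPC, and that is the whole point of the case: the imported subnets are separate objects from the VPC's own subnet lists, so an identity check such as the `this.vpc.privateSubnets.includes(subnet)` removed in the cluster.ts commit of this series would classify neither of them and, presumably, the public subnet would have reached the kubectl handler's VpcConfig. I'd state that above `new eks.Cluster`, e.g. `// imported subnets are distinct objects from vpc.privateSubnets/publicSubnets; only a match on subnetId can tell the public one apart and keep it out of the handler`. The `vpcId: vpcId` properties in the context object and in `fromLookup` can use the shorthand `vpcId`. The enclosing `export = {` suite object starts and ends outside the hunk.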
From: epolon
Date: Sun, 22 Nov 2020 12:07:00 +0200
Subject: [PATCH 2/3] added fix
---
 packages/@aws-cdk/aws-eks/lib/cluster.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster.ts b/packages/@aws-cdk/aws-eks/lib/cluster.ts
index ec6f048a4de58..7974f988aff33 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster.ts
@@ -1352,18 +1352,20 @@ export class Cluster extends ClusterBase {
 private selectPrivateSubnets(): ec2.ISubnet[] {
 const privateSubnets: ec2.ISubnet[] = [];
+ const vpcPrivateSubnetIds = this.vpc.privateSubnets.map(s => s.subnetId);
+ const vpcPublicSubnetIds = this.vpc.publicSubnets.map(s => s.subnetId);
 for (const placement of this.vpcSubnets) {
 for (const subnet of this.vpc.selectSubnets(placement).subnets) {
- if (this.vpc.privateSubnets.includes(subnet)) {
+ if (vpcPrivateSubnetIds.includes(subnet.subnetId)) {
 // definitely private, take it.
 privateSubnets.push(subnet);
 continue;
 }
- if (this.vpc.publicSubnets.includes(subnet)) {
+ if (vpcPublicSubnetIds.includes(subnet.subnetId)) {
 // definitely public, skip it.
 continue;
 }
From 271608a20b1558c53000574080f60503d5741757 Mon Sep 17 00:00:00 2001
From: epolon
Date: Sun, 22 Nov 2020 12:25:48 +0200
Subject: [PATCH 3/3] more tests
---
 .../@aws-cdk/aws-eks/test/test.cluster.ts | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
index e43adada77e14..facdf1880d426 100644
--- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts
+++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
@@ -2173,6 +2173,36 @@ export = {
 test.done();
 },
 
+ 'private endpoint access selects only private subnets from managed vpc with concrete subnet selection'(test: Test) {
+
+ const { stack } = testFixture();
+
+ const vpc = new ec2.Vpc(stack, 'Vpc');
+
+ new eks.Cluster(stack, 'Cluster', {
+ vpc,
+ version: CLUSTER_VERSION,
+ endpointAccess: eks.EndpointAccess.PRIVATE,
+ vpcSubnets: [{
+ subnets: [
+ vpc.privateSubnets[0],
+ vpc.publicSubnets[1],
+ ec2.Subnet.fromSubnetId(stack, 'Private', 'subnet-unknown'),
+ ],
+ }],
+ });
+
+ const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack;
+ const template = expect(nested).value;
+
+ test.deepEqual(template.Resources.Handler886CB40B.Properties.VpcConfig.SubnetIds, [
+ { Ref: 'referencetoStackVpcPrivateSubnet1Subnet8E6A14CBRef' },
+ 'subnet-unknown',
+ ]);
+
+ test.done();
+ },
+
 'private endpoint access considers specific subnet selection'(test: Test) {
 const { stack } = testFixture();
 new eks.Cluster(stack, 'Cluster', {
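Review bot: The test title says only private subnets are selected, but the expected list in `test.deepEqual` also contains `'subnet-unknown'`, the subnet imported by id that is in neither `vpc.privateSubnets` nor `vpc.publicSubnets`, and nothing in the test explains why it is kept. The branch of selectPrivateSubnets that handles such a subnet is not visible in the cluster.ts hunk of this series, so I can only infer the pass-through is deliberate; if it is, make the contract explicit with a comment above the assertion, e.g. `// 'subnet-unknown' is neither private nor public according to the VPC; subnets that cannot be classified are kept rather than dropped`, and consider renaming the case to `'private endpoint access selects private and unclassified subnets from managed vpc with concrete subnet selection'`. `vpc.publicSubnets[1]` also assumes the fixture VPC has at least two public subnets, which is worth a short comment so the index does not look arbitrary. The enclosing `export = {` suite object starts and ends outside the hunk.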