UNPKG

aws-cdk-lib

Version:

Version 2 of the AWS Cloud Development Kit library

github.com/aws/aws-cdk

aws/aws-cdk

2 lines (1 loc) 4.63 kB
1
2
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.ClusterResource=void 0,exports.clusterArnComponents=clusterArnComponents;var constructs_1=()=>{var tmp=require("constructs");return constructs_1=()=>tmp,tmp},consts_1=()=>{var tmp=require("./cluster-resource-handler/consts");return consts_1=()=>tmp,tmp},cluster_resource_provider_1=()=>{var tmp=require("./cluster-resource-provider");return cluster_resource_provider_1=()=>tmp,tmp},iam=()=>{var tmp=require("../../aws-iam");return iam=()=>tmp,tmp},core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp};class ClusterResource extends constructs_1().Construct{constructor(scope,id,props){if(super(scope,id),!props.roleArn)throw new(core_1()).ValidationError('"roleArn" is required',this);const provider=cluster_resource_provider_1().ClusterResourceProvider.getOrCreate(this,{subnets:props.subnets,vpc:props.vpc,environment:props.environment,onEventLayer:props.onEventLayer,securityGroup:props.clusterHandlerSecurityGroup});this.adminRole=this.createAdminRole(provider,props);const resource=new(core_1()).CustomResource(this,"Resource",{resourceType:consts_1().CLUSTER_RESOURCE_TYPE,serviceToken:provider.serviceToken,properties:{Config:{name:props.name,version:props.version,roleArn:props.roleArn,encryptionConfig:props.encryptionConfig,kubernetesNetworkConfig:props.kubernetesNetworkConfig,resourcesVpcConfig:{subnetIds:props.resourcesVpcConfig.subnetIds,securityGroupIds:props.resourcesVpcConfig.securityGroupIds,endpointPublicAccess:props.endpointPublicAccess,endpointPrivateAccess:props.endpointPrivateAccess,publicAccessCidrs:props.publicAccessCidrs},tags:props.tags,logging:props.logging,accessConfig:props.accessconfig,remoteNetworkConfig:props.remoteNetworkConfig,bootstrapSelfManagedAddons:props.bootstrapSelfManagedAddons},AssumeRoleArn:this.adminRole.roleArn,AttributesRevision:5}});resource.node.addDependency(this.adminRole),this.ref=resource.ref,this.attrEndpoint=core_1().Token.asString(resource.getAtt("Endpoint")),this.attrArn=core_1().Token.asString(resource.getAtt("Arn")),this.attrCertificateAuthorityData=core_1().Token.asString(resource.getAtt("CertificateAuthorityData")),this.attrClusterSecurityGroupId=core_1().Token.asString(resource.getAtt("ClusterSecurityGroupId")),this.attrEncryptionConfigKeyArn=core_1().Token.asString(resource.getAtt("EncryptionConfigKeyArn")),this.attrOpenIdConnectIssuerUrl=core_1().Token.asString(resource.getAtt("OpenIdConnectIssuerUrl")),this.attrOpenIdConnectIssuer=core_1().Token.asString(resource.getAtt("OpenIdConnectIssuer"))}createAdminRole(provider,props){const stack=core_1().Stack.of(this),creationRole=new(iam()).Role(this,"CreationRole",{assumedBy:new(iam()).CompositePrincipal(provider.provider.onEventHandler.role,provider.provider.isCompleteHandler.role)});creationRole.addToPolicy(new(iam()).PolicyStatement({actions:["iam:PassRole"],resources:[props.roleArn]}));const resourceArns=core_1().Lazy.list({produce:()=>{const arn=stack.formatArn(clusterArnComponents(stack.resolve(props.name)));return stack.resolve(props.name)?[arn,`${arn}/*`]:["*"]}}),fargateProfileResourceArn=core_1().Lazy.string({produce:()=>stack.resolve(props.name)?stack.formatArn({service:"eks",resource:"fargateprofile",resourceName:stack.resolve(props.name)+"/*"}):"*"});return creationRole.addToPolicy(new(iam()).PolicyStatement({actions:["eks:CreateCluster","eks:DescribeCluster","eks:DescribeUpdate","eks:DeleteCluster","eks:UpdateClusterVersion","eks:UpdateClusterConfig","eks:CreateFargateProfile","eks:TagResource","eks:UntagResource"],resources:resourceArns})),creationRole.addToPolicy(new(iam()).PolicyStatement({actions:["eks:DescribeFargateProfile","eks:DeleteFargateProfile"],resources:[fargateProfileResourceArn]})),creationRole.addToPolicy(new(iam()).PolicyStatement({actions:["iam:GetRole","iam:listAttachedRolePolicies"],resources:["*"]})),creationRole.addToPolicy(new(iam()).PolicyStatement({actions:["iam:CreateServiceLinkedRole"],resources:["*"]})),creationRole.addToPolicy(new(iam()).PolicyStatement({actions:["ec2:DescribeInstances","ec2:DescribeNetworkInterfaces","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","ec2:DescribeRouteTables","ec2:DescribeDhcpOptions","ec2:DescribeVpcs"],resources:["*"]})),props.secretsEncryptionKey&&creationRole.addToPolicy(new(iam()).PolicyStatement({actions:["kms:Encrypt","kms:Decrypt","kms:DescribeKey","kms:CreateGrant"],resources:[props.secretsEncryptionKey.keyArn]})),creationRole}}exports.ClusterResource=ClusterResource;function clusterArnComponents(clusterName){return{service:"eks",resource:"cluster",resourceName:clusterName}}