aws-cdk-lib
Version 2 of the AWS Cloud Development Kit library
"use strict";var __decorate=exports&&exports.__decorate||function(decorators,target,key,desc){var c=arguments.length,r=c<3?target:desc===null?desc=Object.getOwnPropertyDescriptor(target,key):desc,d;if(typeof Reflect=="object"&&typeof Reflect.decorate=="function")r=Reflect.decorate(decorators,target,key,desc);else for(var i=decorators.length-1;i>=0;i--)(d=decorators[i])&&(r=(c<3?d(r):c>3?d(target,key,r):d(target,key))||r);return c>3&&r&&Object.defineProperty(target,key,r),r},_a,_b,_c,_d;Object.defineProperty(exports,"__esModule",{value:!0}),exports.MachineImageType=exports.DefaultCapacityType=exports.CoreDnsComputeType=exports.CpuArch=exports.NodeType=exports.EksOptimizedImage=exports.Cluster=exports.AuthenticationMode=exports.IpFamily=exports.ClusterLoggingTypes=exports.KubernetesVersion=exports.EndpointAccess=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var fs=()=>{var tmp=require("fs");return fs=()=>tmp,tmp},path=()=>{var tmp=require("path");return path=()=>tmp,tmp},constructs_1=()=>{var tmp=require("constructs");return constructs_1=()=>tmp,tmp},YAML=()=>{var tmp=require("yaml");return YAML=()=>tmp,tmp},access_entry_1=()=>{var tmp=require("./access-entry");return access_entry_1=()=>tmp,tmp},addon_1=()=>{var tmp=require("./addon");return addon_1=()=>tmp,tmp},alb_controller_1=()=>{var tmp=require("./alb-controller");return alb_controller_1=()=>tmp,tmp},aws_auth_1=()=>{var tmp=require("./aws-auth");return aws_auth_1=()=>tmp,tmp},cluster_resource_1=()=>{var tmp=require("./cluster-resource");return cluster_resource_1=()=>tmp,tmp},fargate_profile_1=()=>{var tmp=require("./fargate-profile");return fargate_profile_1=()=>tmp,tmp},helm_chart_1=()=>{var tmp=require("./helm-chart");return helm_chart_1=()=>tmp,tmp},instance_types_1=()=>{var tmp=require("./instance-types");return instance_types_1=()=>tmp,tmp},k8s_manifest_1=()=>{var 
tmp=require("./k8s-manifest");return k8s_manifest_1=()=>tmp,tmp},k8s_object_value_1=()=>{var tmp=require("./k8s-object-value");return k8s_object_value_1=()=>tmp,tmp},k8s_patch_1=()=>{var tmp=require("./k8s-patch");return k8s_patch_1=()=>tmp,tmp},kubectl_provider_1=()=>{var tmp=require("./kubectl-provider");return kubectl_provider_1=()=>tmp,tmp},managed_nodegroup_1=()=>{var tmp=require("./managed-nodegroup");return managed_nodegroup_1=()=>tmp,tmp},oidc_provider_1=()=>{var tmp=require("./oidc-provider");return oidc_provider_1=()=>tmp,tmp},bottlerocket_1=()=>{var tmp=require("./private/bottlerocket");return bottlerocket_1=()=>tmp,tmp},service_account_1=()=>{var tmp=require("./service-account");return service_account_1=()=>tmp,tmp},user_data_1=()=>{var tmp=require("./user-data");return user_data_1=()=>tmp,tmp},autoscaling=()=>{var tmp=require("../../aws-autoscaling");return autoscaling=()=>tmp,tmp},ec2=()=>{var tmp=require("../../aws-ec2");return ec2=()=>tmp,tmp},network_util_1=()=>{var tmp=require("../../aws-ec2/lib/network-util");return network_util_1=()=>tmp,tmp},iam=()=>{var tmp=require("../../aws-iam");return iam=()=>tmp,tmp},ssm=()=>{var tmp=require("../../aws-ssm");return ssm=()=>tmp,tmp},core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp},metadata_resource_1=()=>{var tmp=require("../../core/lib/metadata-resource");return metadata_resource_1=()=>tmp,tmp},prop_injectable_1=()=>{var tmp=require("../../core/lib/prop-injectable");return prop_injectable_1=()=>tmp,tmp};const DEFAULT_CAPACITY_COUNT=2,DEFAULT_CAPACITY_TYPE=ec2().InstanceType.of(ec2().InstanceClass.M5,ec2().InstanceSize.LARGE);class EndpointAccess{constructor(_config){if(this._config=_config,!_config.publicAccess&&_config.publicCidrs&&_config.publicCidrs.length>0)throw new(core_1()).UnscopedValidationError("CIDR blocks can only be configured when public access is enabled")}onlyFrom(...cidr){if(!this._config.privateAccess)throw new(core_1()).UnscopedValidationError("Cannot restric public 
access to endpoint when private access is disabled. Use PUBLIC_AND_PRIVATE.onlyFrom() instead.");return new EndpointAccess({...this._config,publicCidrs:cidr})}}exports.EndpointAccess=EndpointAccess,_a=JSII_RTTI_SYMBOL_1,EndpointAccess[_a]={fqn:"aws-cdk-lib.aws_eks.EndpointAccess",version:"2.202.0"},EndpointAccess.PUBLIC=new EndpointAccess({privateAccess:!1,publicAccess:!0}),EndpointAccess.PRIVATE=new EndpointAccess({privateAccess:!0,publicAccess:!1}),EndpointAccess.PUBLIC_AND_PRIVATE=new EndpointAccess({privateAccess:!0,publicAccess:!0});class KubernetesVersion{static of(version){return new KubernetesVersion(version)}constructor(version){this.version=version}}exports.KubernetesVersion=KubernetesVersion,_b=JSII_RTTI_SYMBOL_1,KubernetesVersion[_b]={fqn:"aws-cdk-lib.aws_eks.KubernetesVersion",version:"2.202.0"},KubernetesVersion.V1_14=KubernetesVersion.of("1.14"),KubernetesVersion.V1_15=KubernetesVersion.of("1.15"),KubernetesVersion.V1_16=KubernetesVersion.of("1.16"),KubernetesVersion.V1_17=KubernetesVersion.of("1.17"),KubernetesVersion.V1_18=KubernetesVersion.of("1.18"),KubernetesVersion.V1_19=KubernetesVersion.of("1.19"),KubernetesVersion.V1_20=KubernetesVersion.of("1.20"),KubernetesVersion.V1_21=KubernetesVersion.of("1.21"),KubernetesVersion.V1_22=KubernetesVersion.of("1.22"),KubernetesVersion.V1_23=KubernetesVersion.of("1.23"),KubernetesVersion.V1_24=KubernetesVersion.of("1.24"),KubernetesVersion.V1_25=KubernetesVersion.of("1.25"),KubernetesVersion.V1_26=KubernetesVersion.of("1.26"),KubernetesVersion.V1_27=KubernetesVersion.of("1.27"),KubernetesVersion.V1_28=KubernetesVersion.of("1.28"),KubernetesVersion.V1_29=KubernetesVersion.of("1.29"),KubernetesVersion.V1_30=KubernetesVersion.of("1.30"),KubernetesVersion.V1_31=KubernetesVersion.of("1.31"),KubernetesVersion.V1_32=KubernetesVersion.of("1.32"),KubernetesVersion.V1_33=KubernetesVersion.of("1.33");var 
ClusterLoggingTypes;(function(ClusterLoggingTypes2){ClusterLoggingTypes2.API="api",ClusterLoggingTypes2.AUDIT="audit",ClusterLoggingTypes2.AUTHENTICATOR="authenticator",ClusterLoggingTypes2.CONTROLLER_MANAGER="controllerManager",ClusterLoggingTypes2.SCHEDULER="scheduler"})(ClusterLoggingTypes||(exports.ClusterLoggingTypes=ClusterLoggingTypes={}));var IpFamily;(function(IpFamily2){IpFamily2.IP_V4="ipv4",IpFamily2.IP_V6="ipv6"})(IpFamily||(exports.IpFamily=IpFamily={}));var AuthenticationMode;(function(AuthenticationMode2){AuthenticationMode2.CONFIG_MAP="CONFIG_MAP",AuthenticationMode2.API_AND_CONFIG_MAP="API_AND_CONFIG_MAP",AuthenticationMode2.API="API"})(AuthenticationMode||(exports.AuthenticationMode=AuthenticationMode={}));class ClusterBase extends core_1().Resource{addManifest(id,...manifest){return new(k8s_manifest_1()).KubernetesManifest(this,`manifest-${id}`,{cluster:this,manifest})}addHelmChart(id,options){return new(helm_chart_1()).HelmChart(this,`chart-${id}`,{cluster:this,...options})}addCdk8sChart(id,chart,options={}){const cdk8sChart=chart;if(typeof cdk8sChart.toJson!="function")throw new(core_1()).ValidationError(`Invalid cdk8s chart. 
Must contain a 'toJson' method, but found ${typeof cdk8sChart.toJson}`,this);return new(k8s_manifest_1()).KubernetesManifest(this,id,{cluster:this,manifest:cdk8sChart.toJson(),...options})}addServiceAccount(id,options={}){return new(service_account_1()).ServiceAccount(this,id,{...options,cluster:this})}addSpotInterruptHandler(){return this._spotInterruptHandler||(this._spotInterruptHandler=this.addHelmChart("spot-interrupt-handler",{chart:"aws-node-termination-handler",version:"0.27.0",repository:"oci://public.ecr.aws/aws-ec2/helm/aws-node-termination-handler",namespace:"kube-system",values:{nodeSelector:{lifecycle:user_data_1().LifecycleLabel.SPOT}}})),this._spotInterruptHandler}connectAutoScalingGroupCapacity(autoScalingGroup,options){autoScalingGroup.connections.allowInternally(ec2().Port.allTraffic()),autoScalingGroup.connections.allowFrom(this,ec2().Port.tcp(443)),autoScalingGroup.connections.allowFrom(this,ec2().Port.tcpRange(1025,65535)),autoScalingGroup.connections.allowTo(this,ec2().Port.tcp(443)),autoScalingGroup.connections.allowToAnyIpv4(ec2().Port.allTcp()),autoScalingGroup.connections.allowToAnyIpv4(ec2().Port.allUdp()),autoScalingGroup.connections.allowToAnyIpv4(ec2().Port.allIcmp()),autoScalingGroup.addSecurityGroup(this.clusterSecurityGroup);const bootstrapEnabled=options.bootstrapEnabled??!0;if(options.bootstrapOptions&&!bootstrapEnabled)throw new(core_1()).ValidationError('Cannot specify "bootstrapOptions" if "bootstrapEnabled" is false',this);if(bootstrapEnabled){const 
userData=options.machineImageType===MachineImageType.BOTTLEROCKET?(0,user_data_1().renderBottlerocketUserData)(this):(0,user_data_1().renderAmazonLinuxUserData)(this,autoScalingGroup,options.bootstrapOptions);autoScalingGroup.addUserData(...userData)}autoScalingGroup.role.addManagedPolicy(iam().ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSWorkerNodePolicy")),autoScalingGroup.role.addManagedPolicy(iam().ManagedPolicy.fromAwsManagedPolicyName("AmazonEKS_CNI_Policy")),autoScalingGroup.role.addManagedPolicy(iam().ManagedPolicy.fromAwsManagedPolicyName("AmazonEC2ContainerRegistryReadOnly")),core_1().Tags.of(autoScalingGroup).add(`kubernetes.io/cluster/${this.clusterName}`,"owned",{applyToLaunchedInstances:!0,excludeResourceTypes:["AWS::EC2::SecurityGroup"]});let mapRole=options.mapRole??!0;mapRole&&!(this instanceof Cluster)&&(core_1().Annotations.of(autoScalingGroup).addWarningV2("@aws-cdk/aws-eks:clusterUnsupportedAutoMappingAwsAutoRole","Auto-mapping aws-auth role for imported cluster is not supported, please map role manually"),mapRole=!1),mapRole?this.awsAuth.addRoleMapping(autoScalingGroup.role,{username:"system:node:{{EC2PrivateDNSName}}",groups:["system:bootstrappers","system:nodes"]}):new(core_1()).CfnOutput(autoScalingGroup,"InstanceRoleARN",{value:autoScalingGroup.role.roleArn});const addSpotInterruptHandler=options.spotInterruptHandler??!0;autoScalingGroup.spotPrice&&addSpotInterruptHandler&&this.addSpotInterruptHandler(),this instanceof Cluster&&this.albController&&constructs_1().Node.of(this.albController).addDependency(autoScalingGroup)}}let Cluster=class Cluster2 extends ClusterBase{static fromClusterAttributes(scope,id,attrs){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_eks_ClusterAttributes(attrs)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromClusterAttributes),error}return new 
ImportedCluster(scope,id,attrs)}constructor(scope,id,props){super(scope,id,{physicalName:props.clusterName}),this.accessEntries=new Map,this._fargateProfiles=[];try{jsiiDeprecationWarnings().aws_cdk_lib_aws_eks_ClusterProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,Cluster2),error}(0,metadata_resource_1().addConstructMetadata)(this,props);const stack=core_1().Stack.of(this);this.prune=props.prune??!0,this.vpc=props.vpc||new(ec2()).Vpc(this,"DefaultVpc"),this.version=props.version,this.kubectlLambdaRole=props.kubectlLambdaRole?props.kubectlLambdaRole:new(iam()).Role(this,"KubectlHandlerRole",{assumedBy:new(iam()).ServicePrincipal("lambda.amazonaws.com"),managedPolicies:[iam().ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole")]}),this.tagSubnets(),this.role=props.role||new(iam()).Role(this,"Role",{assumedBy:new(iam()).ServicePrincipal("eks.amazonaws.com"),managedPolicies:[iam().ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSClusterPolicy")]});const securityGroup=props.securityGroup||new(ec2()).SecurityGroup(this,"ControlPlaneSecurityGroup",{vpc:this.vpc,description:"EKS Control Plane Security Group"});this.vpcSubnets=props.vpcSubnets??[{subnetType:ec2().SubnetType.PUBLIC},{subnetType:ec2().SubnetType.PRIVATE_WITH_EGRESS}];const selectedSubnetIdsPerGroup=this.vpcSubnets.map(s=>this.vpc.selectSubnets(s).subnetIds);if(selectedSubnetIdsPerGroup.some(core_1().Token.isUnresolved)&&selectedSubnetIdsPerGroup.length>1)throw new(core_1()).ValidationError("eks.Cluster: cannot select multiple subnet groups from a VPC imported from list tokens with unknown length. 
Select only one subnet group, pass a length to Fn.split, or switch to Vpc.fromLookup.",this);const subnetIds=Array.from(new Set(flatten(selectedSubnetIdsPerGroup)));this.logging=props.clusterLogging?{clusterLogging:[{enabled:!0,types:Object.values(props.clusterLogging)}]}:void 0,this.endpointAccess=props.endpointAccess??EndpointAccess.PUBLIC_AND_PRIVATE,this.kubectlEnvironment=props.kubectlEnvironment,this.kubectlLayer=props.kubectlLayer,this.awscliLayer=props.awscliLayer,this.kubectlMemory=props.kubectlMemory,this.ipFamily=props.ipFamily??IpFamily.IP_V4,this.onEventLayer=props.onEventLayer,this.clusterHandlerSecurityGroup=props.clusterHandlerSecurityGroup;const privateSubnets=this.selectPrivateSubnets().slice(0,16),publicAccessDisabled=!this.endpointAccess._config.publicAccess,publicAccessRestricted=!publicAccessDisabled&&this.endpointAccess._config.publicCidrs&&this.endpointAccess._config.publicCidrs.length!==0,hasPendingLookup=this.vpcSubnets.some(placement=>this.vpc.selectSubnets(placement).isPendingLookup);if(!hasPendingLookup){if(privateSubnets.length===0&&publicAccessDisabled)throw new(core_1()).ValidationError("Vpc must contain private subnets when public endpoint access is disabled",this);if(privateSubnets.length===0&&publicAccessRestricted)throw new(core_1()).ValidationError("Vpc must contain private subnets when public endpoint access is restricted",this)}const placeClusterHandlerInVpc=props.placeClusterHandlerInVpc??!1;if(!hasPendingLookup&&placeClusterHandlerInVpc&&privateSubnets.length===0)throw new(core_1()).ValidationError("Cannot place cluster handler in the VPC since no private subnets could be selected",this);if(props.clusterHandlerSecurityGroup&&!placeClusterHandlerInVpc)throw new(core_1()).ValidationError("Cannot specify clusterHandlerSecurityGroup without placeClusterHandlerInVpc set to true",this);if(props.serviceIpv4Cidr&&props.ipFamily==IpFamily.IP_V6)throw new(core_1()).ValidationError("Cannot specify serviceIpv4Cidr with ipFamily equal to 
IpFamily.IP_V6",this);if(!core_1().Token.isUnresolved(this.physicalName)&&this.physicalName.length>100)throw new(core_1()).ValidationError("Cluster name cannot be more than 100 characters",this);this.validateRemoteNetworkConfig(props),this.authenticationMode=props.authenticationMode;const resource=this._clusterResource=new(cluster_resource_1()).ClusterResource(this,"Resource",{name:this.physicalName,environment:props.clusterHandlerEnvironment,roleArn:this.role.roleArn,version:props.version.version,accessconfig:{authenticationMode:props.authenticationMode,bootstrapClusterCreatorAdminPermissions:props.bootstrapClusterCreatorAdminPermissions},...props.remoteNodeNetworks?{remoteNetworkConfig:{remoteNodeNetworks:props.remoteNodeNetworks,...props.remotePodNetworks?{remotePodNetworks:props.remotePodNetworks}:{}}}:{},resourcesVpcConfig:{securityGroupIds:[securityGroup.securityGroupId],subnetIds},...props.secretsEncryptionKey?{encryptionConfig:[{provider:{keyArn:props.secretsEncryptionKey.keyArn},resources:["secrets"]}]}:{},kubernetesNetworkConfig:{ipFamily:this.ipFamily,serviceIpv4Cidr:props.serviceIpv4Cidr},endpointPrivateAccess:this.endpointAccess._config.privateAccess,endpointPublicAccess:this.endpointAccess._config.publicAccess,publicAccessCidrs:this.endpointAccess._config.publicCidrs,secretsEncryptionKey:props.secretsEncryptionKey,vpc:this.vpc,subnets:placeClusterHandlerInVpc?privateSubnets:void 0,clusterHandlerSecurityGroup:this.clusterHandlerSecurityGroup,onEventLayer:this.onEventLayer,tags:props.tags,logging:this.logging,bootstrapSelfManagedAddons:props.bootstrapSelfManagedAddons});if(this.endpointAccess._config.privateAccess&&privateSubnets.length!==0){if(this.vpc instanceof ec2().Vpc&&!(this.vpc.dnsHostnamesEnabled&&this.vpc.dnsSupportEnabled))throw new(core_1()).ValidationError("Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. 
Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.",this);this.kubectlPrivateSubnets=privateSubnets,this._clusterResource.node.addDependency(this.vpc)}this.adminRole=resource.adminRole,this._kubectlReadyBarrier=new(core_1()).CfnResource(this,"KubectlReadyBarrier",{type:"AWS::SSM::Parameter",properties:{Type:"String",Value:"aws:cdk:eks:kubectl-ready"}}),this._kubectlReadyBarrier.node.addDependency(this._clusterResource),this.clusterName=this.getResourceNameAttribute(resource.ref),this.clusterArn=this.getResourceArnAttribute(resource.attrArn,(0,cluster_resource_1().clusterArnComponents)(this.physicalName)),this.clusterEndpoint=resource.attrEndpoint,this.clusterCertificateAuthorityData=resource.attrCertificateAuthorityData,this.clusterSecurityGroupId=resource.attrClusterSecurityGroupId,this.clusterEncryptionConfigKeyArn=resource.attrEncryptionConfigKeyArn,this.clusterSecurityGroup=ec2().SecurityGroup.fromSecurityGroupId(this,"ClusterSecurityGroup",this.clusterSecurityGroupId),this.connections=new(ec2()).Connections({securityGroups:[this.clusterSecurityGroup,securityGroup],defaultPort:ec2().Port.tcp(443)}),this.kubectlSecurityGroup=this.clusterSecurityGroup,this.adminRole.assumeRolePolicy?.addStatements(new(iam()).PolicyStatement({actions:["sts:AssumeRole"],principals:[this.kubectlLambdaRole]})),this.kubectlRole=this.adminRole,this._kubectlResourceProvider=this.defineKubectlProvider();const updateConfigCommandPrefix=`aws eks update-kubeconfig --name ${this.clusterName}`,getTokenCommandPrefix=`aws eks get-token --cluster-name ${this.clusterName}`,commonCommandOptions=[`--region ${stack.region}`];props.outputClusterName&&new(core_1()).CfnOutput(this,"ClusterName",{value:this.clusterName});const supportAuthenticationApi=this.authenticationMode===AuthenticationMode.API||this.authenticationMode===AuthenticationMode.API_AND_CONFIG_MAP;if(props.mastersRole){const 
mastersRole=props.mastersRole;supportAuthenticationApi?this.grantAccess("mastersRoleAccess",props.mastersRole.roleArn,[access_entry_1().AccessPolicy.fromAccessPolicyName("AmazonEKSClusterAdminPolicy",{accessScopeType:access_entry_1().AccessScopeType.CLUSTER})]):this.awsAuth.addMastersRole(mastersRole),props.outputMastersRoleArn&&new(core_1()).CfnOutput(this,"MastersRoleArn",{value:mastersRole.roleArn}),commonCommandOptions.push(`--role-arn ${mastersRole.roleArn}`)}props.albController&&(this.albController=alb_controller_1().AlbController.create(this,{...props.albController,cluster:this}));const minCapacity=props.defaultCapacity??DEFAULT_CAPACITY_COUNT;if(minCapacity>0){const instanceType=props.defaultCapacityInstance||DEFAULT_CAPACITY_TYPE;this.defaultCapacity=props.defaultCapacityType===DefaultCapacityType.EC2?this.addAutoScalingGroupCapacity("DefaultCapacity",{instanceType,minCapacity}):void 0,this.defaultNodegroup=props.defaultCapacityType!==DefaultCapacityType.EC2?this.addNodegroupCapacity("DefaultCapacity",{instanceTypes:[instanceType],minSize:minCapacity}):void 0}if(props.outputConfigCommand&&!props.mastersRole&&core_1().Annotations.of(this).addWarningV2("@aws-cdk/aws-eks:clusterMastersroleNotSpecified","'outputConfigCommand' will be ignored as 'mastersRole' has not been specified."),(props.outputConfigCommand??!0)&&props.mastersRole){const postfix=commonCommandOptions.join(" ");new(core_1()).CfnOutput(this,"ConfigCommand",{value:`${updateConfigCommandPrefix} ${postfix}`}),new(core_1()).CfnOutput(this,"GetTokenCommand",{value:`${getTokenCommandPrefix} ${postfix}`})}this.defineCoreDnsComputeType(props.coreDnsComputeType??CoreDnsComputeType.EC2)}grantAccess(id,principal,accessPolicies){this.addToAccessEntry(id,principal,accessPolicies)}getServiceLoadBalancerAddress(serviceName,options={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_eks_ServiceLoadBalancerAddressOptions(options)}catch(error){throw 
process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.getServiceLoadBalancerAddress),error}return new(k8s_object_value_1()).KubernetesObjectValue(this,`${serviceName}LoadBalancerAddress`,{cluster:this,objectType:"service",objectName:serviceName,objectNamespace:options.namespace,jsonPath:".status.loadBalancer.ingress[0].hostname",timeout:options.timeout}).value}getIngressLoadBalancerAddress(ingressName,options={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_eks_IngressLoadBalancerAddressOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.getIngressLoadBalancerAddress),error}return new(k8s_object_value_1()).KubernetesObjectValue(this,`${ingressName}LoadBalancerAddress`,{cluster:this,objectType:"ingress",objectName:ingressName,objectNamespace:options.namespace,jsonPath:".status.loadBalancer.ingress[0].hostname",timeout:options.timeout}).value}addAutoScalingGroupCapacity(id,options){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_eks_AutoScalingGroupCapacityOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addAutoScalingGroupCapacity),error}if(options.machineImageType===MachineImageType.BOTTLEROCKET&&options.bootstrapOptions!==void 0)throw new(core_1()).ValidationError("bootstrapOptions is not supported for Bottlerocket",this);const asg=new(autoscaling()).AutoScalingGroup(this,id,{...options,vpc:this.vpc,machineImage:options.machineImageType===MachineImageType.BOTTLEROCKET?new(bottlerocket_1()).BottleRocketImage({kubernetesVersion:this.version.version}):new EksOptimizedImage({nodeType:nodeTypeForInstanceType(options.instanceType),cpuArch:cpuArchForInstanceType(options.instanceType),kubernetesVersion:this.version.version})});return 
this.connectAutoScalingGroupCapacity(asg,{mapRole:options.mapRole,bootstrapOptions:options.bootstrapOptions,bootstrapEnabled:options.bootstrapEnabled,machineImageType:options.machineImageType,spotInterruptHandler:options.spotInterruptHandler}),(nodeTypeForInstanceType(options.instanceType)===NodeType.INFERENTIA||nodeTypeForInstanceType(options.instanceType)===NodeType.TRAINIUM)&&this.addNeuronDevicePlugin(),asg}addNodegroupCapacity(id,options){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_eks_NodegroupOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addNodegroupCapacity),error}return[options?.instanceType,...options?.instanceTypes??[]].some(i=>i&&(nodeTypeForInstanceType(i)===NodeType.INFERENTIA||nodeTypeForInstanceType(i)===NodeType.TRAINIUM))&&this.addNeuronDevicePlugin(),new(managed_nodegroup_1()).Nodegroup(this,`Nodegroup${id}`,{cluster:this,...options})}get awsAuth(){return this._awsAuth||(this._awsAuth=new(aws_auth_1()).AwsAuth(this,"AwsAuth",{cluster:this})),this._awsAuth}get clusterOpenIdConnectIssuerUrl(){return this._clusterResource.attrOpenIdConnectIssuerUrl}get clusterOpenIdConnectIssuer(){return this._clusterResource.attrOpenIdConnectIssuer}get openIdConnectProvider(){return this._openIdConnectProvider||(this._openIdConnectProvider=new(oidc_provider_1()).OpenIdConnectProvider(this,"OpenIdConnectProvider",{url:this.clusterOpenIdConnectIssuerUrl})),this._openIdConnectProvider}get eksPodIdentityAgent(){return this._eksPodIdentityAgent||(this._eksPodIdentityAgent=new(addon_1()).Addon(this,"EksPodIdentityAgentAddon",{cluster:this,addonName:"eks-pod-identity-agent"})),this._eksPodIdentityAgent}addFargateProfile(id,options){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_eks_FargateProfileOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.addFargateProfile),error}return 
new(fargate_profile_1()).FargateProfile(this,`fargate-profile-${id}`,{...options,cluster:this})}_attachFargateProfile(fargateProfile){return this._fargateProfiles.push(fargateProfile),this._kubectlReadyBarrier.node.addDependency(fargateProfile),this._fargateProfiles}_attachKubectlResourceScope(resourceScope){return constructs_1().Node.of(resourceScope).addDependency(this._kubectlReadyBarrier),this._kubectlResourceProvider}addToAccessEntry(id,principal,policies){const entry=this.accessEntries.get(principal);if(entry)entry.addAccessPolicies(policies);else{const newEntry=new(access_entry_1()).AccessEntry(this,id,{principal,cluster:this,accessPolicies:policies});this.accessEntries.set(principal,newEntry)}}defineKubectlProvider(){const uid="@aws-cdk/aws-eks.KubectlProvider";if(this.stack.node.tryFindChild(uid))throw new(core_1()).ValidationError("Only a single EKS cluster can be defined within a CloudFormation stack",this);return new(kubectl_provider_1()).KubectlProvider(this.stack,uid,{cluster:this})}selectPrivateSubnets(){const privateSubnets=[],vpcPrivateSubnetIds=this.vpc.privateSubnets.map(s=>s.subnetId),vpcPublicSubnetIds=this.vpc.publicSubnets.map(s=>s.subnetId);for(const placement of this.vpcSubnets)for(const subnet of this.vpc.selectSubnets(placement).subnets){if(vpcPrivateSubnetIds.includes(subnet.subnetId)){privateSubnets.push(subnet);continue}vpcPublicSubnetIds.includes(subnet.subnetId)||privateSubnets.push(subnet)}return privateSubnets}addNeuronDevicePlugin(){if(!this._neuronDevicePlugin){const fileContents=fs().readFileSync(path().join(__dirname,"addons","neuron-device-plugin.yaml"),"utf8"),sanitized=YAML().parse(fileContents);this._neuronDevicePlugin=this.addManifest("NeuronDevicePlugin",sanitized)}return this._neuronDevicePlugin}tagSubnets(){const tagAllSubnets=(type,subnets,tag)=>{for(const subnet of subnets){if(!ec2().Subnet.isVpcSubnet(subnet)){const 
subnetID=core_1().Token.isUnresolved(subnet.subnetId)||core_1().Token.isUnresolved([subnet.subnetId])?"":` ${subnet.subnetId}`;core_1().Annotations.of(this).addWarningV2("@aws-cdk/aws-eks:clusterMustManuallyTagSubnet",`Could not auto-tag ${type} subnet${subnetID} with "${tag}=1", please remember to do this manually`);continue}core_1().Tags.of(subnet).add(tag,"1")}};tagAllSubnets("private",this.vpc.privateSubnets,"kubernetes.io/role/internal-elb"),tagAllSubnets("public",this.vpc.publicSubnets,"kubernetes.io/role/elb")}defineCoreDnsComputeType(type){if(type===CoreDnsComputeType.EC2)return;const renderPatch=computeType=>({spec:{template:{metadata:{annotations:{"eks.amazonaws.com/compute-type":computeType}}}}});new(k8s_patch_1()).KubernetesPatch(this,"CoreDnsComputeTypePatch",{cluster:this,resourceName:"deployment/coredns",resourceNamespace:"kube-system",applyPatch:renderPatch(CoreDnsComputeType.FARGATE),restorePatch:renderPatch(CoreDnsComputeType.EC2)})}validateRemoteNetworkConfig(props){if(props.remoteNodeNetworks&&(props.remoteNodeNetworks.forEach((network,index)=>{const{cidrs}=network;cidrs.length>1&&cidrs.forEach((cidr1,j)=>{if(cidrs.slice(j+1).some(cidr2=>validateCidrPairOverlap(cidr1,cidr2)))throw new(core_1()).ValidationError(`CIDR ${cidr1} should not overlap with another CIDR in remote node network #${index+1}`,this)})}),props.remoteNodeNetworks.forEach((network1,i)=>{props.remoteNodeNetworks.slice(i+1).forEach((network2,j)=>{const[overlap,remoteNodeCidr1,remoteNodeCidr2]=validateCidrBlocksOverlap(network1.cidrs,network2.cidrs);if(overlap)throw new(core_1()).ValidationError(`CIDR block ${remoteNodeCidr1} in remote node network #${i+1} should not overlap with CIDR block ${remoteNodeCidr2} in remote node network #${i+j+2}`,this)})}),props.remotePodNetworks)){props.remotePodNetworks.forEach((network,index)=>{const{cidrs}=network;cidrs.length>1&&cidrs.forEach((cidr1,j)=>{if(cidrs.slice(j+1).some(cidr2=>validateCidrPairOverlap(cidr1,cidr2)))throw 
new(core_1()).ValidationError(`CIDR ${cidr1} should not overlap with another CIDR in remote pod network #${index+1}`,this)})}),props.remotePodNetworks.forEach((network1,i)=>{props.remotePodNetworks.slice(i+1).forEach((network2,j)=>{const[overlap,remotePodCidr1,remotePodCidr2]=validateCidrBlocksOverlap(network1.cidrs,network2.cidrs);if(overlap)throw new(core_1()).ValidationError(`CIDR block ${remotePodCidr1} in remote pod network #${i+1} should not overlap with CIDR block ${remotePodCidr2} in remote pod network #${i+j+2}`,this)})});for(const nodeNetwork of props.remoteNodeNetworks)for(const podNetwork of props.remotePodNetworks){const[overlap,remoteNodeCidr,remotePodCidr]=validateCidrBlocksOverlap(nodeNetwork.cidrs,podNetwork.cidrs);if(overlap)throw new(core_1()).ValidationError(`Remote node network CIDR block ${remoteNodeCidr} should not overlap with remote pod network CIDR block ${remotePodCidr}`,this)}}}};exports.Cluster=Cluster,_c=JSII_RTTI_SYMBOL_1,Cluster[_c]={fqn:"aws-cdk-lib.aws_eks.Cluster",version:"2.202.0"},Cluster.PROPERTY_INJECTION_ID="aws-cdk-lib.aws-eks.Cluster",__decorate([(0,metadata_resource_1().MethodMetadata)()],Cluster.prototype,"grantAccess",null),__decorate([(0,metadata_resource_1().MethodMetadata)()],Cluster.prototype,"getServiceLoadBalancerAddress",null),__decorate([(0,metadata_resource_1().MethodMetadata)()],Cluster.prototype,"getIngressLoadBalancerAddress",null),__decorate([(0,metadata_resource_1().MethodMetadata)()],Cluster.prototype,"addAutoScalingGroupCapacity",null),__decorate([(0,metadata_resource_1().MethodMetadata)()],Cluster.prototype,"addNodegroupCapacity",null),__decorate([(0,metadata_resource_1().MethodMetadata)()],Cluster.prototype,"addFargateProfile",null),exports.Cluster=Cluster=__decorate([prop_injectable_1().propertyInjectable],Cluster);let ImportedCluster=class extends 
ClusterBase {
  // Body of the ImportedCluster class expression (the name is taken from the
  // PROPERTY_INJECTION_ID assignment and the __decorate call that follow the closing
  // brace). All attributes come from `props`; each getter below throws a ValidationError
  // instead of returning undefined when the attribute it exposes was not supplied.

  /**
   * Wires an imported cluster from caller-supplied attributes.
   *
   * Role ARNs, security-group IDs and subnet IDs found in `props` are turned into
   * construct references with the `from*` importers. No format or ownership check of
   * those identifiers is visible in this constructor, so the caller has to make sure
   * they belong to the intended cluster.
   *
   * @param scope parent construct, forwarded to the base class
   * @param id construct id, forwarded to the base class
   * @param props imported-cluster attributes; kept on `this.props` and read by the getters
   */
  constructor(scope, id, props) {
    super(scope, id),
      this.props = props,
      this.connections = new (ec2()).Connections,
      (0, metadata_resource_1().addConstructMetadata)(this, props),
      this.clusterName = props.clusterName,
      // The ARN is derived from the supplied cluster name, not read from the props.
      this.clusterArn = this.stack.formatArn((0, cluster_resource_1().clusterArnComponents)(props.clusterName)),
      // Optional: stays undefined when no ARN is given.
      // NOTE(review): presumably the IAM role used for kubectl access to the cluster;
      // treat the ARN as a privileged identity and confirm against the props documentation.
      this.kubectlRole = props.kubectlRoleArn ? iam().Role.fromRoleArn(this, "KubectlRole", props.kubectlRoleArn) : void 0,
      this.kubectlLambdaRole = props.kubectlLambdaRole,
      this.kubectlSecurityGroup = props.kubectlSecurityGroupId ? ec2().SecurityGroup.fromSecurityGroupId(this, "KubectlSecurityGroup", props.kubectlSecurityGroupId) : void 0,
      this.kubectlEnvironment = props.kubectlEnvironment,
      // One imported subnet per ID, with construct ids KubectlSubnet0, KubectlSubnet1, ...
      this.kubectlPrivateSubnets = props.kubectlPrivateSubnetIds ? props.kubectlPrivateSubnetIds.map((subnetid, index) => ec2().Subnet.fromSubnetId(this, `KubectlSubnet${index}`, subnetid)) : void 0,
      this.kubectlLayer = props.kubectlLayer,
      this.ipFamily = props.ipFamily,
      this.awscliLayer = props.awscliLayer,
      this.kubectlMemory = props.kubectlMemory,
      this.clusterHandlerSecurityGroup = props.clusterHandlerSecurityGroupId ? ec2().SecurityGroup.fromSecurityGroupId(this, "ClusterHandlerSecurityGroup", props.clusterHandlerSecurityGroupId) : void 0,
      this.kubectlProvider = props.kubectlProvider,
      this.onEventLayer = props.onEventLayer,
      // `prune` is true unless the caller passes a non-nullish value.
      this.prune = props.prune ?? !0;
    // Every ID in props.securityGroupIds is imported (construct ids SecurityGroup1,
    // SecurityGroup2, ...) and added to `connections`.
    let i = 1;
    for (const sgid of props.securityGroupIds ?? [])
      this.connections.addSecurityGroup(ec2().SecurityGroup.fromSecurityGroupId(this, `SecurityGroup${i}`, sgid)),
        i++;
    // Only when a cluster security group ID was supplied: import it (the ID is read back
    // through the clusterSecurityGroupId getter) and add it to `connections` as well.
    props.clusterSecurityGroupId &&
      (this._clusterSecurityGroup = ec2().SecurityGroup.fromSecurityGroupId(this, "ClusterSecurityGroup", this.clusterSecurityGroupId),
      this.connections.addSecurityGroup(this._clusterSecurityGroup))
  }

  /** Returns `props.vpc`. @throws ValidationError when it is falsy. */
  get vpc() {
    if (!this.props.vpc)
      throw new (core_1()).ValidationError('"vpc" is not defined for this imported cluster', this);
    return this.props.vpc
  }

  /**
   * Returns the security group imported by the constructor.
   * @throws ValidationError when no cluster security group ID was supplied, so nothing was imported.
   */
  get clusterSecurityGroup() {
    if (!this._clusterSecurityGroup)
      throw new (core_1()).ValidationError('"clusterSecurityGroup" is not defined for this imported cluster', this);
    return this._clusterSecurityGroup
  }

  /** Returns `props.clusterSecurityGroupId`. @throws ValidationError when it is falsy. */
  get clusterSecurityGroupId() {
    if (!this.props.clusterSecurityGroupId)
      throw new (core_1()).ValidationError('"clusterSecurityGroupId" is not defined for this imported cluster', this);
    return this.props.clusterSecurityGroupId
  }

  /** Returns `props.clusterEndpoint`. @throws ValidationError when it is falsy. */
  get clusterEndpoint() {
    if (!this.props.clusterEndpoint)
      throw new (core_1()).ValidationError('"clusterEndpoint" is not defined for this imported cluster', this);
    return this.props.clusterEndpoint
  }

  /**
   * Returns `props.clusterCertificateAuthorityData` unchanged; no decoding or validation
   * of the value happens here.
   * @throws ValidationError when it is falsy.
   */
  get clusterCertificateAuthorityData() {
    if (!this.props.clusterCertificateAuthorityData)
      throw new (core_1()).ValidationError('"clusterCertificateAuthorityData" is not defined for this imported cluster', this);
    return this.props.clusterCertificateAuthorityData
  }

  /** Returns `props.clusterEncryptionConfigKeyArn`. @throws ValidationError when it is falsy. */
  get clusterEncryptionConfigKeyArn() {
    if (!this.props.clusterEncryptionConfigKeyArn)
      throw new (core_1()).ValidationError('"clusterEncryptionConfigKeyArn" is not defined for this imported cluster', this);
    return this.props.clusterEncryptionConfigKeyArn
  }

  /** Returns `props.openIdConnectProvider`. @throws ValidationError when it is falsy. */
  get openIdConnectProvider() {
    if (!this.props.openIdConnectProvider)
      throw new (core_1()).ValidationError('"openIdConnectProvider" is not defined for this imported cluster', this);
    return this.props.openIdConnectProvider
  }

  /** Always throws: this class does not expose `awsAuth` for an imported cluster. */
  get awsAuth() {
    throw new (core_1()).ValidationError('"awsAuth" is not supported on imported clusters', this)
  }
};
// Property-injection id, then the propertyInjectable decorator is applied and its result
// is assigned back to the ImportedCluster binding.
ImportedCluster.PROPERTY_INJECTION_ID = "aws-cdk-lib.aws-eks.ImportedCluster",
  ImportedCluster = __decorate([prop_injectable_1().propertyInjectable], ImportedCluster);

/**
 * Machine image whose AMI is looked up through an SSM parameter name assembled in the
 * constructor from Kubernetes version, node type and CPU architecture.
 */
class EksOptimizedImage {
  /**
   * @param props optional settings; every field has a default:
   *   nodeType -> NodeType.STANDARD, cpuArch -> CpuArch.X86_64,
   *   kubernetesVersion -> LATEST_KUBERNETES_VERSION (the constant "1.24" declared after this class).
   */
  constructor(props = {}) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_eks_EksOptimizedImageProps(props)
    } catch (error) {
      // Always rethrows. For a DeprecationError, and unless JSII_DEBUG is "1", the stack
      // trace is first re-captured with this constructor passed as the cut-off function.
      throw process.env.JSII_DEBUG !== "1" &&
        error.name === "DeprecationError" &&
        Error.captureStackTrace(error, EksOptimizedImage),
        error
    }
    this.nodeType = props.nodeType ?? NodeType.STANDARD,
      this.cpuArch = props.cpuArch ?? CpuArch.X86_64,
      // NOTE(review): when the caller omits kubernetesVersion the AMI path is built for
      // "1.24"; pass the version explicitly so node images match the cluster version.
      this.kubernetesVersion = props.kubernetesVersion ?? LATEST_KUBERNETES_VERSION,
      // Resulting name: /aws/service/eks/optimized-ami/<version>/<flavour>/recommended/image_id
      // `kubernetesVersion` is interpolated as given; no format check is visible here.
      this.amiParameterName = `/aws/service/eks/optimized-ami/${this.kubernetesVersion}/` +
        // cpuArch is only consulted for STANDARD nodes.
        (this.nodeType === NodeType.STANDARD ? this.cpuArch === CpuArch.X86_64 ? "amazon-linux-2/" : "amazon-linux-2-arm64/" : "") +
        // GPU, INFERENTIA and TRAINIUM all select the same "amazon-linux-2-gpu/" segment.
        (this.nodeType === NodeType.GPU ? "amazon-linux-2-gpu/" : "") +
        (this.nodeType === NodeType.INFERENTIA ? "amazon-linux-2-gpu/" : "") +
        (this.nodeType === NodeType.TRAINIUM ? "amazon-linux-2-gpu/" : "") +
        "recommended/image_id"
  }

  /**
   * Builds the image configuration for `scope`.
   *
   * The AMI ID is not a literal in this code: it comes from the SSM parameter named by
   * `amiParameterName`, whose path ends in `recommended/image_id`.
   * NOTE(review): the concrete AMI is therefore whatever that parameter holds when it is
   * resolved; use an explicitly pinned image instead if node images must be reproducible
   * or change-controlled.
   *
   * @param scope construct scope passed to the SSM parameter lookup
   * @returns object with `imageId`, `osType` (LINUX) and a `UserData.forLinux()` object
   *   to which this method adds no commands
   */
  getImage(scope) {
    return {
      imageId: ssm().StringParameter.valueForStringParameter(scope, this.amiParameterName),
      osType: ec2().OperatingSystemType.LINUX,
      userData: ec2().UserData.forLinux()
    }
  }
}
// Export, then attach the jsii runtime type information (fully qualified name and version).
exports.EksOptimizedImage = EksOptimizedImage,
  _d = JSII_RTTI_SYMBOL_1,
  EksOptimizedImage[_d] = { fqn: "aws-cdk-lib.aws_eks.EksOptimizedImage", version: "2.202.0" };
// Default Kubernetes version for EksOptimizedImage. Despite the name this is a fixed
// string, not a value looked up at synthesis time.
// NOTE(review): 1.24 is an old release; confirm it is still a version you can support
// before relying on the default.
const LATEST_KUBERNETES_VERSION = "1.24";
// String enum: selects the AMI flavour segment in EksOptimizedImage.
var NodeType;
(function (NodeType2) {
  NodeType2.STANDARD = "Standard",
    NodeType2.GPU = "GPU",
    NodeType2.INFERENTIA = "INFERENTIA",
    NodeType2.TRAINIUM = "TRAINIUM"
})(NodeType || (exports.NodeType = NodeType = {}));
// String enum: CPU architecture values.
var CpuArch;
(function (CpuArch2) {
  CpuArch2.ARM_64 = "arm64",
    CpuArch2.X86_64 = "x86_64"
})(CpuArch || (exports.CpuArch = CpuArch = {}));
// String enum: "ec2" or "fargate".
var CoreDnsComputeType;
(function (CoreDnsComputeType2) {
  CoreDnsComputeType2.EC2 = "ec2",
    CoreDnsComputeType2.FARGATE = "fargate"
})(CoreDnsComputeType || (exports.CoreDnsComputeType = CoreDnsComputeType = {}));
// Numeric enum with a reverse mapping: NODEGROUP <-> 0, EC2 <-> 1.
var DefaultCapacityType;
(function (DefaultCapacityType2) {
  DefaultCapacityType2[DefaultCapacityType2.NODEGROUP = 0] = "NODEGROUP",
    DefaultCapacityType2[DefaultCapacityType2.EC2 = 1] = "EC2"
})(DefaultCapacityType || (exports.DefaultCapacityType = DefaultCapacityType = {}));
// Declaration keyword for MachineImageType; the identifier follows on the next line of this page.
var
MachineImageType; // completes the `var` declaration begun at the end of the previous line
// Numeric enum with a reverse mapping: AMAZON_LINUX_2 <-> 0, BOTTLEROCKET <-> 1.
(function (members) {
  members[(members.AMAZON_LINUX_2 = 0)] = "AMAZON_LINUX_2";
  members[(members.BOTTLEROCKET = 1)] = "BOTTLEROCKET";
})(MachineImageType || (exports.MachineImageType = MachineImageType = {}));

/**
 * Classifies an instance type as GPU, INFERENTIA, TRAINIUM or STANDARD.
 *
 * The decision is made on leading characters of `instanceType.toString()` only: the
 * first 2 characters are looked up in INSTANCE_TYPES.gpu, the first 4 in
 * INSTANCE_TYPES.inferentia and then INSTANCE_TYPES.trainium. Anything not found in
 * those lists falls through to STANDARD without an error.
 * NOTE(review): an accelerator family missing from the lists is silently treated as
 * STANDARD; verify new instance families against the INSTANCE_TYPES tables.
 *
 * @param instanceType value whose `toString()` yields the instance type name
 * @returns a NodeType member
 */
function nodeTypeForInstanceType(instanceType) {
  const families = () => instance_types_1().INSTANCE_TYPES;
  const prefix = (length) => instanceType.toString().substring(0, length);

  if (families().gpu.includes(prefix(2))) {
    return NodeType.GPU;
  }
  if (families().inferentia.includes(prefix(4))) {
    return NodeType.INFERENTIA;
  }
  if (families().trainium.includes(prefix(4))) {
    return NodeType.TRAINIUM;
  }
  return NodeType.STANDARD;
}

/**
 * Picks the CPU architecture for an instance type.
 *
 * ARM_64 is returned when the first 3 characters of `instanceType.toString()` appear in
 * INSTANCE_TYPES.graviton2 or INSTANCE_TYPES.graviton3, or the first 2 characters appear
 * in INSTANCE_TYPES.graviton. Every other instance type is reported as X86_64.
 *
 * @param instanceType value whose `toString()` yields the instance type name
 * @returns a CpuArch member
 */
function cpuArchForInstanceType(instanceType) {
  const families = () => instance_types_1().INSTANCE_TYPES;
  const prefix = (length) => instanceType.toString().substring(0, length);

  const isGraviton =
    families().graviton2.includes(prefix(3)) ||
    families().graviton3.includes(prefix(3)) ||
    families().graviton.includes(prefix(2));
  if (isGraviton) {
    return CpuArch.ARM_64;
  }
  return CpuArch.X86_64;
}

/**
 * Concatenates the elements of `xss` into one new array (one level deep).
 *
 * @param xss iterable of arrays or values
 * @returns the flattened array
 */
function flatten(xss) {
  return [].concat(...xss);
}

/**
 * Looks for the first overlapping pair between two lists of CIDR blocks.
 *
 * Despite the name, nothing is thrown when an overlap exists: the caller has to inspect
 * the first element of the result.
 *
 * @param cidrBlocks1 first list of CIDR strings
 * @param cidrBlocks2 second list of CIDR strings
 * @returns `[true, cidr1, cidr2]` for the first overlapping pair in iteration order,
 *   otherwise `[false, "", ""]`
 */
function validateCidrBlocksOverlap(cidrBlocks1, cidrBlocks2) {
  for (const left of cidrBlocks1) {
    for (const right of cidrBlocks2) {
      if (!validateCidrPairOverlap(left, right)) {
        continue;
      }
      return [true, left, right];
    }
  }
  return [false, "", ""];
}

/**
 * Reports whether two CIDR blocks share at least one address.
 *
 * Each block is parsed with CidrBlock and reduced to its [minIp, maxIp] pair; parsing
 * errors, if CidrBlock raises any, are not caught here.
 *
 * @param cidr1 first CIDR string
 * @param cidr2 second CIDR string
 * @returns true when the two address ranges overlap
 */
function validateCidrPairOverlap(cidr1, cidr2) {
  const toIpRange = (cidr) => {
    const block = new (network_util_1()).CidrBlock(cidr);
    return [block.minIp(), block.maxIp()];
  };
  return rangesOverlap(toIpRange(cidr1), toIpRange(cidr2));
}

/**
 * Closed-interval overlap test: ranges that merely touch at an endpoint count as
 * overlapping.
 *
 * @param range1 `[start, end]` of the first range
 * @param range2 `[start, end]` of the second range
 * @returns true when the ranges share at least one value
 */
function rangesOverlap(range1, range2) {
  const [firstStart, firstEnd] = range1;
  const [secondStart, secondEnd] = range2;
  if (!(firstStart <= secondEnd)) {
    return false;
  }
  return secondStart <= firstEnd;
}