aws-quickstart · elamaran11 · Jun 28, 2023 · May 24, 2023 · May 25, 2023 · May 25, 2023
@@ -104,7 +104,7 @@ const clusterProvider = new blueprints.GenericClusterProvider({
     mastersRole: blueprints.getResource(context => {
         return new iam.Role(context.scope, 'AdminRole', { assumedBy: new AccountRootPrincipal() });
     }),
-    securityGroup: blueprints.getNamedResource("my-cluster-security-group"), // assumed to be register as a resource provider under name my-cluster-security-group
+    securityGroup: blueprints.getNamedResource("my-cluster-security-group") as ec2.ISecurityGroup, // assumed to be register as a resource provider under name my-cluster-security-group
     managedNodeGroups: [
         {
             id: "mng1",
@@ -119,7 +119,7 @@ const clusterProvider = new blueprints.GenericClusterProvider({
 EksBlueprint.builder()
     .resourceProvider("my-cluster-security-group", {
         provide(context: blueprints.ResourceContext) : ec2.ISecurityGroup {
-            return ec2.SecurityGroup.fromSecurityGroupId(this, 'SG', 'sg-12345', { mutable: false }); // example for look up
+            return ec2.SecurityGroup.fromSecurityGroupId(context.scope, 'SG', 'sg-12345', { mutable: false }); // example for look up
         }
     })
     .clusterProvider(clusterProvider)

@@ -30,7 +30,7 @@ export class TeamTroi implements Team {
         new cdk.CfnOutput(stack, this.name + '-sa-iam-role', { value: sa.role.roleArn });
     }
 
-    setupNamespacePolicies(cluster: eks.Cluster) : eks.KubernetesManifest {
+    setupNamespacePolicies(cluster: eks.ICluster) : eks.KubernetesManifest {
         const quotaName = this.name + "-quota";
         return cluster.addManifest(quotaName, {
             apiVersion: 'v1',

@@ -1,13 +1,16 @@
+import assert = require("assert");
 import { ClusterAddOn, ClusterInfo } from "../../spi";
 import { Stack } from "aws-cdk-lib";
+import { Cluster } from "aws-cdk-lib/aws-eks";
 import { CfnServiceLinkedRole, IRole, Role } from "aws-cdk-lib/aws-iam";
 import { Construct } from "constructs";
 
 const BATCH = 'aws-batch';
 
 export class AwsBatchAddOn implements ClusterAddOn {
   deploy(clusterInfo: ClusterInfo): Promise<Construct> {
-    const cluster = clusterInfo.cluster;
+    assert(clusterInfo.cluster instanceof Cluster, "AwsBatchAddOn cannot be used with imported clusters");
+    const cluster: Cluster = clusterInfo.cluster;
     const roleNameforBatch = 'AWSServiceRoleForBatch';
     const slrCheck = Role.fromRoleName(cluster.stack, 'BatchServiceLinkedRole', roleNameforBatch);
 

@@ -1,6 +1,6 @@
 import { AutoScalingGroup, LifecycleHook, LifecycleTransition } from 'aws-cdk-lib/aws-autoscaling';
 import { QueueHook } from 'aws-cdk-lib/aws-autoscaling-hooktargets';
-import { Cluster, ServiceAccount } from 'aws-cdk-lib/aws-eks';
+import { ICluster, ServiceAccount } from 'aws-cdk-lib/aws-eks';
 import { EventPattern, Rule } from 'aws-cdk-lib/aws-events';
 import { SqsQueue } from 'aws-cdk-lib/aws-events-targets';
 import * as iam from 'aws-cdk-lib/aws-iam';
@@ -122,7 +122,7 @@ export class AwsNodeTerminationHandlerAddOn extends HelmAddOn {
    * @param asgCapacity
    * @returns Helm values
    */
-    private configureQueueMode(cluster: Cluster, serviceAccount: ServiceAccount, asgCapacity: AutoScalingGroup[], karpenter: Promise<Construct> | undefined): any {
+    private configureQueueMode(cluster: ICluster, serviceAccount: ServiceAccount, asgCapacity: AutoScalingGroup[], karpenter: Promise<Construct> | undefined): any {
         const queue = new Queue(cluster.stack, "aws-nth-queue", {
             retentionPeriod: Duration.minutes(5)
         });

@@ -7,7 +7,7 @@ import { getEbsDriverPolicyDocument } from "./iam-policy";
 /**
  * Interface for EBS CSI Driver EKS add-on options
  */
-interface EbsCsiDriverAddOnProps {
+export interface EbsCsiDriverAddOnProps {
     /**
      * Version of the driver to deploy
      */

@@ -1,12 +1,14 @@
+import assert = require("assert");
 import { ClusterAddOn, ClusterInfo } from "../../spi";
 import { Stack } from "aws-cdk-lib";
+import { Cluster } from "aws-cdk-lib/aws-eks";
 import { CfnServiceLinkedRole, IRole, Role } from "aws-cdk-lib/aws-iam";
 import { Construct } from "constructs";
 
 export class EmrEksAddOn implements ClusterAddOn {
   deploy(clusterInfo: ClusterInfo): Promise<Construct> {
-    const cluster = clusterInfo.cluster;
-
+    assert(clusterInfo.cluster instanceof Cluster, "EmrEksAddOn cannot be used with imported clusters as it requires changes to the cluster authentication.");
+    const cluster: Cluster = clusterInfo.cluster;
 
     /*
     * Create the service role used by EMR on EKS 
@@ -35,6 +37,5 @@ export class EmrEksAddOn implements ClusterAddOn {
     );
 
     return Promise.resolve(emrOnEksSlr);
-
   }
 }
@@ -137,7 +137,8 @@ export class KarpenterAddOn extends HelmAddOn {
 
     @conflictsWith('ClusterAutoScalerAddOn')
     deploy(clusterInfo: ClusterInfo): Promise<Construct> {
-        const cluster = clusterInfo.cluster;
+        assert(clusterInfo.cluster instanceof Cluster, "KarpenterAddOn cannot be used with imported clusters as it requires changes to the cluster authentication.");
+        const cluster : Cluster = clusterInfo.cluster;
         const endpoint = cluster.clusterEndpoint;
         const name = cluster.clusterName;
 

@@ -180,6 +180,12 @@ export interface VpcCniAddOnProps {
    * 
    */
   serviceAccountPolicies?: iam.IManagedPolicy[];
+
+  /**
+   * Version of the add-on to use. Must match the version of the cluster where it
+   * will be deployed.
+   */
+  version?: string;
 }
 
 

@@ -21,6 +21,31 @@ export function clusterBuilder() {
     return new ClusterBuilder();
 }
 
+/**
+ * Function that contains logic to map the correct kunbectl layer based on the passed in version. 
+ * @param scope in whch the kubectl layer must be created
+ * @param version EKS version
+ * @returns ILayerVersion or undefined
+ */
+export function selectKubectlLayer(scope: Construct, version: eks.KubernetesVersion): ILayerVersion | undefined {
+    switch(version) {
+        case eks.KubernetesVersion.V1_23:
+            return new KubectlV23Layer(scope, "kubectllayer23");
+        case eks.KubernetesVersion.V1_24:
+            return new KubectlV24Layer(scope, "kubectllayer24");
+        case eks.KubernetesVersion.V1_25:
+            return new KubectlV25Layer(scope, "kubectllayer25");
+        case eks.KubernetesVersion.V1_26:
+                return new KubectlV26Layer(scope, "kubectllayer26");
+    }
+
+    const minor = version.version.split('.')[1];
+
+    if(minor && parseInt(minor, 10) > 26) {
+        return new KubectlV26Layer(scope, "kubectllayer26"); // for all versions above 1.25 use 1.25 kubectl (unless explicitly supported in CDK)
+    }
+    return undefined;
+}
 /**
  * Properties for the generic cluster provider, containing definitions of managed node groups,
  * auto-scaling groups, fargate profiles.
@@ -282,23 +307,7 @@ export class GenericClusterProvider implements ClusterProvider {
      * @returns 
      */
     protected getKubectlLayer(scope: Construct, version: eks.KubernetesVersion) : ILayerVersion | undefined {
-        switch(version) {
-            case eks.KubernetesVersion.V1_23:
-                return new KubectlV23Layer(scope, "kubectllayer23");
-            case eks.KubernetesVersion.V1_24:
-                return new KubectlV24Layer(scope, "kubectllayer24");
-            case eks.KubernetesVersion.V1_25:
-                return new KubectlV25Layer(scope, "kubectllayer25");
-            case eks.KubernetesVersion.V1_26:
-                    return new KubectlV26Layer(scope, "kubectllayer26");
-        }
-
-        const minor = version.version.split('.')[1];
-
-        if(minor && parseInt(minor, 10) > 26) {
-            return new KubectlV26Layer(scope, "kubectllayer26"); // for all versions above 1.25 use 1.25 kubectl (unless explicitly supported in CDK)
-        }
-        return undefined;
+       return selectKubectlLayer(scope, version);
     }
 
     /**

@@ -0,0 +1,107 @@
+import { ClusterInfo, ClusterProvider } from "../spi";
+import { selectKubectlLayer } from "./generic-cluster-provider";
+import { IVpc } from "aws-cdk-lib/aws-ec2";
+import * as eks from "aws-cdk-lib/aws-eks";
+import { IRole } from "aws-cdk-lib/aws-iam";
+import { IKey } from "aws-cdk-lib/aws-kms";
+import * as sdk from "@aws-sdk/client-eks";
+import { Construct } from "constructs";
+import { getResource } from "../resource-providers/utils";
+import { LookupOpenIdConnectProvider } from "../resource-providers";
+import { logger } from "../utils";
+
+
+/**
+ * Properties object for the ImportClusterProvider.
+ */
+export interface ImportClusterProviderProps extends Omit<eks.ClusterAttributes, "vpc"> {
+    /**
+     * This property is needed as it drives selection of certain add-on versions as well as kubectl layer. 
+     */
+    version: eks.KubernetesVersion;
+}
+
+/**
+ * Importing cluster into the blueprint enabling limited blueprinting capabilities such as adding certain addons, 
+ * teams.
+ */
+export class ImportClusterProvider implements ClusterProvider {
+
+    constructor(private readonly props: ImportClusterProviderProps) { }
+
+    /**
+     * Implements contract method to create a cluster, by importing an existing cluster.
+     * @param scope 
+     * @param vpc 
+     * @param _secretsEncryptionKey 
+     * @returns 
+     */
+    createCluster(scope: Construct, vpc: IVpc, _secretsEncryptionKey?: IKey | undefined): ClusterInfo {
+        const props = { ...this.props, vpc };
+
+        if(! props.kubectlLayer) {
+            props.kubectlLayer = selectKubectlLayer(scope, props.version);
+        }
+
+        const existingCluster = eks.Cluster.fromClusterAttributes(scope, 'imported-cluster-' + this.props.clusterName, props);
+        return new ClusterInfo(existingCluster, this.props.version);
+    }
+
+
+    /**
+     * Requires iam permission to eks.DescribeCluster at build time. Retrieves the cluster information using DescribeCluster api and
+     * creates an import cluster provider. 
+     * @param clusterName name of the cluster
+     * @param region target rego
+     * @param kubectlRole iam Role that provides access to the cluster API (kubectl). The CDK custom resource should be able to assume the role
+     * which in some cases may require trust policy for the account root principal.
+     * @returns the cluster provider with the import cluster configuration
+     */
+    public static async fromClusterLookup(clusterName: string, region: string, kubectlRole: IRole): 
+        Promise<ClusterProvider> {
+
+        const sdkCluster = await getCluster(clusterName, process.env.CDK_DEFAULT_REGION!);
+        return this.fromClusterAttributes(sdkCluster, kubectlRole);
+    }
+
+    /**
+     * Creates a cluster provider for an existing cluster based on the passed result of the describe cluster command.
+     * @param sdkCluster 
+     * @param kubectlRole 
+     * @returns 
+     */
+    public static fromClusterAttributes(sdkCluster: sdk.Cluster, kubectlRole: IRole): ClusterProvider {
+        return new ImportClusterProvider({
+            clusterName: sdkCluster.name!,
+            version: eks.KubernetesVersion.of(sdkCluster.version!),
+            clusterEndpoint: sdkCluster.endpoint,
+            openIdConnectProvider: getResource(context =>
+                new LookupOpenIdConnectProvider(sdkCluster.identity!.oidc!.issuer!).provide(context)),
+            clusterCertificateAuthorityData: sdkCluster.certificateAuthority?.data,
+            kubectlRoleArn: kubectlRole.roleArn,
+        });
+    }
+}
+
+/**
+ * Wraps API call to get the data on the eks.Cluster. 
+ * @param clusterName 
+ * @param region 
+ * @returns 
+ */
+export async function getCluster(clusterName: string, region: string): Promise<sdk.Cluster> {
+    const client = new sdk.EKSClient({ region });
+    const input: sdk.DescribeClusterRequest = {
+        name: clusterName
+    };
+
+    const command = new sdk.DescribeClusterCommand(input);
+    try {
+        const response = await client.send(command);
+        return response.cluster!;
+    }
+    catch (error) {
+        logger.error(error);
+        throw error;
+    }
+}
@@ -1,6 +1,7 @@
 export * from './asg-cluster-provider';
 export * from './fargate-cluster-provider';
 export * from "./generic-cluster-provider";
+export * from "./import-cluster-provider";
 export * from './mng-cluster-provider';
 export * from './types';
 
@@ -74,5 +74,5 @@ export function assertEC2NodeGroup(clusterInfo: ClusterInfo, source: string): ek
     if(clusterInfo.autoscalingGroups != undefined && clusterInfo.autoscalingGroups.length > 0) {
         return clusterInfo.autoscalingGroups;
     }
-    throw new Error(`${source} is supported with EKS EC2 only`);
+    throw new Error(`${source} is supported with EKS EC2 only and is not supported for imported clusters`);
 }
@@ -1,16 +1,18 @@
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { IManagedPolicy } from 'aws-cdk-lib/aws-iam';
 import * as spi from '../spi';
+import assert = require('assert');
 
 /**
  * Role provider that imports an existing role, performing its lookup by the provided name.
  */
 export class LookupRoleProvider implements spi.ResourceProvider<iam.IRole> {
 
-    constructor(private readonly roleName: string) { }
+    constructor(private readonly roleName: string, private readonly mutable?: boolean) { }
 
     provide(context: spi.ResourceContext): iam.IRole {
-        return iam.Role.fromRoleName(context.scope, `${this.roleName}-iam-provider`, this.roleName);
+        return iam.Role.fromRoleName(context.scope, `${this.roleName}-iam-provider`, this.roleName, 
+        { mutable: this.mutable });
     }
 
 }
@@ -34,4 +36,28 @@ export class CreateRoleProvider implements spi.ResourceProvider<iam.Role> {
             managedPolicies: this.policies
         });
     }
+}
+
+const httpsPrefix = 'https://';
+
+/**
+ * OpenIdConnect provider can lookup an existing OpenIdConnectProvider based on the OIDC provider URL. 
+ */
+export class LookupOpenIdConnectProvider implements spi.ResourceProvider<iam.IOpenIdConnectProvider> {
+
+    protected readonly id: string;
+
+    constructor(readonly url: string, id?: string) {
+        const urlParts = url.split('/');
+        assert(url.startsWith(httpsPrefix) && urlParts[urlParts.length - 1], "Invalid OIDC provider URL format");
+        this.id = id ?? urlParts[urlParts.length - 1];
+    }
+
+    provide(context: spi.ResourceContext): iam.IOpenIdConnectProvider {
+        return iam.OpenIdConnectProvider.fromOpenIdConnectProviderArn(
+            context.scope,
+            this.id,
+            `arn:aws:iam::${context.scope.account}:oidc-provider/${this.url.substring(httpsPrefix.length)}`
+        );
+    }
 }
@@ -1,7 +1,7 @@
 import * as assert from "assert";
 import * as cdk from 'aws-cdk-lib';
 import { AutoScalingGroup } from 'aws-cdk-lib/aws-autoscaling';
-import { Cluster, FargateProfile, KubernetesVersion, Nodegroup } from 'aws-cdk-lib/aws-eks';
+import * as eks from 'aws-cdk-lib/aws-eks';
 import { Construct, IConstruct } from 'constructs';
 import { ResourceProvider } from '.';
 import { EksBlueprintProps } from '../stacks';
@@ -130,8 +130,8 @@ export class ClusterInfo {
      * Constructor for ClusterInfo
      * @param props
      */
-    constructor(readonly cluster: Cluster, readonly version: KubernetesVersion,
-        readonly nodeGroups?: Nodegroup[], readonly autoscalingGroups?: AutoScalingGroup[], readonly fargateProfiles?: FargateProfile[]) {
+    constructor(readonly cluster: eks.ICluster, readonly version: eks.KubernetesVersion,
+        readonly nodeGroups?: eks.Nodegroup[], readonly autoscalingGroups?: AutoScalingGroup[], readonly fargateProfiles?: eks.FargateProfile[]) {
         this.cluster = cluster;
         this.provisionedAddOns = new Map<string, Construct>();
         this.scheduledAddOns = new Map<string, Promise<Construct>>();

@@ -1,4 +1,4 @@
-import { Cluster } from "aws-cdk-lib/aws-eks";
+import { ICluster } from "aws-cdk-lib/aws-eks";
 import { FederatedPrincipal, IManagedPolicy, ManagedPolicy, PolicyStatement, Role } from "aws-cdk-lib/aws-iam";
 import { Aws, CfnJson, CfnOutput, CfnTag } from "aws-cdk-lib";
 import * as nsutils from '../utils/namespace-utils';
@@ -187,7 +187,7 @@ export class EmrEksTeam extends ApplicationTeam {
    * @param name Name of the IAM role
    * @returns Role
    */
-  private createExecutionRole(cluster: Cluster, policy: IManagedPolicy, namespace: string, name: string): Role {
+  private createExecutionRole(cluster: ICluster, policy: IManagedPolicy, namespace: string, name: string): Role {
 
     const stack = cluster.stack;