Teams: When app.synth() is called cdk synth generates template missing existing role statement #542

Open
Ruben-Sh opened this issue Nov 18, 2022 · 0 comments
Labels
bug Something isn't working

Ruben-Sh commented Nov 18, 2022

Describe the bug

When performing tests with the Teams module, I have found that if the app.synth() command is included in my main application definition, any existing role I specify is excluded from the CloudFormation template's Custom::AWSCDK-EKS-KubernetesResource resource.

Expected Behavior

  1. File Structure

my-blueprints <- this is the project root directory
|
|_ bin
| |_ my-blueprints.ts
|
|_ lib
  |_ team-platform.ts

  2. File Contents

my-blueprints.ts

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import * as blueprints from '@aws-quickstart/eks-blueprints';
import * as team from '../lib/team-platform';

const account = '< Account ID >';
const region = '< Region >';

const teams: Array<blueprints.Team> = [
  new team.TeamPlatform(account)
];

const app = new cdk.App();

const stack = blueprints.EksBlueprint.builder()
    .account(account)
    .region(region)
    .teams(...teams)
    .build(app, 'eks-blueprint');

team-platform.ts

import { PlatformTeam } from '@aws-quickstart/eks-blueprints';

export class TeamPlatform extends PlatformTeam {
    constructor(accountID: string) {
        super({
            name: "platform",
            userRoleArn: `arn:aws:iam::${accountID}:role/Admin`
        });
    }
}

CFN Template Snippet

  eksblueprintAwsAuthmanifest443E8097:
    Type: Custom::AWSCDK-EKS-KubernetesResource
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B
          - Outputs.eksblueprintawscdkawseksKubectlProviderframeworkonEvent3BFA8E46Arn
      Manifest:
        Fn::Join:
          - ""
          - - '[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system","labels":{"aws.cdk.eks/prune-c80a08f34ed7899415c119f2fdfb26c213c91fb28c":""}},"data":{"mapRoles":"[{\"rolearn\":\"'
            - Fn::GetAtt:
                - eksblueprintMastersRoleDF959839
                - Arn
            - \",\"username\":\"
            - Fn::GetAtt:
                - eksblueprintMastersRoleDF959839
                - Arn
            - \",\"groups\":[\"system:masters\"]},{\"rolearn\":\"
            - Fn::GetAtt:
                - eksblueprintNodegroupeksblueprintngngNodeGroupRole4B4E34D4
                - Arn
            - \",\"username\":\"system:node:{{EC2PrivateDNSName}}\",\"groups\":[\"system:bootstrappers\",\"system:nodes\"]},{\"rolearn\":\"arn:aws:iam::<Account ID>:role/Admin\",\"username\":\"platform\",\"groups\":[\"system:masters\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]

Current Behavior

When app.synth() is added to my-blueprints.ts as follows, the arn:aws:iam::${accountID}:role/Admin is no longer included in the Join:

my-blueprints.ts

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import * as blueprints from '@aws-quickstart/eks-blueprints';
import * as team from '../lib/team-platform';

const account = '< Account ID >';
const region = '< Region >';

const teams: Array<blueprints.Team> = [
  new team.TeamPlatform(account)
];

const app = new cdk.App();

const stack = blueprints.EksBlueprint.builder()
    .account(account)
    .region(region)
    .teams(...teams)
    .build(app, 'eks-blueprint');

app.synth()

CFN Template Snippet

  eksblueprintAwsAuthmanifest443E8097:
    Type: Custom::AWSCDK-EKS-KubernetesResource
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - awscdkawseksKubectlProviderNestedStackawscdkawseksKubectlProviderNestedStackResourceA7AEBA6B
          - Outputs.eksblueprintawscdkawseksKubectlProviderframeworkonEvent3BFA8E46Arn
      Manifest:
        Fn::Join:
          - ""
          - - '[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth","namespace":"kube-system","labels":{"aws.cdk.eks/prune-c80a08f34ed7899415c119f2fdfb26c213c91fb28c":""}},"data":{"mapRoles":"[{\"rolearn\":\"'
            - Fn::GetAtt:
                - eksblueprintMastersRoleDF959839
                - Arn
            - \",\"username\":\"
            - Fn::GetAtt:
                - eksblueprintMastersRoleDF959839
                - Arn
            - \",\"groups\":[\"system:masters\"]},{\"rolearn\":\"
            - Fn::GetAtt:
                - eksblueprintNodegroupeksblueprintngngNodeGroupRole4B4E34D4
                - Arn
            - \",\"username\":\"system:node:{{EC2PrivateDNSName}}\",\"groups\":[\"system:bootstrappers\",\"system:nodes\"]}]","mapUsers":"[]","mapAccounts":"[]"}}]

Could you please investigate and advise - thanks.

CDK CLI Version

2.50.0 (build 4c11af6)

EKS Blueprints Version

1.4.1

Node.js Version

v18.12.1

Environment details (OS name and version, etc.)

MacOS
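
A synth-time check for the behaviour reported above, as an added example (not code from the issue or from the EKS Blueprints project): it flattens the Manifest Fn::Join of the Custom::AWSCDK-EKS-KubernetesResource, parses the aws-auth mapRoles string and reports whether a given role ARN is mapped to a given group. The helper names and the abridged sample parts (labels omitted, constructed from the two template snippets in the issue) are assumptions.

```typescript
// Added example: audit aws-auth mapRoles inside a synthesized Fn::Join manifest.
type JoinPart = string | { [intrinsic: string]: unknown };
interface RoleMapping { rolearn: string; username: string; groups: string[]; }

// Collapse Fn::Join parts; intrinsics become tokens like "<Fn::GetAtt:Role.Arn>".
function flattenJoin(parts: JoinPart[]): string {
  return parts.map((p) => {
    if (typeof p === 'string') return p;
    const name = Object.keys(p)[0] ?? 'unknown';
    const arg = p[name];
    return `<${name}:${Array.isArray(arg) ? arg.join('.') : String(arg)}>`;
  }).join('');
}

// Parse the manifest, then the JSON document stored as a string in data.mapRoles.
function awsAuthRoles(parts: JoinPart[]): RoleMapping[] {
  const objects = JSON.parse(flattenJoin(parts)) as any[];
  const cm = objects.filter((o) => o.kind === 'ConfigMap' && o.metadata?.name === 'aws-auth')[0];
  if (!cm) throw new Error('aws-auth ConfigMap not found in manifest');
  return JSON.parse(cm.data.mapRoles) as RoleMapping[];
}

// True only when roleArn is mapped and the mapping carries the given group.
function isMapped(roles: RoleMapping[], roleArn: string, group: string): boolean {
  return roles.some((r) => r.rolearn === roleArn && r.groups.indexOf(group) !== -1);
}

// Constructed sample: Fn::Join parts abridged from the issue's template snippets.
const ADMIN = 'arn:aws:iam::<Account ID>:role/Admin';
const masters = { 'Fn::GetAtt': ['eksblueprintMastersRoleDF959839', 'Arn'] };
const nodes = { 'Fn::GetAtt': ['eksblueprintNodegroupeksblueprintngngNodeGroupRole4B4E34D4', 'Arn'] };
function sampleParts(withTeamRole: boolean): JoinPart[] {
  const team = ',{\\"rolearn\\":\\"' + ADMIN +
    '\\",\\"username\\":\\"platform\\",\\"groups\\":[\\"system:masters\\"]}';
  return [
    '[{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"aws-auth",' +
      '"namespace":"kube-system"},"data":{"mapRoles":"[{\\"rolearn\\":\\"',
    masters, '\\",\\"username\\":\\"', masters,
    '\\",\\"groups\\":[\\"system:masters\\"]},{\\"rolearn\\":\\"', nodes,
    '\\",\\"username\\":\\"system:node:{{EC2PrivateDNSName}}\\",\\"groups\\":' +
      '[\\"system:bootstrappers\\",\\"system:nodes\\"]}' + (withTeamRole ? team : '') +
      ']","mapUsers":"[]","mapAccounts":"[]"}}]',
  ];
}

for (const withTeam of [true, false]) {
  const ok = isMapped(awsAuthRoles(sampleParts(withTeam)), ADMIN, 'system:masters');
  console.log(`team role present=${withTeam} -> mapped to system:masters: ${ok}`);
}
```

In a CDK project the parts would be read from the Manifest property of the synthesized template, so the same check can run as a unit test before deployment.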
