
change the adminRole prop to optional and use the lambda execution role
comcalvi committed Apr 21, 2023
1 parent a9ecff3 commit f87fe61
Showing 2 changed files with 9 additions and 8 deletions.
8 changes: 5 additions & 3 deletions packages/aws-cdk-lib/aws-eks/lib/cluster-resource-provider.ts
Expand Up @@ -14,7 +14,7 @@ export interface ClusterResourceProviderProps {
/**
* The IAM role to assume in order to interact with the cluster.
*/
readonly adminRole: iam.IRole;
readonly adminRole?: iam.IRole;

/**
* The VPC to provision the functions in.
Expand Down Expand Up @@ -115,8 +115,10 @@ export class ClusterResourceProvider extends NestedStack {
securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
});

props.adminRole.grant(onEvent.role!, 'sts:AssumeRole');
props.adminRole.grant(isComplete.role!, 'sts:AssumeRole');
if (props.adminRole) {
props.adminRole.grant(onEvent.role!, 'sts:AssumeRole');
props.adminRole.grant(isComplete.role!, 'sts:AssumeRole');
}
}

/**
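Review bot: The doc comment on the now-optional `adminRole` prop still reads as if it were required; nothing tells a caller what happens when it is omitted, although the guard added in the constructor makes that a real branch. I would extend the comment to `The IAM role to assume in order to interact with the cluster. When omitted, the handler execution roles receive no sts:AssumeRole grant from this provider; the target role's trust policy must then authorize them directly.` The added grant lines also keep the `onEvent.role!` / `isComplete.role!` assertions; since both functions are created a few lines above with no explicit role, a short comment noting that the role is always auto-created here would explain why the assertion is safe. The constructor body starts before this hunk.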
9 changes: 4 additions & 5 deletions packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts
Expand Up @@ -57,17 +57,16 @@ export class ClusterResource extends Construct {
throw new Error('"roleArn" is required');
}

this.adminRole = this.createAdminRole(props);

const provider = ClusterResourceProvider.getOrCreate(this, {
adminRole: this.adminRole,
subnets: props.subnets,
vpc: props.vpc,
environment: props.environment,
onEventLayer: props.onEventLayer,
securityGroup: props.clusterHandlerSecurityGroup,
});

this.adminRole = this.createAdminRole(provider.provider.isCompleteHandler?.role!, props);

const resource = new CustomResource(this, 'Resource', {
resourceType: CLUSTER_RESOURCE_TYPE,
serviceToken: provider.serviceToken,
Expand Down Expand Up @@ -113,13 +112,13 @@ export class ClusterResource extends Construct {
this.attrOpenIdConnectIssuer = Token.asString(resource.getAtt('OpenIdConnectIssuer'));
}

private createAdminRole(props: ClusterResourceProps) {
private createAdminRole(principal: iam.IPrincipal, props: ClusterResourceProps) {
const stack = Stack.of(this);

// the role used to create the cluster. this becomes the administrator role
// of the cluster.
const creationRole = new iam.Role(this, 'CreationRole', {
assumedBy: new iam.AccountRootPrincipal(),
assumedBy: principal,
});

// the CreateCluster API will allow the cluster to assume this role, so we
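Review bot: The creation role's trust policy now names only the isComplete handler's execution role (`assumedBy: principal` with `provider.provider.isCompleteHandler?.role!` passed from the constructor), while the previous code granted sts:AssumeRole to both the onEvent and isComplete handler roles; unless the two handlers share one execution role, the onEvent handler can no longer assume the role that performs the cluster operations. I would pass both handler roles, e.g. `new iam.CompositePrincipal(provider.provider.onEventHandler.role!, provider.provider.isCompleteHandler!.role!)`, and document on `createAdminRole` that the principal must cover every handler that calls the EKS API. Separately, `isCompleteHandler?.role!` combines optional chaining with a non-null assertion, so a missing isComplete handler yields `assumedBy: undefined` at synth time instead of a type error; a plain `isCompleteHandler!.role!` (or an explicit check that throws) makes that failure visible. The constructor begins before the first hunk and `createAdminRole` continues past the second.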
