feat(eks): support AccessConfig for the Cluster construct

packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts

@@ -1,9 +1,9 @@
 /* eslint-disable no-console */
 // eslint-disable-next-line import/no-extraneous-dependencies
 import * as EKS from '@aws-sdk/client-eks';
+import { IsCompleteResponse, OnEventResponse } from 'aws-cdk-lib/custom-resources/lib/provider-framework/types';
 import { EksClient, ResourceEvent, ResourceHandler } from './common';
 import { compareLoggingProps } from './compareLogging';
-import { IsCompleteResponse, OnEventResponse } from 'aws-cdk-lib/custom-resources/lib/provider-framework/types';
 
 const MAX_CLUSTER_NAME_LEN = 100;
 
@@ -116,8 +116,7 @@ export class ClusterResourceHandler extends ResourceHandler {
     // if there is an update that requires replacement, go ahead and just create
     // a new cluster with the new config. The old cluster will automatically be
     // deleted by cloudformation upon success.
-    if (updates.replaceName || updates.replaceRole ) {
-
+    if (updates.replaceName || updates.replaceRole || updates.updateBootstrapClusterCreatorAdminPermissions ) {
       // if we are replacing this cluster and the cluster has an explicit
       // physical name, the creation of the new cluster will fail with "there is
       // already a cluster with that name". this is a common behavior for
@@ -129,6 +128,24 @@ export class ClusterResourceHandler extends ResourceHandler {
       return this.onCreate();
     }
 
+    // We can only update one type of the UpdateTypes:
+    type UpdateTypes = {
+      updateLogging: boolean;
+      updateAccess: boolean;
+      updateVpc: boolean;
+      updateAuthMode: boolean;
+    };
+    // validate updates
+    const updateTypes = Object.keys(updates) as (keyof UpdateTypes)[];
+    const enabledUpdateTypes = updateTypes.filter((type) => updates[type]);
+    console.log(enabledUpdateTypes);
+
+    if (enabledUpdateTypes.length > 1) {
+      throw new Error(
+        'Only one type of update - VpcConfigUpdate, LoggingUpdate, EndpointAccessUpdate, or AuthModeUpdate can be allowed',
+      );
+    }
+
     // Update tags
     if (updates.updateTags) {
       try {
@@ -185,12 +202,7 @@ export class ClusterResourceHandler extends ResourceHandler {
       return this.updateClusterVersion(this.newProps.version);
     }
 
-    if ((updates.updateLogging && updates.updateAccess) || (updates.updateLogging && updates.updateVpc) ||
-      (updates.updateVpc && updates.updateAccess)) {
-      throw new Error('Only one type of update - VpcConfigUpdate, LoggingUpdate or EndpointAccessUpdate can be allowed');
-    }
-
-    if (updates.updateLogging || updates.updateAccess || updates.updateVpc) {
+    if (updates.updateLogging || updates.updateAccess || updates.updateVpc || updates.updateAuthMode) {
       const config: EKS.UpdateClusterConfigCommandInput = {
         name: this.clusterName,
       };
@@ -203,13 +215,48 @@ export class ClusterResourceHandler extends ResourceHandler {
           endpointPublicAccess: this.newProps.resourcesVpcConfig?.endpointPublicAccess,
           publicAccessCidrs: this.newProps.resourcesVpcConfig?.publicAccessCidrs,
         };
-      }
+      };
+
+      if (updates.updateAuthMode) {
+        // the update path must be
+        // `undefined or CONFIG_MAP` -> `API_AND_CONFIG_MAP` -> `API`
+        // and it's one way path.
+        // old value is API - cannot fallback backwards
+        if (this.oldProps.accessConfig?.authenticationMode === 'API' &&
+          this.newProps.accessConfig?.authenticationMode !== 'API') {
+          throw new Error(`Cannot fallback authenticationMode from API to ${this.newProps.accessConfig?.authenticationMode}`);
+        }
+        // old value is API_AND_CONFIG_MAP - cannot fallback to CONFIG_MAP
+        if (this.oldProps.accessConfig?.authenticationMode === 'API_AND_CONFIG_MAP' &&
+          this.newProps.accessConfig?.authenticationMode === 'CONFIG_MAP') {
+          throw new Error(`Cannot fallback authenticationMode from API_AND_CONFIG_MAP to ${this.newProps.accessConfig?.authenticationMode}`);
+        }
+        // cannot fallback from defined to undefined
+        if (this.oldProps.accessConfig?.authenticationMode !== undefined &&
+          this.newProps.accessConfig?.authenticationMode === undefined) {
+          throw new Error('Cannot fallback authenticationMode from defined to undefined');
+        }
+        // cannot update from undefined to API because undefined defaults CONFIG_MAP which
+        // can only change to API_AND_CONFIG_MAP
+        if (this.oldProps.accessConfig?.authenticationMode === undefined &&
+          this.newProps.accessConfig?.authenticationMode === 'API') {
+          throw new Error('Cannot update from undefined(CONFIG_MAP) to API');
+        }
+        // cannot update from CONFIG_MAP to API
+        if (this.oldProps.accessConfig?.authenticationMode === 'CONFIG_MAP' &&
+          this.newProps.accessConfig?.authenticationMode === 'API') {
+          throw new Error('Cannot update from CONFIG_MAP to API');
+        }
+        config.accessConfig = this.newProps.accessConfig;
+      };
+
       if (updates.updateVpc) {
         config.resourcesVpcConfig = {
           subnetIds: this.newProps.resourcesVpcConfig?.subnetIds,
           securityGroupIds: this.newProps.resourcesVpcConfig?.securityGroupIds,
         };
       }
+
       const updateResponse = await this.eks.updateClusterConfig(config);
 
       return { EksUpdateId: updateResponse.update?.id };
@@ -361,6 +408,8 @@ interface UpdateMap {
   updateLogging: boolean; // logging
   updateEncryption: boolean; // encryption (cannot be updated)
   updateAccess: boolean; // resourcesVpcConfig.endpointPrivateAccess and endpointPublicAccess
+  updateAuthMode: boolean; // accessConfig.authenticationMode
+  updateBootstrapClusterCreatorAdminPermissions: boolean; // accessConfig.bootstrapClusterCreatorAdminPermissions
   updateVpc: boolean; // resourcesVpcConfig.subnetIds and securityGroupIds
   updateTags: boolean; // tags
 }
@@ -376,6 +425,8 @@ function analyzeUpdate(oldProps: Partial<EKS.CreateClusterCommandInput>, newProp
   const newPublicAccessCidrs = new Set(newVpcProps.publicAccessCidrs ?? []);
   const newEnc = newProps.encryptionConfig || {};
   const oldEnc = oldProps.encryptionConfig || {};
+  const newAccessConfig = newProps.accessConfig || {};
+  const oldAccessConfig = oldProps.accessConfig || {};
 
   return {
     replaceName: newProps.name !== oldProps.name,
@@ -390,6 +441,9 @@ function analyzeUpdate(oldProps: Partial<EKS.CreateClusterCommandInput>, newProp
     updateVersion: newProps.version !== oldProps.version,
     updateEncryption: JSON.stringify(newEnc) !== JSON.stringify(oldEnc),
     updateLogging: JSON.stringify(newProps.logging) !== JSON.stringify(oldProps.logging),
+    updateAuthMode: JSON.stringify(newAccessConfig.authenticationMode) !== JSON.stringify(oldAccessConfig.authenticationMode),
+    updateBootstrapClusterCreatorAdminPermissions: JSON.stringify(newAccessConfig.bootstrapClusterCreatorAdminPermissions) !==
+      JSON.stringify(oldAccessConfig.bootstrapClusterCreatorAdminPermissions),
     updateTags: JSON.stringify(newProps.tags) !== JSON.stringify(oldProps.tags),
   };
 }

packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/compareLogging.ts

@@ -12,8 +12,8 @@ import * as EKS from '@aws-sdk/client-eks';
 export function compareLoggingProps(oldProps: Partial<EKS.CreateClusterCommandInput>,
   newProps: Partial<EKS.CreateClusterCommandInput>): Partial<EKS.CreateClusterCommandInput> {
   const result: Partial<EKS.CreateClusterCommandInput> = { logging: {} };
-  let enabledTypes: (EKS.LogType | string)[] = [];
-  let disabledTypes: (EKS.LogType | string)[] = [];
+  let enabledTypes: EKS.LogType[] = [];
+  let disabledTypes: EKS.LogType[] = [];
 
   if (newProps.logging?.clusterLogging === undefined && oldProps.logging?.clusterLogging === undefined) {
     return newProps;

packages/@aws-cdk/custom-resource-handlers/package.json

@@ -42,7 +42,7 @@
     "@aws-sdk/client-route-53": "3.421.0",
     "@aws-sdk/client-cloudwatch-logs": "3.421.0",
     "@aws-sdk/client-dynamodb": "3.421.0",
-    "@aws-sdk/client-eks": "3.421.0",
+    "@aws-sdk/client-eks": "3.476.0",
     "@aws-sdk/client-sts": "3.421.0",
     "@aws-sdk/node-http-handler": "^3.370.0",
     "@smithy/util-stream": "^2.2.0",