Skip to content

Commit 51f0193

Browse files
iliapoloiliapolo
authored
fix(eks): overly permissive trust policies (#25473)
The *CreationRole* and the *default MastersRole* use the account root principal in their trust policy, which is overly permissive. Instead, use the specific lambda handler roles that need it, and remove the default masters role. BREAKING CHANGE: A masters role is no longer provisioned by default. Use the `mastersRole` property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate `sts:AssumeRole` permissions) to assume it. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 16ae335 commit 51f0193

File tree

538 files changed

+17161
-18997
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

538 files changed

+17161
-18997
lines changed

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/asset.68b8fc42fe6d1eb6e6c39212ce770fac02511440fecfc5b69a904fe8a19f6b8e/index.js

-59
This file was deleted.

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-service-account-sdk-call.js.snapshot/asset.c33f77e71bef2fbd8299fa87f0d89b792b981d73e22dba92b2dd13caec415dfc.zip renamed to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/asset.6a28458f7bc3d04e4d2b17f9c3da0709bf456e34b06ea7c96111eecb2fddd054.zip

14.9 MB
Binary file not shown.

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/asset.75dfa9114a30421542432dcb55212f010f591a9e3bd203ae98ba3f9bedf5bb31.zip

0 Bytes
Binary file not shown.

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/asset.68b8fc42fe6d1eb6e6c39212ce770fac02511440fecfc5b69a904fe8a19f6b8e/cluster.d.ts renamed to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/asset.a21fb971385f0210c6b1c88a25f1b9986bae4e4e1bca8d4aa818c442e1878ddf/cluster.d.ts

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
1-
import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
21
import { EksClient, ResourceEvent, ResourceHandler } from './common';
2+
import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
33
export declare class ClusterResourceHandler extends ResourceHandler {
44
get clusterName(): string;
55
private readonly newProps;

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-bottlerocket-ng.js.snapshot/asset.68b8fc42fe6d1eb6e6c39212ce770fac02511440fecfc5b69a904fe8a19f6b8e/cluster.js renamed to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/asset.a21fb971385f0210c6b1c88a25f1b9986bae4e4e1bca8d4aa818c442e1878ddf/cluster.js

+1-1
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-bottlerocket-ng.js.snapshot/asset.68b8fc42fe6d1eb6e6c39212ce770fac02511440fecfc5b69a904fe8a19f6b8e/cluster.ts renamed to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/asset.a21fb971385f0210c6b1c88a25f1b9986bae4e4e1bca8d4aa818c442e1878ddf/cluster.ts

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,11 @@
11
/* eslint-disable no-console */
22

33
// eslint-disable-next-line import/no-extraneous-dependencies
4-
import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
54
// eslint-disable-next-line import/no-extraneous-dependencies
65
import * as aws from 'aws-sdk';
76
import { EksClient, ResourceEvent, ResourceHandler } from './common';
87
import { compareLoggingProps } from './compareLogging';
8+
import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
99

1010

1111
const MAX_CLUSTER_NAME_LEN = 100;

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-handlers-vpc.js.snapshot/asset.68b8fc42fe6d1eb6e6c39212ce770fac02511440fecfc5b69a904fe8a19f6b8e/common.d.ts renamed to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller.js.snapshot/asset.a21fb971385f0210c6b1c88a25f1b9986bae4e4e1bca8d4aa818c442e1878ddf/common.d.ts

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
1-
import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
21
import * as aws from 'aws-sdk';
2+
import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
33
export interface EksUpdateId {
44
/**
55
* If this field is included in an event passed to "IsComplete", it means we

0 commit comments

Comments
 (0)