aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-eks : ALB controller IAM policies created in China using wrong partition #23642

Open ItielOlenick opened 1 year ago

ItielOlenick commented 1 year ago

Describe the bug

When using the CDK to create an EKS cluster and specifying the use of the ALB controller, upon the creation of the IAM policy for the ALB controller the following error arises:

Partition "aws" is not valid for resource "arn:aws:ec2:*:*:security-group/*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxxx-xx-xx-xxxxx-xxx-xx-xxx; Proxy: null)

A quick search for "arn:aws:ec2:*:*:security-group/*" in the repo shows a few pages where this is used.

Expected Behavior

An EKS cluster should be successfully created when using the CDK to create it in China.

Current Behavior

Partition "aws" is not valid for resource "arn:aws:ec2:*:*:security-group/*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxxx-xx-xx-xxxxx-xxx-xx-xxx; Proxy: null)

Reproduction Steps

Try to create an EKS cluster in China with the ALB controller enabled:

from aws_cdk import aws_ec2, aws_eks

# Runs inside the Stack's __init__; self.vpc and CIDR_BLOCKS are defined elsewhere in the stack
self.eks_cluster = aws_eks.Cluster(
    self,
    id="cvat-in-k8s-cluster",
    version=aws_eks.KubernetesVersion.V1_21,
    vpc=self.vpc,
    vpc_subnets=[aws_ec2.SubnetSelection(subnet_type=aws_ec2.SubnetType.PRIVATE_WITH_NAT)],
    default_capacity=2,
    # Enabling the ALB controller is what triggers creation of the failing IAM policy
    alb_controller=aws_eks.AlbControllerOptions(
        version=aws_eks.AlbControllerVersion.V2_4_1
    ),
    endpoint_access=aws_eks.EndpointAccess.PUBLIC_AND_PRIVATE.only_from(*CIDR_BLOCKS),
)

Possible Solution

Check if the region is in China, and if so change the partition to aws-cn

Additional Information/Context

No response

CDK CLI Version

2.37.1

Framework Version

No response

Node.js Version

15

OS

Linux

Language

Python

Language Version

No response

Other information

No response
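An added example (not code from the CDK repository) of the partition-aware rewrite the "Possible Solution" above implies: derive the partition from the region prefix (an assumed mapping covering the aws, aws-cn and aws-us-gov partitions) and rewrite hard-coded arn:aws: resources in a bundled policy document, leaving "*" and already-correct ARNs alone. partitionForRegion, rewriteArnPartition, rewritePolicyPartition and samplePolicy are all constructed here.

```typescript
// Minimal IAM policy document shape; only the fields the rewrite touches are modelled.
type PolicyStatement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, unknown>;
};
type PolicyDocument = { Version: string; Statement: PolicyStatement[] };

// Assumed mapping from region prefix to partition; anything else is treated as commercial "aws".
function partitionForRegion(region: string): string {
  if (region.startsWith("cn-")) return "aws-cn";
  if (region.startsWith("us-gov-")) return "aws-us-gov";
  return "aws";
}

// Rewrites only ARNs that still carry the commercial "aws" partition, so the
// function is idempotent and never touches "*" or an ARN already in the target partition.
function rewriteArnPartition(arn: string, partition: string): string {
  return arn.replace(/^arn:aws:/, `arn:${partition}:`);
}

// Returns a new document; the bundled original is not mutated.
function rewritePolicyPartition(doc: PolicyDocument, partition: string): PolicyDocument {
  const fix = (r: string | string[]): string | string[] =>
    Array.isArray(r)
      ? r.map((a) => rewriteArnPartition(a, partition))
      : rewriteArnPartition(r, partition);
  return {
    ...doc,
    Statement: doc.Statement.map((s) => ({ ...s, Resource: fix(s.Resource) })),
  };
}

// Constructed sample mirroring the statement that IAM rejected in the report.
const samplePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "ec2:DescribeSecurityGroups", Resource: "*" },
    {
      Effect: "Allow",
      Action: ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
      Resource: "arn:aws:ec2:*:*:security-group/*",
    },
  ],
};
```

Inside a CDK construct the partition is better read from the enclosing Stack's partition property than inferred from the region string, which is why the region map above is an assumption rather than the recommended hook.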

pahud commented 1 year ago

Thanks for your report. Which AWS region were you deploying to? cn-north-1 or cn-northwest-1?

zorrofox commented 1 year ago

I think neither cn-north-1 nor cn-northwest-1 in the China partition works with the default IAM policy, as the policy document comes from this line https://github.com/aws/aws-cdk/blob/33ee4de185fc966ab27de35b7abd98862f04b852/packages/%40aws-cdk/aws-eks/lib/alb-controller.ts#L216 and all these policy document versions come from the ALB ingress repo's file; they are all for the global partition, not for the GovCloud or China partitions. There is another policy document in that repo for the China partition.

zorrofox commented 1 year ago

Same issue for #22520

ItielOlenick commented 1 year ago

For me this happened in cn-northwest-1, but like @zorrofox said, this has to do with the use of the wrong partition in the ALB policy.

Taking a quick look at https://github.com/aws/aws-cdk/search?q=arn%3Aaws%3Aec2%3A*%3A*%3Asecurity-group%2F* shows that nothing is done to check the partition in the alb-iam_policy files which results in the use of the wrong one.

zorrofox commented 1 year ago

Can we just substitute the partition in the commercial partition policy files for the China or GovCloud partitions? Or should we host all the policy files for the China and GovCloud partitions, as we do for the commercial partition?