From 57c98a92c219c0e180b0b030be6f34132554c1a5 Mon Sep 17 00:00:00 2001
From: Zhao
Date: Mon, 3 Mar 2025 16:12:22 -0800
Subject: [PATCH 1/3] fix edge case
---
 .../cluster-resource-handler/cluster.ts | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts
index e802e4e770e50..7fe12005051dc 100644
--- a/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts
@@ -218,6 +218,18 @@ export class ClusterResourceHandler extends ResourceHandler {
 }
 if (updates.updateAuthMode) {
+ // update-authmode will fail if we try to update to the same mode,
+ // so skip in this case.
+ try {
+ const cluster = (await this.eks.describeCluster({ name: this.clusterName })).cluster;
+ if (cluster?.accessConfig?.authenticationMode === this.newProps.accessConfig?.authenticationMode) {
+ console.log(`cluster already at ${cluster?.accessConfig?.authenticationMode}, skipping authMode update`);
+ return;
+ }
+ } catch (e: any) {
+ throw e;
+ }
+
 // the update path must be
 // `undefined or CONFIG_MAP` -> `API_AND_CONFIG_MAP` -> `API`
 // and it's one way path.
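Review bot: The added same-mode check returns before the one-way transition guards later in this `if (updates.updateAuthMode)` branch, so an update whose old and new props describe a disallowed fallback is accepted silently whenever `describeCluster` already reports the requested mode. Since the skip trusts live cluster state over the props being validated, say so in the comment, e.g. `// live cluster state decides the no-op; the old->new transition guards below are not evaluated in that case`, or keep the guards ahead of the check. The bare `return` also leaves the method early; if earlier branches have already populated `config` (the method starts and ends outside this hunk), those changes would appear to be dropped, so skipping only the `accessConfig` assignment is safer. The `try { ... } catch (e: any) { throw e; }` wrapper only rethrows and can be removed.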
@@ -247,17 +259,6 @@ export class ClusterResourceHandler extends ResourceHandler {
 this.newProps.accessConfig?.authenticationMode === 'API') {
 throw new Error('Cannot update from CONFIG_MAP to API');
 }
- // update-authmode will fail if we try to update to the same mode,
- // so skip in this case.
- try {
- const cluster = (await this.eks.describeCluster({ name: this.clusterName })).cluster;
- if (cluster?.accessConfig?.authenticationMode === this.newProps.accessConfig?.authenticationMode) {
- console.log(`cluster already at ${cluster?.accessConfig?.authenticationMode}, skipping authMode update`);
- return;
- }
- } catch (e: any) {
- throw e;
- }
 config.accessConfig = this.newProps.accessConfig;
 }
From a6173780f7d8afb50f749f6ae11cbcd7fb905f0d Mon Sep 17 00:00:00 2001
From: Zhao
Date: Tue, 4 Mar 2025 14:50:44 -0800
Subject: [PATCH 2/3] fix
---
 .../test/aws-eks/cluster-resource-handler-mocks.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
index 2c76acfb415bf..65777d7536f75 100644
--- a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
@@ -90,6 +90,7 @@ export const client: EksClient = {
 arn: 'arn:cluster-arn',
 certificateAuthority: { data: 'certificateAuthority-data' },
 endpoint: 'http://endpoint',
+ authenticationMode: 'API',
 status: simulateResponse.describeClusterResponseMockStatus || 'ACTIVE',
 },
 };
From dca1ab4fb2df3728ce0aea4b4f44491d0ed11c04 Mon Sep 17 00:00:00 2001
From: Zhao
Date: Tue, 4 Mar 2025 15:42:26 -0800
Subject: [PATCH 3/3] fix fix
---
 .../aws-eks/cluster-resource-handler-mocks.ts | 2 +-
 .../aws-eks/cluster-resource-provider.test.ts | 30 -------------------
 2 files changed, 1 insertion(+), 31 deletions(-)
diff --git a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
index 65777d7536f75..5c65a471f87a9 100644
--- a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
@@ -90,7 +90,7 @@ export const client: EksClient = {
 arn: 'arn:cluster-arn',
 certificateAuthority: { data: 'certificateAuthority-data' },
 endpoint: 'http://endpoint',
- authenticationMode: 'API',
+ accessConfig: { authenticationMode: 'CONFIG_MAP' },
 status: simulateResponse.describeClusterResponseMockStatus || 'ACTIVE',
 },
 };
diff --git a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-provider.test.ts b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-provider.test.ts
index a7e49575ee0d4..8b012cec1e03d 100644
--- a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-provider.test.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-provider.test.ts
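Review bot: The `describeCluster` mock in cluster-resource-handler-mocks.ts now always reports `accessConfig: { authenticationMode: 'CONFIG_MAP' }`, so any update test that targets `CONFIG_MAP` takes the handler's same-mode skip and never reaches the fallback guards. That looks like the reason the 'fails from API_AND_CONFIG_MAP to CONFIG_MAP' and 'fails from API to CONFIG_MAP' cases are deleted from cluster-resource-provider.test.ts in this patch, which leaves the rejection of a downgrade to `CONFIG_MAP` without coverage. Consider driving the value from `simulateResponse`, as `status` already is on the next line, e.g. `accessConfig: { authenticationMode: simulateResponse.describeClusterAuthMode ?? 'CONFIG_MAP' }` (the field name is a suggestion, not an existing one), and keeping both tests with the mock set to a mode different from the target. The object literal holding this line starts outside the hunk.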
@@ -590,21 +590,6 @@ describe('cluster resource provider', () => {
 expect(error.message).toEqual('Cannot fallback authenticationMode from defined to undefined');
 });
- test('fails from API_AND_CONFIG_MAP to CONFIG_MAP', async () => {
- const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
- accessConfig: { authenticationMode: 'CONFIG_MAP' },
- }, {
- accessConfig: { authenticationMode: 'API_AND_CONFIG_MAP' },
- }));
- let error: any;
- try {
- await handler.onEvent();
- } catch (e) {
- error = e;
- }
-
- expect(error.message).toEqual('Cannot fallback authenticationMode from API_AND_CONFIG_MAP to CONFIG_MAP');
- });
 test('fails from API to undefined', async () => {
 const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
 accessConfig: { authenticationMode: undefined },
@@ -635,21 +620,6 @@ describe('cluster resource provider', () => {
 expect(error.message).toEqual('Cannot fallback authenticationMode from API to API_AND_CONFIG_MAP');
 });
- test('fails from API to CONFIG_MAP', async () => {
- const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
- accessConfig: { authenticationMode: 'CONFIG_MAP' },
- }, {
- accessConfig: { authenticationMode: 'API' },
- }));
- let error: any;
- try {
- await handler.onEvent();
- } catch (e) {
- error = e;
- }
-
- expect(error.message).toEqual('Cannot fallback authenticationMode from API to CONFIG_MAP');
- });
 test('fails from undefined to API', async () => {
 const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
 accessConfig: { authenticationMode: 'API' },