fix(eks): overly permissive trust policies (#25473)

The *CreationRole* and the *default MastersRole* use the account root principal in their trust policy, which is overly permissive. Instead, use the specific lambda handler roles that need it, and remove the default masters role. BREAKING CHANGE: A masters role is no longer provisioned by default. Use the `mastersRole` property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate `sts:AssumeRole` permissions) to assume it. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · May 15, 2023 · 51f0193 · 51f0193
1 parent 16ae335
commit 51f0193
Show file tree

Hide file tree

Showing 538 changed files with 17,161 additions and 18,997 deletions.
diff --git a/....snapshot/asset.68b8fc42fe6d1eb6e6c39212ce770fac02511440fecfc5b69a904fe8a19f6b8e/index.js b/....snapshot/asset.68b8fc42fe6d1eb6e6c39212ce770fac02511440fecfc5b69a904fe8a19f6b8e/index.js
diff --git a/...89b792b981d73e22dba92b2dd13caec415dfc.zip → ...a0709bf456e34b06ea7c96111eecb2fddd054.zip b/...89b792b981d73e22dba92b2dd13caec415dfc.zip → ...a0709bf456e34b06ea7c96111eecb2fddd054.zip
diff --git a/...er.js.snapshot/asset.75dfa9114a30421542432dcb55212f010f591a9e3bd203ae98ba3f9bedf5bb31.zip b/...er.js.snapshot/asset.75dfa9114a30421542432dcb55212f010f591a9e3bd203ae98ba3f9bedf5bb31.zip
diff --git a/...1440fecfc5b69a904fe8a19f6b8e/cluster.d.ts → ...4e4e1bca8d4aa818c442e1878ddf/cluster.d.ts b/...1440fecfc5b69a904fe8a19f6b8e/cluster.d.ts → ...4e4e1bca8d4aa818c442e1878ddf/cluster.d.ts
@@ -1,5 +1,5 @@
-import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
 import { EksClient, ResourceEvent, ResourceHandler } from './common';
+import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
 export declare class ClusterResourceHandler extends ResourceHandler {
     get clusterName(): string;
     private readonly newProps;

diff --git a/...511440fecfc5b69a904fe8a19f6b8e/cluster.js → ...ae4e4e1bca8d4aa818c442e1878ddf/cluster.js b/...511440fecfc5b69a904fe8a19f6b8e/cluster.js → ...ae4e4e1bca8d4aa818c442e1878ddf/cluster.js
diff --git a/...511440fecfc5b69a904fe8a19f6b8e/cluster.ts → ...ae4e4e1bca8d4aa818c442e1878ddf/cluster.ts b/...511440fecfc5b69a904fe8a19f6b8e/cluster.ts → ...ae4e4e1bca8d4aa818c442e1878ddf/cluster.ts
@@ -1,11 +1,11 @@
 /* eslint-disable no-console */
 
 // eslint-disable-next-line import/no-extraneous-dependencies
-import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
 // eslint-disable-next-line import/no-extraneous-dependencies
 import * as aws from 'aws-sdk';
 import { EksClient, ResourceEvent, ResourceHandler } from './common';
 import { compareLoggingProps } from './compareLogging';
+import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
 
 
 const MAX_CLUSTER_NAME_LEN = 100;

diff --git a/...11440fecfc5b69a904fe8a19f6b8e/common.d.ts → ...e4e4e1bca8d4aa818c442e1878ddf/common.d.ts b/...11440fecfc5b69a904fe8a19f6b8e/common.d.ts → ...e4e4e1bca8d4aa818c442e1878ddf/common.d.ts
@@ -1,5 +1,5 @@
-import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
 import * as aws from 'aws-sdk';
+import { IsCompleteResponse, OnEventResponse } from '../../../custom-resources/lib/provider-framework/types';
 export interface EksUpdateId {
     /**
      * If this field is included in an event passed to "IsComplete", it means we