(jsii)(v2): Cannot apply Aspects to EKS cluster stack

I’m trying to apply Aspects to an EKS cluster stack, but it fails with a jsii.errors.JavaScriptError. The reason to apply aspects is to apply permission boundaries to every role generated.

Is there any way to work around this situation? I’m interested in modifying the roles generated by EKS custom resources, e.g. Kubectlhandler.

Reproduction Steps

#!/usr/bin/env python3
import os
import jsii
from aws_cdk import App, IAspect, Aspects, Tags, Stack, Environment, aws_eks as eks, aws_iam as iam, aws_ec2 as ec2
from constructs import Construct, IConstruct

@jsii.implements(IAspect)
class PermissionsBoundary:

    def __init__(self, permission_boundary_arn: str):
        self.permissions_boundary_arn = permission_boundary_arn
  

    def visit(self, node: IConstruct):
        print("Visited", node.node.path)

class EksCluster(Stack):

    def __init__(self, scope: Construct, id: str, vpc_id:str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_id=vpc_id)
        eks_cluster_role = iam.Role(self, id + "-role",
                                    assumed_by=iam.ServicePrincipal("eks.amazonaws.com"),
                                    managed_policies=[
                                        iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEKSServicePolicy"),
                                        iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEKSClusterPolicy")])

        eks_master_role = iam.Role(self, id + "-admin",
                                   assumed_by=iam.AccountRootPrincipal())

        cluster = eks.Cluster(self, id,
                              masters_role=eks_master_role,
                              version=eks.KubernetesVersion.V1_21,
                              role=eks_cluster_role,
                              vpc=vpc,
                              endpoint_access=eks.EndpointAccess.PRIVATE,
                              default_capacity=0,
                              output_cluster_name=True,
                              output_masters_role_arn=True
                              )

# CDK app
app = App()
account = os.getenv('ACCOUNT_ID')
env_EU = Environment(region="eu-west-1", account=account)

stack = EksCluster(app, "test-cdkv2-eks-cluster", vpc_id=os.getenv('VPC_ID'), env=env_EU )

Aspects.of(stack).add(PermissionsBoundary(f"arn:aws:iam::{os.getenv('ACCOUNT_ID')}:policy/platform-main-boundary"))

app.synth()

What did you expect to happen?

Print the node paths of every node.

What actually happened?

jsii.errors.JavaScriptError:
  Error: Unknown type: aws-cdk-lib.custom_resources.Provider
      at KernelHost.completeCallback (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/tmprxijvdhs/lib/program.js:9675:35)
      at KernelHost.callbackHandler (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/tmprxijvdhs/lib/program.js:9666:41)
      at Object.value (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/tmprxijvdhs/lib/program.js:8536:49)
      at recurse (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/jsii-kernel-wOF0bw/node_modules/aws-cdk-lib/lib/core/lib/private/synthesis.js:83:20)
      at recurse (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/jsii-kernel-wOF0bw/node_modules/aws-cdk-lib/lib/core/lib/private/synthesis.js:95:17)
      at recurse (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/jsii-kernel-wOF0bw/node_modules/aws-cdk-lib/lib/core/lib/private/synthesis.js:95:17)
      at recurse (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/jsii-kernel-wOF0bw/node_modules/aws-cdk-lib/lib/core/lib/private/synthesis.js:95:17)
      at invokeAspects (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/jsii-kernel-wOF0bw/node_modules/aws-cdk-lib/lib/core/lib/private/synthesis.js:69:5)
      at Object.synthesize (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/jsii-kernel-wOF0bw/node_modules/aws-cdk-lib/lib/core/lib/private/synthesis.js:15:5)
      at App.synth (/private/var/folders/dk/g35p0fxd719dz_nbyct9y1b40000gp/T/jsii-kernel-wOF0bw/node_modules/aws-cdk-lib/lib/core/lib/stage.js:97:41)

Environment

  • CDK CLI Version : 1.123.0
  • Framework Version: v2.0.0-rc23
  • Node.js Version: v14.17.6
  • OS : macOS 11.2
  • Language (Version): Python (3.8.9)

Other


This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 12 (8 by maintainers)
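
The issue's goal is a permissions boundary on every generated role, including roles created by the EKS custom-resource providers. As an added example (not code from the issue or from aws-cdk), the check below audits synthesized CloudFormation templates for `AWS::IAM::Role` resources that are not provably bounded. It assumes the templates have already been loaded as dicts, for instance from the `*.template.json` files that `cdk synth` writes; the template contents, logical IDs and account number are constructed.

```python
ROLE_TYPE = "AWS::IAM::Role"
# Constructed ARN: policy name from the issue, placeholder account number.
EXPECTED_BOUNDARY = "arn:aws:iam::111111111111:policy/platform-main-boundary"

# Constructed templates keyed by file name. The second entry stands in for a
# nested stack created by a custom-resource provider (names are hypothetical).
SAMPLE_TEMPLATES = {
    "cluster.template.json": {"Resources": {
        "ClusterRole": {"Type": ROLE_TYPE,
                        "Properties": {"PermissionsBoundary": EXPECTED_BOUNDARY}},
        "AdminRole": {"Type": ROLE_TYPE, "Properties": {}},
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {}},
    }},
    "provider.nested.template.json": {"Resources": {
        "HandlerServiceRole": {"Type": ROLE_TYPE, "Properties": {
            "PermissionsBoundary": {"Fn::Join": ["", [
                "arn:aws:iam::", {"Ref": "AWS::AccountId"},
                ":policy/platform-main-boundary"]]}}},
        "IsCompleteRole": {"Type": ROLE_TYPE, "Properties": {
            "PermissionsBoundary": "arn:aws:iam::111111111111:policy/other"}},
    }},
}


def audit_boundaries(templates, boundary_arn):
    """Return {'file:LogicalId': finding} for every role not provably bounded.

    Findings: 'missing' (no boundary), 'mismatch' (a different literal ARN),
    'unresolved' (an intrinsic function that cannot be compared offline).
    """
    findings = {}
    for name, template in templates.items():
        for logical_id, res in (template.get("Resources") or {}).items():
            if res.get("Type") != ROLE_TYPE:
                continue
            value = (res.get("Properties") or {}).get("PermissionsBoundary")
            if value is None:
                finding = "missing"
            elif not isinstance(value, str):
                finding = "unresolved"
            elif value != boundary_arn:
                finding = "mismatch"
            else:
                continue  # literal ARN matches the expected boundary
            findings[f"{name}:{logical_id}"] = finding
    return findings


if __name__ == "__main__":
    for where, finding in sorted(audit_boundaries(SAMPLE_TEMPLATES, EXPECTED_BOUNDARY).items()):
        print(f"{finding:10} {where}")
```

Running this over every template in the synth output, nested stacks included, shows whether roles the Aspect never reached were left without a boundary.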

Top GitHub Comments

jzhn commented, Oct 19, 2021 (1 reaction)

I had the same issue as @keepler-ivanmarques posted above that package.json not found when declaring EKS Cluster in my stack. (using TypeScript/JavaScript).

I believe this is a separate issue, created https://github.com/aws/aws-cdk/issues/17059 to track that.

otaviomacedo commented, Oct 1, 2021 (1 reaction)

Hi, @keepler-ivanmarques. Thanks for catching this.

The fully qualified name of the class in Python is aws_cdk.custom_resources.Provider, whereas the type being referenced is aws-cdk-lib.custom_resources.Provider, according to the error message. There is probably something wrong in the rewrite that happens when the v2 build is generated.

Marking this as a V2 GA milestone bug.
