Add serviceRole and instanceProfile to ClusterOptions (#159)
Fixes #159.
VRanga000 authored and lukehoban committed Jul 1, 2019
1 parent e2228a0 commit 743bcc6
Showing 2 changed files with 37 additions and 9 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -18,6 +18,9 @@
- fix(nodegroup): make VPN-only subnets private
[#163](https://github.com/pulumi/pulumi-eks/pull/163)

- feature(cluster): Allow service role and instance profile to be injected during cluster creation
[#159](https://github.com/pulumi/pulumi-eks/pull/159)

## 0.18.7 (Released June 12, 2019)

### Improvements
43 changes: 34 additions & 9 deletions nodejs/eks/cluster.ts
Expand Up @@ -85,6 +85,19 @@ export interface CoreData {
nodeSecurityGroupTags?: InputTags;
}

function createOrGetInstanceProfile(parent: pulumi.ComponentResource, instanceRoleName?: pulumi.Input<aws.iam.Role>, instanceProfileName?: pulumi.Input<string>): aws.iam.InstanceProfile {
let instanceProfile: aws.iam.InstanceProfile;
if (instanceProfileName) {
instanceProfile = aws.iam.InstanceProfile.get(`${name}-instanceProfile`, instanceProfileName, undefined, { parent: parent });
} else {
instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
role: instanceRoleName,
}, { parent: parent });
}

return instanceProfile;
}

export function createCore(name: string, args: ClusterOptions, parent: pulumi.ComponentResource): CoreData {
// Check to ensure that aws-iam-authenticator is installed, as we'll need it in order to deploy k8s resources
// to the EKS cluster.
Expand All @@ -109,14 +122,19 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
}

// Create the EKS service role
const eksRole = new ServiceRole(`${name}-eksRole`, {
let eksRole: pulumi.Output<aws.iam.Role>;
if (args.serviceRole) {
eksRole = pulumi.output(args.serviceRole);
} else {
eksRole = (new ServiceRole(`${name}-eksRole`, {
service: "eks.amazonaws.com",
description: "Allows EKS to manage clusters on your behalf.",
managedPolicyArns: [
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
],
}, { parent: parent });
}, { parent: parent })).role;
}

// Create the EKS cluster security group
let eksClusterSecurityGroup: aws.ec2.SecurityGroup;
Expand Down Expand Up @@ -149,7 +167,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co

// Create the EKS cluster
const eksCluster = new aws.eks.Cluster(`${name}-eksCluster`, {
roleArn: eksRole.role.apply(r => r.arn),
roleArn: eksRole.apply(r => r.arn),
vpcConfig: {
securityGroupIds: [eksClusterSecurityGroup.id],
subnetIds: subnetIds,
Expand Down Expand Up @@ -226,9 +244,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
} else if (args.instanceRole) {
// Create an instance profile if using a default node group
if (!args.skipDefaultNodeGroup) {
instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
role: args.instanceRole,
}, { parent: parent });
instanceProfile = createOrGetInstanceProfile(parent, args.instanceRole, args.instanceProfileName);
}

instanceRoleMappings = pulumi.output(args.instanceRole).apply(instanceRole =>
Expand All @@ -244,6 +260,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
],
}, { parent: parent })).role;

instanceRoles = pulumi.output([instanceRole]);

// Create a new policy for the role, if specified.
Expand All @@ -256,9 +273,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co

// Create an instance profile if using a default node group
if (!args.skipDefaultNodeGroup) {
instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
role: instanceRole,
}, { parent: parent });
instanceProfile = createOrGetInstanceProfile(parent, args.instanceRole, args.instanceProfileName);
}

instanceRoleMappings = pulumi.output(instanceRole).apply(role =>
Expand Down Expand Up @@ -379,6 +394,16 @@ export interface ClusterOptions {
*/
instanceRole?: pulumi.Input<aws.iam.Role>;

/**
* The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
*/
instanceProfileName?: pulumi.Input<string>;

/**
* IAM Service Role for EKS to use to manage the cluster.
*/
serviceRole?: pulumi.Input<aws.iam.Role>;

/**
* This enables the advanced case of registering *many* IAM instance roles
* with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.
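Review bot: In the `@@ -256,9 +273,7 @@` hunk the new call passes `args.instanceRole` where the replaced code used the locally created `instanceRole`; this looks like the branch taken when no `args.instanceRole` was supplied, so the default node group's instance profile would be created with no role attached. The call should read `instanceProfile = createOrGetInstanceProfile(parent, instanceRole, args.instanceProfileName);`. Separately, `createOrGetInstanceProfile` interpolates `${name}` but takes no `name` parameter, so unless a module-level `name` exists outside the visible hunks the resource name will not carry the cluster name; passing `name` in as the first argument would fix that. When `instanceProfileName` is given, the existing profile is adopted without any check that its role matches the role used for `instanceRoleMappings`, which deserves a sentence in the `instanceProfileName` doc comment so callers know they must keep the two in step. createCore's body continues outside these hunks.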
