Add serviceRole and instanceProfile to ClusterOptions (#159)

Fixes #159.
pulumi · Jul 1, 2019 · 743bcc6 · 743bcc6
1 parent e2228a0
commit 743bcc6
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,9 @@
 - fix(nodegroup): make VPN-only subnets private
   [#163](https://github.com/pulumi/pulumi-eks/pull/163)
 
+- feature(cluster): Allow service role and instance profile to be injected during cluster creation
+  [#159](https://github.com/pulumi/pulumi-eks/pull/159)
+
 ## 0.18.7 (Released June 12, 2019)
 
 ### Improvements

diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
@@ -85,6 +85,19 @@ export interface CoreData {
     nodeSecurityGroupTags?: InputTags;
 }
 
+function createOrGetInstanceProfile(parent: pulumi.ComponentResource, instanceRoleName?: pulumi.Input<aws.iam.Role>, instanceProfileName?: pulumi.Input<string>): aws.iam.InstanceProfile {
+  let instanceProfile: aws.iam.InstanceProfile;
+  if (instanceProfileName) {
+    instanceProfile = aws.iam.InstanceProfile.get(`${name}-instanceProfile`, instanceProfileName, undefined, { parent: parent });
+  } else {
+    instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
+        role: instanceRoleName,
+    }, { parent: parent });
+  }
+
+  return instanceProfile;
+}
+
 export function createCore(name: string, args: ClusterOptions, parent: pulumi.ComponentResource): CoreData {
     // Check to ensure that aws-iam-authenticator is installed, as we'll need it in order to deploy k8s resources
     // to the EKS cluster.
@@ -109,14 +122,19 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
     }
 
     // Create the EKS service role
-    const eksRole = new ServiceRole(`${name}-eksRole`, {
+    let eksRole: pulumi.Output<aws.iam.Role>;
+    if (args.serviceRole) {
+      eksRole = pulumi.output(args.serviceRole);
+    } else {
+      eksRole = (new ServiceRole(`${name}-eksRole`, {
         service: "eks.amazonaws.com",
         description: "Allows EKS to manage clusters on your behalf.",
         managedPolicyArns: [
             "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
             "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
         ],
-    }, { parent: parent });
+      }, { parent: parent })).role;
+    }
 
     // Create the EKS cluster security group
     let eksClusterSecurityGroup: aws.ec2.SecurityGroup;
@@ -149,7 +167,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 
     // Create the EKS cluster
     const eksCluster = new aws.eks.Cluster(`${name}-eksCluster`, {
-        roleArn: eksRole.role.apply(r => r.arn),
+        roleArn: eksRole.apply(r => r.arn),
         vpcConfig: {
             securityGroupIds: [eksClusterSecurityGroup.id],
             subnetIds: subnetIds,
@@ -226,9 +244,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
     } else if (args.instanceRole) {
         // Create an instance profile if using a default node group
         if (!args.skipDefaultNodeGroup) {
-            instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
-                role: args.instanceRole,
-            }, { parent: parent });
+            instanceProfile = createOrGetInstanceProfile(parent, args.instanceRole, args.instanceProfileName);
         }
 
         instanceRoleMappings = pulumi.output(args.instanceRole).apply(instanceRole =>
@@ -244,6 +260,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
                 "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
             ],
         }, { parent: parent })).role;
+
         instanceRoles = pulumi.output([instanceRole]);
 
         // Create a new policy for the role, if specified.
@@ -256,9 +273,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 
         // Create an instance profile if using a default node group
         if (!args.skipDefaultNodeGroup) {
-            instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
-                role: instanceRole,
-            }, { parent: parent });
+            instanceProfile = createOrGetInstanceProfile(parent, args.instanceRole, args.instanceProfileName);
         }
 
         instanceRoleMappings = pulumi.output(instanceRole).apply(role =>
@@ -379,6 +394,16 @@ export interface ClusterOptions {
      */
     instanceRole?: pulumi.Input<aws.iam.Role>;
 
+    /**
+     * The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
+     */
+     instanceProfileName?: pulumi.Input<string>;
+
+    /**
+     * IAM Service Role for EKS to use to manage the cluster.
+     */
+    serviceRole?: pulumi.Input<aws.iam.Role>;
+
     /**
      * This enables the advanced case of registering *many* IAM instance roles
      * with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.