Relax validations on eks.Cluster instance_roles #1227
Conversation
|
I've confirmed this fixes preview of the following program. Checking if it fixes import pulumi
import pulumi_aws as aws
import pulumi_awsx as awsx
import pulumi_eks as eks
vpc = awsx.ec2.Vpc("vpc")
cluster = eks.Cluster(
"zd-5423",
vpc_id=vpc.vpc_id,
public_subnet_ids=vpc.public_subnet_ids,
private_subnet_ids=vpc.private_subnet_ids,
authentication_mode=eks.AuthenticationMode.API,
skip_default_node_group=True,
instance_roles=[],
use_default_vpc_cni=False,
) |
Does the PR have any schema changes?Looking good! No breaking changes found. |
Does the PR have any schema changes?Looking good! No breaking changes found. |
| // Validate promptly if possible, otherwise validate in the Promise chain underlying the Output and ensure that the | ||
| // input is gated on the validation. Unfortunately since apply always unwraps, the validate function required here needs | ||
| // to be able to handle both unwrapped and normal forms. | ||
| function validatedInput<T>( |
There was a problem hiding this comment.
This trick didn't work as neatly as I hoped. I hoped to make a pulumi.Input<T> that is gated on the validation. Unfortunately I couldn't wrestle the jest framework to be able to assert against failing pulumi.Output values :/ so simply coercing pulumi.Input<T> to pulumi.Output<T> does not cut it because I couldn't fix the unit tests. Instead this is further refined to handle immediately available T on the stack and only jump into an apply chain if that is not possible. Unfortunately since apply always unwraps and there doesn't seem to be a non-unwrapping variant available, the validate function has this signature:
validate: (value: T|pulumi.Unwrap<T>|undefined) => void
where the ideal signature would be:
validate: (value: T|undefined) => void
| @@ -70,10 +70,20 @@ describe("validateAuthenticationMode", () => { | |||
| }; | |||
|
|
|||
| expect(() => validateAuthenticationMode(args)).toThrowError( | |||
| "The 'instanceRoles' property is not supported when 'authenticationMode' is set to 'API'.", | |||
| "The 'instanceRoles' property does not support non-empty values when 'authenticationMode' is set to 'API'.", | |||
There was a problem hiding this comment.
Actually something must be of as this test shouldn't compile.
const args = {
authenticationMode: "API",
instanceRoles: ["roleArn"],
};
"roleArn" is not a valid aws.eks.Role.
There was a problem hiding this comment.
The test isn't type checked because it's executed as js. If you'd like to satisfy the type checker you could pass the args as ClusterOptions
There was a problem hiding this comment.
I've added it to tsconfig.json and fixed it up, it now is type-checked.
|
Wish list for the Node SDK here.
|
nodejs/eks/authenticationMode.ts
Outdated
| if (!supportsConfigMap(args.authenticationMode)) { | ||
| configMapOnlyProperties.forEach((prop) => { | ||
| if (args[prop]) { | ||
| const check: (prop: string) => (propertyValue: any|undefined) => void = (prop) => (pv) => { |
There was a problem hiding this comment.
Nit: prop could be keyof ClusterOptions. What do you think about renaming this to checkIsUndefined? That way it's clearer what it is actually checking
nodejs/eks/authenticationMode.ts
Outdated
| throw new Error( | ||
| `The '${prop}' property is not supported when 'authenticationMode' is set to '${args.authenticationMode}'.`, | ||
| ); | ||
| } | ||
| }; | ||
|
|
||
| args.roleMappings = validatedInput(args.roleMappings, check("roleMappings")); |
There was a problem hiding this comment.
Why don't we extend this to roleMappings and userMappings as well? Would be a nice improvement and it's a bit odd imho if roleMappings/userMappings don't allow empty arrays while instanceRoles does
| it("should not throw an error for instanceRoles=[] when authentication mode is set to API", () => { | ||
| const args = { | ||
| authenticationMode: "API", | ||
| instanceRoles: [], |
There was a problem hiding this comment.
Could we also test passing instanceRoles as a Promise and Output?
There was a problem hiding this comment.
That'd be great but I was running into limitations that seem to make failing outputs un-testable. I can ask around for help.
There was a problem hiding this comment.
Might be worth adding an integration test tif that doesn't work
There was a problem hiding this comment.
I filed pulumi/pulumi#16665 - there's something odd, possibly a bug in Node SDK that makes it extra difficult. I'll look into an integration test.
Does the PR have any schema changes?Looking good! No breaking changes found. |
| describe("validateAuthenticationMode", () => { | ||
|
|
||
| const testRole: aws.iam.Role = (<any>{"arn": "testRole"}); |
| @@ -89,6 +90,50 @@ func TestReportUpgradeCoverage(t *testing.T) { | |||
| providertest.ReportUpgradeCoverage(t) | |||
| } | |||
|
|
|||
| func TestEksClusterInputValidations(t *testing.T) { | |||
There was a problem hiding this comment.
This is executed as part of the upgrade tests right now in CI. What do you think about moving it to it's own job?
There was a problem hiding this comment.
Hmm, interesting, I thought that we're trying to put tests that are not useful as examples to end-users now under provider/* instead of under examples/*, I can backlog cleaning this up.
|
This PR has been shipped in release v2.7.4. |
|
This PR has been shipped in release v2.7.5. |
|
This PR has been shipped in release v2.7.6. |
<!--Thanks for your contribution. See [CONTRIBUTING](CONTRIBUTING.md)
for Pulumi's contribution guidelines.
Help us merge your changes more quickly by adding more details such
as labels, milestones, and reviewers.-->
### Proposed changes
<!--Give us a brief description of what you've done and what it solves.
-->
This change allows a program to set empty `instance_roles=[]` on an
eks.Cluster with custom `authentication_mode` without triggering a
warning on these properties being incompatible.
roleMappings and userMappings are treated symmetrically.
### Related issues (optional)
<!--Refer to related PRs or issues: #1234, or 'Fixes #1234' or 'Closes
#1234'.
Or link to full URLs to issues or pull requests in other GitHub
repositories. -->
Fixes #1220
Proposed changes
This change allows a program to set empty
instance_roles=[]on an eks.Cluster with customauthentication_modewithout triggering a warning on these properties being incompatible.roleMappings and userMappings are treated symmetrically.
Related issues (optional)
Fixes #1220