From 82848f1472680b9758775b88c60dab096c124f78 Mon Sep 17 00:00:00 2001
From: Vikas Rangarajan
Date: Tue, 11 Jun 2019 19:27:02 -0500
Subject: [PATCH 1/9] add serviceRole and instanceProfile to ClusterOptions
---
 nodejs/eks/cluster.ts | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index 27474300..f3494a59 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -108,14 +108,19 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 }
 // Create the EKS service role
- const eksRole = new ServiceRole(`${name}-eksRole`, {
+ let eksRole: pulumi.Output;
+ if (args.serviceRole) {
+ eksRole = pulumi.output(args.serviceRole);
+ } else {
+ eksRole = (new ServiceRole(`${name}-eksRole`, {
 service: "eks.amazonaws.com",
 description: "Allows EKS to manage clusters on your behalf.",
 managedPolicyArns: [
 "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
 "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
 ],
- }, { parent: parent });
+ }, { parent: parent })).role;
+ }
 // Create the EKS cluster security group
 const eksClusterSecurityGroup = new aws.ec2.SecurityGroup(`${name}-eksClusterSecurityGroup`, {
@@ -140,7 +145,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 // Create the EKS cluster
 const eksCluster = new aws.eks.Cluster(`${name}-eksCluster`, {
- roleArn: eksRole.role.apply(r => r.arn),
+ roleArn: eksRole.apply(r => r.arn),
 vpcConfig: { securityGroupIds: [ eksClusterSecurityGroup.id ], subnetIds: subnetIds },
 version: args.version,
 enabledClusterLogTypes: args.enabledClusterLogTypes,
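Review bot: The `if (args.serviceRole)` branch in the first hunk hands a caller-supplied role to the cluster unchanged, so the `AmazonEKSClusterPolicy` and `AmazonEKSServicePolicy` attachments and the `service: "eks.amazonaws.com"` setting that the `else` branch requests are no longer guaranteed, and nothing in the code says so. I would add a comment above the branch, `// Caller-supplied role is used as-is: it must already trust eks.amazonaws.com and carry the EKS cluster/service policies.`, and repeat that requirement in the `serviceRole` doc comment on `ClusterOptions`. A role with broader permissions than those two managed policies would also be accepted silently, which is worth stating for anyone auditing what the control plane is allowed to do. The body of `createCore` starts and ends outside this hunk.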
@@ -212,9 +217,13 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 } else if (args.instanceRole) {
 // Create an instance profile if using a default node group
 if (!args.skipDefaultNodeGroup) {
- instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
- role: args.instanceRole,
- }, { parent: parent });
+ if (args.instanceProfileName) {
+ instanceProfile = aws.iam.InstanceProfile.get(args.instanceProfileName, args.instanceProfileName);
+ } else {
+ instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
+ role: args.instanceRole,
+ }, { parent: parent });
+ }
 }
 instanceRoleMappings = pulumi.output(args.instanceRole).apply(instanceRole =>
@@ -367,6 +376,17 @@ export interface ClusterOptions {
 */
 instanceRole?: pulumi.Input;
+ /**
+ * Node instance profile - for worker nodes. If not supplied, it will be created.
+ */
+ instanceProfileName?: string;
+
+ /**
+ * Service role for eks cluster
+ *
+ */
+ serviceRole?: pulumi.Input;
+
 /**
 * This enables the advanced case of registering *many* IAM instance roles
 * with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.
From 3b514be33ee41cc34e3f851945f5bdaf0fb58b9e Mon Sep 17 00:00:00 2001
From: Vikas Rangarajan
Date: Tue, 11 Jun 2019 19:36:49 -0500
Subject: [PATCH 2/9] update changelog
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 04303f1a..2d4d4bd8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 ### Improvements
+- feature(cluster): Allow service role and instance profile to be injected during cluster creation
+ [#159](https://github.com/pulumi/pulumi-eks/pull/159)
 - fix(cluster): expose instanceRoles
 [#155](https://github.com/pulumi/pulumi-eks/pull/155)
 - tests(cluster): enable test to replace cluster by adding more subnets
From 67288ea96b11778f1802fe1b25fb460b52987e4b Mon Sep 17 00:00:00 2001
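Review bot: In the `else if (args.instanceRole)` branch the profile fetched with `aws.iam.InstanceProfile.get(...)` is never tied to `args.instanceRole`, yet `instanceRoleMappings` a few lines below is still built from `args.instanceRole`. If the named profile wraps a different role, worker nodes would run with that role's permissions while the cluster maps another one, so the effective node privileges would differ from what the configuration states, and the nodes would probably fail to register. The doc comment added in the `ClusterOptions` hunk should state the constraint, for example `* Name of an existing instance profile that wraps instanceRole; only used when instanceRole is set.` As far as this hunk shows, the option is also ignored in the other branches of the role selection, which begin outside the hunk.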
From: Vikas Rangarajan <7152444+VRanga000@users.noreply.github.com>
Date: Tue, 18 Jun 2019 10:36:18 -0500
Subject: [PATCH 3/9] clarify inline documentation
Co-Authored-By: metral <1112768+metral@users.noreply.github.com>
---
 nodejs/eks/cluster.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index 92904a2f..ca7dbff1 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -387,7 +387,7 @@ export interface ClusterOptions {
 /**
 * Service role for eks cluster
- *
+ *IAM Service Role for EKS to use to manage the cluster.
 */
 serviceRole?: pulumi.Input;
From b9127f0f68d07de369569544d4ac9a0a127f0d12 Mon Sep 17 00:00:00 2001
From: Vikas Rangarajan <7152444+VRanga000@users.noreply.github.com>
Date: Tue, 18 Jun 2019 10:37:47 -0500
Subject: [PATCH 4/9] clarify inline documentation
Co-Authored-By: metral <1112768+metral@users.noreply.github.com>
---
 nodejs/eks/cluster.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index ca7dbff1..749a4cd1 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -382,7 +382,7 @@ export interface ClusterOptions {
 /**
 * Node instance profile - for worker nodes. If not supplied, it will be created.
- */
+ */The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
 instanceProfileName?: string;
 /**
From 2495e4b56880a27b54dcd31e2b13fe5000d3050d Mon Sep 17 00:00:00 2001
From: Vikas Rangarajan
Date: Tue, 18 Jun 2019 10:41:41 -0500
Subject: [PATCH 5/9] fix whitespace in comments, remove old doc lines
---
 nodejs/eks/cluster.ts | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index 749a4cd1..ce6314dd 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -381,13 +381,12 @@ export interface ClusterOptions {
 instanceRole?: pulumi.Input;
 /**
- * Node instance profile - for worker nodes. If not supplied, it will be created.
- */The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
- instanceProfileName?: string;
+ * The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
+ */
+ instanceProfileName?: string;
 /**
- * Service role for eks cluster
- *IAM Service Role for EKS to use to manage the cluster.
+ * IAM Service Role for EKS to use to manage the cluster.
 */
 serviceRole?: pulumi.Input;
From a0c61ab9023ca807e032f156b3b08cd463164d6d Mon Sep 17 00:00:00 2001
From: Vikas Rangarajan <7152444+VRanga000@users.noreply.github.com>
Date: Fri, 21 Jun 2019 10:30:17 -0500
Subject: [PATCH 6/9] use more explicit typing for instanceProfileName
Co-Authored-By: Pat Gavlin
---
 nodejs/eks/cluster.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index ce6314dd..f7f6c041 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -383,7 +383,7 @@ export interface ClusterOptions {
 /**
 * The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
 */
- instanceProfileName?: string;
+ instanceProfileName?: pulumi.Input;
 /**
 * IAM Service Role for EKS to use to manage the cluster.
From d06051523ddfcafa377f9db0ed0086793d210821 Mon Sep 17 00:00:00 2001
From: Vikas Rangarajan <7152444+VRanga000@users.noreply.github.com>
Date: Fri, 21 Jun 2019 10:35:23 -0500
Subject: [PATCH 7/9] Update nodejs/eks/cluster.ts
Co-Authored-By: Pat Gavlin
---
 nodejs/eks/cluster.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index f7f6c041..532c9a9c 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -222,7 +222,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 // Create an instance profile if using a default node group
 if (!args.skipDefaultNodeGroup) {
 if (args.instanceProfileName) {
- instanceProfile = aws.iam.InstanceProfile.get(args.instanceProfileName, args.instanceProfileName);
+ instanceProfile = aws.iam.InstanceProfile.get(`${name}-instanceProfile`, args.instanceProfileName, undefined, { parent: parent });
 } else {
 instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
 role: args.instanceRole,
From 01da3f10d75c3e02ee072a7869434b51c67aa446 Mon Sep 17 00:00:00 2001
From: Vikas Rangarajan
Date: Mon, 24 Jun 2019 16:40:41 -0500
Subject: [PATCH 8/9] fix syntax error
---
 nodejs/eks/cluster.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index 3b460a2f..86c314cb 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -154,7 +154,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 // Create the EKS cluster
 const eksCluster = new aws.eks.Cluster(`${name}-eksCluster`, {
- roleArn: eksRole.role.apply(r => r.arn),
+ roleArn: eksRole.apply(r => r.arn),
 vpcConfig: {
 securityGroupIds: [eksClusterSecurityGroup.id],
 subnetIds: subnetIds,
From 43248e54119636f48ad9799c80b1f3ce5515597e Mon Sep 17 00:00:00 2001
From: Vikas Rangarajan
Date: Mon, 1 Jul 2019 14:43:21 -0500
Subject: [PATCH 9/9] address review comments from @lukehoban - make other code branches uniform in handling of instanceprofile creation
---
 nodejs/eks/cluster.ts | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index 86c314cb..30f9fdf6 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -85,6 +85,19 @@ export interface CoreData { nodeSecurityGroupTags?: InputTags; } +function createOrGetInstanceProfile(parent: pulumi.ComponentResource, instanceRoleName?: pulumi.Input, instanceProfileName?: pulumi.Input): aws.iam.InstanceProfile { + let instanceProfile: aws.iam.InstanceProfile; + if (instanceProfileName) { + instanceProfile = aws.iam.InstanceProfile.get(`${name}-instanceProfile`, instanceProfileName, undefined, { parent: parent }); + } else { + instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, { + role: instanceRoleName, + }, { parent: parent }); + } + + return instanceProfile; +} + export function createCore(name: string, args: ClusterOptions, parent: pulumi.ComponentResource): CoreData { // Check to ensure that aws-iam-authenticator is installed, as we'll need it in order to deploy k8s resources // to the EKS cluster. @@ -231,13 +244,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co } else if (args.instanceRole) { // Create an instance profile if using a default node group if (!args.skipDefaultNodeGroup) { - if (args.instanceProfileName) { - instanceProfile = aws.iam.InstanceProfile.get(`${name}-instanceProfile`, args.instanceProfileName, undefined, { parent: parent }); - } else { - instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, { - role: args.instanceRole, - }, { parent: parent }); - } + instanceProfile = createOrGetInstanceProfile(parent, args.instanceRole, args.instanceProfileName); } instanceRoleMappings = pulumi.output(args.instanceRole).apply(instanceRole => @@ -253,6 +260,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", ], }, { parent: parent })).role; + instanceRoles = pulumi.output([instanceRole]); // Create a new policy for the role, if specified. 
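Review bot: `createOrGetInstanceProfile` builds both resource names from `${name}-instanceProfile`, but `name` is not among its parameters (`parent`, `instanceRoleName`, `instanceProfileName`), and the function is declared at module level, outside `createCore`, where `name` is a parameter. Unless a module-level `name` exists outside this hunk, this either fails to compile or resolves to an unrelated global, and the profile would not be named after the cluster. Add `name: string` as the first parameter and pass it at both call sites, `createOrGetInstanceProfile(name, parent, args.instanceRole, args.instanceProfileName)`. A one-line doc comment saying that a supplied `instanceProfileName` is looked up and not created would also help readers of the IAM setup.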
@@ -265,9 +273,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 // Create an instance profile if using a default node group
 if (!args.skipDefaultNodeGroup) {
- instanceProfile = new aws.iam.InstanceProfile(`${name}-instanceProfile`, {
- role: instanceRole,
- }, { parent: parent });
+ instanceProfile = createOrGetInstanceProfile(parent, args.instanceRole, args.instanceProfileName);
 }
 instanceRoleMappings = pulumi.output(instanceRole).apply(role =>
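Review bot: The replacement call passes `args.instanceRole`, while the removed lines created the profile with `role: instanceRole`, the local role that `instanceRoleMappings` on the following line still uses. This appears to be the fallback branch taken when no `instanceRole` was supplied, so `args.instanceRole` would be undefined here and the new profile would be created without a role, leaving the default node group's instances with no usable IAM identity. Keep the local value: `instanceProfile = createOrGetInstanceProfile(parent, instanceRole, args.instanceProfileName);`. The branch starts outside the hunk, so the condition guarding it should be confirmed.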