[](https://github.com/pulumi/pulumi-eks/actions/workflows/master.yml) [](https://slack.pulumi.com) [); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
// CommonJS interop prologue: flag the module as originating from ES-module
// syntax, then declare the export slot up front. The slot is bound to the real
// function by the `exports.getRoleProvider = getRoleProvider` statement at the
// end of the file.
Object.defineProperty(exports, "__esModule", { value: true });
exports.getRoleProvider = undefined;
const aws = require("@pulumi/aws");
const pulumi = require("@pulumi/pulumi");
const nodeGroup_1 = require("./nodeGroup");
const cluster_1 = require("./cluster");
const kubernetes_1 = require("@pulumi/kubernetes");
// Backing slot for the lazily created Kubernetes provider, declared on the
// prototype as a writable, non-enumerable data property.
// NOTE(review): the first assignment in the getter below creates an ordinary
// own property on the instance, and own properties created by assignment are
// enumerable regardless of this prototype descriptor. Confirm that is intended
// if the flag was meant to keep the cached provider out of enumeration.
Object.defineProperty(cluster_1.Cluster.prototype, '_provider', {
    writable: true,
    enumerable: false,
});
Object.defineProperty(cluster_1.Cluster.prototype, 'provider', {
    enumerable: true,
    /**
     * Returns the cluster's Kubernetes provider, creating it on first access
     * and reusing the cached instance afterwards.
     *
     * The provider is configured with `this.kubeconfigJson`, so any code that
     * is handed this provider acts on the cluster with whatever access that
     * kubeconfig grants.
     */
    get() {
        if (this._provider) {
            return this._provider;
        }
        const providerName = `${this.__name}-provider`;
        const providerArgs = { kubeconfig: this.kubeconfigJson };
        // The alias carries the bare cluster name; presumably this matches a
        // provider that was registered under that name earlier (confirm).
        const providerOpts = { parent: this, aliases: [{ name: this.__name }] };
        this._provider = new kubernetes_1.Provider(providerName, providerArgs, providerOpts);
        return this._provider;
    },
});
/**
 * Creates a NodeGroup wired to this cluster.
 *
 * The node group receives the cluster's core, its node security group and its
 * cluster ingress rule, and is created with the cluster's Kubernetes provider
 * (plus `awsProvider` as the `aws` provider when one is supplied).
 *
 * @param name - Name given to the new NodeGroup resource.
 * @param args - NodeGroup arguments; `cluster`, `nodeSecurityGroup` and
 *   `clusterIngressRule` are overwritten with this cluster's values.
 * @param awsProvider - Optional AWS provider to use for the node group.
 * @returns The new NodeGroup.
 * @throws pulumi.ResourceError (raised inside the output's apply callback)
 *   when the cluster has no node security group or no cluster ingress rule.
 */
cluster_1.Cluster.prototype.createNodeGroup = function (name, args, awsProvider) {
    // Both resources must exist; fail loudly rather than create a node group
    // without the cluster's security group and ingress rule attached.
    const requiredResources = pulumi
        .all([this.nodeSecurityGroup, this.eksClusterIngressRule])
        .apply(([securityGroup, ingressRule]) => {
            if (securityGroup && ingressRule) {
                return { nodeSecurityGroup: securityGroup, clusterIngressRule: ingressRule };
            }
            throw new pulumi.ResourceError("The nodeSecurityGroup and eksClusterIngressRule are required when using `createNodeGroup`. Please create the cluster without specifying `skipDefaultNodeGroups`.", this);
        });
    const nodeSecurityGroup = requiredResources.nodeSecurityGroup;
    const clusterIngressRule = requiredResources.clusterIngressRule;

    // Caller-supplied args come first so the cluster-derived values always win.
    const nodeGroupArgs = Object.assign({}, args, {
        cluster: this.core,
        nodeSecurityGroup,
        clusterIngressRule,
    });

    // Rewrites the aliases of each resource the transform is applied to so that
    // they point at this cluster as parent; props pass through untouched.
    const aliasToCluster = (transformArgs) => ({
        props: transformArgs.props,
        opts: Object.assign({}, transformArgs.opts, { aliases: [{ parent: this }] }),
    });

    const nodeGroupOpts = {
        // `parent: this` is deliberately not set (it was left commented out in
        // the original); only an alias naming the cluster as parent is given.
        aliases: [{ parent: this }],
        transforms: [aliasToCluster],
        // Reading `this.provider` lazily creates the Kubernetes provider.
        providers: Object.assign({}, awsProvider ? { aws: awsProvider } : undefined, { kubernetes: this.provider }),
    };

    return new nodeGroup_1.NodeGroup(name, nodeGroupArgs, nodeGroupOpts);
};
/**
 * getRoleProvider creates a role provider that can be passed to `new eks.Cluster("test", {
 * creationRoleProvider: ... })`. This can be used to provide a specific role to use for the
 * creation of the EKS cluster different from the role being used to run the Pulumi deployment.
 *
 * @param name - Prefix for the names of the IAM role, role policy and AWS provider created here.
 * @param region - Region passed to the new AWS provider.
 * @param profile - Profile passed to the new AWS provider.
 * @param parent - Parent used for the partition/identity lookups and for the IAM role.
 * @param provider - AWS provider used to create the role, its policy and the new provider.
 * @returns `{ role, provider }`: the IAM role and an AWS provider that assumes it.
 */
function getRoleProvider(name, region, profile, parent, provider) {
    const partition = aws.getPartitionOutput({}, { parent }).partition;
    const accountId = pulumi.output(aws.getCallerIdentity({}, { parent })).accountId;

    // Trust policy: the principal is the account root and there is no Condition
    // block, so the decision is delegated to IAM in the calling account; any
    // principal there whose own policy allows sts:AssumeRole on this role can
    // assume it. The text is kept byte-for-byte because it is the policy
    // document sent to AWS.
    const trustPolicy = pulumi.interpolate `{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:${partition}:iam::${accountId}:root"
},
"Action": "sts:AssumeRole"
}
]
}`;
    const creatorRole = new aws.iam.Role(`${name}-eksClusterCreatorRole`, {
        assumeRolePolicy: trustPolicy,
        description: `Admin access to eks-${name}`,
    }, { parent, provider });

    // `eks:*` is needed to create/read/update/delete the EKS cluster, `iam:PassRole` is needed to pass the EKS service role to the cluster
    // https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html
    // NOTE(review): both statements apply to Resource "*" with no Condition, so
    // iam:PassRole is not limited to particular role ARNs or to a target
    // service (for example via an iam:PassedToService condition). Consider
    // narrowing it once the set of roles passed during cluster creation is
    // known; confirm against the callers before changing.
    const creatorPolicy = {
        Version: "2012-10-17",
        Statement: [
            { Effect: "Allow", Action: "eks:*", Resource: "*" },
            { Effect: "Allow", Action: "iam:PassRole", Resource: "*" },
        ],
    };
    new aws.iam.RolePolicy(`${name}-eksClusterCreatorPolicy`, {
        role: creatorRole,
        policy: creatorPolicy,
    }, { parent: creatorRole, provider });

    // Hand the role ARN to the provider only after a pause, so the freshly
    // created role has time to become assumable. Dry runs skip the pause.
    const settledRoleArn = creatorRole.arn.apply((arn) => __awaiter(this, void 0, void 0, function* () {
        // wait 30 seconds to assume the IAM Role https://github.com/pulumi/pulumi-aws/issues/673
        if (pulumi.runtime.isDryRun()) {
            return arn;
        }
        yield new Promise((resolve) => setTimeout(resolve, 30 * 1000));
        return arn;
    }));

    const assumingProvider = new aws.Provider(`${name}-eksClusterCreatorEntity`, {
        region,
        profile,
        assumeRoles: [{ roleArn: settledRoleArn }],
    }, { parent: creatorRole, provider });

    return {
        role: creatorRole,
        provider: assumingProvider,
    };
}
exports.getRoleProvider = getRoleProvider;
//# sourceMappingURL=clusterMixins.js.map