Export the ARN for the IAM Role attached to the EKS Cluster

Fixes: #727 In #670, we removed the deprecated IAM Role Policy `AmazonEKSServicePolicy`. Unfortunately, this has broken clusters older than 16th April 2020 Rather than adding this policy back by default, we now expose the ARN of the IAM Role for the cluster so that a user can do as follows: ``` const cluster1 = new eks.Cluster(`${projectName}-1`); const iamRole = cluster1.clusterIamRole; const rpa = new aws.iam.RolePolicyAttachment("rpa", { role: iamRole.name, policy: "arn:aws:iam::aws:policy/AmazonEKSServicePolicy" }) ```
pulumi · Jul 6, 2022 · e54c730 · e54c730
1 parent aaaff67
commit e54c730
Show file tree

Hide file tree

Showing 10 changed files with 74 additions and 6 deletions.
diff --git a/dotnet/Inputs/CoreDataArgs.cs b/dotnet/Inputs/CoreDataArgs.cs
@@ -21,6 +21,12 @@ public sealed class CoreDataArgs : Pulumi.ResourceArgs
         [Input("cluster", required: true)]
         public Input<Pulumi.Aws.Eks.Cluster> Cluster { get; set; } = null!;
 
+        /// <summary>
+        /// The IAM Role attached to the EKS Cluster
+        /// </summary>
+        [Input("clusterIamRole", required: true)]
+        public Input<Pulumi.Aws.Iam.Role> ClusterIamRole { get; set; } = null!;
+
         [Input("clusterSecurityGroup", required: true)]
         public Input<Pulumi.Aws.Ec2.SecurityGroup> ClusterSecurityGroup { get; set; } = null!;
 

diff --git a/dotnet/Outputs/CoreData.cs b/dotnet/Outputs/CoreData.cs
@@ -18,6 +18,10 @@ public sealed class CoreData
     {
         public readonly Pulumi.Aws.Provider? AwsProvider;
         public readonly Pulumi.Aws.Eks.Cluster Cluster;
+        /// <summary>
+        /// The IAM Role attached to the EKS Cluster
+        /// </summary>
+        public readonly Pulumi.Aws.Iam.Role ClusterIamRole;
         public readonly Pulumi.Aws.Ec2.SecurityGroup ClusterSecurityGroup;
         public readonly Pulumi.Kubernetes.Core.V1.ConfigMap? EksNodeAccess;
         public readonly Pulumi.Aws.Eks.Outputs.ClusterEncryptionConfig? EncryptionConfig;
@@ -43,6 +47,8 @@ private CoreData(
 
             Pulumi.Aws.Eks.Cluster cluster,
 
+            Pulumi.Aws.Iam.Role clusterIamRole,
+
             Pulumi.Aws.Ec2.SecurityGroup clusterSecurityGroup,
 
             Pulumi.Kubernetes.Core.V1.ConfigMap? eksNodeAccess,
@@ -81,6 +87,7 @@ private CoreData(
         {
             AwsProvider = awsProvider;
             Cluster = cluster;
+            ClusterIamRole = clusterIamRole;
             ClusterSecurityGroup = clusterSecurityGroup;
             EksNodeAccess = eksNodeAccess;
             EncryptionConfig = encryptionConfig;

diff --git a/examples/cluster/index.ts b/examples/cluster/index.ts
@@ -32,3 +32,6 @@ const cluster2 = new eks.Cluster(`${projectName}-2`, {
 // Export the clusters' kubeconfig.
 export const kubeconfig1 = cluster1.kubeconfig;
 export const kubeconfig2 = cluster2.kubeconfig;
+
+// export the IAM Role ARN of the cluster
+export const iamRoleArn = cluster1.clusterIamRole.arn;
diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go
@@ -44,6 +44,9 @@ func TestAccCluster(t *testing.T) {
 					info.Outputs["kubeconfig2"],
 				)
 
+				// let's test there's a iamRoleArn specified for the cluster
+				assert.NotEmpty(t, info.Outputs["iamRoleArn"])
+
 				assert.NoError(t, utils.ValidateDaemonSet(t, info.Outputs["kubeconfig2"], "kube-system", "aws-node", func(ds *appsv1.DaemonSet) {
 					for _, ic := range ds.Spec.Template.Spec.InitContainers {
 						assert.Equal(t, "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0",

diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
@@ -146,6 +146,7 @@ export interface CoreData {
     fargateProfile: pulumi.Output<aws.eks.FargateProfile | undefined>;
     oidcProvider?: aws.iam.OpenIdConnectProvider;
     encryptionConfig?: pulumi.Output<aws.types.output.eks.ClusterEncryptionConfig>;
+    clusterIamRole: pulumi.Output<aws.iam.Role>;
 }
 
 function createOrGetInstanceProfile(
@@ -800,6 +801,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
         fargateProfile: fargateProfile,
         oidcProvider: oidcProvider,
         encryptionConfig: encryptionConfig,
+        clusterIamRole: eksRole,
     };
 }
 

diff --git a/provider/cmd/pulumi-gen-eks/main.go b/provider/cmd/pulumi-gen-eks/main.go
@@ -950,6 +950,10 @@ func generateSchema() schema.PackageSpec {
 						"encryptionConfig": {
 							TypeSpec: schema.TypeSpec{Ref: awsRef("#/types/aws:eks%2FClusterEncryptionConfig:ClusterEncryptionConfig")},
 						},
+						"clusterIamRole": {
+							Description: "The IAM Role attached to the EKS Cluster",
+							TypeSpec:    schema.TypeSpec{Ref: awsRef("#/resources/aws:iam%2Frole:Role")},
+						},
 					},
 					Required: []string{
 						"cluster",
@@ -960,6 +964,7 @@ func generateSchema() schema.PackageSpec {
 						"provider",
 						"instanceRoles",
 						"nodeGroupOptions",
+						"clusterIamRole",
 					},
 				},
 			},

diff --git a/provider/cmd/pulumi-resource-eks/schema.json b/provider/cmd/pulumi-resource-eks/schema.json
@@ -152,6 +152,10 @@
                 "cluster": {
                     "$ref": "/aws/v5.4.0/schema.json#/resources/aws:eks%2Fcluster:Cluster"
                 },
+                "clusterIamRole": {
+                    "$ref": "/aws/v5.4.0/schema.json#/resources/aws:iam%2Frole:Role",
+                    "description": "The IAM Role attached to the EKS Cluster"
+                },
                 "clusterSecurityGroup": {
                     "$ref": "/aws/v5.4.0/schema.json#/resources/aws:ec2%2FsecurityGroup:SecurityGroup"
                 },
@@ -237,7 +241,8 @@
                 "clusterSecurityGroup",
                 "provider",
                 "instanceRoles",
-                "nodeGroupOptions"
+                "nodeGroupOptions",
+                "clusterIamRole"
             ]
         },
         "eks:index:CreationRoleProvider": {

diff --git a/python/pulumi_eks/_inputs.py b/python/pulumi_eks/_inputs.py
@@ -548,6 +548,7 @@ def version(self, value: Optional[pulumi.Input[str]]):
 class CoreDataArgs:
     def __init__(__self__, *,
                  cluster: pulumi.Input['pulumi_aws.eks.Cluster'],
+                 cluster_iam_role: pulumi.Input['pulumi_aws.iam.Role'],
                  cluster_security_group: pulumi.Input['pulumi_aws.ec2.SecurityGroup'],
                  endpoint: pulumi.Input[str],
                  instance_roles: pulumi.Input[Sequence[pulumi.Input['pulumi_aws.iam.Role']]],
@@ -569,8 +570,10 @@ def __init__(__self__, *,
                  vpc_cni: Optional[pulumi.Input['VpcCni']] = None):
         """
         Defines the core set of data associated with an EKS cluster, including the network in which it runs.
+        :param pulumi.Input['pulumi_aws.iam.Role'] cluster_iam_role: The IAM Role attached to the EKS Cluster
         """
         pulumi.set(__self__, "cluster", cluster)
+        pulumi.set(__self__, "cluster_iam_role", cluster_iam_role)
         pulumi.set(__self__, "cluster_security_group", cluster_security_group)
         pulumi.set(__self__, "endpoint", endpoint)
         pulumi.set(__self__, "instance_roles", instance_roles)
@@ -612,6 +615,18 @@ def cluster(self) -> pulumi.Input['pulumi_aws.eks.Cluster']:
     def cluster(self, value: pulumi.Input['pulumi_aws.eks.Cluster']):
         pulumi.set(self, "cluster", value)
 
+    @property
+    @pulumi.getter(name="clusterIamRole")
+    def cluster_iam_role(self) -> pulumi.Input['pulumi_aws.iam.Role']:
+        """
+        The IAM Role attached to the EKS Cluster
+        """
+        return pulumi.get(self, "cluster_iam_role")
+
+    @cluster_iam_role.setter
+    def cluster_iam_role(self, value: pulumi.Input['pulumi_aws.iam.Role']):
+        pulumi.set(self, "cluster_iam_role", value)
+
     @property
     @pulumi.getter(name="clusterSecurityGroup")
     def cluster_security_group(self) -> pulumi.Input['pulumi_aws.ec2.SecurityGroup']:

diff --git a/python/pulumi_eks/outputs.py b/python/pulumi_eks/outputs.py
@@ -503,7 +503,9 @@ class CoreData(dict):
     @staticmethod
     def __key_warning(key: str):
         suggest = None
-        if key == "clusterSecurityGroup":
+        if key == "clusterIamRole":
+            suggest = "cluster_iam_role"
+        elif key == "clusterSecurityGroup":
             suggest = "cluster_security_group"
         elif key == "instanceRoles":
             suggest = "instance_roles"
@@ -547,6 +549,7 @@ def get(self, key: str, default = None) -> Any:
 
     def __init__(__self__, *,
                  cluster: 'pulumi_aws.eks.Cluster',
+                 cluster_iam_role: 'pulumi_aws.iam.Role',
                  cluster_security_group: 'pulumi_aws.ec2.SecurityGroup',
                  endpoint: str,
                  instance_roles: Sequence['pulumi_aws.iam.Role'],
@@ -568,8 +571,10 @@ def __init__(__self__, *,
                  vpc_cni: Optional['VpcCni'] = None):
         """
         Defines the core set of data associated with an EKS cluster, including the network in which it runs.
+        :param 'pulumi_aws.iam.Role' cluster_iam_role: The IAM Role attached to the EKS Cluster
         """
         pulumi.set(__self__, "cluster", cluster)
+        pulumi.set(__self__, "cluster_iam_role", cluster_iam_role)
         pulumi.set(__self__, "cluster_security_group", cluster_security_group)
         pulumi.set(__self__, "endpoint", endpoint)
         pulumi.set(__self__, "instance_roles", instance_roles)
@@ -607,6 +612,14 @@ def __init__(__self__, *,
     def cluster(self) -> 'pulumi_aws.eks.Cluster':
         return pulumi.get(self, "cluster")
 
+    @property
+    @pulumi.getter(name="clusterIamRole")
+    def cluster_iam_role(self) -> 'pulumi_aws.iam.Role':
+        """
+        The IAM Role attached to the EKS Cluster
+        """
+        return pulumi.get(self, "cluster_iam_role")
+
     @property
     @pulumi.getter(name="clusterSecurityGroup")
     def cluster_security_group(self) -> 'pulumi_aws.ec2.SecurityGroup':

diff --git a/sdk/go/eks/pulumiTypes.go b/sdk/go/eks/pulumiTypes.go