
Setting AuthenticationMode to ApiAndConfigMap breaks #1435

Open
avinassh opened this issue Oct 11, 2024 · 5 comments
Labels
kind/bug Some behavior is incorrect or out of spec language/go

Comments

@avinassh

What happened?

If you set AuthenticationMode in ClusterArgs, the resources are set up correctly, but at the end it fails with the following error:

...
    error: an unhandled error occurred: program failed:
    waiting for RPCs: expected a eks.AccessEntry, got a resource of type *eks.AccessEntry

Resources:
    + 57 created

Duration: 13m22s

The error happens if you run `pulumi up` again or add any resources to the stack, thus blocking any further operations.

Example

Reproducer code:

package main

import (
	"fmt"
	eks2 "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/eks"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-awsx/sdk/v2/go/awsx/ec2"
	"github.com/pulumi/pulumi-eks/sdk/v2/go/eks"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// ptrTo copies v into freshly allocated storage and returns its address.
// It exists so constants and literals can be passed to fields of type *T.
func ptrTo[T any](v T) *T {
	out := new(T)
	*out = v
	return out
}

// newVPC declares the awsx VPC that hosts the cluster, with one public and
// one private subnet spec over three eu-west-1 availability zones.
//
// The VPC and both subnet specs carry the
// "kubernetes.io/cluster/<clusterName>" tag with value "shared". The public
// spec is tagged "kubernetes.io/role/elb" and the private spec
// "kubernetes.io/role/internal-elb", the tags used for load-balancer subnet
// discovery, so only the public subnets are candidates for internet-facing
// load balancers.
//
// The result of ec2.NewVpc is returned as is, error included.
func newVPC(ctx *pulumi.Context, clusterName string) (*ec2.Vpc, error) {
	vpcName := fmt.Sprintf("%s-vpc", clusterName)
	clusterTagKey := "kubernetes.io/cluster/" + clusterName
	shared := pulumi.String("shared")

	publicSpec := ec2.SubnetSpecArgs{
		Type: ec2.SubnetTypePublic,
		Name: ptrTo("public"),
		Tags: pulumi.StringMap{
			"Name":                   pulumi.String(fmt.Sprintf("%s-public-subnet", clusterName)),
			"kubernetes.io/role/elb": pulumi.String("1"),
			clusterTagKey:            shared,
		},
	}
	privateSpec := ec2.SubnetSpecArgs{
		Type: ec2.SubnetTypePrivate,
		Name: ptrTo("private"),
		Tags: pulumi.StringMap{
			"Name":                            pulumi.String(fmt.Sprintf("%s-private-subnet", clusterName)),
			"kubernetes.io/role/internal-elb": pulumi.String("1"),
			clusterTagKey:                     shared,
		},
	}

	args := &ec2.VpcArgs{
		AvailabilityZoneNames: []string{"eu-west-1a", "eu-west-1b", "eu-west-1c"},
		Tags: pulumi.StringMap{
			"Name":        pulumi.String(vpcName),
			clusterTagKey: shared,
		},
		EnableDnsHostnames: pulumi.BoolPtr(true),
		EnableDnsSupport:   pulumi.BoolPtr(true),
		SubnetSpecs:        []ec2.SubnetSpecArgs{publicSpec, privateSpec},
		SubnetStrategy:     ptrTo(ec2.SubnetAllocationStrategyAuto),
	}
	return ec2.NewVpc(ctx, vpcName, args)
}

// createClusterRole creates the IAM role for the worker-node EC2 instances
// and an instance profile that wraps it.
//
// The role is named "<name>-instance-role" and the profile
// "<name>-instance-profile". On any error both results are nil.
func createClusterRole(ctx *pulumi.Context, name string) (*iam.Role, *iam.InstanceProfile, error) {
	// AWS-managed policies attached to the node role. Workloads that can reach
	// the instance credentials inherit all of them, so keep the list minimal.
	// NOTE(review): AWS guidance prefers attaching AmazonEKS_CNI_Policy to a
	// dedicated role for the VPC CNI service account rather than the node role;
	// AmazonSSMManagedInstanceCore enables Systems Manager access to the nodes.
	// Confirm both are wanted outside a reproducer.
	nodePolicyArns := []string{
		"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
		"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
		"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
		"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
	}

	nodeRole, err := iam.NewRole(ctx, fmt.Sprintf("%s-instance-role", name), &iam.RoleArgs{
		// Trust policy: the only principal allowed to assume the role is the
		// EC2 service.
		AssumeRolePolicy: pulumi.String(`{
					"Version": "2012-10-17",
					"Statement": [{
						"Action": "sts:AssumeRole",
						"Effect": "Allow",
						"Principal": {
							"Service": "ec2.amazonaws.com"
						}
					}]
				}`),
		ManagedPolicyArns: pulumi.ToStringArray(nodePolicyArns),
	})
	if err != nil {
		return nil, nil, err
	}

	profileArgs := &iam.InstanceProfileArgs{Role: nodeRole}
	profile, err := iam.NewInstanceProfile(ctx, fmt.Sprintf("%s-instance-profile", name), profileArgs)
	if err != nil {
		return nil, nil, err
	}

	return nodeRole, profile, nil
}

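// createCluster creates the EKS cluster and one managed node group named
// "internal" in the first private subnet of vpc.
//
// Parameters:
//   - clusterName: used as the Pulumi resource name and the EKS cluster name.
//   - imageAmiId: AMI passed to the cluster as NodeAmiId.
//   - vpc: supplies the VPC id and the public/private subnet ids.
//   - instanceRole: node IAM role, set on both the cluster (InstanceRole) and
//     the node group (NodeRole).
//   - instanceProfile: accepted for the caller's convenience; this function
//     does not use it.
//
// It returns the cluster, or a nil cluster and the first error encountered.
func createCluster(ctx *pulumi.Context, clusterName, imageAmiId string, vpc *ec2.Vpc, instanceRole iam.RoleInput, instanceProfile *iam.InstanceProfile) (*eks.Cluster, error) {
	cluster, err := eks.NewCluster(ctx, clusterName, &eks.ClusterArgs{
		Name:             pulumi.String(clusterName),
		VpcId:            vpc.VpcId,
		PublicSubnetIds:  vpc.PublicSubnetIds,
		PrivateSubnetIds: vpc.PrivateSubnetIds,
		// Nodes get no public IP address.
		NodeAssociatePublicIpAddress: pulumi.BoolRef(false),
		SkipDefaultNodeGroup:         pulumi.BoolRef(true),
		CreateOidcProvider:           pulumi.Bool(true),
		InstanceRole:                 instanceRole,
		NodeAmiId:                    pulumi.String(imageAmiId),
		// This is the setting the report is about. The SDK marks the
		// API_AND_CONFIG_MAP mode as deprecated because the aws-auth ConfigMap
		// is deprecated in favour of access entries.
		AuthenticationMode: ptrTo(eks.AuthenticationModeApiAndConfigMap),
		// NOTE(review): no API endpoint access options are set, so the
		// component's defaults apply; confirm the endpoint exposure is intended.
	})
	if err != nil {
		return nil, err
	}

	// Select the first private subnet. The id list is only known once the VPC
	// outputs resolve, so an empty list is reported as an error from the apply
	// instead of panicking on ids[0].
	firstPrivateSubnet := vpc.PrivateSubnetIds.ApplyT(func(ids []string) (string, error) {
		if len(ids) == 0 {
			return "", fmt.Errorf("vpc for cluster %q has no private subnets", clusterName)
		}
		return ids[0], nil
	}).(pulumi.StringOutput)

	_, err = eks.NewManagedNodeGroup(ctx, fmt.Sprintf("%s-internal", clusterName), &eks.ManagedNodeGroupArgs{
		Cluster:       cluster,
		NodeGroupName: pulumi.String("internal"),
		InstanceTypes: pulumi.StringArray{
			pulumi.String("m5.large"),
		},
		ScalingConfig: &eks2.NodeGroupScalingConfigArgs{
			DesiredSize: pulumi.Int(1),
			MinSize:     pulumi.Int(1),
			MaxSize:     pulumi.Int(10),
		},
		SubnetIds: pulumi.StringArray{firstPrivateSubnet},
		NodeRole:  instanceRole,
		Labels: pulumi.StringMap{
			"cluster-name":                   cluster.EksCluster.Name(),
			"nodegroup-name":                 pulumi.String("internal"),
			"alpha.eksctl.io/nodegroup-name": pulumi.String("internal"),
		},
	}, pulumi.DependsOn([]pulumi.Resource{cluster}))
	if err != nil {
		return nil, err
	}
	return cluster, nil
}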

// main runs the Pulumi program: it checks that the configured AWS region is
// the expected one, then creates the VPC, the node IAM role and instance
// profile, and the EKS cluster, and exports the cluster name and kubeconfig.
func main() {
	const (
		region     = "eu-west-1"
		imageAmiId = "ami-0b429fd2c7bbec0d5"
	)
	clusterName := "my-cluster-aws-" + region

	program := func(ctx *pulumi.Context) error {
		// Refuse to deploy when the provider points at another region.
		current, err := aws.GetRegion(ctx, nil, nil)
		if err != nil {
			return err
		}
		if current.Id != region {
			return fmt.Errorf("invalid region configured. expected %s, got %s", region, current.Id)
		}

		vpc, err := newVPC(ctx, clusterName)
		if err != nil {
			return err
		}

		nodeRole, nodeProfile, err := createClusterRole(ctx, clusterName)
		if err != nil {
			return err
		}

		cluster, err := createCluster(ctx, clusterName, imageAmiId, vpc, nodeRole, nodeProfile)
		if err != nil {
			return err
		}

		ctx.Export("clusterName", cluster.Core.Cluster().Name())
		// NOTE(review): the kubeconfig is exported as a plain stack output.
		// Confirm whether it should be wrapped as a secret before this pattern
		// is reused outside a reproducer.
		ctx.Export("kubeconfig", cluster.Kubeconfig)

		return nil
	}

	pulumi.Run(program)
}

Output of pulumi about

$ pulumi about

CLI
Version      3.136.1
Go Version   go1.23.2
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws         6.51.1
resource  awsx        2.14.0
resource  docker      4.4.3
resource  eks         2.7.9
language  go          3.136.1
resource  kubernetes  4.18.1

Host
OS       darwin
Version  14.5
Arch     x86_64

This project is written in go: executable='/usr/local/bin/go' version='go version go1.23.2 darwin/amd64'

Current Stack: organization/pulumi/t

TYPE                                                 URN
pulumi:pulumi:Stack                                  urn:pulumi:t::pulumi::pulumi:pulumi:Stack::pulumi-t
pulumi:providers:aws                                 urn:pulumi:t::pulumi::pulumi:providers:aws::default_6_51_1
pulumi:providers:awsx                                urn:pulumi:t::pulumi::pulumi:providers:awsx::default_2_14_0
awsx:ec2:Vpc                                         urn:pulumi:t::pulumi::awsx:ec2:Vpc::my-cluster-aws-eu-west-1-vpc
pulumi:providers:aws                                 urn:pulumi:t::pulumi::pulumi:providers:aws::default_6_47_0
aws:iam/role:Role                                    urn:pulumi:t::pulumi::aws:iam/role:Role::my-cluster-aws-eu-west-1-instance-role
aws:iam/instanceProfile:InstanceProfile              urn:pulumi:t::pulumi::aws:iam/instanceProfile:InstanceProfile::my-cluster-aws-eu-west-1-instance-profile
aws:ec2/vpc:Vpc                                      urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc::my-cluster-aws-eu-west-1-vpc
aws:ec2/subnet:Subnet                                urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-private-1
aws:ec2/subnet:Subnet                                urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-private-3
aws:ec2/subnet:Subnet                                urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-private-2
aws:ec2/internetGateway:InternetGateway              urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/internetGateway:InternetGateway::my-cluster-aws-eu-west-1-vpc
aws:ec2/routeTable:RouteTable                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-private-1
aws:ec2/routeTable:RouteTable                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-private-3
aws:ec2/routeTable:RouteTable                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-private-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-private-1
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-private-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-private-3
aws:ec2/subnet:Subnet                                urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-public-2
aws:ec2/subnet:Subnet                                urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-public-3
aws:ec2/subnet:Subnet                                urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::my-cluster-aws-eu-west-1-vpc-public-1
aws:ec2/eip:Eip                                      urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::my-cluster-aws-eu-west-1-vpc-2
aws:ec2/routeTable:RouteTable                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-public-2
aws:ec2/eip:Eip                                      urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::my-cluster-aws-eu-west-1-vpc-3
aws:ec2/routeTable:RouteTable                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-public-3
aws:ec2/eip:Eip                                      urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::my-cluster-aws-eu-west-1-vpc-1
aws:ec2/routeTable:RouteTable                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::my-cluster-aws-eu-west-1-vpc-public-1
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-public-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-public-3
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::my-cluster-aws-eu-west-1-vpc-public-1
aws:ec2/route:Route                                  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-public-2
aws:ec2/route:Route                                  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-public-3
aws:ec2/route:Route                                  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-public-1
aws:ec2/natGateway:NatGateway                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::my-cluster-aws-eu-west-1-vpc-2
aws:ec2/natGateway:NatGateway                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::my-cluster-aws-eu-west-1-vpc-1
aws:ec2/route:Route                                  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-private-2
aws:ec2/route:Route                                  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-private-1
aws:ec2/natGateway:NatGateway                        urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::my-cluster-aws-eu-west-1-vpc-3
aws:ec2/route:Route                                  urn:pulumi:t::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::my-cluster-aws-eu-west-1-vpc-private-3
pulumi:providers:pulumi                              urn:pulumi:t::pulumi::pulumi:providers:pulumi::default
pulumi:providers:eks                                 urn:pulumi:t::pulumi::pulumi:providers:eks::default_2_7_9
eks:index:Cluster                                    urn:pulumi:t::pulumi::eks:index:Cluster::my-cluster-aws-eu-west-1
eks:index:ServiceRole                                urn:pulumi:t::pulumi::eks:index:Cluster$eks:index:ServiceRole::my-cluster-aws-eu-west-1-eksRole
pulumi:providers:aws                                 urn:pulumi:t::pulumi::pulumi:providers:aws::default_6_45_0
aws:iam/role:Role                                    urn:pulumi:t::pulumi::eks:index:Cluster$eks:index:ServiceRole$aws:iam/role:Role::my-cluster-aws-eu-west-1-eksRole-role
aws:iam/rolePolicyAttachment:RolePolicyAttachment    urn:pulumi:t::pulumi::eks:index:Cluster$eks:index:ServiceRole$aws:iam/rolePolicyAttachment:RolePolicyAttachment::my-cluster-aws-eu-west-1-eksRole-4b490823
aws:ec2/securityGroup:SecurityGroup                  urn:pulumi:t::pulumi::eks:index:Cluster$aws:ec2/securityGroup:SecurityGroup::my-cluster-aws-eu-west-1-eksClusterSecurityGroup
aws:ec2/securityGroupRule:SecurityGroupRule          urn:pulumi:t::pulumi::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksClusterInternetEgressRule
aws:eks/cluster:Cluster                              urn:pulumi:t::pulumi::eks:index:Cluster$aws:eks/cluster:Cluster::my-cluster-aws-eu-west-1-eksCluster
pulumi:providers:kubernetes                          urn:pulumi:t::pulumi::eks:index:Cluster$pulumi:providers:kubernetes::my-cluster-aws-eu-west-1-provider
pulumi:providers:kubernetes                          urn:pulumi:t::pulumi::eks:index:Cluster$pulumi:providers:kubernetes::my-cluster-aws-eu-west-1-eks-k8s
aws:eks/accessEntry:AccessEntry                      urn:pulumi:t::pulumi::eks:index:Cluster$aws:eks/accessEntry:AccessEntry::my-cluster-aws-eu-west-1-defaultNodeGroupInstanceRole
aws:iam/openIdConnectProvider:OpenIdConnectProvider  urn:pulumi:t::pulumi::eks:index:Cluster$aws:iam/openIdConnectProvider:OpenIdConnectProvider::my-cluster-aws-eu-west-1-oidcProvider
aws:ec2/securityGroup:SecurityGroup                  urn:pulumi:t::pulumi::eks:index:Cluster$aws:ec2/securityGroup:SecurityGroup::my-cluster-aws-eu-west-1-nodeSecurityGroup
kubernetes:core/v1:ConfigMap                         urn:pulumi:t::pulumi::eks:index:Cluster$kubernetes:core/v1:ConfigMap::my-cluster-aws-eu-west-1-nodeAccess
aws:ec2/securityGroupRule:SecurityGroupRule          urn:pulumi:t::pulumi::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksExtApiServerClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule          urn:pulumi:t::pulumi::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksClusterIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule          urn:pulumi:t::pulumi::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksNodeInternetEgressRule
aws:ec2/securityGroupRule:SecurityGroupRule          urn:pulumi:t::pulumi::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksNodeIngressRule
aws:ec2/securityGroupRule:SecurityGroupRule          urn:pulumi:t::pulumi::eks:index:Cluster$aws:ec2/securityGroupRule:SecurityGroupRule::my-cluster-aws-eu-west-1-eksNodeClusterIngressRule
eks:index:VpcCni                                     urn:pulumi:t::pulumi::eks:index:Cluster$eks:index:VpcCni::my-cluster-aws-eu-west-1-vpc-cni
eks:index:ManagedNodeGroup                           urn:pulumi:t::pulumi::eks:index:ManagedNodeGroup::my-cluster-aws-eu-west-1-internal
aws:eks/nodeGroup:NodeGroup                          urn:pulumi:t::pulumi::eks:index:ManagedNodeGroup$aws:eks/nodeGroup:NodeGroup::my-cluster-aws-eu-west-1-internal


Found no pending operations associated with t

Backend
Name           v-MacBook-Pro.local
URL            file://~
User           v
Organizations
Token type     personal

Dependencies:
NAME                                        VERSION
github.com/aws/aws-sdk-go-v2/config         v1.15.15
github.com/aws/aws-sdk-go-v2/service/sts    v1.16.10
github.com/pulumi/pulumi-aws/sdk/v6         v6.51.1
github.com/pulumi/pulumi-awsx/sdk/v2        v2.14.0
github.com/pulumi/pulumi-eks/sdk/v2         v2.7.9
github.com/pulumi/pulumi-kubernetes/sdk/v4  v4.18.1
github.com/pulumi/pulumi/sdk/v3             v3.132.0

Pulumi locates its logs in /var/folders/3l/n25ms2z97wg1d6k4xthfx7j40000gn/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@avinassh avinassh added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Oct 11, 2024
@avinassh
Author

If I try to add a new resource I am getting:

    error: an unhandled error occurred: program failed:
    waiting for RPCs: marshaling properties: awaiting input property "role": marshaling properties: awaiting input property "assumeRolePolicy": expected a eks.AccessEntry, got a resource of type *eks.AccessEntry

@t0yv0
Member

t0yv0 commented Oct 14, 2024

Thank you for sending a repro! I'm running this to see if I can get the same issue. Indeed I do.

While we are chasing this down, have you found an acceptable workaround? I am noticing that this configuration setting is deprecated.

	// Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
	//
	// Deprecated: The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API.
	// For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
	AuthenticationModeApiAndConfigMap = AuthenticationMode("API_AND_CONFIG_MAP")

Tangentially, our team is also working on a 3.x.x release that will come with a migration guide to get off these deprecated entries.

@t0yv0
Member

t0yv0 commented Oct 14, 2024

I can reproduce. There is something I found in digging further. The gRPC Construct response indicates a Resource reference to an AWS AccessEntry resource.

  "response": {
      "core": {

        "accessEntries": [
          {
            "4dabf18193072939515e22adb298388d": "5cf8f73096256a8f31e491e813e4eb8e",
            "id": "my-cluster-aws-us-east-1:arn:aws:iam::616138583583:role/my-cluster-aws-us-east-1-instance-role-0420beb",
            "urn": "urn:pulumi:dev::pulumi-eks-1435::eks:index:Cluster$aws:eks/accessEntry:AccessEntry::my-cluster-aws-us-east-1-defaultNodeGroupInstanceRole"
          }
        ],

That seems consistent with the code:

https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/authenticationMode.ts#L183

export function createAccessEntries(
    componentName: string,
    clusterName: pulumi.Input<string>,
    accessEntries: { [key: string]: AccessEntry },
    opts: pulumi.CustomResourceOptions,
): aws.eks.AccessEntry[] {

However the schema indicates a type:

        "eks:index:CoreData": {
            "description": "Defines the core set of data associated with an EKS cluster, including the network in which it runs.",
            "properties": {
                "accessEntries": {
                    "type": "array",
                    "items": {
                        "$ref": "#/types/eks:index:AccessEntry"
                    },
                    "description": "The access entries added to the cluster."
                },

This was introduced in #1171

I think this cannot work properly as language runtime support does not guarantee that type references can be substituted into normal types for all languages.

@t0yv0
Member

t0yv0 commented Oct 14, 2024

@flostadler do you think this could be fixed if the provider implementation changed to repackage the aws.eks.AccessEntry resource into a plain object corresponding to the `#/types/eks:index:AccessEntry` type-spec, so that it does not project as a resource reference on the wire?

@t0yv0 t0yv0 added language/go and removed needs-triage Needs attention from the triage team labels Oct 14, 2024
@flostadler
Contributor

@t0yv0 yeah we should change the provider implementation to send #/types/eks:index:AccessEntry instead. This was a miss during implementation

@avinassh you could try omitting the InstanceRole property as a workaround in the meantime. The AWS EKS service creates access entries for all roles used for managed node groups or fargate profiles.
