# aws
q
This comment actually encourages what I was trying to use
w
Which subnet tags in particular are you not seeing? https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html Note that these tags get added by EKS itself, not by the @pulumi/eks provider. If they are not getting added, I would expect there is something misconfigured in the networking setup being used. Can you share any more details on your setup?
q
When I remove publicSubnetIds and privateSubnetIds and use subnetIds, I get the tag added
the kubernetes.io/cluster tag
Changing these values pretty much destroys the stack though
So I'm cleaning up again now to retry
w
Do you have a repro or any more details on your code? I certainly expect this to work in general - it’s a fairly heavily used component and this is the “normal” way to configure it. The component itself doesn’t do much related to these subnets - that’s mostly handled by EKS itself. Would love to understand what configuration is leading to this for you.
q
I've just started spinning up again with subnetIds, then I'll branch off and update to use privateSubnetIds and publicSubnetIds
If this reproduces, I'll open up the code
b
@quiet-wolf-18467 Please let me know if you continue to experience issues here, or with EKS in general. Happy to sit down and help get you moving forward.
q
Thanks @breezy-hamburger-69619. Currently fighting with the service account to IAM role stuff; there's not a lot of documentation around this
b
Thanks for the feedback. We have the following resources available: an example, and a YT video to help with per Pod IAM. Where are you getting stuck that I could be of help with?
q
That's not the service account integration though, right? I'm using aws.iam.OpenIdConnectProvider
b
Yes they’re the same, but it appears you’re trying to manually set this up. We’ve taken the liberty and handled all of the set up by using a cluster option `createOidcProvider`: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/eks/#ClusterOptions-createOidcProvider
The example linked above should serve you well for this use case
q
The only example I found was
b
q
What would this become, using the createOidcProvider helper?
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// exampleOpenIdConnectProvider is the aws.iam.OpenIdConnectProvider created
// earlier in the linked example for the cluster's OIDC issuer URL.
// This trust policy lets only the kube-system/aws-node service account
// assume the role via sts:AssumeRoleWithWebIdentity.
const exampleAssumeRolePolicy = pulumi.all([exampleOpenIdConnectProvider.url, exampleOpenIdConnectProvider.arn]).apply(([url, arn]) => aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRoleWithWebIdentity"],
        conditions: [{
            test: "StringEquals",
            values: ["system:serviceaccount:kube-system:aws-node"],
            // the issuer URL without its scheme, followed by ":sub"
            variable: `${url.replace("https://", "")}:sub`,
        }],
        effect: "Allow",
        principals: [{
            identifiers: [arn],
            type: "Federated",
        }],
    }],
}));
```
Ahh
That example is perfect
I've lost nearly 2 days on this 😂
Thank you so much
b
I’m sorry you’ve wasted time on this 😞 We aim to take that on where possible
Setting up the OIDC provider is pretty complex, so I don’t recommend you try to go the manual route as you’ve found out
q
The problem I had was I checked pulumi/examples and then when I couldn't find what I needed there, I found the example I linked above
and then I started searching for OpenIdConnectProvider in Pulumi repos, which led me to where I am today
b
Makes total sense. We should update pulumi/examples to call out that EKS has other, extensive examples at the link posted above.
q
When I get this working, I am happy to submit an example of running ExternalDNS on EKS with the iam role mappings
b
The reason for the split is that pulumi/examples historically covers many different scenarios across languages, providers, stacks etc. and the examples in pulumi/eks are centered around EKS-particular features, options, and usage scenarios that we actively test in our CI. The examples and tests subdir in it can shine a light on what type of coverage we have.
An example from you would be great! Please cc me on it
q
@breezy-hamburger-69619 and just like that, the magic happens and external-dns is working
Thank you
b
🎉
q
What should be adding the kubernetes.io/role/elb tag to the subnets, is that Pulumi or AWS?
Right now, my subnets have kubernetes.io/cluster, but not role/elb
@white-balloon-205 I came across this: https://github.com/pulumi/pulumi-eks/issues/196
Are you saying I should add this tag manually?
Is pulumi-eks not doing this?
w
> What should be adding the kubernetes.io/role/elb tag to the subnets, is that Pulumi or AWS?
Neither 🙂. You will need to add these. Pulumi doesn't necessarily manage the desired state of these subnets, and AWS doesn't take care of adding them, so you will want whatever code does manage the desired state of the subnets to add these (if that's Pulumi, then you can add it to the tags at the definition site of the Subnets).
This is actually exactly why I was asking which subnet tags you were referring to - as the answer is different for different tags (as described in https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html).
q
Ah, OK. Gotcha! Thanks Luke
So it's probably best not to use awsx for the VPC creation and do it the longer way, or can I add subnet tags with awsx?
b
If you’re creating the VPC with awsx and passing its subnets into the cluster, they will get auto-tagged by the EKS service in AWS. e.g.: https://github.com/pulumi/pulumi-eks/blob/98f4a7b1ac71222af268f4357a9dbc9990262d88/nodejs/eks/examples/tests/migrate-nodegroups/index.ts#L14-L39
q
I'd need to get the publicSubnetIds and then tag them with kubernetes.io/role/elb (I think)
I don't think I can/should tag private subnets with that
b
Right
AWS only auto-tags the VPC and subnets with `kubernetes.io/cluster/<cluster-name>`
q
It feels like pulumi-eks should do this bit
```typescript
const cluster: eks.Cluster = new eks.Cluster(
    infrastructure.generateResourceName("eks"),
    {
      vpcId: config.vpc.id,
      publicSubnetIds: config.vpc.publicSubnetIds,
      privateSubnetIds: config.vpc.privateSubnetIds,
    });
```
When I specify private and public, couldn't there be a flag to add the elb tag?
Rather than something like
```typescript
config.vpc.getSubnets().then(subnet => {
    if (subnet.isPublic()) {
      // (sketch: tag the public subnet with kubernetes.io/role/elb here)
    }
  })
```
b
p/eks has no way of knowing if the subnets provided are being created in the same stack, another stack, or if the VPC exists outside of the context of the pulumi program if bringing an existing one. As Luke pointed to, you can set the tags in the subnet definition if you’re creating the vpc using pulumi, but if the vpc and subnets exist outside of pulumi, we cannot modify the tags on a resource pulumi does not manage.
q
OK. That makes sense
Thank you