This message was deleted.

sparse-intern-71089

05/27/2020, 8:45 PM

This message was deleted.

dazzling-sundown-39670

05/27/2020, 8:46 PM

Code here:

Copy code

import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
import * as k8s from '@pulumi/kubernetes';
import { cluster } from './cluster';
import { updateRoute53Role } from './roles';

// export const role = new aws.iam.Role('update-route53', {
//   assumeRolePolicy: JSON.stringify({
//     Version: '2012-10-17',
//     Statement: [
//       {
//         Action: 'sts:AssumeRole',
//         Principal: {
//           Service: '<http://ec2.amazonaws.com|ec2.amazonaws.com>',
//         },
//         Effect: 'Allow',
//         Sid: '',
//       },
//     ],
//   }),
// });

export const policy = new aws.iam.Policy('AllowExternalDNSUpdates', {
  description: 'This policy allows external-dns to update route53',
  path: '/',
  policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['route53:ChangeResourceRecordSets'],
        Resource: ['arn:aws:route53:::hostedzone/*'],
      },
      {
        Effect: 'Allow',
        Action: ['route53:ListHostedZones', 'route53:ListResourceRecordSets'],
        Resource: ['*'],
      },
    ],
  }),
});

const rolePolicyAttachment = new aws.iam.RolePolicyAttachment(
  'update-route53',
  {
    role: updateRoute53Role,
    policyArn: policy.arn,
  },
);

const policyAttachment = new aws.iam.PolicyAttachment('update-route53', {
  roles: [updateRoute53Role],
  policyArn: policy.arn,
});

export const externalDnsRoleArn = updateRoute53Role.arn;

export const externalDnsChart = new k8s.helm.v2.Chart(
  'external-dns',
  {
    chart: 'external-dns',
    version: '3.1.0',
    values: {
      txtOwnerId: 'foo-external-dns-pulumi',
      domainFilters: ['<http://aws2.fooqa.com|aws2.fooqa.com>'],
      aws: {
        zoneType: 'public',
        assumeRoleArn: externalDnsRoleArn,
      },
      'podSecurityContext.fsGroup': 65534,
    },
    fetchOpts: {
      repo: '<https://charts.bitnami.com/bitnami>',
    },
  },
  {
    dependsOn: cluster,
    provider: cluster.provider,
  },
);

dazzling-sundown-39670

05/27/2020, 8:49 PM

Cluster:

Copy code

const instanceType: aws.ec2.InstanceType = config.require('k8sinstancetype');

export const cluster = new eks.Cluster('k8s-pulumi', {
  vpcId: vpc.id,
  subnetIds: vpc.publicSubnetIds,
  clusterSecurityGroup: sg.securityGroup,
  instanceType,
  desiredCapacity: 3,
  minSize: 1,
  maxSize: 4,
  // serviceRole: updateRoute53Role,
  // instanceRole: updateRoute53Role,
});

dazzling-sundown-39670

05/28/2020, 1:44 AM

Also tried this now:

Copy code

const instanceRole = cluster.instanceRoles.apply((roles) => roles[0]);
export const arn = pulumi.interpolate`${instanceRole.arn}`;

dazzling-sundown-39670

05/28/2020, 1:45 AM

Instead of creating a role

dazzling-sundown-39670

05/28/2020, 1:56 AM

So I'm guessing the problem is that my role has

sts:AssumeRole

instead of

sts:AssumeRoleWithWebIdentity

but I can't figure out how to change that

4 Views

Open in Slack

Previous Next

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.