# aws
f
Hey everyone! 👋 I’m trying to create an EKS cluster in a specific region, but I can’t see where to specify the region… 🤔 I thought maybe we had to create a VPC explicitly with that region, but even then I can’t figure how to specify the region for the VPC. Any hint? 😁
Oh, and btw, I’m using `@pulumi/eks/Cluster`, but I just realized there’s also `@pulumi/aws/eks/Cluster` which seems lower-level. I’m assuming it’s simpler to use the higher-level `@pulumi/eks/Cluster` because it sets up a bunch of other resources automatically for us, right?
OK, I think I will need a different AWS provider for each region… 🤔
w
Presumably, this region is different than the default region set in your stack config. In which case, you can programmatically create a new provider where you specify the region. E.g.:
```typescript
const eastRegion = new aws.Provider("east", {
    profile: aws.config.profile,
    region: "us-east-1", // Per AWS, ACM certificate must be in the us-east-1 region.
});

const certificate = new aws.acm.Certificate("certificate", {
    domainName: config.targetDomain,
    validationMethod: "DNS",
}, { provider: eastRegion });
```
Right 🙂
f
Thanks @witty-candle-66007! However, now when I try to create a new `eks.Cluster` using the new provider with the specific region, I get this error:
```
Error: providerCredentialOpts and an AWS provider instance must be set together
```
I see that `providerCredentialOpts` property on the cluster object, with `roleArn` and `profileName` children, but I’m not sure what to put there. Can’t I just use the same defaults that would be used with default region?
w
f
Thanks Mitch, yes I had seen that section, but was not sure what it really meant and if it really applied here. I guess it does, because of this:
Creating and using a new AWS provider instance
but I’m still unclear on what it’s expecting for `roleArn` and `profileName`… 🤔
w
Here are the eks examples: https://github.com/pulumi/pulumi-eks/tree/master/examples The aws-profile-role and aws-profile examples may help. I think profileName in this context refers to a profile set up with the aws cli (found under ~/.aws).
f
Thanks once more @witty-candle-66007, I’m looking into those examples right now! 👍
Good Monday @witty-candle-66007! I have made progress on that front, but getting other permission errors during EKS cluster creation:
```
kubernetes:core/v1:ConfigMap (dummyon-nodeAccess):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials

  eks:index:VpcCni (dummyon-vpc-cni):
    error: Command failed: kubectl apply -f /tmp/tmp-19308DzDMtCicc4nD.tmp
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
```
Here’s an excerpt from my pulumi code, here above👆
The `pulumi` user mentioned in the above code is granted `AdministratorAccess` in IAM.
And the AWS `default` profile I’m using to run Pulumi is configured with my personal Access Key, also granted `AdministratorAccess`.
All other resources, including the EKS cluster itself, get created successfully. Only the creation of the VPC CNI and the `aws-auth` ConfigMap fail.
Any idea what could be going wrong? 🤔
w
I asked the team to take a look as well and it’s not obvious what the issue is. The error message appears to be indicating that you can’t authenticate to the k8s cluster from your deployment machine. But if you are using your personal admin-level key, it seems like that shouldn’t be the case.
f
Thanks a lot for looking into that, really appreciated! 👍
Hey @witty-candle-66007, here’s a stripped down minimal project that reproduces the issue. Thank you so much for looking into that! 🙂