https://pulumi.com logo
Powered by
Title
f

future-nail-59564

01/28/2021, 3:59 PM
Hey everyone! 👋 I’m trying to create an EKS cluster in a specific region, but I can’t see where to specify the region… 🤔 I thought maybe we had to create a VPC explicitly with that region, but even then I can’t figure how to specify the region for the VPC. Any hint? 😁
Oh, and btw, I’m using 
@pulumi/eks/Cluster
, but I just realized there’s also 
@pulumi/aws/eks/Cluster
which seems lower-level. I’m assuming it’s simpler to use the higher-level 
@pulumi/eks/Cluster
because it sets up a bunch of other resources automatically for us, right?
OK, I think I will need a different AWS provider for each region… 🤔
w

witty-candle-66007

01/28/2021, 4:21 PM
Presumably, this region is different than the default region set in your stack config. In which case, you can programmatically create a new provider where you specify the region. E.g.: 
const eastRegion = new aws.Provider("east", {
        profile: aws.config.profile,
        region: "us-east-1", // Per AWS, ACM certificate must be in the us-east-1 region.
    });

    const certificate = new aws.acm.Certificate("certificate", {
        domainName: config.targetDomain,
        validationMethod: "DNS",
    }, { provider: eastRegion });
Right 🙂
In case you didn’t find it: https://www.pulumi.com/docs/intro/concepts/programming-model/#resource-providers
f

future-nail-59564

01/28/2021, 11:24 PM
Thanks @witty-candle-66007! However, now when I try to create a new 
eks.Cluster
using the new provider with the specific region, I get this error: 
Error: providerCredentialOpts and an AWS provider instance must be set together
I see that 
providerCredentialOpts
property on the cluster object, with 
roleArn
and 
profileName
children, but I’m not sure what to put there. Can’t I just use the same defaults that would be used with default region?
w

witty-candle-66007

01/28/2021, 11:32 PM
I don’t know if you saw this: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/eks/#ClusterOptions-providerCredentialOpts But it seems to be the case.
f

future-nail-59564

01/29/2021, 2:29 PM
Thanks Mitch, yes I had seen that section, but was not sure what it really meant and if it really applied here. I guess it does, because of this:
Creating and using a new AWS provider instance
but I’m still unclear on what it’s expecting for 
roleArn
and `profileName`… 🤔
w

witty-candle-66007

01/29/2021, 3:03 PM
Here are the eks examples: https://github.com/pulumi/pulumi-eks/tree/master/examples The aws-profile-role and aws-profile examples may help. I think profileName in this context refers to a profile set up with the aws cli (found under ~/.aws).
f

future-nail-59564

01/29/2021, 6:26 PM
Thanks once more @witty-candle-66007, I’m looking into those examples right now! 👍
Good Monday @witty-candle-66007! I have made progress on that front, but getting other permission errors during EKS cluster creation: 
kubernetes:core/v1:ConfigMap (dummyon-nodeAccess):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials

  eks:index:VpcCni (dummyon-vpc-cni):
    error: Command failed: kubectl apply -f /tmp/tmp-19308DzDMtCicc4nD.tmp
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
    unable to recognize "/tmp/tmp-19308DzDMtCicc4nD.tmp": Unauthorized
excerpt.ts
Here’s an excerpt from my pulumi code, here above👆
The 
pulumi
user mentioned in above code is granted 
AdministratorAccess
in IAM.
And the AWS 
default
profile I’m using to run Pulumi is configured with my personal Access Key, also granted 
AdministratorAccess
.
All other resources, including the EKS cluster itself get created successfully. Only the creation of the VPC CNI and the 
aws-auth
ConfigMap fail.
Any idea what could be going wrong? 🤔
w

witty-candle-66007

02/01/2021, 7:18 PM
I asked the team to take a look as well and it’s not obvious what the issue is. The error message appears to be indicating that you can’t authenticate to the k8s cluster from your deployment machine. But if you are using your personal admin-level key, it seems like that shouldn’t be the case.
f

future-nail-59564

02/01/2021, 7:48 PM
Thanks a lot for looking into that, really appreciated! 👍
Hey @witty-candle-66007, here’s a stripped down minimal project that reproduces the issue. Thank you so much for looking into that! 🙂
eks-cluster.zip
2 Views
#awsJoin Slack
Powered by