purple-plumber-90981
05/17/2021, 10:20 PM

billowy-army-68599
05/17/2021, 10:50 PM

purple-plumber-90981
05/17/2021, 11:00 PM

billowy-army-68599
05/17/2021, 11:02 PM

purple-plumber-90981
05/17/2021, 11:36 PM

billowy-army-68599
05/18/2021, 12:44 AM

purple-plumber-90981
05/18/2021, 12:44 AM

billowy-army-68599
05/18/2021, 1:30 AM

purple-plumber-90981
05/18/2021, 4:40 AM
"""An AWS Python Pulumi program"""
import json
import pulumi
from itplat_region_providers import providers
import pulumi_aws as aws
provider_opts = pulumi.ResourceOptions(provider=providers['us-east-1'])
admin_role_name = "itplat_eks_clusteradmin_role"
eks_admin_role = aws.iam.Role(
admin_role_name,
assume_role_policy='''{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["ec2.amazonaws.com","eks.amazonaws.com"]},"Action":"sts:AssumeRole"}]}''',
name=admin_role_name,
tags={
"clusterAccess": "itplat_eks_admin",
},
opts=pulumi.ResourceOptions(provider=providers['us-east-1']),
)
eks_cluster_vpc_config = {
"endpoint_private_access": True,
"endpoint_public_access": False,
"public_access_cidrs": [
"0.0.0.0/0",
],
"security_group_ids": [
"eks_securitygroup.id",
],
"subnet_ids": ["subnet-0e0ff2e099999c840", "subnet-0b962f999996f624b", "subnet-09cc9999998dc4474"],
}
eks_cluster_config = {"role_arn": eks_admin_role.arn, "version": "1.19", "vpc_config": eks_cluster_vpc_config,
'name': "itplat-eks-cluster"}
# create cluster resource
eks_cluster = aws.eks.Cluster("itplat-eks-cluster", opts=provider_opts, **eks_cluster_config)
# create oidc provider for cluster
eks_oidc_provider = aws.iam.OpenIdConnectProvider("itplat_eks_oidc_provider",
client_id_lists=[
"sts.amazonaws.com"],
thumbprint_lists=["9e99a48a999999999999999922da2b0ab7280"],
url=eks_cluster.identities[0].oidcs[0].issuer)
# create the trust relationship (assume_role_policy) for the eks_admin_role
crossplane_provider_trust_relationship = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"' + \
eks_oidc_provider.arn.apply(lambda arn: f"{arn}") + \
'"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringLike":{"' + \
eks_oidc_provider.id.apply(lambda id: f"{id}") + \
':sub": "system:serviceaccount:crossplane-system:provider-aws-*"'
# Merge the oidc trust with the existing role trust
current_trust = json.loads(eks_admin_role.assume_role_policy.apply(lambda trust: f"{trust}"))
cpt = json.loads(crossplane_provider_trust_relationship)
final_trust = {key: value for (key, value) in (current_trust.items() + cpt.items())}
# apply merged trust relationship (assume_role_policy) to the eks_admin_role
eks_admin_role = aws.iam.Role(
admin_role_name,
assume_role_policy=json.dumps(final_trust),
name=admin_role_name,
tags={
"clusterAccess": "itplat_eks_admin",
},
opts=pulumi.ResourceOptions(provider=providers['us-east-1']),
)

billowy-army-68599
05/18/2021, 4:58 AM

purple-plumber-90981
05/18/2021, 5:04 AM

billowy-army-68599
05/18/2021, 5:11 AM

purple-plumber-90981
05/18/2021, 5:11 AM

billowy-army-68599
05/18/2021, 5:12 AM
assumeRoleWithWebIdentity
shouldn't go in the admin role

purple-plumber-90981
05/18/2021, 5:13 AM

billowy-army-68599
05/18/2021, 5:13 AM

purple-plumber-90981
05/18/2021, 5:14 AM

billowy-army-68599
05/18/2021, 5:19 AM
apply()
- create a completely distinct role called crossplaneRole
and build the IAM document using that info: https://github.com/pulumi/cert-manager-examples/blob/master/examples/letsencrypt/rbac.ts#L14-L28
I'm not sure what you mean when you say you have a role created "earlier" - do you mean in the code or outside Pulumi?

purple-plumber-90981
05/18/2021, 5:22 AM

billowy-army-68599
05/18/2021, 5:22 AM

purple-plumber-90981
05/18/2021, 5:23 AM

billowy-army-68599
05/18/2021, 5:23 AM

purple-plumber-90981
05/18/2021, 5:24 AM

billowy-army-68599
05/18/2021, 5:26 AM

purple-plumber-90981
05/18/2021, 5:27 AM

billowy-army-68599
05/18/2021, 5:28 AM
eks_role = iam.Role(
'eks-iam-role',
assume_role_policy=json.dumps({
'Version': '2012-10-17',
'Statement': [
{
'Action': 'sts:AssumeRole',
'Principal': {
'Service': 'eks.amazonaws.com'
},
'Effect': 'Allow',
'Sid': ''
}
],
}),
)

purple-plumber-90981
05/18/2021, 5:28 AM

billowy-army-68599
05/18/2021, 5:28 AM
eks_oidc_provider = aws.iam.OpenIdConnectProvider("itplat_eks_oidc_provider",
client_id_lists=[
"sts.amazonaws.com"],
thumbprint_lists=["9e99a48a999999999999999922da2b0ab7280"],
url=eks_cluster.identities[0].oidcs[0].issuer)
okay, if I'm reading between the lines correctly, you now want to create a role that allows crossplane to function inside EKS with the right perms, right?
eks_role = iam.Role(
'eks-iam-role',
assume_role_policy=json.dumps({
'Version': '2012-10-17',
'Statement': [
{
'Action': 'sts:AssumeRole',
'Principal': {
'Service': 'eks.amazonaws.com'
},
'Effect': 'Allow',
'Sid': ''
}
],
}),
)

purple-plumber-90981
05/18/2021, 5:30 AM

billowy-army-68599
05/18/2021, 5:32 AM

purple-plumber-90981
05/18/2021, 5:34 AM

billowy-army-68599
05/18/2021, 5:36 AM
crossplan_role = iam.Role(
'crossplane_role',
assume_role_policy=json.dumps({
# You'll need an `apply()` in here
}),
)
add your policy there, then assign THAT role to your k8s service account

purple-plumber-90981
05/18/2021, 5:37 AM

billowy-army-68599
05/18/2021, 5:37 AM

purple-plumber-90981
05/18/2021, 5:37 AM

billowy-army-68599
05/18/2021, 5:37 AM

purple-plumber-90981
05/18/2021, 5:37 AM
current_trustz = json.loads(eks_admin_role.assume_role_policy.apply(lambda policy: f"current_trust={policy}"))
print("-== current_trust ==-")
pprint.pprint(current_trustz)
current_trustz = json.loads(eks_admin_role.assume_role_policy.apply(lambda policy: f"current_trust={policy}"))
File "/Users/bmeehan/.pyenv/versions/3.8.5/lib/python3.8/json/__init__.py", line 341, in loads
raise TypeError(f'the JSON object must be str, bytes or bytearray, '
TypeError: the JSON object must be str, bytes or bytearray, not Output
error: an unhandled error occurred: Program exited with non-zero exit code: 1

billowy-army-68599
05/18/2021, 5:39 AM
apply()
works?

purple-plumber-90981
05/18/2021, 5:40 AM

billowy-army-68599
05/18/2021, 5:40 AM

purple-plumber-90981
05/18/2021, 5:41 AM

billowy-army-68599
05/18/2021, 5:42 AM
current_trustz
example above, if you want to print it, you do it inside the apply()
then it'll work, much like the example in the blog post

purple-plumber-90981
05/18/2021, 5:46 AM
current_trustz = json.loads(eks_admin_role.assume_role_policy.apply(lambda policy: pprint.pprint(json.loads(f"{policy}"))))

billowy-army-68599
05/18/2021, 5:49 AM

purple-plumber-90981
05/18/2021, 5:50 AM
current_trustz = json.loads(eks_admin_role.assume_role_policy.apply(lambda policy: pprint.pprint(json.loads(f"{policy}"))))
File "/Users/bmeehan/.pyenv/versions/3.8.5/lib/python3.8/json/__init__.py", line 341, in loads
raise TypeError(f'the JSON object must be str, bytes or bytearray, '
TypeError: the JSON object must be str, bytes or bytearray, not Output
error: an unhandled error occurred: Program exited with non-zero exit code: 1

billowy-army-68599
05/18/2021, 5:51 AM

purple-plumber-90981
05/18/2021, 5:52 AM

billowy-army-68599
05/18/2021, 5:52 AM
current_trustz = json.loads <----
this one

purple-plumber-90981
05/18/2021, 5:52 AM

billowy-army-68599
05/18/2021, 5:53 AM

purple-plumber-90981
05/18/2021, 5:53 AM

billowy-army-68599
05/18/2021, 5:54 AM

purple-plumber-90981
05/18/2021, 5:54 AM

bored-oyster-3147
05/18/2021, 12:41 PM
current_trustz = eks_admin_role.assume_role_policy.apply(lambda policy: pprint.pprint(json.loads(f"{policy}")))
current_trustz = eks_admin_role.assume_role_policy.apply(lambda policy: json.loads(f"{policy}"))

purple-plumber-90981
05/19/2021, 12:32 AM

billowy-army-68599
05/19/2021, 1:42 AM

purple-plumber-90981
05/19/2021, 1:43 AM

billowy-army-68599
05/19/2021, 1:57 AM
"as aws resource have parameters and options that are modify-able, so it follows that we may need to modify / adjust these parameters and options"
If you have a resource you've defined and you update it, Pulumi will perform an update action and modify it for you. Is that not what you're seeing? If you add one resource/component at a time it'll only add the changes you've made

purple-plumber-90981
05/19/2021, 1:58 AM

billowy-army-68599
05/19/2021, 2:04 AM
IamRolePolicyAttachment
) which makes use of specific API calls if you need to attach objects to other objects, but if it doesn't exist it's because it's not a good idea

purple-plumber-90981
05/19/2021, 2:09 AM
# create oidc provider for cluster
eks_oidc_provider = aws.iam.OpenIdConnectProvider("itplat_eks_oidc_provider",
client_id_lists=[
"sts.amazonaws.com"],
thumbprint_lists=["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"],
url=eks_cluster.identities[0].oidcs[0].issuer)
# create crossplaneadmin_role
crossplane_admin_role = aws.iam.Role(
"itplat_eks_crossplaneadmin_role",
assume_role_policy=pulumi.Output.all(eks_oidc_provider.arn, eks_oidc_provider.id).apply(
lambda args: json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": args[0],
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {f"{args[1]}:sub": "system:serviceaccount:crossplane-system:provider-aws-*"},
},
}
],
}
),
name="itplat_eks_crossplaneadmin_role",
tags={
"clusterAccess": "itplat_eks_admin",
},
opts=pulumi.ResourceOptions(provider=providers['us-east-1']),
)
)
got me
File "./aws_eks.py", line 116, in create
assume_role_policy=pulumi.Output.all(eks_oidc_provider.arn, eks_oidc_provider.id).apply(
TypeError: apply() got an unexpected keyword argument 'name'
error: an unhandled error occurred: Program exited with non-zero exit code: 1
and I'm lost again

billowy-army-68599
05/19/2021, 3:06 PM
pulumi.Output.all
takes a list:
pulumi.Output.all([eks_oidc_provider.arn, eks_oidc_provider.id])
note the square brackets

purple-plumber-90981
05/19/2021, 10:14 PM
assume_role_policy=pulumi.Output.all([eks_oidc_provider.arn, eks_oidc_provider.id]).apply(
TypeError: apply() got an unexpected keyword argument 'name'
error: an unhandled error occurred: Program exited with non-zero exit code: 1

bored-oyster-3147
05/19/2021, 10:59 PM
assume_role_policy=pulumi.Output.all(eks_oidc_provider.arn, eks_oidc_provider.id).apply(
lambda args: json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": args[0],
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {f"{args[1]}:sub": "system:serviceaccount:crossplane-system:provider-aws-*"},
},
}
],
}
),
name="itplat_eks_crossplaneadmin_role",
yea you're missing a closing parenthesis on the apply

purple-plumber-90981
05/19/2021, 11:00 PM

bored-oyster-3147
05/19/2021, 11:01 PM

purple-plumber-90981
05/19/2021, 11:02 PM
"StringLike": {f"{args[1]}:sub": "system:serviceaccount:crossplane-system:provider-aws-*"},
IndexError: list index out of range
error: an unhandled error occurred: Program exited with non-zero exit code: 1
bored-oyster-3147
05/19/2021, 11:05 PM