you need to run something like this script to compute the thumbprint. Any suggestions for doing this in Pulumi? running code to do this in the Apply function of the returned cluster issuer output property?

You could run it form your program before creating the resource. Or pass the thumbprint in via config.

that kind of defeats the purpose of using something like pulumi to imperatively define resource dependency graphs. But yeah, I might have to

@bright-sandwich-93783 the thumprint is the same for every cluster, most people hardcode it

@billowy-army-68599 thank you! I did eventually realize thumbprint is basically static for each cluster and each region. However, I did find a decent solution using the Pulumi TLS package! You can grab the cert using the Pulumi TLS package and access the fingerprint. A somewhat incomplete example of this can be seen here (it notably omits the critical call to

GetCertificate

)

@bright-sandwich-93783 this actually sounds really cool, can you show me how it works?

@billowy-army-68599 yeah once I get the code working I'll paste it here

The EKS provider uses multi language output, so it’s written in typescript but you can consume it in all our supported languages

oh ok. In that case, why is the EKS provider fetching the thumbprint? It's not exposed as an output anywhere

it does output them: https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/eks-platform/eks/index.ts#L23-L24

not the thumbprint

oh sorry yes

@billowy-army-68599 theoretically, you could do something like this:

package main

import (
	"<http://github.com/pulumi/pulumi-aws/sdk/v3/go/aws/eks|github.com/pulumi/pulumi-aws/sdk/v3/go/aws/eks>"
	"<http://github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam|github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam>"
	"<http://github.com/pulumi/pulumi-tls/sdk/v4/go/tls|github.com/pulumi/pulumi-tls/sdk/v4/go/tls>"
	"<http://github.com/pulumi/pulumi/sdk/v3/go/pulumi|github.com/pulumi/pulumi/sdk/v3/go/pulumi>"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleCluster, err := eks.NewCluster(ctx, "exampleCluster", nil)
		if err != nil {
			return err
		}
        exampleCert, err := tls.GetCertificate(ctx, tls.GetCertificateArgs {
          Url: exampleCluster.Identities[0].Url
         })
		_, err = iam.NewOpenIdConnectProvider(ctx, "exampleOpenIdConnectProvider", &iam.OpenIdConnectProviderArgs{
			ClientIdLists: pulumi.StringArray{
				pulumi.String("<http://sts.amazonaws.com|sts.amazonaws.com>"),
			},
			ThumbprintLists: pulumi.StringArray{
				exampleCertificate.ApplyT(func(exampleCertificate tls.GetCertificateResult) (string, error) {
					return exampleCertificate.Certificates[0].Sha1Fingerprint, nil
				}).(pulumi.StringOutput),
			},
			Url: pulumi.String(exampleCluster.Identities.ApplyT(func(identities []eks.ClusterIdentity) (string, error) {
				return identities[0].Oidcs[0].Issuer, nil
			}).(pulumi.StringOutput)),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

you can do it inside the

ApplyT

, we try not to recommend it because it won't show up in previews, but it should work

Why does GetCertificate have to be in an ApplyT?

because GetCertificate requires a

string

value for the URL, not a StringOutput/Input

Hmm, could that be a bug in the docs?

the only way to get the underlying string of that Issuer URL is to use an

ApplyT

callback, at which point you could make the call to

tls.GetCertificate

Yep, I see that in the TS version too. Sometimes the docs say string but the implementation is in Output or Input... but not this time 😞