
bright-sandwich-93783

06/30/2021, 12:59 AM
you need to run something like this script to compute the thumbprint. Any suggestions for doing this in Pulumi? running code to do this in the Apply function of the returned cluster issuer output property?

little-cartoon-10569

06/30/2021, 3:26 AM
You could run it from your program before creating the resource. Or pass the thumbprint in via config.

bright-sandwich-93783

06/30/2021, 3:39 AM
that kind of defeats the purpose of using something like pulumi to imperatively define resource dependency graphs. But yeah, I might have to
thx for the input 🙂

billowy-army-68599

06/30/2021, 8:44 AM
@bright-sandwich-93783 the thumbprint is the same for every cluster, most people hardcode it

bright-sandwich-93783

06/30/2021, 9:02 PM
@billowy-army-68599 thank you! I did eventually realize thumbprint is basically static for each cluster and each region. However, I did find a decent solution using the Pulumi TLS package! You can grab the cert using the Pulumi TLS package and access the fingerprint. A somewhat incomplete example of this can be seen here (it notably omits the critical call to GetCertificate)
i figured this out by reading this article, in which point 3 mentions that the TF TLS provider update sometime last year made the fingerprint accessible

billowy-army-68599

06/30/2021, 9:06 PM
@bright-sandwich-93783 this actually sounds really cool, can you show me how it works?

bright-sandwich-93783

06/30/2021, 9:08 PM
@billowy-army-68599 yeah once I get the code working I'll paste it here
wait, why would the TS pulumi EKS provider do this, but not the Go provider?
seems like the TS EKS provider gives you a thumbprint output

billowy-army-68599

06/30/2021, 9:16 PM
The EKS provider uses multi language output, so it's written in typescript but you can consume it in all our supported languages

bright-sandwich-93783

06/30/2021, 9:17 PM
oh ok. In that case, why is the EKS provider fetching the thumbprint? It's not exposed as an output anywhere
or is it used for something else entirely? Would be really neat to get it back as an output in the ClusterIdentity Oidcs block
(yes the root CA expires in 2034 and probably won't change until then lol)

bright-sandwich-93783

06/30/2021, 10:35 PM
not the thumbprint

billowy-army-68599

06/30/2021, 10:49 PM
oh sorry yes

bright-sandwich-93783

06/30/2021, 11:00 PM
@billowy-army-68599 theoretically, you could do something like this:
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/eks"
	"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
	"github.com/pulumi/pulumi-tls/sdk/v4/go/tls"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleCluster, err := eks.NewCluster(ctx, "exampleCluster", nil)
		if err != nil {
			return err
		}
		// Pseudocode: Identities is an Output, not a plain slice, so the issuer
		// URL is not available as a plain string here and this does not compile.
		exampleCert, err := tls.GetCertificate(ctx, &tls.GetCertificateArgs{
			Url: exampleCluster.Identities[0].Oidcs[0].Issuer,
		})
		if err != nil {
			return err
		}
		_, err = iam.NewOpenIdConnectProvider(ctx, "exampleOpenIdConnectProvider", &iam.OpenIdConnectProviderArgs{
			ClientIdLists: pulumi.StringArray{
				pulumi.String("sts.amazonaws.com"),
			},
			// GetCertificate returns a plain Go struct, so the fingerprint is a plain string.
			ThumbprintLists: pulumi.StringArray{
				pulumi.String(exampleCert.Certificates[0].Sha1Fingerprint),
			},
			// Identities is an Output; ApplyT unwraps it to the OIDC issuer URL.
			Url: exampleCluster.Identities.ApplyT(func(identities []eks.ClusterIdentity) (string, error) {
				return identities[0].Oidcs[0].Issuer, nil
			}).(pulumi.StringOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
getting the exampleCert is pseudocode, because I couldn't figure out a way to get the actual string value of the issuer URL, unless I wanted to make the GetCertificate call inside of an ApplyT callback... Thoughts?

billowy-army-68599

06/30/2021, 11:03 PM
you can do it inside the ApplyT, we try not to recommend it because it won't show up in previews, but it should work

little-cartoon-10569

06/30/2021, 11:06 PM
Why does GetCertificate have to be in an ApplyT?

bright-sandwich-93783

06/30/2021, 11:06 PM
because GetCertificate requires a string value for the URL, not a StringOutput/Input
which is the type of
eksCluster.Identities.Index(pulumi.Int(0)).Oidcs().Index(pulumi.Int(0)).Issuer().Elem(),

little-cartoon-10569

06/30/2021, 11:07 PM
Hmm, could that be a bug in the docs?

bright-sandwich-93783

06/30/2021, 11:07 PM
the only way to get the underlying string of that Issuer URL is to use an ApplyT callback, at which point you could make the call to tls.GetCertificate
probably not a bug in the docs, that's what the actual code error is if you try it out
i.e, the result of GetCertificate is a vanilla go struct
doesn't implement any methods

little-cartoon-10569

06/30/2021, 11:09 PM
Yep, I see that in the TS version too. Sometimes the docs say string but the implementation is in Output or Input... but not this time 😞