# general
w
Hi 🙂 I have an EKS cluster created with pulumi, with some services / helm charts applied, I'm seeing the following weirdness: When a helm chart is applied fresh, it creates an ELB and adds its security group to the node security group, and all works as expected. On a subsequent pulumi run, it says it wants to update the node security group, and removes the rule so that the ELB can no longer reach the cluster. This also happens with a `Service` created without helm. I've recently upgraded pulumi to 1.0 - This cluster has been running for some time, and updates have been ok till now - although we did experience a similar thing when pulumi updated the AMI for the EKS cluster. Has anyone else observed something similar?
w
Can you share the exact diff you are seeing? Is this with `@pulumi/eks`?
w
Sure The diff looks like it's replacing the rules with the default rules:
```
~ aws:ec2/securityGroup:SecurityGroup: (update)
            [id=sg-01290dc7456d80e3a]
            [urn=urn:pulumi:prod::insights-base::eks:index:Cluster$aws:ec2/securityGroup:SecurityGroup::cluster-nodeSecurityGroup]
            description        : "Managed by Pulumi"
            egress             : [
                [0]: {
                    cidrBlocks : [
                        [0]: "0.0.0.0/0"
                    ]
                    description: "Allow internet access."
                    fromPort   : 0
                    protocol   : "-1"
                    self       : false
                    toPort     : 0
                }
            ]
            ingress            : [
                [0]: {
                    description: "Allow nodes to communicate with each other"
                    fromPort   : 0
                    protocol   : "-1"
                    self       : true
                    toPort     : 0
                }
                [1]: {
                    description   : "Allow worker Kubelets and pods to receive communication from the cluster control plane"
                    fromPort      : 1025
                    protocol      : "tcp"
                    securityGroups: [
                        [0]: "sg-02442ca8c9d39cd06"
                    ]
                    self          : false
                    toPort        : 65535
                }
                [2]: {
                    description   : "Allow pods running extension API servers on port 443 to receive communication from cluster control plane"
                    fromPort      : 443
                    protocol      : "tcp"
                    securityGroups: [
                        [0]: "sg-02442ca8c9d39cd06"
                    ]
                    self          : false
                    toPort        : 443
                }
            ]
            name               : "cluster-nodeSecurityGroup-bb73210"
            revokeRulesOnDelete: false
            tags               : {
                kubernetes.io/cluster/cluster-eksCluster-50e3f63: "owned"
            }
            vpcId              : "vpc-8194a0e8"
```
Yep - cluster created with pulumi/eks
w
What version of `@pulumi/EKS` are you using? Versions since `0.18.3` have managed these rules independently from the security group. Also see https://github.com/pulumi/pulumi-eks/blob/master/CHANGELOG.md#0185-released-may-09-2019.
w
Even after a successful "pulumi up", running immediately again still says it wants to update the group in the plan:
```
├─ eks:index:Cluster                         cluster
 ~   │  └─ aws:ec2:SecurityGroup                  cluster-nodeSecurityGroup                  update
```
w
Two things: 1. What version of Pulumi-eks? 2. Are you doing refresh at all?
w
Thanks - looks like outdated pulumi-eks might be it - currently 0.17.4 - will try the upgrade steps you linked and see how it goes.
I had tried a refresh too, but results seemed the same. Anyway - will update versions 🙂