This message was deleted.

Don’t you create your own VPC first, create subnets in it and pass some of the subnets to the creation of the EKS cluster?

Yes. That's exactly what I do. I create VPC, subnets for EKS and security group for the EKS worker plane and I inject these values as parameters to EKS as in that example above. Everything is fine this far. But. When AWS creates EKS it creates a special security group for the EKS master plane and only when EKS is fully created that value can be found in eks.cluster.vpc_config["clusterSecurityGroupId"]. And I need to access to that security group in the same "pulumi up" run...

You should create and pass your own security group ID for the control plane.

Can't do that - EKS creates it: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html => "Amazon EKS clusters beginning with Kubernetes version 1.14 and platform version 

eks.3

 create a cluster security group as part of cluster creation"

That’s new to me. Coming back to your problem, can you post a snippet of code how you access the vpc_config of the created EKS cluster?

... and: https://www.terraform.io/docs/providers/aws/d/eks_cluster.html => "`cluster_security_group_id` - The cluster security group that was created by Amazon EKS for the cluster."

Are you using

@pulumi/aws

or

@pulumi/eks

to create the cluster?

my_cluster.vpc_config["clusterSecurityGroupId"] ... and this works only in the second "pulumi up" run when the EKS infra (with that master plane security group) was completely created in the first "pulumi up" run...

vpc_config is an

Output

of my_cluster, so referring to vpc_config should (in Pulumi) style wait for the value(s) to be there before it continues execution. I haven’t used Python with Pulumi. Is it possible to also use the dotted notation to refer to clusterSecurityGroupId? Example:

my_cluster.vpc_config.clusterSecurityGroupId

?

I'll try...

It shouldn’t. But we are working with software so you might have bumped into a bug. You might have better chance asking a few hours later when the Pulumi people (mostly US) become alive.

Ok. No problem, I understand. I can create a temporary workaround for this (e.g. a flag which says if EKS is ready, and use that vpc_config only in the second "pulumi up" run when EKS has created that security group. But in the long run it would be nice to find a permanent solution for this. 🙂

the module is also supported in Python, but the pathing is a bit different to get to the same value

@faint-table-42725 , thanks for the reply but that doesn't resolve the issue. If you try to create eks and access

my_cluster.vpc_config['clusterSecurityGroupId']

in the same "pulumi up" run you will notice that the security group (that EKS creates) is not yet ready and pulumi will throw

KeyError: 'clusterSecurityGroupId'

ah… i see, because vpc_config is an Output

Just tried it. This time Pulumi doesn't give the "KeyError" but it doesn't create the security rule either (I'm using the

my_cluster.vpc_config.apply(*lambda* config: config['clusterSecurityGroupId'])

security group id as source_security_group_id for another resource). In the second "pulumi up" run Pulumi creates the EKS node_group for EKS and also the missing security rule (now that EKS has created that Master plane security group id in the first run). That's ok now (even though it would be nice to have all these resources to be created in one "pulumi up" run, but this is behavior I have seen also in the Terraform side, so I guess there always are peculiarities like this when creating cloud resources. Thanks for your help, I'm satisfied with this now.

Sure thing