https://pulumi.com logo
q

quiet-painter-30539

02/19/2020, 1:16 PM
I'm new to Pulumi. Is there some way for Pulumi to wait a resource to be completely ready before querying information about the resource? I need to create AWS EKS and then to query the AWS EKS's vpc_config but there is a piece of information that is not available until AWS has completely created the EKS (the master plane security group).
l

limited-rainbow-51650

02/19/2020, 1:20 PM
Don’t you create your own VPC first, create subnets in it and pass some of the subnets to the creation of the EKS cluster?
q

quiet-painter-30539

02/19/2020, 1:51 PM
Yes. That's exactly what I do. I create VPC, subnets for EKS and security group for the EKS worker plane and I inject these values as parameters to EKS as in that example above. Everything is fine this far. But. When AWS creates EKS it creates a special security group for the EKS master plane and only when EKS is fully created that value can be found in eks.cluster.vpc_config["clusterSecurityGroupId"]. And I need to access to that security group in the same "pulumi up" run...
l

limited-rainbow-51650

02/19/2020, 1:53 PM
You should create and pass your own security group ID for the control plane.
q

quiet-painter-30539

02/19/2020, 2:04 PM
Can't do that - EKS creates it: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html => "Amazon EKS clusters beginning with Kubernetes version 1.14 and platform version 
eks.3
 create a cluster security group as part of cluster creation"
l

limited-rainbow-51650

02/19/2020, 2:06 PM
That’s new to me. Coming back to your problem, can you post a snippet of code how you access the vpc_config of the created EKS cluster?
q

quiet-painter-30539

02/19/2020, 2:06 PM
... and: https://www.terraform.io/docs/providers/aws/d/eks_cluster.html => "`cluster_security_group_id` - The cluster security group that was created by Amazon EKS for the cluster."
l

limited-rainbow-51650

02/19/2020, 2:07 PM
Are you using
@pulumi/aws
or
@pulumi/eks
to create the cluster?
q

quiet-painter-30539

02/19/2020, 2:08 PM
my_cluster.vpc_config["clusterSecurityGroupId"] ... and this works only in the second "pulumi up" run when the EKS infra (with that master plane security group) was completely created in the first "pulumi up" run...
from pulumi_aws import eks
i.e. the Python SDK.
We are considering to use Pulumi instead of Terraform in one customer case. This far everything has been pretty smooth with Pulumi - this is the first show-stopper.
l

limited-rainbow-51650

02/19/2020, 2:15 PM
vpc_config is an
Output
of my_cluster, so referring to vpc_config should (in Pulumi) style wait for the value(s) to be there before it continues execution. I haven’t used Python with Pulumi. Is it possible to also use the dotted notation to refer to clusterSecurityGroupId? Example:
my_cluster.vpc_config.clusterSecurityGroupId
?
q

quiet-painter-30539

02/19/2020, 2:33 PM
I'll try...
my_cluster.vpc_config.clusterSecurityGroupId, => AttributeError: 'dict' object has no attribute 'clusterSecurityGroupId'
Is there some differences which language you use with Pulumi? I.e. something like this works with Typescript SDK but doesn't work with Python SDK?
l

limited-rainbow-51650

02/19/2020, 2:38 PM
It shouldn’t. But we are working with software so you might have bumped into a bug. You might have better chance asking a few hours later when the Pulumi people (mostly US) become alive.
q

quiet-painter-30539

02/19/2020, 2:41 PM
Ok. No problem, I understand. I can create a temporary workaround for this (e.g. a flag which says if EKS is ready, and use that vpc_config only in the second "pulumi up" run when EKS has created that security group. But in the long run it would be nice to find a permanent solution for this. 🙂
I created a workaround this, but it needs two "pulumi up" runs: in the first run create just EKS, in the second run use the my_cluster.vpc_config.clusterSecurityGroupId that EKS created. I'd like to know if this is a Pulumi bug?
f

faint-table-42725

02/21/2020, 2:02 AM
the module is also supported in Python, but the pathing is a bit different to get to the same value
instead of
my_cluster.vpc_config.clusterSecurityGroupId
you’ll want to try
my_cluster.vpc_config['clusterSecurityGroupId']
lmk if that helps resolve your issue
q

quiet-painter-30539

02/21/2020, 9:01 AM
@faint-table-42725 , thanks for the reply but that doesn't resolve the issue. If you try to create eks and access
my_cluster.vpc_config['clusterSecurityGroupId']
in the same "pulumi up" run you will notice that the security group (that EKS creates) is not yet ready and pulumi will throw
Copy code
KeyError: 'clusterSecurityGroupId'
f

faint-table-42725

02/22/2020, 12:53 AM
ah… i see, because vpc_config is an Output
if you do
my_cluster.vpc_config.apply(*lambda* config: config['clusterSecurityGroupId'])
does that work instead?
q

quiet-painter-30539

02/22/2020, 10:50 AM
Just tried it. This time Pulumi doesn't give the "KeyError" but it doesn't create the security rule either (I'm using the
my_cluster.vpc_config.apply(*lambda* config: config['clusterSecurityGroupId'])
security group id as source_security_group_id for another resource). In the second "pulumi up" run Pulumi creates the EKS node_group for EKS and also the missing security rule (now that EKS has created that Master plane security group id in the first run). That's ok now (even though it would be nice to have all these resources to be created in one "pulumi up" run, but this is behavior I have seen also in the Terraform side, so I guess there always are peculiarities like this when creating cloud resources. Thanks for your help, I'm satisfied with this now.
f

faint-table-42725

02/22/2020, 4:04 PM
Sure thing
One last thought on this is you could wait for the status of the cluster (my_cluster.status) to be Active
before you continue with attempting to use that value
and occasionally fetch the status via .get
2 Views