bland-shoe-75993

05/19/2020, 11:04 PM
Hi everyone! I'm curious, does Pulumi offer any "escape hatches" by which I can grab the underlying AWS API client (TypeScript) to perform some post-provisioning fixups on provisioned infrastructure?
My use case is, I'm provisioning an EKS cluster and would like to modify the egress rules on the autogenerated security group.

kind-mechanic-53546

05/19/2020, 11:05 PM
Can't you pre-create the SG then supply it to the cluster and then apply the rules?
I haven't looked at the AWS EKS offering but that's effectively what I do in Azure AKS 🙂

bland-shoe-75993

05/19/2020, 11:08 PM
Not right now; the SG is autogenerated and (right now) it's not possible to prevent it.
We used to do things differently but changed it late last year to accommodate managed node groups

kind-mechanic-53546

05/19/2020, 11:13 PM
You should be able to add the rules to the SG after creation
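import * as aws from "@pulumi/aws";

// Assumes `vpc` is an aws.ec2.Vpc defined elsewhere in the program.
const example = new aws.ec2.SecurityGroupRule("example", {
    type: "ingress",
    fromPort: 0,
    toPort: 65535,
    protocol: "tcp",
    // cidrBlocks takes a list of CIDR strings.
    cidrBlocks: [vpc.cidrBlock],
    // Placeholder ID; use the ID of the cluster's security group.
    securityGroupId: "sg-123456",
});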
apologies, it's not answering your original question re escape hatches 🙂

billowy-army-68599

05/19/2020, 11:15 PM
for those following along, Michael and I were chatting elsewhere and we also chatted internally and think dynamic providers are the best bet: https://www.pulumi.com/blog/dynamic-providers/

bland-shoe-75993

05/19/2020, 11:25 PM
@kind-mechanic-53546 in this case, it's a bit trickier since I need to remove an existing rule

kind-mechanic-53546

05/19/2020, 11:26 PM
ouch, that's a bit more tricky