No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Anyone out there using pulumi-eks for cluster + node management? I'm having a heck of a time:
• Using eks.NodeGroup, specifically the bit about the "cluster" argument (would love an example of how to use an eks.Cluster)
• Setting minimal security group ingress on management or worker nodes
Would love some pointers or examples

I am, although I'm still at the trying to get a cluster up and running stage.

I haven't used eks.NodeGroup yet but will probably do so shortly.

I was able to get eks.Cluster working with an eks.ManagedNodeGroup, but that doesn't have input for security groups

I have been adding rules to security groups to allow EFS access and some other things. I created the cluster first and then did this:

```// Need to be able to access the EFS (NFS) ports from the node sg and cluster sg
const nodeEFS = new aws.ec2.SecurityGroupRule("nodeEFS", {
	type: "ingress",
	fromPort: 2049,
	toPort: 2049,
	protocol: "tcp",
	securityGroupId: endp.ids[0],
	sourceSecurityGroupId: sg.id,
	description: `Allow the ${nam} k8s cluster access to the EFS drive in the endpoints sg`,
});```

so sg.Id is the security group I used in the `clusterSecurityGroup` in the new eks.Cluster

and `endp.ids[0]` is the result of Looking up security groups tagged with 'endpoints' in the current vpc

```const clusterEFS = new aws.ec2.SecurityGroupRule("clusterEFS", {
	type: "ingress",
	fromPort: 2049,
	toPort: 2049,
	protocol: "tcp",
	securityGroupId: endp.ids[0],
	sourceSecurityGroupId: cluster.nodeSecurityGroup.id,
	description: `Allow the ${nam} k8s cluster access to the EFS drive in the endpoints sg`,
});```
This is pretty much the same thing, but here cluster.nodeSecurityGroup.id is the id of the node security group created by the `new eks.Cluster`

Ahhh....filtering by endpoints in vpc though? What if you have multiple clusters?

but you could use better tagging than I have

or if you use pulumi to create all the endpoints and endpoint security groups, you could also get the right sg with Stack References

but in my case the endpoint sg already exists (hand-crafted) so I just tagged it so I could find it with a bit of code like:
```const endp = pulumi.output(aws.ec2.getSecurityGroups({
        tags: { 
                Job: "Endpoints",
        },
        filters: [
                {
                        name: "vpc-id",
                        values: [vpcid],
                },
        ],
}));```

I have multiple clusters with multiple `eks.NodeGroup`s in each, if you're still looking for pointers. It works pretty well, with some caveats around `desiredCapacity` overriding what's set by the cluster autoscaler.

That's awesome thanks! How are you setting the cluster argument of the `eks.NodeGroup`?

Basically like:
```const clusterOutput = new eks.Cluster(...);
clusterOutput.apply((cluster) =&gt; {
  new eks.NodeGroup(
    "group-name",
    {
      cluster,
      ...
    });
});```

Unwrap the `pulumi.Output&lt;eks.Cluster&gt;` via the `apply` method.

Hmm, I was passing in cluster.core. I'll try this out, thanks!