@pulumi/eks 2.6.0-alpha.1717448271 → 2.6.0-alpha.1717489923

@@ -0,0 +1,24 @@
1
+ import * as aws from "@pulumi/aws";
2
+ import * as pulumi from "@pulumi/pulumi";
3
+ import { AccessEntry, ClusterOptions, RoleMapping, UserMapping } from "./cluster";
4
+ export declare const CONFIG_MAP = "CONFIG_MAP";
5
+ export declare const API_AND_CONFIG_MAP = "API_AND_CONFIG_MAP";
6
+ export declare const API = "API";
7
+ export declare function validateAuthenticationMode(args: ClusterOptions): void;
8
+ export declare function supportsConfigMap(authenticationMode: string | undefined): boolean;
9
+ export declare function supportsAccessEntries(authenticationMode: string | undefined): boolean;
10
+ /**
11
+ * Creates the AWS authentication data for the aws-auth ConfigMap.
12
+ *
13
+ * @param instanceRoles - The instance roles to be mapped.
14
+ * @param roleMappings - The IAM role mappings to be included.
15
+ * @param userMappings - The IAM user mappings to be included.
16
+ * @returns The AWS authentication data for the aws-auth ConfigMap.
17
+ * @throws Error if the IAM role mappings or user mappings are invalid or cannot be serialized to YAML.
18
+ */
19
+ export declare function createAwsAuthData(instanceRoles: pulumi.Output<aws.iam.Role[]>, roleMappings: pulumi.Input<pulumi.Input<RoleMapping>[]> | undefined, userMappings: pulumi.Input<pulumi.Input<UserMapping>[]> | undefined): pulumi.Input<{
20
+ [key: string]: pulumi.Input<string>;
21
+ }>;
22
+ export declare function createAccessEntries(componentName: string, clusterName: pulumi.Input<string>, accessEntries: {
23
+ [key: string]: AccessEntry;
24
+ }, opts: pulumi.CustomResourceOptions): aws.eks.AccessEntry[];
@@ -0,0 +1,142 @@
1
+ "use strict";
2
+ // Copyright 2016-2024, Pulumi Corporation.
3
+ //
4
+ // Licensed under the Apache License, Version 2.0 (the "License");
5
+ // you may not use this file except in compliance with the License.
6
+ // You may obtain a copy of the License at
7
+ //
8
+ // http://www.apache.org/licenses/LICENSE-2.0
9
+ //
10
+ // Unless required by applicable law or agreed to in writing, software
11
+ // distributed under the License is distributed on an "AS IS" BASIS,
12
+ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
+ // See the License for the specific language governing permissions and
14
+ // limitations under the License.
15
+ Object.defineProperty(exports, "__esModule", { value: true });
16
+ exports.createAccessEntries = exports.createAwsAuthData = exports.supportsAccessEntries = exports.supportsConfigMap = exports.validateAuthenticationMode = exports.API = exports.API_AND_CONFIG_MAP = exports.CONFIG_MAP = void 0;
17
+ const aws = require("@pulumi/aws");
18
+ const pulumi = require("@pulumi/pulumi");
19
+ const jsyaml = require("js-yaml");
20
+ exports.CONFIG_MAP = "CONFIG_MAP";
21
+ exports.API_AND_CONFIG_MAP = "API_AND_CONFIG_MAP";
22
+ exports.API = "API";
23
+ function validateAuthenticationMode(args) {
24
+ if (args.authenticationMode &&
25
+ args.authenticationMode !== exports.CONFIG_MAP &&
26
+ args.authenticationMode !== exports.API_AND_CONFIG_MAP &&
27
+ args.authenticationMode !== exports.API) {
28
+ throw new Error(`Invalid value for authenticationMode: ${args.authenticationMode}. Allowed values are: ${exports.CONFIG_MAP}, ${exports.API_AND_CONFIG_MAP}, ${exports.API}.`);
29
+ }
30
+ const configMapOnlyProperties = [
31
+ "roleMappings",
32
+ "userMappings",
33
+ "instanceRoles",
34
+ ];
35
+ const apiOnlyProperties = ["accessEntries"];
36
+ if (!supportsConfigMap(args.authenticationMode)) {
37
+ configMapOnlyProperties.forEach((prop) => {
38
+ if (args[prop]) {
39
+ throw new Error(`The '${prop}' property is not supported when 'authenticationMode' is set to '${args.authenticationMode}'.`);
40
+ }
41
+ });
42
+ }
43
+ if (!supportsAccessEntries(args.authenticationMode)) {
44
+ apiOnlyProperties.forEach((prop) => {
45
+ if (args[prop]) {
46
+ const errorMsg = args.authenticationMode != null
47
+ ? `set to '${args.authenticationMode}'`
48
+ : "not set";
49
+ throw new Error(`The '${prop}' property is not supported when 'authenticationMode' is ${errorMsg}.`);
50
+ }
51
+ });
52
+ }
53
+ }
54
+ exports.validateAuthenticationMode = validateAuthenticationMode;
55
+ function supportsConfigMap(authenticationMode) {
56
+ // If authenticationMode is not provided, it defaults to CONFIG_MAP
57
+ return (!authenticationMode ||
58
+ authenticationMode === exports.CONFIG_MAP ||
59
+ authenticationMode === exports.API_AND_CONFIG_MAP);
60
+ }
61
+ exports.supportsConfigMap = supportsConfigMap;
62
+ function supportsAccessEntries(authenticationMode) {
63
+ return authenticationMode === exports.API || authenticationMode === exports.API_AND_CONFIG_MAP;
64
+ }
65
+ exports.supportsAccessEntries = supportsAccessEntries;
66
+ /**
67
+ * Creates the AWS authentication data for the aws-auth ConfigMap.
68
+ *
69
+ * @param instanceRoles - The instance roles to be mapped.
70
+ * @param roleMappings - The IAM role mappings to be included.
71
+ * @param userMappings - The IAM user mappings to be included.
72
+ * @returns The AWS authentication data for the aws-auth ConfigMap.
73
+ * @throws Error if the IAM role mappings or user mappings are invalid or cannot be serialized to YAML.
74
+ */
75
+ function createAwsAuthData(instanceRoles, roleMappings, userMappings) {
76
+ const instanceRoleMappings = instanceRoles.apply((roles) => roles.map((role) => createInstanceRoleMapping(role.arn)));
77
+ const mapRoles = pulumi
78
+ .all([pulumi.output(roleMappings || []), instanceRoleMappings])
79
+ .apply(([mappings, instanceMappings]) => {
80
+ let mappingYaml = "";
81
+ try {
82
+ mappingYaml = jsyaml.dump([...mappings, ...instanceMappings].map((m) => ({
83
+ rolearn: m.roleArn,
84
+ username: m.username,
85
+ groups: m.groups,
86
+ })));
87
+ }
88
+ catch (e) {
89
+ throw new Error(`The IAM role mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap`);
90
+ }
91
+ return mappingYaml;
92
+ });
93
+ const nodeAccessData = {
94
+ mapRoles: mapRoles,
95
+ };
96
+ if (userMappings) {
97
+ nodeAccessData.mapUsers = pulumi.output(userMappings).apply((mappings) => {
98
+ let mappingYaml = "";
99
+ try {
100
+ mappingYaml = jsyaml.dump(mappings.map((m) => ({
101
+ userarn: m.userArn,
102
+ username: m.username,
103
+ groups: m.groups,
104
+ })));
105
+ }
106
+ catch (e) {
107
+ throw new Error(`The IAM user mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap`);
108
+ }
109
+ return mappingYaml;
110
+ });
111
+ }
112
+ return nodeAccessData;
113
+ }
114
+ exports.createAwsAuthData = createAwsAuthData;
115
+ function createAccessEntries(componentName, clusterName, accessEntries, opts) {
116
+ return Object.entries(accessEntries).map(([name, accessEntry]) => {
117
+ const entry = new aws.eks.AccessEntry(`${componentName}-${name}`, Object.assign(Object.assign({}, accessEntry), { clusterName, userName: accessEntry.username }), opts);
118
+ Object.entries(accessEntry.accessPolicies || {}).map(([associationName, association]) => {
119
+ const associationOutput = pulumi.output(association);
120
+ const policyAssociation = new aws.eks.AccessPolicyAssociation(`${componentName}-${name}-${associationName}`, {
121
+ accessScope: associationOutput.accessScope,
122
+ principalArn: accessEntry.principalArn,
123
+ policyArn: associationOutput.policyArn,
124
+ clusterName,
125
+ }, Object.assign(Object.assign({}, opts), { parent: entry, dependsOn: [entry] }));
126
+ });
127
+ return entry;
128
+ });
129
+ }
130
+ exports.createAccessEntries = createAccessEntries;
131
+ /**
132
+ * Enable access to the EKS cluster for worker nodes, by creating an
133
+ * instance role mapping to the k8s username and groups of aws-auth.
134
+ */
135
+ function createInstanceRoleMapping(arn) {
136
+ return {
137
+ roleArn: arn,
138
+ username: "system:node:{{EC2PrivateDNSName}}",
139
+ groups: ["system:bootstrappers", "system:nodes"],
140
+ };
141
+ }
142
+ //# sourceMappingURL=authenticationMode.js.map
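Review bot: `createAccessEntries` spreads the whole `accessEntry` into the `aws.eks.AccessEntry` args, so the component-level keys `username` and `accessPolicies` are forwarded to the provider next to the renamed `userName`; destructuring first, `const { username, accessPolicies, ...entryArgs } = accessEntry;` and passing `{ ...entryArgs, clusterName, userName: username }`, sends only the resource's own inputs. The inner `Object.entries(accessEntry.accessPolicies || {}).map(...)` runs only for its side effect and binds `policyAssociation` without reading it; `forEach` with a bare `new aws.eks.AccessPolicyAssociation(...)` states that intent. Both `catch (e)` blocks in `createAwsAuthData` drop the js-yaml error that the rethrown message summarises; `throw new Error(msg, { cause: e })` keeps it for diagnosis if the supported Node range allows `cause`. `validateAuthenticationMode` does not check the constraint the `AccessEntryType` docs state (EC2_LINUX/EC2_WINDOWS entries take no `kubernetesGroups` or `accessPolicies`), so such an entry is presumably rejected only by AWS at deploy time, whereas a check beside the existing property checks would fail at preview. This file is compiled output, so the fixes belong in `authenticationMode.ts`.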
@@ -0,0 +1 @@
1
+ {"version":3,"file":"authenticationMode.js","sourceRoot":"","sources":["../authenticationMode.ts"],"names":[],"mappings":";AAAA,2CAA2C;AAC3C,EAAE;AACF,kEAAkE;AAClE,mEAAmE;AACnE,0CAA0C;AAC1C,EAAE;AACF,iDAAiD;AACjD,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AACpE,2EAA2E;AAC3E,sEAAsE;AACtE,iCAAiC;;;AAEjC,mCAAmC;AACnC,yCAAyC;AAEzC,kCAAkC;AAGrB,QAAA,UAAU,GAAG,YAAY,CAAC;AAC1B,QAAA,kBAAkB,GAAG,oBAAoB,CAAC;AAC1C,QAAA,GAAG,GAAG,KAAK,CAAC;AAEzB,SAAgB,0BAA0B,CAAC,IAAoB;IAC3D,IACI,IAAI,CAAC,kBAAkB;QACvB,IAAI,CAAC,kBAAkB,KAAK,kBAAU;QACtC,IAAI,CAAC,kBAAkB,KAAK,0BAAkB;QAC9C,IAAI,CAAC,kBAAkB,KAAK,WAAG,EACjC;QACE,MAAM,IAAI,KAAK,CACX,yCAAyC,IAAI,CAAC,kBAAkB,yBAAyB,kBAAU,KAAK,0BAAkB,KAAK,WAAG,GAAG,CACxI,CAAC;KACL;IAED,MAAM,uBAAuB,GAA6B;QACtD,cAAc;QACd,cAAc;QACd,eAAe;KAClB,CAAC;IACF,MAAM,iBAAiB,GAA6B,CAAC,eAAe,CAAC,CAAC;IAEtE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE;QAC7C,uBAAuB,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YACrC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE;gBACZ,MAAM,IAAI,KAAK,CACX,QAAQ,IAAI,oEAAoE,IAAI,CAAC,kBAAkB,IAAI,CAC9G,CAAC;aACL;QACL,CAAC,CAAC,CAAC;KACN;IAED,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE;QACjD,iBAAiB,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YAC/B,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE;gBACZ,MAAM,QAAQ,GACV,IAAI,CAAC,kBAAkB,IAAI,IAAI;oBAC3B,CAAC,CAAC,WAAW,IAAI,CAAC,kBAAkB,GAAG;oBACvC,CAAC,CAAC,SAAS,CAAC;gBACpB,MAAM,IAAI,KAAK,CACX,QAAQ,IAAI,4DAA4D,QAAQ,GAAG,CACtF,CAAC;aACL;QACL,CAAC,CAAC,CAAC;KACN;AACL,CAAC;AA1CD,gEA0CC;AAED,SAAgB,iBAAiB,CAAC,kBAAsC;IACpE,mEAAmE;IACnE,OAAO,CACH,CAAC,kBAAkB;QACnB,kBAAkB,KAAK,kBAAU;QACjC,kBAAkB,KAAK,0BAAkB,CAC5C,CAAC;AACN,CAAC;AAPD,8CAOC;AAED,SAAgB,qBAAqB,CAAC,kBAAsC;IACxE,OAAO,kBAAkB,KAAK,WAAG,IAAI,kBAAkB,KAAK,0BAAkB,CAAC;AACnF,CAAC;AAFD,sDAEC;AAED;;;;;;;;GAQG;AACH,SAAgB,iBAAiB,CAC7B,aAA4C,EAC5C,YAAmE,EACnE,YAAmE;IAEnE,MAAM,oBAAoB,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CACvD,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAC3D,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM;SAClB,GAAG,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC
,EAAE,oBAAoB,CAAC,CAAC;SAC9D,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE,gBAAgB,CAAC,EAAE,EAAE;QACpC,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI;YACA,WAAW,GAAG,MAAM,CAAC,IAAI,CACrB,CAAC,GAAG,QAAQ,EAAE,GAAG,gBAAgB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC3C,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,CAAC,CAAC,MAAM;aACnB,CAAC,CAAC,CACN,CAAC;SACL;QAAC,OAAO,CAAC,EAAE;YACR,MAAM,IAAI,KAAK,CACX,oGAAoG,CACvG,CAAC;SACL;QACD,OAAO,WAAW,CAAC;IACvB,CAAC,CAAC,CAAC;IAEP,MAAM,cAAc,GAAQ;QACxB,QAAQ,EAAE,QAAQ;KACrB,CAAC;IACF,IAAI,YAAY,EAAE;QACd,cAAc,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE;YACrE,IAAI,WAAW,GAAG,EAAE,CAAC;YACrB,IAAI;gBACA,WAAW,GAAG,MAAM,CAAC,IAAI,CACrB,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACjB,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,MAAM,EAAE,CAAC,CAAC,MAAM;iBACnB,CAAC,CAAC,CACN,CAAC;aACL;YAAC,OAAO,CAAC,EAAE;gBACR,MAAM,IAAI,KAAK,CACX,oGAAoG,CACvG,CAAC;aACL;YACD,OAAO,WAAW,CAAC;QACvB,CAAC,CAAC,CAAC;KACN;IACD,OAAO,cAAc,CAAC;AAC1B,CAAC;AApDD,8CAoDC;AAED,SAAgB,mBAAmB,CAC/B,aAAqB,EACrB,WAAiC,EACjC,aAA6C,EAC7C,IAAkC;IAElC,OAAO,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,WAAW,CAAC,EAAE,EAAE;QAC7D,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,WAAW,CACjC,GAAG,aAAa,IAAI,IAAI,EAAE,kCAEnB,WAAW,KACd,WAAW,EACX,QAAQ,EAAE,WAAW,CAAC,QAAQ,KAElC,IAAI,CACP,CAAC;QAEF,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe,EAAE,WAAW,CAAC,EAAE,EAAE;YACpF,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACrD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,uBAAuB,CACzD,GAAG,aAAa,IAAI,IAAI,IAAI,eAAe,EAAE,EAC7C;gBACI,WAAW,EAAE,iBAAiB,CAAC,WAAW;gBAC1C,YAAY,EAAE,WAAW,CAAC,YAAY;gBACtC,SAAS,EAAE,iBAAiB,CAAC,SAAS;gBACtC,WAAW;aACd,kCAEM,IAAI,KACP,MAAM,EAAE,KAAK,EACb,SAAS,EAAE,CAAC,KAAK,CAAC,IAEzB,CAAC;QACN,CAAC,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACjB,CAAC,CAAC,CAAC;AACP,CAAC;AArCD,kDAqCC;AAED;;;GAGG;AACH,SAAS,yBAAyB,CAAC,GAAyB;IACxD,OAAO;QACH,OAAO,EAAE,GAAG;QACZ,QAAQ,EAAE,
mCAAmC;QAC7C,MAAM,EAAE,CAAC,sBAAsB,EAAE,cAAc,CAAC;KACnD,CAAC;AACN,CAAC"}
package/cluster.d.ts CHANGED
@@ -107,6 +107,7 @@ export interface CoreData {
107
107
  oidcProvider?: aws.iam.OpenIdConnectProvider;
108
108
  encryptionConfig?: pulumi.Output<aws.types.output.eks.ClusterEncryptionConfig>;
109
109
  clusterIamRole: pulumi.Output<aws.iam.Role>;
110
+ accessEntries?: pulumi.Output<aws.eks.AccessEntry[]>;
110
111
  }
111
112
  export interface ClusterCreationRoleProviderOptions {
112
113
  region?: pulumi.Input<aws.Region>;
@@ -231,10 +232,12 @@ export interface ClusterOptions {
231
232
  nodeAssociatePublicIpAddress?: boolean;
232
233
  /**
233
234
  * Optional mappings from AWS IAM roles to Kubernetes users and groups.
235
+ * Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
234
236
  */
235
237
  roleMappings?: pulumi.Input<pulumi.Input<RoleMapping>[]>;
236
238
  /**
237
239
  * Optional mappings from AWS IAM users to Kubernetes users and groups.
240
+ * Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
238
241
  */
239
242
  userMappings?: pulumi.Input<pulumi.Input<UserMapping>[]>;
240
243
  /**
@@ -274,6 +277,7 @@ export interface ClusterOptions {
274
277
  /**
275
278
  * This enables the advanced case of registering *many* IAM instance roles
276
279
  * with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.
280
+ * Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
277
281
  *
278
282
  * Note: options `instanceRole` and `instanceRoles` are mutually exclusive.
279
283
  */
@@ -541,6 +545,20 @@ export interface ClusterOptions {
541
545
  * a new cluster to be created.
542
546
  */
543
547
  ipFamily?: pulumi.Input<string>;
548
+ /**
549
+ * The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
550
+ * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
551
+ */
552
+ authenticationMode?: AuthenticationMode;
553
+ /**
554
+ * Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster.
555
+ * Access entries are only supported with authentication mode `API` or `API_AND_CONFIG_MAP`.
556
+ *
557
+ * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
558
+ */
559
+ accessEntries?: {
560
+ [key: string]: AccessEntry;
561
+ };
544
562
  }
545
563
  /**
546
564
  * FargateProfile defines how Kubernetes pods are executed in Fargate. See
@@ -568,6 +586,89 @@ export interface FargateProfile {
568
586
  */
569
587
  export interface ClusterNodeGroupOptions extends NodeGroupBaseOptions {
570
588
  }
589
+ export interface AccessEntry {
590
+ /**
591
+ * The IAM Principal ARN which requires Authentication access to the EKS cluster.
592
+ */
593
+ principalArn: pulumi.Input<string>;
594
+ /**
595
+ * Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
596
+ */
597
+ username?: pulumi.Input<string>;
598
+ /**
599
+ * A list of groups within Kubernetes to which the IAM principal is mapped to.
600
+ */
601
+ kubernetesGroups?: pulumi.Input<pulumi.Input<string>[]>;
602
+ /**
603
+ * The access policies to associate to the access entry.
604
+ */
605
+ accessPolicies?: {
606
+ [key: string]: pulumi.Input<AccessPolicyAssociation>;
607
+ };
608
+ /**
609
+ * The tags to apply to the AccessEntry.
610
+ */
611
+ tags?: InputTags;
612
+ /**
613
+ * The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS.
614
+ *
615
+ * Defaults to STANDARD which provides the standard workflow. EC2_LINUX and EC2_WINDOWS types disallow users
616
+ * to input a kubernetesGroup, and prevent associating access policies..
617
+ */
618
+ type?: pulumi.Input<AccessEntryType>;
619
+ }
620
+ export interface AccessPolicyAssociation {
621
+ /**
622
+ * The ARN of the access policy to associate with the principal
623
+ */
624
+ policyArn: pulumi.Input<string>;
625
+ /**
626
+ * The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace.
627
+ */
628
+ accessScope: aws.types.input.eks.AccessPolicyAssociationAccessScope;
629
+ }
630
+ export declare const AuthenticationMode: {
631
+ /**
632
+ * Only Access Entries will be used for authenticating to the Kubernetes API.
633
+ */
634
+ readonly API: "API";
635
+ /**
636
+ * Only aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
637
+ */
638
+ readonly CONFIG_MAP: "CONFIG_MAP";
639
+ /**
640
+ * Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
641
+ */
642
+ readonly API_AND_CONFIG_MAP: "API_AND_CONFIG_MAP";
643
+ };
644
+ /**
645
+ * The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
646
+ * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
647
+ */
648
+ export type AuthenticationMode = (typeof AuthenticationMode)[keyof typeof AuthenticationMode];
649
+ export declare const AccessEntryType: {
650
+ /**
651
+ * Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
652
+ */
653
+ readonly STANDARD: "STANDARD";
654
+ /**
655
+ * For IAM roles used with AWS Fargate profiles.
656
+ */
657
+ readonly FARGATE_LINUX: "FARGATE_LINUX";
658
+ /**
659
+ * For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
660
+ */
661
+ readonly EC2_LINUX: "EC2_LINUX";
662
+ /**
663
+ * For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
664
+ */
665
+ readonly EC2_WINDOWS: "EC2_WINDOWS";
666
+ };
667
+ /**
668
+ * The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
669
+ * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
670
+ */
671
+ export type AccessEntryType = (typeof AccessEntryType)[keyof typeof AccessEntryType];
571
672
  /**
572
673
  * Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker
573
674
  * nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
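Review bot: The TSDoc on the `AccessEntryType` alias at the end of the last hunk is a copy of the `AuthenticationMode` text and describes the wrong type; it should read something like `The type of an access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX or EC2_WINDOWS.` with the access-entries link already used on `accessEntries`. The three doc comments containing `See for more details:\nhttps://...` carry a literal backslash-n, so the URL is glued to the sentence in rendered docs; a real line break is what was intended. The constraint stated in the `AccessEntryType` comment (EC2_LINUX and EC2_WINDOWS disallow `kubernetesGroups` and access policies) is documented only on the enum; repeating it on the `kubernetesGroups` and `accessPolicies` fields of `AccessEntry` would put it where users read it, e.g. `Not supported for entries of type EC2_LINUX or EC2_WINDOWS.`.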
package/cluster.js CHANGED
@@ -22,7 +22,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
22
22
  });
23
23
  };
24
24
  Object.defineProperty(exports, "__esModule", { value: true });
25
- exports.ClusterInternal = exports.createCluster = exports.Cluster = exports.createCore = exports.getRoleProvider = exports.ClusterCreationRoleProvider = exports.generateKubeconfig = void 0;
25
+ exports.ClusterInternal = exports.createCluster = exports.Cluster = exports.AccessEntryType = exports.AuthenticationMode = exports.createCore = exports.getRoleProvider = exports.ClusterCreationRoleProvider = exports.generateKubeconfig = void 0;
26
26
  const aws = require("@pulumi/aws");
27
27
  const k8s = require("@pulumi/kubernetes");
28
28
  const pulumi = require("@pulumi/pulumi");
@@ -30,10 +30,10 @@ const childProcess = require("child_process");
30
30
  const fs = require("fs");
31
31
  const https = require("https");
32
32
  const HttpsProxyAgent = require("https-proxy-agent");
33
- const jsyaml = require("js-yaml");
34
33
  const process = require("process");
35
34
  const tmp = require("tmp");
36
35
  const url = require("url");
36
+ const authenticationMode_1 = require("./authenticationMode");
37
37
  const cert_thumprint_1 = require("./cert-thumprint");
38
38
  const cni_1 = require("./cni");
39
39
  const dashboard_1 = require("./dashboard");
@@ -206,6 +206,7 @@ function createCore(name, args, parent, provider) {
206
206
  // Check to ensure that a compatible kubectl is installed, as we'll need it in order to deploy
207
207
  // k8s resources later.
208
208
  (0, dependencies_1.assertCompatibleKubectlVersionExists)();
209
+ (0, authenticationMode_1.validateAuthenticationMode)(args);
209
210
  if (args.instanceRole && args.instanceRoles) {
210
211
  throw new Error("instanceRole and instanceRoles are mutually exclusive, and cannot both be set.");
211
212
  }
@@ -346,6 +347,15 @@ function createCore(name, args, parent, provider) {
346
347
  tags: pulumi.all([args.tags, args.clusterTags]).apply(([tags, clusterTags]) => (Object.assign(Object.assign({ Name: `${name}-eksCluster` }, clusterTags), tags))),
347
348
  encryptionConfig,
348
349
  kubernetesNetworkConfig,
350
+ accessConfig: args.authenticationMode
351
+ ? {
352
+ authenticationMode: args.authenticationMode,
353
+ // Explicitely grants the principal creating the cluster admin access to the cluster.
354
+ // This is the default behavior of EKS when no accessConfig is provided.
355
+ // It is required for this component because it deploys charts to the cluster.
356
+ bootstrapClusterCreatorAdminPermissions: true,
357
+ }
358
+ : undefined,
349
359
  }, {
350
360
  parent,
351
361
  provider: args.creationRoleProvider ? args.creationRoleProvider.provider : provider,
@@ -450,13 +460,10 @@ function createCore(name, args, parent, provider) {
450
460
  if (!args.useDefaultVpcCni) {
451
461
  vpcCni = new cni_1.VpcCni(`${name}-vpc-cni`, kubeconfig.apply(JSON.stringify), args.vpcCniOptions, { parent });
452
462
  }
453
- let instanceRoleMappings;
454
463
  let instanceRoles;
464
+ let defaultInstanceRole;
455
465
  // Create role mappings of the instance roles specified for aws-auth.
456
466
  if (args.instanceRoles) {
457
- instanceRoleMappings = pulumi
458
- .output(args.instanceRoles)
459
- .apply((roles) => roles.map((role) => createInstanceRoleMapping(role.arn)));
460
467
  instanceRoles = pulumi.output(args.instanceRoles);
461
468
  }
462
469
  else if (args.instanceRole) {
@@ -464,10 +471,8 @@ function createCore(name, args, parent, provider) {
464
471
  if (!skipDefaultNodeGroup) {
465
472
  nodeGroupOptions.instanceProfile = createOrGetInstanceProfile(name, parent, args.instanceRole, args.instanceProfileName);
466
473
  }
467
- instanceRoleMappings = pulumi
468
- .output(args.instanceRole)
469
- .apply((instanceRole) => [createInstanceRoleMapping(instanceRole.arn)]);
470
474
  instanceRoles = pulumi.output([args.instanceRole]);
475
+ defaultInstanceRole = pulumi.output(args.instanceRole);
471
476
  }
472
477
  else {
473
478
  const instanceRole = new servicerole_1.ServiceRole(`${name}-instanceRole`, {
@@ -487,6 +492,7 @@ function createCore(name, args, parent, provider) {
487
492
  },
488
493
  ],
489
494
  }, { parent, provider }).role;
495
+ defaultInstanceRole = instanceRole;
490
496
  instanceRoles = pulumi.output([instanceRole]);
491
497
  // Create a new policy for the role, if specified.
492
498
  if (args.customInstanceRolePolicy) {
@@ -500,57 +506,44 @@ function createCore(name, args, parent, provider) {
500
506
  if (!skipDefaultNodeGroup) {
501
507
  nodeGroupOptions.instanceProfile = createOrGetInstanceProfile(name, parent, instanceRole, args.instanceProfileName);
502
508
  }
503
- instanceRoleMappings = pulumi
504
- .output(instanceRole)
505
- .apply((role) => [createInstanceRoleMapping(role.arn)]);
506
- }
507
- const roleMappings = pulumi
508
- .all([pulumi.output(args.roleMappings || []), instanceRoleMappings])
509
- .apply(([mappings, instanceMappings]) => {
510
- let mappingYaml = "";
511
- try {
512
- mappingYaml = jsyaml.dump([...mappings, ...instanceMappings].map((m) => ({
513
- rolearn: m.roleArn,
514
- username: m.username,
515
- groups: m.groups,
516
- })));
517
- }
518
- catch (e) {
519
- throw new Error(`The IAM role mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap`);
520
- }
521
- return mappingYaml;
522
- });
523
- const nodeAccessData = {
524
- mapRoles: roleMappings,
525
- };
526
- if (args.userMappings) {
527
- nodeAccessData.mapUsers = pulumi.output(args.userMappings).apply((mappings) => {
528
- let mappingYaml = "";
529
- try {
530
- mappingYaml = jsyaml.dump(mappings.map((m) => ({
531
- userarn: m.userArn,
532
- username: m.username,
533
- groups: m.groups,
534
- })));
535
- }
536
- catch (e) {
537
- throw new Error(`The IAM user mappings provided could not be properly serialized to YAML for the aws-auth ConfigMap`);
538
- }
539
- return mappingYaml;
540
- });
541
509
  }
542
- const eksNodeAccess = new k8s.core.v1.ConfigMap(`${name}-nodeAccess`, {
543
- apiVersion: "v1",
544
- immutable: false,
545
- metadata: {
546
- name: `aws-auth`,
547
- namespace: "kube-system",
548
- annotations: {
549
- "pulumi.com/patchForce": "true",
510
+ let eksNodeAccess = undefined;
511
+ if ((0, authenticationMode_1.supportsConfigMap)(args.authenticationMode)) {
512
+ // Create the aws-auth ConfigMap if the authentication mode supports it. This maps instance roles, regular IAM roles, and IAM users to
513
+ // Kubernetes RBAC users and groups.
514
+ const nodeAccessData = (0, authenticationMode_1.createAwsAuthData)(instanceRoles, args.roleMappings, args.userMappings);
515
+ eksNodeAccess = new k8s.core.v1.ConfigMap(`${name}-nodeAccess`, {
516
+ apiVersion: "v1",
517
+ immutable: false,
518
+ metadata: {
519
+ name: `aws-auth`,
520
+ namespace: "kube-system",
521
+ annotations: {
522
+ "pulumi.com/patchForce": "true",
523
+ },
550
524
  },
551
- },
552
- data: nodeAccessData,
553
- }, { parent, provider: k8sProvider });
525
+ data: nodeAccessData,
526
+ }, { parent, provider: k8sProvider });
527
+ }
528
+ // Create the access entries if the authentication mode supports it.
529
+ let accessEntries = undefined;
530
+ if ((0, authenticationMode_1.supportsAccessEntries)(args.authenticationMode)) {
531
+ let createdAccessEntries = [];
532
+ // This additionally maps the defaultInstanceRole to a EC2_LINUX access entry which allows the nodes to register & communicate with the EKS control plane.
533
+ if (defaultInstanceRole) {
534
+ createdAccessEntries = (0, authenticationMode_1.createAccessEntries)(name, eksCluster.name, {
535
+ defaultNodeGroupInstanceRole: {
536
+ principalArn: defaultInstanceRole.arn,
537
+ type: exports.AccessEntryType.EC2_LINUX,
538
+ },
539
+ }, { parent, provider });
540
+ }
541
+ createdAccessEntries = createdAccessEntries.concat((0, authenticationMode_1.createAccessEntries)(name, eksCluster.name, args.accessEntries || {}, {
542
+ parent,
543
+ provider,
544
+ }));
545
+ accessEntries = pulumi.output(createdAccessEntries);
546
+ }
554
547
  const fargateProfile = pulumi
555
548
  .output(args.fargate)
556
549
  .apply((argsFargate) => {
@@ -597,7 +590,7 @@ function createCore(name, args, parent, provider) {
597
590
  return (0, nodegroup_1.computeWorkerSubnets)(parent, subnets);
598
591
  }
599
592
  }),
600
- }, { parent, dependsOn: [eksNodeAccess], provider });
593
+ }, { parent, dependsOn: eksNodeAccess ? [eksNodeAccess] : undefined, provider });
601
594
  // Once the FargateProfile has been created, try to patch/remove the CoreDNS computeType annotation. See
602
595
  // https://docs.aws.amazon.com/eks/latest/userguide/fargate-getting-started.html#fargate-gs-coredns.
603
596
  pulumi.all([result.id, selectors, kubeconfig]).apply(([_, sels, kconfig]) => {
@@ -680,20 +673,10 @@ function createCore(name, args, parent, provider) {
680
673
  oidcProvider: oidcProvider,
681
674
  encryptionConfig: encryptionConfig,
682
675
  clusterIamRole: eksRole,
676
+ accessEntries: accessEntries,
683
677
  };
684
678
  }
685
679
  exports.createCore = createCore;
686
- /**
687
- * Enable access to the EKS cluster for worker nodes, by creating an
688
- * instance role mapping to the k8s username and groups of aws-auth.
689
- */
690
- function createInstanceRoleMapping(arn) {
691
- return {
692
- roleArn: arn,
693
- username: "system:node:{{EC2PrivateDNSName}}",
694
- groups: ["system:bootstrappers", "system:nodes"],
695
- };
696
- }
697
680
  /**
698
681
  * Create an HTTP Agent for use with HTTP(S) requests.
699
682
  * Using a proxy is supported.
@@ -732,6 +715,40 @@ function createHttpAgent(proxy) {
732
715
  maxCachedSessions: 0,
733
716
  });
734
717
  }
718
+ /* tslint:disable-next-line */ // Generating the enum object for AuthenticationMode like codegen does
719
+ exports.AuthenticationMode = {
720
+ /**
721
+ * Only Access Entries will be used for authenticating to the Kubernetes API.
722
+ */
723
+ API: "API",
724
+ /**
725
+ * Only aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
726
+ */
727
+ CONFIG_MAP: "CONFIG_MAP",
728
+ /**
729
+ * Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
730
+ */
731
+ API_AND_CONFIG_MAP: "API_AND_CONFIG_MAP",
732
+ };
733
+ /* tslint:disable-next-line */ // Generating the enum object for AccessEntryType like codegen does
734
+ exports.AccessEntryType = {
735
+ /**
736
+ * Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
737
+ */
738
+ STANDARD: "STANDARD",
739
+ /**
740
+ * For IAM roles used with AWS Fargate profiles.
741
+ */
742
+ FARGATE_LINUX: "FARGATE_LINUX",
743
+ /**
744
+ * For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
745
+ */
746
+ EC2_LINUX: "EC2_LINUX",
747
+ /**
748
+ * For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
749
+ */
750
+ EC2_WINDOWS: "EC2_WINDOWS",
751
+ };
735
752
  /**
736
753
  * Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker
737
754
  * nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
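Review bot: In the `supportsAccessEntries` branch of `createCore` the default instance role entry is created under the fixed key `defaultNodeGroupInstanceRole` and `args.accessEntries` is then passed to `createAccessEntries` with the same `name` prefix, so a user entry with that key yields a second `aws.eks.AccessEntry` named `${name}-defaultNodeGroupInstanceRole` and a duplicate resource name; `validateAuthenticationMode` could reject that key, or the built-in entry could use a prefix callers cannot collide with. The `accessConfig` block hard-codes `bootstrapClusterCreatorAdminPermissions: true`, and since the cluster is created with `args.creationRoleProvider.provider` when one is given, the principal that appears to receive that standing cluster-admin grant is the creation role rather than the operator's identity; the comment should say so, e.g. `// When creationRoleProvider is set, the creation role is the principal that keeps cluster-admin.`. The same comment has a typo, `Explicitely` → `Explicitly`. As a style point only, `let createdAccessEntries = []; ... concat(...)` reads more directly as a single spread of the two `createAccessEntries` results.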