@pulumi/eks 2.8.1 → 3.0.0-alpha.6

Files changed (125)
  1. package/addon.d.ts +61 -13
  2. package/addon.js +45 -18
  3. package/addon.js.map +1 -1
  4. package/cluster.d.ts +291 -585
  5. package/cluster.js +120 -947
  6. package/cluster.js.map +1 -1
  7. package/clusterCreationRoleProvider.d.ts +28 -0
  8. package/clusterCreationRoleProvider.js +47 -0
  9. package/clusterCreationRoleProvider.js.map +1 -0
  10. package/clusterMixins.d.ts +71 -0
  11. package/clusterMixins.js +107 -0
  12. package/clusterMixins.js.map +1 -0
  13. package/index.d.ts +31 -7
  14. package/index.js +80 -34
  15. package/index.js.map +1 -1
  16. package/managedNodeGroup.d.ts +221 -0
  17. package/managedNodeGroup.js +81 -0
  18. package/managedNodeGroup.js.map +1 -0
  19. package/nodeGroup.d.ts +273 -0
  20. package/nodeGroup.js +93 -0
  21. package/nodeGroup.js.map +1 -0
  22. package/nodeGroupSecurityGroup.d.ts +51 -0
  23. package/nodeGroupSecurityGroup.js +60 -0
  24. package/nodeGroupSecurityGroup.js.map +1 -0
  25. package/nodeGroupV2.d.ts +280 -0
  26. package/nodeGroupV2.js +90 -0
  27. package/nodeGroupV2.js.map +1 -0
  28. package/nodegroupMixins.d.ts +203 -0
  29. package/{securitygroup.js → nodegroupMixins.js} +25 -36
  30. package/nodegroupMixins.js.map +1 -0
  31. package/package.json +8 -36
  32. package/provider.d.ts +21 -0
  33. package/provider.js +38 -0
  34. package/provider.js.map +1 -0
  35. package/{storageclass.js → storageclassMixins.js} +1 -14
  36. package/storageclassMixins.js.map +1 -0
  37. package/types/enums/index.d.ts +170 -0
  38. package/types/enums/index.js +145 -0
  39. package/types/enums/index.js.map +1 -0
  40. package/types/index.d.ts +4 -0
  41. package/types/index.js +13 -0
  42. package/types/index.js.map +1 -0
  43. package/types/input.d.ts +745 -0
  44. package/types/input.js +30 -0
  45. package/types/input.js.map +1 -0
  46. package/types/output.d.ts +422 -0
  47. package/types/output.js +5 -0
  48. package/types/output.js.map +1 -0
  49. package/utilities.d.ts +8 -1
  50. package/utilities.js +90 -17
  51. package/utilities.js.map +1 -1
  52. package/vpcCniAddon.d.ts +175 -0
  53. package/vpcCniAddon.js +88 -0
  54. package/vpcCniAddon.js.map +1 -0
  55. package/LICENSE +0 -202
  56. package/README.md +0 -77
  57. package/authenticationMode.d.ts +0 -24
  58. package/authenticationMode.js +0 -172
  59. package/authenticationMode.js.map +0 -1
  60. package/authenticationMode.test.d.ts +0 -1
  61. package/authenticationMode.test.js +0 -208
  62. package/authenticationMode.test.js.map +0 -1
  63. package/cert-thumprint.d.ts +0 -16
  64. package/cert-thumprint.js +0 -113
  65. package/cert-thumprint.js.map +0 -1
  66. package/cmd/provider/addon.d.ts +0 -1
  67. package/cmd/provider/addon.js +0 -40
  68. package/cmd/provider/addon.js.map +0 -1
  69. package/cmd/provider/cluster.d.ts +0 -1
  70. package/cmd/provider/cluster.js +0 -71
  71. package/cmd/provider/cluster.js.map +0 -1
  72. package/cmd/provider/cni.d.ts +0 -2
  73. package/cmd/provider/cni.js +0 -291
  74. package/cmd/provider/cni.js.map +0 -1
  75. package/cmd/provider/index.d.ts +0 -1
  76. package/cmd/provider/index.js +0 -171
  77. package/cmd/provider/index.js.map +0 -1
  78. package/cmd/provider/nodegroup.d.ts +0 -1
  79. package/cmd/provider/nodegroup.js +0 -89
  80. package/cmd/provider/nodegroup.js.map +0 -1
  81. package/cmd/provider/randomSuffix.d.ts +0 -1
  82. package/cmd/provider/randomSuffix.js +0 -52
  83. package/cmd/provider/randomSuffix.js.map +0 -1
  84. package/cmd/provider/schema.json +0 -1909
  85. package/cmd/provider/securitygroup.d.ts +0 -1
  86. package/cmd/provider/securitygroup.js +0 -41
  87. package/cmd/provider/securitygroup.js.map +0 -1
  88. package/cni/README.md +0 -6
  89. package/cni/aws-k8s-cni.yaml +0 -602
  90. package/cni.d.ts +0 -177
  91. package/cni.js +0 -64
  92. package/cni.js.map +0 -1
  93. package/dashboard/heapster-rbac.yaml +0 -12
  94. package/dashboard/heapster.yaml +0 -46
  95. package/dashboard/influxdb.yaml +0 -40
  96. package/dashboard/kubernetes-dashboard.yaml +0 -167
  97. package/dashboard.d.ts +0 -5
  98. package/dashboard.js +0 -58
  99. package/dashboard.js.map +0 -1
  100. package/dependencies.d.ts +0 -2
  101. package/dependencies.js +0 -81
  102. package/dependencies.js.map +0 -1
  103. package/dependencies.test.d.ts +0 -1
  104. package/dependencies.test.js +0 -133
  105. package/dependencies.test.js.map +0 -1
  106. package/nodegroup.d.ts +0 -515
  107. package/nodegroup.js +0 -1152
  108. package/nodegroup.js.map +0 -1
  109. package/nodegroup.test.d.ts +0 -1
  110. package/nodegroup.test.js +0 -336
  111. package/nodegroup.test.js.map +0 -1
  112. package/package.json.dev +0 -67
  113. package/randomSuffix.d.ts +0 -1
  114. package/randomSuffix.js +0 -51
  115. package/randomSuffix.js.map +0 -1
  116. package/securitygroup.d.ts +0 -52
  117. package/securitygroup.js.map +0 -1
  118. package/servicerole.d.ts +0 -43
  119. package/servicerole.js +0 -72
  120. package/servicerole.js.map +0 -1
  121. package/storageclass.js.map +0 -1
  122. package/utils.d.ts +0 -23
  123. package/utils.js +0 -16
  124. package/utils.js.map +0 -1
  125. /package/{storageclass.d.ts → storageclassMixins.d.ts} +0 -0
package/cluster.d.ts CHANGED
@@ -1,489 +1,352 @@
1
- import * as aws from "@pulumi/aws";
2
- import * as k8s from "@pulumi/kubernetes";
3
1
  import * as pulumi from "@pulumi/pulumi";
4
- import { VpcCni, VpcCniOptions } from "./cni";
5
- import { NodeGroup, NodeGroupBaseOptions, NodeGroupData } from "./nodegroup";
6
- import { EBSVolumeType, StorageClass } from "./storageclass";
7
- import { InputTags, UserStorageClasses } from "./utils";
2
+ import * as inputs from "./types/input";
3
+ import * as outputs from "./types/output";
4
+ import * as enums from "./types/enums";
5
+ import * as pulumiAws from "@pulumi/aws";
8
6
  /**
9
- * RoleMapping describes a mapping from an AWS IAM role to a Kubernetes user and groups.
7
+ * Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
8
+ *
9
+ * ## Example Usage
10
+ *
11
+ * ### Provisioning a New EKS Cluster
12
+ *
13
+ * <!--Start PulumiCodeChooser -->
14
+ * ```typescript
15
+ * import * as pulumi from "@pulumi/pulumi";
16
+ * import * as eks from "@pulumi/eks";
17
+ *
18
+ * // Create an EKS cluster with the default configuration.
19
+ * const cluster = new eks.Cluster("cluster", {});
20
+ *
21
+ * // Export the cluster's kubeconfig.
22
+ * export const kubeconfig = cluster.kubeconfig;
23
+ * ```
24
+ * <!--End PulumiCodeChooser -->
10
25
  */
11
- export interface RoleMapping {
26
+ export declare class Cluster extends pulumi.ComponentResource {
12
27
  /**
13
- * The ARN of the IAM role to add.
28
+ * Returns true if the given object is an instance of Cluster. This is designed to work even
29
+ * when multiple copies of the Pulumi SDK have been loaded into the same process.
14
30
  */
15
- roleArn: pulumi.Input<aws.ARN>;
31
+ static isInstance(obj: any): obj is Cluster;
16
32
  /**
17
- * The user name within Kubernetes to map to the IAM role. By default, the user name is the ARN of the IAM role.
33
+ * The AWS resource provider.
18
34
  */
19
- username: pulumi.Input<string>;
35
+ readonly awsProvider: pulumi.Output<pulumiAws.Provider>;
20
36
  /**
21
- * A list of groups within Kubernetes to which the role is mapped.
37
+ * The security group for the EKS cluster.
22
38
  */
23
- groups: pulumi.Input<pulumi.Input<string>[]>;
24
- }
25
- /**
26
- * UserMapping describes a mapping from an AWS IAM user to a Kubernetes user and groups.
27
- */
28
- export interface UserMapping {
39
+ readonly clusterSecurityGroup: pulumi.Output<pulumiAws.ec2.SecurityGroup>;
29
40
  /**
30
- * The ARN of the IAM user to add.
41
+ * The EKS cluster and its dependencies.
31
42
  */
32
- userArn: pulumi.Input<aws.ARN>;
43
+ readonly core: pulumi.Output<outputs.CoreData>;
33
44
  /**
34
- * The user name within Kubernetes to map to the IAM user. By default, the user name is the ARN of the IAM user.
45
+ * The default Node Group configuration, or undefined if `skipDefaultNodeGroup` was specified.
35
46
  */
36
- username: pulumi.Input<string>;
47
+ readonly defaultNodeGroup: pulumi.Output<outputs.NodeGroupData | undefined>;
37
48
  /**
38
- * A list of groups within Kubernetes to which the user is mapped to.
49
+ * The EKS cluster.
39
50
  */
40
- groups: pulumi.Input<pulumi.Input<string>[]>;
41
- }
42
- /**
43
- * CreationRoleProvider is a component containing the AWS Role and Provider necessary to override the `[system:master]`
44
- * entity ARN. This is an optional argument used in `ClusterOptions`. Read more: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
45
- */
46
- export interface CreationRoleProvider {
47
- role: aws.iam.Role;
48
- provider: pulumi.ProviderResource;
49
- }
50
- /**
51
- * KubeconfigOptions represents the AWS credentials to scope a given kubeconfig
52
- * when using a non-default credential chain.
53
- *
54
- * The options can be used independently, or additively.
55
- *
56
- * A scoped kubeconfig is necessary for certain auth scenarios. For example:
57
- * 1. Assume a role on the default account caller,
58
- * 2. Use an AWS creds profile instead of the default account caller,
59
- * 3. Use an AWS creds creds profile instead of the default account caller,
60
- * and then assume a given role on the profile. This scenario is also
61
- * possible by only using a profile, iff the profile includes a role to
62
- * assume in its settings.
63
- *
64
- * See for more details:
65
- * - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
66
- * - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
67
- * - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
68
- */
69
- export interface KubeconfigOptions {
51
+ readonly eksCluster: pulumi.Output<pulumiAws.eks.Cluster>;
70
52
  /**
71
- * Role ARN to assume instead of the default AWS credential provider chain.
72
- *
73
- * The role is passed to kubeconfig as an authentication exec argument.
53
+ * The ingress rule that gives node group access to cluster API server.
74
54
  */
75
- roleArn?: pulumi.Input<aws.ARN>;
55
+ readonly eksClusterIngressRule: pulumi.Output<pulumiAws.ec2.SecurityGroupRule>;
76
56
  /**
77
- * AWS credential profile name to always use instead of the
78
- * default AWS credential provider chain.
79
- *
80
- * The profile is passed to kubeconfig as an authentication environment
81
- * setting.
57
+ * The service roles used by the EKS cluster. Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
82
58
  */
83
- profileName?: pulumi.Input<string>;
84
- }
85
- /**
86
- * CoreData defines the core set of data associated with an EKS cluster, including the network in which it runs.
87
- */
88
- export interface CoreData {
89
- cluster: aws.eks.Cluster;
90
- vpcId: pulumi.Output<string>;
91
- subnetIds: pulumi.Output<string[]>;
92
- endpoint: pulumi.Output<string>;
93
- clusterSecurityGroup: aws.ec2.SecurityGroup;
94
- provider: k8s.Provider;
95
- instanceRoles: pulumi.Output<aws.iam.Role[]>;
96
- nodeGroupOptions: ClusterNodeGroupOptions;
97
- awsProvider?: pulumi.ProviderResource;
98
- publicSubnetIds?: pulumi.Output<string[]>;
99
- privateSubnetIds?: pulumi.Output<string[]>;
100
- eksNodeAccess?: k8s.core.v1.ConfigMap;
101
- storageClasses?: UserStorageClasses;
102
- kubeconfig?: pulumi.Output<any>;
103
- vpcCni?: VpcCni;
104
- tags?: InputTags;
105
- nodeSecurityGroupTags?: InputTags;
106
- fargateProfile: pulumi.Output<aws.eks.FargateProfile | undefined>;
107
- oidcProvider?: aws.iam.OpenIdConnectProvider;
108
- encryptionConfig?: pulumi.Output<aws.types.output.eks.ClusterEncryptionConfig>;
109
- clusterIamRole: pulumi.Output<aws.iam.Role>;
110
- accessEntries?: pulumi.Output<aws.eks.AccessEntry[]>;
111
- }
112
- export interface ClusterCreationRoleProviderOptions {
113
- region?: pulumi.Input<aws.Region>;
114
- profile?: pulumi.Input<string>;
115
- }
116
- /**
117
- * ClusterCreationRoleProvider is a component that wraps creating a role provider that can be passed to
118
- * `new eks.Cluster("test", { creationRoleProvider: ... })`. This can be used to provide a
119
- * specific role to use for the creation of the EKS cluster different from the role being used
120
- * to run the Pulumi deployment.
121
- */
122
- export declare class ClusterCreationRoleProvider extends pulumi.ComponentResource implements CreationRoleProvider {
123
- readonly role: aws.iam.Role;
124
- readonly provider: pulumi.ProviderResource;
59
+ readonly instanceRoles: pulumi.Output<pulumiAws.iam.Role[]>;
125
60
  /**
126
- * Creates a role provider that can be passed to `new eks.Cluster("test", { creationRoleProvider: ... })`.
127
- * This can be used to provide a specific role to use for the creation of the EKS cluster different from
128
- * the role being used to run the Pulumi deployment.
129
- *
130
- * @param name The _unique_ name of this component.
131
- * @param args The arguments for this component.
132
- * @param opts A bag of options that control this component's behavior.
61
+ * A kubeconfig that can be used to connect to the EKS cluster.
133
62
  */
134
- constructor(name: string, args: ClusterCreationRoleProviderOptions, opts?: pulumi.ComponentResourceOptions);
135
- }
136
- /**
137
- * getRoleProvider creates a role provider that can be passed to `new eks.Cluster("test", {
138
- * creationRoleProvider: ... })`. This can be used to provide a specific role to use for the
139
- * creation of the EKS cluster different from the role being used to run the Pulumi deployment.
140
- */
141
- export declare function getRoleProvider(name: string, region?: pulumi.Input<aws.Region>, profile?: pulumi.Input<string>, parent?: pulumi.ComponentResource, provider?: pulumi.ProviderResource): CreationRoleProvider;
142
- /**
143
- * Create the core components and settings required for the EKS cluster.
144
- */
145
- export declare function createCore(name: string, rawArgs: ClusterOptions, parent: pulumi.ComponentResource, provider?: pulumi.ProviderResource): CoreData;
146
- /**
147
- * ClusterOptions describes the configuration options accepted by an EKSCluster component.
148
- */
149
- export interface ClusterOptions {
63
+ readonly kubeconfig: pulumi.Output<any>;
150
64
  /**
151
- * The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the
152
- * default VPC.
65
+ * A kubeconfig that can be used to connect to the EKS cluster as a JSON string.
153
66
  */
154
- vpcId?: pulumi.Input<string>;
67
+ readonly kubeconfigJson: pulumi.Output<string>;
155
68
  /**
156
- * The set of all subnets, public and private, to use for the worker node
157
- * groups on the EKS cluster. These subnets are automatically tagged by EKS
158
- * for Kubernetes purposes.
159
- *
160
- * If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
161
- *
162
- * If the list of subnets includes both public and private subnets, the worker
163
- * nodes will only be attached to the private subnets, and the public
164
- * subnets will be used for internet-facing load balancers.
165
- *
166
- * See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.
167
- *
168
- * Note: The use of `subnetIds`, along with `publicSubnetIds`
169
- * and/or `privateSubnetIds` is mutually exclusive. The use of
170
- * `publicSubnetIds` and `privateSubnetIds` is encouraged.
69
+ * The security group for the cluster's nodes.
171
70
  */
172
- subnetIds?: pulumi.Input<pulumi.Input<string>[]>;
71
+ readonly nodeSecurityGroup: pulumi.Output<pulumiAws.ec2.SecurityGroup>;
173
72
  /**
174
- * The set of public subnets to use for the worker node groups on the EKS cluster.
175
- * These subnets are automatically tagged by EKS for Kubernetes purposes.
176
- *
177
- * If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
178
- *
179
- * Worker network architecture options:
180
- * - Private-only: Only set `privateSubnetIds`.
181
- * - Default workers to run in a private subnet. In this setting, Kubernetes
182
- * cannot create public, internet-facing load balancers for your pods.
183
- * - Public-only: Only set `publicSubnetIds`.
184
- * - Default workers to run in a public subnet.
185
- * - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.
186
- * - Default all worker nodes to run in private subnets, and use the public subnets
187
- * for internet-facing load balancers.
188
- *
189
- * See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.
73
+ * Create a Cluster resource with the given unique name, arguments, and options.
190
74
  *
191
- * Note: The use of `subnetIds`, along with `publicSubnetIds`
192
- * and/or `privateSubnetIds` is mutually exclusive. The use of
193
- * `publicSubnetIds` and `privateSubnetIds` is encouraged.
75
+ * @param name The _unique_ name of the resource.
76
+ * @param args The arguments to use to populate this resource's properties.
77
+ * @param opts A bag of options that control this resource's behavior.
194
78
  */
195
- publicSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
79
+ constructor(name: string, args?: ClusterArgs, opts?: pulumi.ComponentResourceOptions);
196
80
  /**
197
- * The set of private subnets to use for the worker node groups on the EKS cluster.
198
- * These subnets are automatically tagged by EKS for Kubernetes purposes.
199
- *
200
- * If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
81
+ * Generate a kubeconfig for cluster authentication that does not use the default AWS credential provider chain, and instead is scoped to the supported options in `KubeconfigOptions`.
201
82
  *
202
- * Worker network architecture options:
203
- * - Private-only: Only set `privateSubnetIds`.
204
- * - Default workers to run in a private subnet. In this setting, Kubernetes
205
- * cannot create public, internet-facing load balancers for your pods.
206
- * - Public-only: Only set `publicSubnetIds`.
207
- * - Default workers to run in a public subnet.
208
- * - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.
209
- * - Default all worker nodes to run in private subnets, and use the public subnets
210
- * for internet-facing load balancers.
83
+ * The kubeconfig generated is automatically stringified for ease of use with the pulumi/kubernetes provider.
211
84
  *
212
- * See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.
213
- *
214
- * Note: The use of `subnetIds`, along with `publicSubnetIds`
215
- * and/or `privateSubnetIds` is mutually exclusive. The use of
216
- * `publicSubnetIds` and `privateSubnetIds` is encouraged.
217
- *
218
- * Also consider setting `nodeAssociatePublicIpAddress: false` for
219
- * fully private workers.
220
- */
221
- privateSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
222
- /**
223
- * The common configuration settings for NodeGroups.
85
+ * See for more details:
86
+ * - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
87
+ * - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
88
+ * - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
224
89
  */
225
- nodeGroupOptions?: ClusterNodeGroupOptions;
90
+ getKubeconfig(args?: Cluster.GetKubeconfigArgs): pulumi.Output<Cluster.GetKubeconfigResult>;
91
+ }
92
+ /**
93
+ * The set of arguments for constructing a Cluster resource.
94
+ */
95
+ export interface ClusterArgs {
226
96
  /**
227
- * Whether or not to auto-assign the EKS worker nodes public IP addresses.
228
- * If this toggle is set to true, the EKS workers will be
229
- * auto-assigned public IPs. If false, they will not be auto-assigned
230
- * public IPs.
97
+ * Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster. Access entries are only supported with authentication mode `API` or `API_AND_CONFIG_MAP`.
98
+ *
99
+ * See for more details:
100
+ * https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
231
101
  */
232
- nodeAssociatePublicIpAddress?: boolean;
102
+ accessEntries?: {
103
+ [key: string]: inputs.AccessEntryArgs;
104
+ };
233
105
  /**
234
- * Optional mappings from AWS IAM roles to Kubernetes users and groups.
235
- * Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
106
+ * The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`.
107
+ *
108
+ * See for more details:
109
+ * https://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
236
110
  */
237
- roleMappings?: pulumi.Input<pulumi.Input<RoleMapping>[]>;
111
+ authenticationMode?: enums.AuthenticationMode;
238
112
  /**
239
- * Optional mappings from AWS IAM users to Kubernetes users and groups.
240
- * Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
113
+ * The security group to use for the cluster API endpoint. If not provided, a new security group will be created with full internet egress and ingress from node groups.
114
+ *
115
+ * Note: The security group resource should not contain any inline ingress or egress rules.
241
116
  */
242
- userMappings?: pulumi.Input<pulumi.Input<UserMapping>[]>;
117
+ clusterSecurityGroup?: pulumi.Input<pulumiAws.ec2.SecurityGroup>;
243
118
  /**
244
- * The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation
245
- * for the VpcCniOptions type.
119
+ * The tags to apply to the cluster security group.
246
120
  */
247
- vpcCniOptions?: VpcCniOptions;
121
+ clusterSecurityGroupTags?: pulumi.Input<{
122
+ [key: string]: pulumi.Input<string>;
123
+ }>;
248
124
  /**
249
- * Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with `vpcCniOptions`.
125
+ * The tags to apply to the EKS cluster.
250
126
  */
251
- useDefaultVpcCni?: boolean;
127
+ clusterTags?: pulumi.Input<{
128
+ [key: string]: pulumi.Input<string>;
129
+ }>;
252
130
  /**
253
- * The instance type to use for the cluster's nodes. Defaults to "t2.medium".
131
+ * Options for managing the `coredns` addon.
254
132
  */
255
- instanceType?: pulumi.Input<aws.ec2.InstanceType | string>;
133
+ corednsAddonOptions?: inputs.CoreDnsAddonOptionsArgs;
256
134
  /**
257
- * This enables the simple case of only registering a *single* IAM
258
- * instance role with the cluster, that is required to be shared by
259
- * *all* node groups in their instance profiles.
135
+ * Indicates whether an IAM OIDC Provider is created for the EKS cluster.
260
136
  *
261
- * Note: options `instanceRole` and `instanceRoles` are mutually exclusive.
137
+ * The OIDC provider is used in the cluster in combination with k8s Service Account annotations to provide IAM roles at the k8s Pod level.
138
+ *
139
+ * See for more details:
140
+ * - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
141
+ * - https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
142
+ * - https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
143
+ * - https://www.pulumi.com/registry/packages/aws/api-docs/eks/cluster/#enabling-iam-roles-for-service-accounts
262
144
  */
263
- instanceRole?: pulumi.Input<aws.iam.Role>;
145
+ createOidcProvider?: pulumi.Input<boolean>;
264
146
  /**
265
- * The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
147
+ * The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given `[system:masters]` permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
148
+ *
149
+ * Note: This option is only supported with Pulumi nodejs programs. Please use `ProviderCredentialOpts` as an alternative instead.
266
150
  */
267
- instanceProfileName?: pulumi.Input<string>;
151
+ creationRoleProvider?: inputs.CreationRoleProviderArgs;
268
152
  /**
269
- * IAM Service Role for EKS to use to manage the cluster.
153
+ * List of addons to remove upon creation. Any addon listed will be "adopted" and then removed. This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources. Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.
270
154
  */
271
- serviceRole?: pulumi.Input<aws.iam.Role>;
155
+ defaultAddonsToRemove?: pulumi.Input<pulumi.Input<string>[]>;
272
156
  /**
273
- * The IAM Role Provider used to create & authenticate against the EKS cluster. This role is given `[system:masters]`
274
- * permission in K8S, See: https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
157
+ * The number of worker nodes that should be running in the cluster. Defaults to 2.
275
158
  */
276
- creationRoleProvider?: CreationRoleProvider;
159
+ desiredCapacity?: pulumi.Input<number>;
277
160
  /**
278
- * This enables the advanced case of registering *many* IAM instance roles
279
- * with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.
280
- * Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
161
+ * Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.
281
162
  *
282
- * Note: options `instanceRole` and `instanceRoles` are mutually exclusive.
163
+ * Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true.
164
+ * https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs
283
165
  */
284
- instanceRoles?: pulumi.Input<pulumi.Input<aws.iam.Role>[]>;
166
+ enableConfigMapMutable?: pulumi.Input<boolean>;
285
167
  /**
286
- * Attach a custom role policy to worker node instance role
287
- *
288
- * @deprecated This option has been replaced with the use of
289
- * `instanceRole` or `instanceRoles`. The role provided to either option
290
- * should already include all required policies.
168
+ * Enable EKS control plane logging. This sends logs to cloudwatch. Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"]. By default it is off.
291
169
  */
292
- customInstanceRolePolicy?: pulumi.Input<string>;
170
+ enabledClusterLogTypes?: pulumi.Input<pulumi.Input<string>[]>;
293
171
  /**
294
- * The AMI ID to use for the worker nodes.
295
- *
296
- * Defaults to the latest recommended EKS Optimized Linux AMI from the
297
- * AWS Systems Manager Parameter Store.
298
- *
299
- * Note: `nodeAmiId` and `gpu` are mutually exclusive.
172
+ * KMS Key ARN to use with the encryption configuration for the cluster.
300
173
  *
174
+ * Only available on Kubernetes 1.13+ clusters created after March 6, 2020.
301
175
  * See for more details:
302
- * - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
176
+ * - https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
303
177
  */
304
- nodeAmiId?: pulumi.Input<string>;
178
+ encryptionConfigKeyArn?: pulumi.Input<string>;
179
+ /**
180
+ * Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default is `false`.
181
+ */
182
+ endpointPrivateAccess?: pulumi.Input<boolean>;
183
+ /**
184
+ * Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is `true`.
185
+ */
186
+ endpointPublicAccess?: pulumi.Input<boolean>;
305
187
  /**
306
- * Use the latest recommended EKS Optimized Linux AMI with GPU support for
307
- * the worker nodes from the AWS Systems Manager Parameter Store.
188
+ * Add support for launching pods in Fargate. Defaults to launching pods in the `default` namespace. If specified, the default node group is skipped as though `skipDefaultNodeGroup: true` had been passed.
189
+ */
190
+ fargate?: pulumi.Input<boolean | inputs.FargateProfileArgs>;
191
+ /**
192
+ * Use the latest recommended EKS Optimized Linux AMI with GPU support for the worker nodes from the AWS Systems Manager Parameter Store.
308
193
  *
309
194
  * Defaults to false.
310
195
  *
311
196
  * Note: `gpu` and `nodeAmiId` are mutually exclusive.
312
197
  *
313
198
  * See for more details:
314
- * - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
199
+ * - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
315
200
  * - https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
316
201
  */
317
202
  gpu?: pulumi.Input<boolean>;
318
203
  /**
319
- * Public key material for SSH access to worker nodes. See allowed formats at:
320
- * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
321
- * If not provided, no SSH access is enabled on VMs.
322
- */
323
- nodePublicKey?: pulumi.Input<string>;
324
- /**
325
- * The subnets to use for worker nodes. Defaults to the value of subnetIds.
204
+ * The default IAM InstanceProfile to use on the Worker NodeGroups, if one is not already set in the NodeGroup.
326
205
  */
327
- nodeSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
206
+ instanceProfileName?: pulumi.Input<string>;
328
207
  /**
329
- * The security group to use for the cluster API endpoint. If not provided, a new security group will be created
330
- * with full internet egress and ingress from node groups.
208
+ * This enables the simple case of only registering a *single* IAM instance role with the cluster, that is required to be shared by *all* node groups in their instance profiles.
331
209
  *
332
- * Note: The security group resource should not contain any inline ingress or egress rules.
333
- */
334
- clusterSecurityGroup?: aws.ec2.SecurityGroup;
335
- /**
336
- * The tags to apply to the cluster security group.
337
- */
338
- clusterSecurityGroupTags?: InputTags;
339
- /**
340
- * Encrypt the root block device of the nodes in the node group.
210
+ * Note: options `instanceRole` and `instanceRoles` are mutually exclusive.
341
211
  */
342
- nodeRootVolumeEncrypted?: pulumi.Input<boolean>;
212
+ instanceRole?: pulumi.Input<pulumiAws.iam.Role>;
343
213
  /**
344
- * The tags to apply to the default `nodeSecurityGroup` created by the cluster.
214
+ * This enables the advanced case of registering *many* IAM instance roles with the cluster for per node group IAM, instead of the simpler, shared case of `instanceRole`.
345
215
  *
346
- * Note: The `nodeSecurityGroupTags` option and the node group option
347
- * `nodeSecurityGroup` are mutually exclusive.
216
+ * Note: options `instanceRole` and `instanceRoles` are mutually exclusive.
348
217
  */
349
- nodeSecurityGroupTags?: InputTags;
218
+ instanceRoles?: pulumi.Input<pulumi.Input<pulumiAws.iam.Role>[]>;
350
219
  /**
351
- * The size in GiB of a cluster node's root volume. Defaults to 20.
220
+ * The instance type to use for the cluster's nodes. Defaults to "t3.medium".
352
221
  */
353
- nodeRootVolumeSize?: pulumi.Input<number>;
222
+ instanceType?: pulumi.Input<string>;
354
223
  /**
355
- * Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node
356
- * signals its readiness to the managing CloudFormation stack. This code must be a typical user data script:
357
- * critically it must begin with an interpreter directive (i.e. a `#!`).
224
+ * The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`.
225
+ * You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created.
358
226
  */
359
- nodeUserData?: pulumi.Input<string>;
227
+ ipFamily?: pulumi.Input<string>;
360
228
  /**
361
- * The number of worker nodes that should be running in the cluster. Defaults to 2.
229
+ * Options for managing the `kube-proxy` addon.
362
230
  */
363
- desiredCapacity?: pulumi.Input<number>;
231
+ kubeProxyAddonOptions?: inputs.KubeProxyAddonOptionsArgs;
364
232
  /**
365
- * The minimum number of worker nodes running in the cluster. Defaults to 1.
233
+ * The CIDR block to assign Kubernetes service IP addresses from. If you don't
234
+ * specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or
235
+ * 172.20.0.0/16 CIDR blocks. This setting only applies to IPv4 clusters. We recommend that you specify a block
236
+ * that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify
237
+ * a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.
238
+ *
239
+ * The block must meet the following requirements:
240
+ * - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
241
+ * - Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
242
+ * - Between /24 and /12.
366
243
  */
367
- minSize?: pulumi.Input<number>;
244
+ kubernetesServiceIpAddressRange?: pulumi.Input<string>;
368
245
  /**
369
246
  * The maximum number of worker nodes running in the cluster. Defaults to 2.
370
247
  */
371
248
  maxSize?: pulumi.Input<number>;
372
249
  /**
373
- * An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map,
374
- * a single StorageClass will be created for that volume type.
375
- *
376
- * Note: As of Kubernetes v1.11+ on EKS, a default `gp2` storage class will
377
- * always be created automatically for the cluster by the EKS service. See
378
- * https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
379
- */
380
- storageClasses?: {
381
- [name: string]: StorageClass;
382
- } | EBSVolumeType;
383
- /**
384
- * If this toggle is set to true, the EKS cluster will be created without node group attached.
385
- * Defaults to false, unless `fargate` input is provided.
250
+ * The minimum number of worker nodes running in the cluster. Defaults to 1.
386
251
  */
387
- skipDefaultNodeGroup?: boolean;
252
+ minSize?: pulumi.Input<number>;
388
253
  /**
389
- * Whether or not to deploy the Kubernetes dashboard to the cluster. If the dashboard is deployed, it can be
390
- * accessed as follows:
391
- *
392
- * 1. Retrieve an authentication token for the dashboard by running the following and copying the value of `token`
393
- * from the output of the last command:
394
- *
395
- * $ kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}'
396
- * $ kubectl -n kube-system describe secret <output from previous command>
254
+ * The cluster's physical resource name.
397
255
  *
398
- * 2. Start the kubectl proxy:
256
+ * If not specified, the default is to use auto-naming for the cluster's name, resulting in a physical name with the format `${name}-eksCluster-0123abcd`.
399
257
  *
400
- * $ kubectl proxy
258
+ * See for more details: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming
259
+ */
260
+ name?: pulumi.Input<string>;
261
+ /**
262
+ * The AMI ID to use for the worker nodes.
401
263
  *
402
- * 3. Open `http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/` in a
403
- * web browser.
404
- * 4. Choose `Token` authentication, paste the token retrieved earlier into the `Token` field, and sign in.
264
+ * Defaults to the latest recommended EKS Optimized Linux AMI from the AWS Systems Manager Parameter Store.
405
265
  *
406
- * Defaults to `false`.
266
+ * Note: `nodeAmiId` and `gpu` are mutually exclusive.
407
267
  *
408
- * @deprecated This option has been deprecated due to a lack of
409
- * support for it on EKS, and the general community recommendation to avoid
410
- * using it for security concerns. If you'd like alternatives to deploy the
411
- * dashboard, consider writing it in Pulumi, or using the Helm chart.
412
- */
413
- deployDashboard?: boolean;
414
- /**
415
- * Key-value mapping of tags that are automatically applied to all AWS
416
- * resources directly under management with this cluster, which support tagging.
268
+ * See for more details:
269
+ * - https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html.
417
270
  */
418
- tags?: InputTags;
271
+ nodeAmiId?: pulumi.Input<string>;
419
272
  /**
420
- * Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
273
+ * Whether or not to auto-assign the EKS worker nodes public IP addresses. If this toggle is set to true, the EKS workers will be auto-assigned public IPs. If false, they will not be auto-assigned public IPs.
421
274
  */
422
- version?: pulumi.Input<string>;
275
+ nodeAssociatePublicIpAddress?: boolean;
423
276
  /**
424
- * Enable EKS control plane logging. This sends logs to cloudwatch.
425
- * Possible list of values are: ["api", "audit", "authenticator", "controllerManager", "scheduler"].
426
- * By default it is off.
277
+ * The common configuration settings for NodeGroups.
427
278
  */
428
- enabledClusterLogTypes?: pulumi.Input<pulumi.Input<string>[]>;
279
+ nodeGroupOptions?: inputs.ClusterNodeGroupOptionsArgs;
429
280
  /**
430
- * List of addons to remove upon creation. Any addon listed will be "adopted" and then removed.
431
- * This allows for the creation of a baremetal cluster where no addon is deployed and direct management of addons via Pulumi Kubernetes resources.
432
- * Valid entries are kube-proxy, coredns and vpc-cni. Only works on first creation of a cluster.
281
+ * Public key material for SSH access to worker nodes. See allowed formats at:
282
+ * https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
283
+ * If not provided, no SSH access is enabled on VMs.
433
284
  */
434
- defaultAddonsToRemove?: pulumi.Input<pulumi.Input<string>[]>;
285
+ nodePublicKey?: pulumi.Input<string>;
435
286
  /**
436
- * Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default is `true`.
287
+ * Encrypt the root block device of the nodes in the node group.
437
288
  */
438
- endpointPublicAccess?: pulumi.Input<boolean>;
289
+ nodeRootVolumeEncrypted?: pulumi.Input<boolean>;
439
290
  /**
440
- * Indicates whether or not the Amazon EKS private API server endpoint is enabled. The default is `false`.
291
+ * The size in GiB of a cluster node's root volume. Defaults to 20.
441
292
  */
442
- endpointPrivateAccess?: pulumi.Input<boolean>;
293
+ nodeRootVolumeSize?: pulumi.Input<number>;
443
294
  /**
444
- * Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.
295
+ * The tags to apply to the default `nodeSecurityGroup` created by the cluster.
296
+ *
297
+ * Note: The `nodeSecurityGroupTags` option and the node group option `nodeSecurityGroup` are mutually exclusive.
445
298
  */
446
- publicAccessCidrs?: pulumi.Input<pulumi.Input<string>[]>;
299
+ nodeSecurityGroupTags?: pulumi.Input<{
300
+ [key: string]: pulumi.Input<string>;
301
+ }>;
447
302
  /**
448
- * Add support for launching pods in Fargate. Defaults to launching pods in the `default`
449
- * namespace. If specified, the default node group is skipped as though `skipDefaultNodeGroup:
450
- * true` had been passed.
303
+ * The subnets to use for worker nodes. Defaults to the value of subnetIds.
451
304
  */
452
- fargate?: pulumi.Input<boolean | FargateProfile>;
305
+ nodeSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
453
306
  /**
454
- * The tags to apply to the EKS cluster.
307
+ * Extra code to run on node startup. This code will run after the AWS EKS bootstrapping code and before the node signals its readiness to the managing CloudFormation stack. This code must be a typical user data script: critically it must begin with an interpreter directive (i.e. a `#!`).
455
308
  */
456
- clusterTags?: InputTags;
309
+ nodeUserData?: pulumi.Input<string>;
457
310
  /**
458
- * Indicates whether an IAM OIDC Provider is created for the EKS cluster.
311
+ * The set of private subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
459
312
  *
460
- * The OIDC provider is used in the cluster in combination with k8s
461
- * Service Account annotations to provide IAM roles at the k8s Pod level.
313
+ * If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
462
314
  *
463
- * See for more details:
464
- * - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
465
- * - https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
466
- * - https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
467
- * - https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/eks/#enabling-iam-roles-for-service-accounts
315
+ * Worker network architecture options:
316
+ * - Private-only: Only set `privateSubnetIds`.
317
+ * - Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
318
+ * - Public-only: Only set `publicSubnetIds`.
319
+ * - Default workers to run in a public subnet.
320
+ * - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.
321
+ * - Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.
322
+ *
323
+ * See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. The use of `publicSubnetIds` and `privateSubnetIds` is encouraged.
324
+ *
325
+ * Also consider setting `nodeAssociatePublicIpAddress: false` for fully private workers.
468
326
  */
469
- createOidcProvider?: pulumi.Input<boolean>;
327
+ privateSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
470
328
  /**
471
- * The cluster's physical resource name.
329
+ * The AWS provider credential options to scope the cluster's kubeconfig authentication when using a non-default credential chain.
472
330
  *
473
- * If not specified, the default is to use auto-naming for the cluster's
474
- * name, resulting in a physical name with the format `${name}-eksCluster-0123abcd`.
331
+ * This is required for certain auth scenarios. For example:
332
+ * - Creating and using a new AWS provider instance, or
333
+ * - Setting the AWS_PROFILE environment variable, or
334
+ * - Using a named profile configured on the AWS provider via:
335
+ * `pulumi config set aws:profile <profileName>`
475
336
  *
476
337
  * See for more details:
477
- * https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming
338
+ * - https://www.pulumi.com/registry/packages/aws/api-docs/provider/
339
+ * - https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
340
+ * - https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
341
+ * - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
478
342
  */
479
- name?: pulumi.Input<string>;
343
+ providerCredentialOpts?: pulumi.Input<inputs.KubeconfigOptionsArgs>;
480
344
  /**
481
345
  * The HTTP(S) proxy to use within a proxied environment.
482
346
  *
483
- * The proxy is used during cluster creation, and OIDC configuration.
347
+ * The proxy is used during cluster creation, and OIDC configuration.
484
348
  *
485
- * This is an alternative option to setting the proxy environment variables:
486
- * HTTP(S)_PROXY and/or http(s)_proxy.
349
+ * This is an alternative option to setting the proxy environment variables: HTTP(S)_PROXY and/or http(s)_proxy.
487
350
  *
488
351
  * This option is required iff the proxy environment variables are not set.
489
352
  *
@@ -497,266 +360,109 @@ export interface ClusterOptions {
497
360
  */
498
361
  proxy?: string;
499
362
  /**
500
- * The AWS provider credential options to scope the cluster's kubeconfig
501
- * authentication when using a non-default credential chain.
502
- *
503
- * This is required for certain auth scenarios. For example:
504
- * - Creating and using a new AWS provider instance, or
505
- * - Setting the AWS_PROFILE environment variable, or
506
- * - Using a named profile configured on the AWS provider via:
507
- * `pulumi config set aws:profile <profileName>`
508
- *
509
- * See for more details:
510
- * - https://www.pulumi.com/registry/packages/aws/api-docs/provider/
511
- * - https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/
512
- * - https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration
513
- * - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
514
- */
515
- providerCredentialOpts?: pulumi.Input<KubeconfigOptions>;
516
- /**
517
- * Sets the 'enableConfigMapMutable' option on the cluster kubernetes provider.
518
- * Applies updates to the aws-auth ConfigMap in place over a replace operation if set to true.
519
- * https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#enableconfigmapmutable_nodejs
363
+ * Indicates which CIDR blocks can access the Amazon EKS public API server endpoint.
520
364
  */
521
- enableConfigMapMutable?: pulumi.Input<boolean>;
365
+ publicAccessCidrs?: pulumi.Input<pulumi.Input<string>[]>;
522
366
  /**
523
- * KMS Key ARN to use with the encryption configuration for the cluster.
367
+ * The set of public subnets to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
524
368
  *
525
- * Only available on Kubernetes 1.13+ clusters created after March 6, 2020.
526
- * See for more details:
527
- * - https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/
528
- */
529
- encryptionConfigKeyArn?: pulumi.Input<string>;
530
- /**
531
- * The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns
532
- * addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that
533
- * does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify
534
- * a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created.
369
+ * If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
535
370
  *
536
- * The block must meet the following requirements:
537
- * - Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0.0/12, or 192.168.0.0/16.
538
- * - Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
539
- * - Between /24 and /12.
540
- */
541
- kubernetesServiceIpAddressRange?: pulumi.Input<string>;
542
- /**
543
- * The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6.
544
- * You can only specify an IP family when you create a cluster, changing this value will force
545
- * a new cluster to be created.
546
- */
547
- ipFamily?: pulumi.Input<string>;
548
- /**
549
- * The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
550
- * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
551
- */
552
- authenticationMode?: AuthenticationMode;
553
- /**
554
- * Access entries to add to the EKS cluster. They can be used to allow IAM principals to access the cluster.
555
- * Access entries are only supported with authentication mode `API` or `API_AND_CONFIG_MAP`.
371
+ * Worker network architecture options:
372
+ * - Private-only: Only set `privateSubnetIds`.
373
+ * - Default workers to run in a private subnet. In this setting, Kubernetes cannot create public, internet-facing load balancers for your pods.
374
+ * - Public-only: Only set `publicSubnetIds`.
375
+ * - Default workers to run in a public subnet.
376
+ * - Mixed (recommended): Set both `privateSubnetIds` and `publicSubnetIds`.
377
+ * - Default all worker nodes to run in private subnets, and use the public subnets for internet-facing load balancers.
556
378
  *
557
- * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
558
- */
559
- accessEntries?: {
560
- [key: string]: AccessEntry;
561
- };
562
- }
563
- /**
564
- * FargateProfile defines how Kubernetes pods are executed in Fargate. See
565
- * aws.eks.FargateProfileArgs for reference.
566
- */
567
- export interface FargateProfile {
568
- /**
569
- * Specify a custom role to use for executing pods in Fargate. Defaults to creating a new role
570
- * with the `arn:[partition]:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy` policy attached.
571
- */
572
- podExecutionRoleArn?: pulumi.Input<string>;
573
- /**
574
- * Specify the subnets in which to execute Fargate tasks for pods. Defaults to the private
575
- * subnets associated with the cluster.
576
- */
577
- subnetIds?: pulumi.Input<pulumi.Input<string>[]>;
578
- /**
579
- * Specify the namespace and label selectors to use for launching pods into Fargate.
379
+ * See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.Note: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. The use of `publicSubnetIds` and `privateSubnetIds` is encouraged.
580
380
  */
581
- selectors?: pulumi.Input<pulumi.Input<aws.types.input.eks.FargateProfileSelector>[]>;
582
- }
583
- /**
584
- * ClusterNodeGroupOptions describes the configuration options accepted by a cluster
585
- * to create its own node groups. It's a subset of NodeGroupOptions.
586
- */
587
- export interface ClusterNodeGroupOptions extends NodeGroupBaseOptions {
588
- }
589
- export interface AccessEntry {
381
+ publicSubnetIds?: pulumi.Input<pulumi.Input<string>[]>;
590
382
  /**
591
- * The IAM Principal ARN which requires Authentication access to the EKS cluster.
383
+ * Optional mappings from AWS IAM roles to Kubernetes users and groups. Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`
592
384
  */
593
- principalArn: pulumi.Input<string>;
385
+ roleMappings?: pulumi.Input<pulumi.Input<inputs.RoleMappingArgs>[]>;
594
386
  /**
595
- * Defaults to the principalArn if the principal is a user, else defaults to assume-role/session-name.
387
+ * IAM Service Role for EKS to use to manage the cluster.
596
388
  */
597
- username?: pulumi.Input<string>;
389
+ serviceRole?: pulumi.Input<pulumiAws.iam.Role>;
598
390
  /**
599
- * A list of groups within Kubernetes to which the IAM principal is mapped to.
391
+ * If this toggle is set to true, the EKS cluster will be created without node group attached. Defaults to false, unless `fargate` input is provided.
600
392
  */
601
- kubernetesGroups?: pulumi.Input<pulumi.Input<string>[]>;
393
+ skipDefaultNodeGroup?: boolean;
602
394
  /**
603
- * The access policies to associate to the access entry.
395
+ * An optional set of StorageClasses to enable for the cluster. If this is a single volume type rather than a map, a single StorageClass will be created for that volume type.
396
+ *
397
+ * Note: As of Kubernetes v1.11+ on EKS, a default `gp2` storage class will always be created automatically for the cluster by the EKS service. See https://docs.aws.amazon.com/eks/latest/userguide/storage-classes.html
604
398
  */
605
- accessPolicies?: {
606
- [key: string]: pulumi.Input<AccessPolicyAssociation>;
399
+ storageClasses?: string | {
400
+ [key: string]: inputs.StorageClassArgs;
607
401
  };
608
402
  /**
609
- * The tags to apply to the AccessEntry.
610
- */
611
- tags?: InputTags;
612
- /**
613
- * The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, EC2_LINUX, and EC2_WINDOWS.
403
+ * The set of all subnets, public and private, to use for the worker node groups on the EKS cluster. These subnets are automatically tagged by EKS for Kubernetes purposes.
614
404
  *
615
- * Defaults to STANDARD which provides the standard workflow. EC2_LINUX and EC2_WINDOWS types disallow users
616
- * to input a kubernetesGroup, and prevent associating access policies..
617
- */
618
- type?: pulumi.Input<AccessEntryType>;
619
- }
620
- export interface AccessPolicyAssociation {
621
- /**
622
- * The ARN of the access policy to associate with the principal
623
- */
624
- policyArn: pulumi.Input<string>;
625
- /**
626
- * The scope of the access policy association. This controls whether the access policy is scoped to the cluster or to a particular namespace.
627
- */
628
- accessScope: aws.types.input.eks.AccessPolicyAssociationAccessScope;
629
- }
630
- export declare const AuthenticationMode: {
631
- /**
632
- * Only Access Entries will be used for authenticating to the Kubernetes API.
633
- */
634
- readonly API: "API";
635
- /**
636
- * Only aws-auth ConfigMap will be used for authenticating to the Kubernetes API.
405
+ * If `vpcId` is not set, the cluster will use the AWS account's default VPC subnets.
637
406
  *
638
- * @deprecated The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API.
639
- * For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
640
- */
641
- readonly CONFIG_MAP: "CONFIG_MAP";
642
- /**
643
- * Both aws-auth ConfigMap and Access Entries can be used for authenticating to the Kubernetes API.
407
+ * If the list of subnets includes both public and private subnets, the worker nodes will only be attached to the private subnets, and the public subnets will be used for internet-facing load balancers.
644
408
  *
645
- * @deprecated The aws-auth ConfigMap is deprecated. The recommended method to manage access to Kubernetes APIs is Access Entries with the AuthenticationMode API.
646
- * For more information and instructions how to upgrade, see https://docs.aws.amazon.com/eks/latest/userguide/migrating-access-entries.html.
647
- */
648
- readonly API_AND_CONFIG_MAP: "API_AND_CONFIG_MAP";
649
- };
650
- /**
651
- * The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
652
- * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
653
- */
654
- export type AuthenticationMode = (typeof AuthenticationMode)[keyof typeof AuthenticationMode];
655
- export declare const AccessEntryType: {
656
- /**
657
- * Standard Access Entry Workflow. Allows users to input a username and kubernetesGroup, and to associate access policies.
658
- */
659
- readonly STANDARD: "STANDARD";
660
- /**
661
- * For IAM roles used with AWS Fargate profiles.
662
- */
663
- readonly FARGATE_LINUX: "FARGATE_LINUX";
664
- /**
665
- * For IAM roles associated with self-managed Linux node groups. Allows the nodes to join the cluster.
666
- */
667
- readonly EC2_LINUX: "EC2_LINUX";
668
- /**
669
- * For IAM roles associated with self-managed Windows node groups. Allows the nodes to join the cluster.
670
- */
671
- readonly EC2_WINDOWS: "EC2_WINDOWS";
672
- };
673
- /**
674
- * The authentication mode of the cluster. Valid values are `CONFIG_MAP`, `API` or `API_AND_CONFIG_MAP`
675
- * See for more details:\nhttps://docs.aws.amazon.com/eks/latest/userguide/grant-k8s-access.html#set-cam
676
- */
677
- export type AccessEntryType = (typeof AccessEntryType)[keyof typeof AccessEntryType];
678
- /**
679
- * Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker
680
- * nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.
681
- */
682
- export declare class Cluster extends pulumi.ComponentResource {
683
- /**
684
- * A kubeconfig that can be used to connect to the EKS cluster.
685
- */
686
- readonly kubeconfig: pulumi.Output<any>;
687
- /**
688
- * A kubeconfig that can be used to connect to the EKS cluster as a JSON string.
689
- */
690
- readonly kubeconfigJson: pulumi.Output<string>;
691
- /**
692
- * The AWS resource provider.
693
- */
694
- readonly awsProvider: pulumi.ProviderResource;
695
- /**
696
- * A Kubernetes resource provider that can be used to deploy into this cluster. For example, the code below will
697
- * create a new Pod in the EKS cluster.
698
- *
699
- * let eks = new Cluster("eks");
700
- * let pod = new kubernetes.core.v1.Pod("pod", { ... }, { provider: eks.provider });
409
+ * See for more details: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html.
701
410
  *
411
+ * Note: The use of `subnetIds`, along with `publicSubnetIds` and/or `privateSubnetIds` is mutually exclusive. The use of `publicSubnetIds` and `privateSubnetIds` is encouraged.
702
412
  */
703
- readonly provider: k8s.Provider;
704
- /**
705
- * The security group for the EKS cluster.
706
- */
707
- readonly clusterSecurityGroup: aws.ec2.SecurityGroup;
708
- /**
709
- * The service roles used by the EKS cluster.
710
- */
711
- readonly instanceRoles: pulumi.Output<aws.iam.Role[]>;
712
- /**
713
- * The security group for the cluster's nodes.
714
- */
715
- readonly nodeSecurityGroup: aws.ec2.SecurityGroup;
716
- /**
717
- * The ingress rule that gives node group access to cluster API server
718
- */
719
- readonly eksClusterIngressRule: aws.ec2.SecurityGroupRule;
413
+ subnetIds?: pulumi.Input<pulumi.Input<string>[]>;
720
414
  /**
721
- * The default Node Group configuration, or undefined if `skipDefaultNodeGroup` was specified.
415
+ * Key-value mapping of tags that are automatically applied to all AWS resources directly under management with this cluster, which support tagging.
722
416
  */
723
- readonly defaultNodeGroup: NodeGroupData | undefined;
417
+ tags?: pulumi.Input<{
418
+ [key: string]: pulumi.Input<string>;
419
+ }>;
724
420
  /**
725
- * The EKS cluster.
421
+ * Use the default VPC CNI instead of creating a custom one. Should not be used in conjunction with `vpcCniOptions`.
726
422
  */
727
- readonly eksCluster: aws.eks.Cluster;
423
+ useDefaultVpcCni?: boolean;
728
424
  /**
729
- * The EKS cluster and its dependencies.
425
+ * Optional mappings from AWS IAM users to Kubernetes users and groups. Only supported with authentication mode `CONFIG_MAP` or `API_AND_CONFIG_MAP`.
730
426
  */
731
- readonly core: CoreData;
427
+ userMappings?: pulumi.Input<pulumi.Input<inputs.UserMappingArgs>[]>;
732
428
  /**
733
- * Create a new EKS cluster with worker nodes, optional storage classes, and deploy the Kubernetes Dashboard if
734
- * requested.
735
- *
736
- * @param name The _unique_ name of this component.
737
- * @param args The arguments for this cluster.
738
- * @param opts A bag of options that control this component's behavior.
429
+ * Desired Kubernetes master / control plane version. If you do not specify a value, the latest available version is used.
739
430
  */
740
- constructor(name: string, args?: ClusterOptions, opts?: pulumi.ComponentResourceOptions);
431
+ version?: pulumi.Input<string>;
741
432
  /**
742
- * Create a self-managed node group using CloudFormation and an ASG.
743
- *
744
- * See for more details:
745
- * https://docs.aws.amazon.com/eks/latest/userguide/worker.html
433
+ * The configuration of the Amazon VPC CNI plugin for this instance. Defaults are described in the documentation for the VpcCniOptions type.
746
434
  */
747
- createNodeGroup(name: string, args: ClusterNodeGroupOptions): NodeGroup;
435
+ vpcCniOptions?: inputs.VpcCniOptionsArgs;
748
436
  /**
749
- * Generate a kubeconfig for cluster authentication that does not use the
750
- * default AWS credential provider chain, and instead is scoped to
751
- * the supported options in `KubeconfigOptions`.
752
- *
753
- * The kubeconfig generated is automatically stringified for ease of use
754
- * with the pulumi/kubernetes provider.
755
- *
756
- * See for more details:
757
- * - https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
758
- * - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
759
- * - https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
437
+ * The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.
760
438
  */
761
- getKubeconfig(args: KubeconfigOptions): pulumi.Output<string>;
439
+ vpcId?: pulumi.Input<string>;
440
+ }
441
+ export declare namespace Cluster {
442
+ /**
443
+ * The set of arguments for the Cluster.getKubeconfig method.
444
+ */
445
+ interface GetKubeconfigArgs {
446
+ /**
447
+ * AWS credential profile name to always use instead of the default AWS credential provider chain.
448
+ *
449
+ * The profile is passed to kubeconfig as an authentication environment setting.
450
+ */
451
+ profileName?: pulumi.Input<string>;
452
+ /**
453
+ * Role ARN to assume instead of the default AWS credential provider chain.
454
+ *
455
+ * The role is passed to kubeconfig as an authentication exec argument.
456
+ */
457
+ roleArn?: pulumi.Input<string>;
458
+ }
459
+ /**
460
+ * The results of the Cluster.getKubeconfig method.
461
+ */
462
+ interface GetKubeconfigResult {
463
+ /**
464
+ * The kubeconfig for the cluster.
465
+ */
466
+ readonly result: string;
467
+ }
762
468
  }
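Review bot: The doc comment on `publicAccessCidrs` (new line 363) does not say what applies when the option is left unset, which is the case that matters for exposure: as far as I know the EKS service default is `0.0.0.0/0`, so with the public endpoint enabled the API server accepts connections from any address unless a list is given. I would add a line such as `* If unset, the EKS service default applies (0.0.0.0/0); set an explicit list whenever the public endpoint is enabled.`, after confirming the default against the AWS documentation. Separately, the `publicSubnetIds` comment (new line 379) fuses the URL and the following note into `network_reqs.html.Note:`, which breaks the link. The `subnetIds` comment at new lines 409-411 shows the intended two-paragraph split, and the same fused text appears in the `privateSubnetIds` comment of the preceding hunk. The enclosing interface starts before this hunk.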