type fixes and upgrade eks to 3.0.1

components-microstacks/.gitignore

@@ -1 +1,2 @@
 node_modules/
+bun.lockb

eks-hosted/.gitignore

@@ -9,3 +9,5 @@ package-lock.json
 alb-ingress-chart-local/
 */aws-load-balancer-controller/*
 Pulumi.pulumitest.yaml
+Pulumi.*.yaml
+bun.lockb

eks-hosted/01-iam/Pulumi.README.yaml

@@ -7,12 +7,6 @@ config:
   # Note, you will be setting this value for each stack you create, so use a value that will make sense across all the infrastructure. 
   baseName: pulumiselfhost
 
-  # Provide an SSO role arn that can be assumed by the Pulumi cli to deploy the infrastructure.
-  # Currently this is just passed through and consumed by later stacks to enable the k8s provider to assume the role and deploy 
-  # k8s infra to the eks cluster.
-  # A future iteration may create this sso role as part of the stack.
-  ssoRoleArn: arn:aws:iam::123456789012:role/SSO-Role-Name
-
   #### BRINGING YOUR OWN IAM INFRASTRUCTURE ###
   # If you are not using the `01-iam` stack, then set the following values that would have otherwise been provided by the iam stack.
   # The stack will then "pretend" it created the resources and output the values for the other stacks to use.

eks-hosted/01-iam/config.ts

@@ -4,7 +4,6 @@ const pulumiConfig = new pulumi.Config();
 
 export const config = {
     baseName: pulumiConfig.require("baseName"),
-    ssoRoleArn: pulumiConfig.require("ssoRoleArn"),
     // These may not be set - see Pulumi.README.yaml for more information.
     eksServiceRoleName: pulumiConfig.get("eksServiceRoleName"),
     eksInstanceRoleName: pulumiConfig.get("eksInstanceRoleName"), 

eks-hosted/01-iam/index.ts

@@ -3,13 +3,11 @@ import * as aws from "@pulumi/aws";
 import { config } from "./config";
 import { albControllerPolicyStatement } from "./albControllerPolicy";
 
-/// SSO Role ///
-// This is currently managed outside of the stack and passed through for later stacks to use.
-export const ssoRoleArn = config.ssoRoleArn;
-
 // These roles are either provided by the user or created in this stack.
 export let eksServiceRoleName: string | pulumi.Output<string>;
+export let eksServiceRole: aws.iam.Role | pulumi.Output<aws.iam.Role>;
 export let eksInstanceRoleName: string | pulumi.Output<string>; 
+export let eksInstanceRole: aws.iam.Role | pulumi.Output<aws.iam.Role>;
 export let instanceProfileName: string | pulumi.Output<string>;
 export let databaseMonitoringRoleArn: string | pulumi.Output<string>;
 
@@ -18,13 +16,16 @@ export let databaseMonitoringRoleArn: string | pulumi.Output<string>;
 // It's an all-or-nothing situation, so if one is provided, they all must be.
 if (config.eksServiceRoleName && config.eksInstanceRoleName && config.instanceProfileName && config.databaseMonitoringRoleArn) {
     eksServiceRoleName = config.eksServiceRoleName;
+    eksServiceRole = aws.iam.Role.get("eksServiceRole", config.eksServiceRoleName)
     eksInstanceRoleName = config.eksInstanceRoleName;
+    eksInstanceRole = aws.iam.Role.get("instanceRole", config.eksInstanceRoleName)
     instanceProfileName = config.instanceProfileName;
     databaseMonitoringRoleArn = config.databaseMonitoringRoleArn;
+
 } else {
     // Create the roles.
     /// Cluster Role ///
-    const eksRole = new aws.iam.Role(`${config.baseName}-eksRole`, {
+    eksServiceRole = new aws.iam.Role(`${config.baseName}-eksRole`, {
         assumeRolePolicy: {
             Statement: [
                 {   Action:"sts:AssumeRole",
@@ -41,10 +42,10 @@ if (config.eksServiceRoleName && config.eksInstanceRoleName && config.instancePr
             "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
         ],
     });
-    eksServiceRoleName = eksRole.name;
+    eksServiceRoleName = eksServiceRole.name;
 
     /// Instance Role ///
-    const instanceRole = new aws.iam.Role(`${config.baseName}-instanceRole`, {
+    eksInstanceRole = new aws.iam.Role(`${config.baseName}-instanceRole`, {
         assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal(aws.iam.Principals.Ec2Principal),
         managedPolicyArns: [
             "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
@@ -56,7 +57,7 @@ if (config.eksServiceRoleName && config.eksInstanceRoleName && config.instancePr
     // S3 policy used by Pulumi services
     const instanceRoleS3Policy = new aws.iam.RolePolicyAttachment("instanceRoleS3Policy", {
         policyArn: "arn:aws:iam::aws:policy/AmazonS3FullAccess",
-        role: instanceRole 
+        role: eksInstanceRole 
     })
 
     // ALB management used by ingress controller
@@ -65,7 +66,7 @@ if (config.eksServiceRoleName && config.eksInstanceRoleName && config.instancePr
     });
     const rpaAlbPolicy = new aws.iam.RolePolicyAttachment("albPolicy", {
         policyArn: albControllerPolicy.arn,
-        role: instanceRole
+        role: eksInstanceRole
     })
 
     // Opensearch access
@@ -85,10 +86,10 @@ if (config.eksServiceRoleName && config.eksInstanceRoleName && config.instancePr
     });
     const openSearchPolicyAttachment = new aws.iam.RolePolicyAttachment("opensearchPolicy", {
         policyArn: opensearchPolicy.arn,
-        role: instanceRole
+        role: eksInstanceRole
     })
 
-    eksInstanceRoleName = instanceRole.name;
+    eksInstanceRoleName = eksInstanceRole.name;
 
     const instanceProfile =  new aws.iam.InstanceProfile("ng-standard", {role: eksInstanceRoleName})
     instanceProfileName = instanceProfile.name;

eks-hosted/05-eks-cluster/config.ts

@@ -12,7 +12,8 @@ const iamStackRef = new pulumi.StackReference(`${orgName}/selfhosted-01-iam/${st
 const eksInstanceRoleName = iamStackRef.requireOutput("eksInstanceRoleName");
 const instanceProfileName = iamStackRef.requireOutput("instanceProfileName");
 const eksServiceRoleName = iamStackRef.requireOutput("eksServiceRoleName");
-const ssoRoleArn = iamStackRef.requireOutput("ssoRoleArn");
+const eksServiceRole = iamStackRef.requireOutput("eksServiceRole")
+const eksInstanceRole = iamStackRef.requireOutput("eksInstanceRole")
 
 // Networking Stack values
 // Get the needed values from the networking stack.
@@ -49,12 +50,12 @@ export const config = {
     eksInstanceRoleName: eksInstanceRoleName,
     instanceProfileName: instanceProfileName,
     eksServiceRoleName: eksServiceRoleName,
-    ssoRoleArn: ssoRoleArn,
+    eksInstanceRole: eksInstanceRole,
+    eksServiceRole: eksServiceRole,
 
     // Networking stack values
     clusterName: clusterName,
     vpcId: vpcId,
     publicSubnetIds: publicSubnetIds,
     privateSubnetIds: privateSubnetIds,
-
-};
+}

eks-hosted/05-eks-cluster/index.ts

@@ -8,24 +8,20 @@ const tags = { "Project": "pulumi-k8s-aws-cluster", "Owner": "pulumi"};
 
 /////////////////////
 // --- EKS Cluster ---
-const serviceRole = aws.iam.Role.get("eksServiceRole", config.eksServiceRoleName)
-const instanceRole = aws.iam.Role.get("instanceRole", config.eksInstanceRoleName)
-const instanceProfile = aws.iam.InstanceProfile.get("ng-standard", config.instanceProfileName)
 
 // Create an EKS cluster.
 const cluster = new eks.Cluster(`${baseName}`, {
     name: config.clusterName,
     authenticationMode: "API",
     // We keep these serviceRole and instanceRole properties to prevent the EKS provider from creating its own roles.
-    serviceRole: serviceRole,
-    instanceRole: instanceRole,
+    serviceRole: config.eksServiceRole,
+    instanceRole: config.eksInstanceRole,
     vpcId: config.vpcId,
     publicSubnetIds: config.publicSubnetIds,
     privateSubnetIds: config.privateSubnetIds,
     providerCredentialOpts: { profileName: process.env.AWS_PROFILE}, 
     nodeAssociatePublicIpAddress: false,
     skipDefaultNodeGroup: true,
-    deployDashboard: false,
     version: config.clusterVersion,
     createOidcProvider: false,
     tags: tags,
@@ -48,7 +44,9 @@ const cluster = new eks.Cluster(`${baseName}`, {
 export const kubeconfig = pulumi.secret(cluster.kubeconfig.apply(JSON.stringify));
 export const clusterName = cluster.core.cluster.name;
 export const region = aws.config.region;
-export const nodeSecurityGroupId = cluster.nodeSecurityGroup.id; // For RDS
+export const nodeSecurityGroupId = cluster.nodeSecurityGroupId;
+
+// For RDS
 export const nodeGroupInstanceType = config.pulumiNodeGroupInstanceType;
 
 /////////////////////
@@ -57,23 +55,23 @@ const ssmParam = pulumi.output(aws.ssm.getParameter({
     // https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html
     name: `/aws/service/eks/optimized-ami/${config.clusterVersion}/amazon-linux-2/recommended`,
 }))
-const amiId = ssmParam.value.apply(s => JSON.parse(s).image_id)
+const amiId = ssmParam.value.apply(s => <string>JSON.parse(s).image_id)
 
+const instanceProfile = new aws.iam.InstanceProfile("ng-standard", {role: config.eksInstanceRoleName})
 // Create a standard node group.
-const ngStandard = new eks.NodeGroup(`${baseName}-ng-standard`, {
+const ngStandard = new eks.NodeGroupV2(`${baseName}-ng-standard`, {
     cluster: cluster,
     instanceProfile: instanceProfile,
     nodeAssociatePublicIpAddress: false,
-    nodeSecurityGroup: cluster.nodeSecurityGroup,
-    clusterIngressRule: cluster.eksClusterIngressRule,
+    nodeSecurityGroupId: cluster.nodeSecurityGroupId,
+    clusterIngressRuleId: cluster.clusterIngressRuleId,
     amiId: amiId,
-
     instanceType: <aws.ec2.InstanceType>config.standardNodeGroupInstanceType,
     desiredCapacity: config.standardNodeGroupDesiredCapacity,
     minSize: config.standardNodeGroupMinSize,
     maxSize: config.standardNodeGroupMaxSize,
 
-    labels: {"amiId": `${amiId}`},
+    labels: {"amiId": amiId},
     cloudFormationTags: clusterName.apply(clusterName => ({
         "k8s.io/cluster-autoscaler/enabled": "true",
         [`k8s.io/cluster-autoscaler/${clusterName}`]: "true",
@@ -84,20 +82,20 @@ const ngStandard = new eks.NodeGroup(`${baseName}-ng-standard`, {
 });
 
 // Create a standard node group tainted for use only by self-hosted pulumi.
-const ngStandardPulumi = new eks.NodeGroup(`${baseName}-ng-standard-pulumi`, {
+const ngStandardPulumi = new eks.NodeGroupV2(`${baseName}-ng-standard-pulumi`, {
     cluster: cluster,
     instanceProfile: instanceProfile,
     nodeAssociatePublicIpAddress: false,
-    nodeSecurityGroup: cluster.nodeSecurityGroup,
-    clusterIngressRule: cluster.eksClusterIngressRule,
+    nodeSecurityGroupId: cluster.nodeSecurityGroupId,
+    clusterIngressRuleId: cluster.clusterIngressRuleId,
     amiId: amiId,
 
     instanceType: <aws.ec2.InstanceType>config.pulumiNodeGroupInstanceType,
     desiredCapacity: config.pulumiNodeGroupDesiredCapacity,
     minSize: config.pulumiNodeGroupMinSize,
     maxSize: config.pulumiNodeGroupMaxSize,
 
-    labels: {"amiId": `${amiId}`},
+    labels: {"amiId": amiId},
     taints: { "self-hosted-pulumi": { value: "true", effect: "NoSchedule"}},
     cloudFormationTags: clusterName.apply(clusterName => ({
         "k8s.io/cluster-autoscaler/enabled": "true",

eks-hosted/05-eks-cluster/package.json

@@ -4,8 +4,8 @@
     "typescript": "^3.0.0"
   },
   "dependencies": {
-    "@pulumi/aws": "^6.54.0",
-    "@pulumi/pulumi": "^3.136.0",
-    "@pulumi/eks": "^2.8.1"
+    "@pulumi/aws": "^6.59.0",
+    "@pulumi/eks": "^3.0.1",
+    "@pulumi/pulumi": "^3.136.0"
   }
 }

eks-hosted/10-cluster-svcs/index.ts

@@ -1,6 +1,5 @@
 import * as aws from "@pulumi/aws";
 import * as k8s from "@pulumi/kubernetes";
-import * as pulumi from "@pulumi/pulumi";
 import { config } from "./config";
 import { createAlbSecurityGroup, createAlbIngressController } from "./ingress-controller";
 

eks-hosted/20-database/rds-db/index.ts

@@ -59,7 +59,7 @@ export class RdsDatabase extends pulumi.ComponentResource {
             masterUsername: "pulumi",
             masterPassword: this.password,
             storageEncrypted: true,
-            vpcSecurityGroupIds: pulumi.output(args.securityGroupId).apply(id => [id]),        // Must be able to communicate with EKS nodes.
+            vpcSecurityGroupIds: pulumi.output([args.securityGroupId]), // Must be able to communicate with EKS nodes.
             finalSnapshotIdentifier: finalSnapshotIdentifier.hex,
             tags,
         }, { protect: true, });

eks-hosted/25-insights/Pulumi.README.yaml

@@ -9,4 +9,6 @@ config:
 
   # Opensearch configuration
   # Use "pulumi config set opensearchPassword --secret <password>"
+  # Password requirements: minimum 8 characters and must contain at least one uppercase letter, 
+  # one lowercase letter, one digit, and one special character
   opensearchPassword: 

eks-hosted/90-pulumi-service/config.ts

@@ -67,8 +67,8 @@ export const config = {
 
     // reCAPTCHA Config
     // If the config is not set, then recaptcha will be disabled.
-    recaptchaSiteKey: pulumiConfig.get("recaptchaSiteKey"), 
-    recaptchaSecretKey: pulumiConfig.get("recaptchaSecretKey"), 
+    recaptchaSiteKey: pulumiConfig.get("recaptchaSiteKey") || "", 
+    recaptchaSecretKey: pulumiConfig.get("recaptchaSecretKey") || "", 
 
     // Insights Config
     openSearchEndpoint: insightsStackRef.requireOutput("openSearchEndpoint"),

eks-hosted/90-pulumi-service/index.ts

@@ -238,7 +238,7 @@ const consolePodBuilder = new kx.PodBuilder({
             "SAML_SSO_ENABLED": `${config.samlSsoEnabled}`,
             ...recaptchaConsoleConfig,
             ...consoleEmailLoginConfig
-        },
+        } as EnvMap,
         resources: consoleResources,
     }],
 });
@@ -288,14 +288,14 @@ const zone = aws.route53.getZoneOutput({
 
 const certValidation = new aws.route53.Record("certValidation", {
     name: certCertificate.domainValidationOptions[0].resourceRecordName,
-    records: [certCertificate.domainValidationOptions[0].resourceRecordValue],
+    records: pulumi.output([certCertificate.domainValidationOptions[0].resourceRecordValue]),
     ttl: 60,
     type: certCertificate.domainValidationOptions[0].resourceRecordType,
     zoneId: zone.id,
 });
 const certCertificateValidation = new aws.acm.CertificateValidation("cert", {
     certificateArn: certCertificate.arn,
-    validationRecordFqdns: [certValidation.fqdn],
+    validationRecordFqdns: pulumi.output([certValidation.fqdn]),
 });
 
 //////////////
@@ -400,13 +400,13 @@ const consoleDnsRecord = new aws.route53.Record("consoleEndDnsRecord", {
   name: consoleEndpoint,
   type: "CNAME",
   ttl: 300,
-  records: [ consoleLoadbalancerDnsName]
+  records: pulumi.output([consoleLoadbalancerDnsName])
 })
 
 const serviceDnsRecord = new aws.route53.Record("serviceEndDnsRecord", {
   zoneId: zoneId,
   name: serviceEndpoint,
   type: "CNAME",
   ttl: 300,
-  records: [ serviceLoadbalancerDnsName]
+  records: pulumi.output([serviceLoadbalancerDnsName])
 })