import * as pulumi from "@pulumi/pulumi";
import * as awsx from "@pulumi/awsx";
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";
import * as k8s from "@pulumi/kubernetes";
const projectName = pulumi.getProject();

// VPC that the cluster and its nodes are placed in.
const vpc = new awsx.ec2.Vpc(`${projectName}`, {
  tags: { Name: `${projectName}` },
});

/**
 * Build the trust policy (as a JSON string) for the cluster-admin role.
 *
 * The principal is the account root ARN, which delegates trust to the whole
 * account: any IAM identity in that account that is itself allowed to call
 * sts:AssumeRole on this role can assume it. Narrow `Principal.AWS` to
 * specific role/user ARNs if cluster-admin access should be limited to a
 * known set of identities.
 *
 * @param id - the AWS account id the policy trusts
 * @returns the serialized IAM policy document
 */
function trustPolicyForAccount(id: string): string {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "",
        Effect: "Allow",
        Principal: {
          AWS: `arn:aws:iam::${id}:root`,
        },
        Action: "sts:AssumeRole",
      },
    ],
  });
}

// Resolve the deploying account so the trust policy can reference it.
const callerIdentity = pulumi.output(aws.getCallerIdentity({}));
const assumeRolePolicy = callerIdentity.accountId.apply(trustPolicyForAccount);

// IAM role that will be mapped to cluster-admin inside the cluster.
const clusterAdminRole = new aws.iam.Role("clusterAdminRole", {
  assumeRolePolicy,
  tags: {
    clusterAccess: "admin-usr",
  },
});

// aws-auth entry granting the role membership of system:masters, i.e.
// unrestricted cluster RBAC. Every principal able to assume clusterAdminRole
// therefore gets full control of the cluster, so the role's trust policy is
// the effective access boundary.
const adminRoleMapping = {
  groups: ["system:masters"],
  roleArn: clusterAdminRole.arn,
  username: "pulumi:admin-usr",
};

// EKS cluster created with the named AWS profile. The admin role is only
// mapped into RBAC here, not used as the provider credential: until the
// mapping exists it has no access to the cluster and could not write the
// aws-auth ConfigMap that grants its own permissions. The role-based
// provider further down uses it once the cluster is ready.
const cluster = new eks.Cluster(`${projectName}`, {
  vpcId: vpc.vpcId,
  publicSubnetIds: vpc.publicSubnetIds,
  providerCredentialOpts: {
    profileName: aws.config.profile,
  },
  // Pinned worker-node AMI. AMI ids are region-specific, so this id only
  // resolves in the region it was published in.
  nodeAmiId: "ami-066e69f6f03b5383e",
  roleMappings: [adminRoleMapping],
});

// Stack output: the cluster kubeconfig. Stack outputs are stored in state and
// are readable by anyone with read access to the stack.
export const kubeconfig = cluster.kubeconfig;

// Kubeconfig that authenticates with the named profile and then assumes the
// admin role mapped into the cluster's RBAC above.
export const roleKubeconfig = cluster.getKubeconfig({
  profileName: aws.config.profile,
  roleArn: clusterAdminRole.arn,
}).result;

// Kubernetes provider driven by the role-based kubeconfig. It depends on the
// cluster's own provider so the aws-auth mapping is in place before this
// provider is used.
const roleProvider = new k8s.Provider(
  "provider",
  { kubeconfig: roleKubeconfig },
  { dependsOn: [cluster.provider] },
);

// Sample workload created through the role-based provider. The image
// reference carries no tag or digest, so it resolves to the registry's
// default tag at pull time.
const nginxPod = new k8s.core.v1.Pod(
  "nginx",
  {
    spec: {
      containers: [
        {
          name: "nginx",
          image: "nginx",
          ports: [{ name: "http", containerPort: 80 }],
        },
      ],
    },
  },
  { provider: roleProvider },
);