pulumi / pulumi-aws-iam

A Pulumi Multi Language Component for working with AWS IAM resources.
Apache License 2.0

RoleForServiceAccountsEks creation fails #10

Closed amkartashov closed 1 year ago

amkartashov commented 1 year ago

What happened?

Deployment of RoleForServiceAccountsEks fails. I copied the example code from the documentation:

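// Import needed by the snippet (package name as listed under Dependencies below)
import * as iam from "@pulumi/aws-iam";

// Role For Service Accounts EKS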
export const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks("aws-iam-example-role-for-service-accounts-eks", {
    role: {
        name: "vpc-cni"
    },
    tags: {
        Name: "vpc-cni-irsa",
    },
    oidcProviders: {
        main: {
            providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
            namespaceServiceAccounts: ["default:my-app", "canary:my-app"],
        }
    },
    policies: {
        vpnCni: {
            attach: true,
            enableIpv4: true,
        },
    },
});

This is the output of pulumi up:

AWS_PROFILE=deepkeep-dev pulumi up
Previewing update (dev):
     Type                                        Name                                                Plan
     pulumi:pulumi:Stack                         dev-cluster-dev
 +   └─ aws-iam:index:RoleForServiceAccountsEks  aws-iam-example-role-for-service-accounts-eks       create
 +      ├─ aws:iam:Policy                        aws-iam-example-role-for-service-accounts-eks       create
 +      ├─ aws:iam:Role                          aws-iam-example-role-for-service-accounts-eks-role  create
 +      └─ aws:iam:RolePolicyAttachment          aws-iam-example-role-for-service-accounts-eks       create

Resources:
    + 4 to create
    64 unchanged

Do you want to perform this update? yes
Updating (dev):
     Type                                        Name                                                Status           Info
     pulumi:pulumi:Stack                         dev-cluster-dev                                     **failed**       1 error
 +   ├─ aws-iam:index:RoleForServiceAccountsEks  aws-iam-example-role-for-service-accounts-eks       created
 +   │  ├─ aws:iam:Role                          aws-iam-example-role-for-service-accounts-eks-role  created (2s)
 +   │  ├─ aws:iam:Policy                        aws-iam-example-role-for-service-accounts-eks       created (2s)
 +   │  └─ aws:iam:RolePolicyAttachment          aws-iam-example-role-for-service-accounts-eks       created (1s)
     └─ eks:index:Cluster                        dev
        └─ aws:eks:Cluster                       dev-eksCluster

Diagnostics:
  pulumi:pulumi:Stack (dev-cluster-dev):
    error: Running program '/home/me/git/deepkeep/local-dev-env/aws/dev-cluster/' failed with an unhandled exception:
    <ref *1> Error: failed to register new resource aws-iam-example-role-for-service-accounts-eks [aws-iam:index:RoleForServiceAccountsEks]: 2 UNKNOWN: marshaling properties: awaiting input property role: cannot marshal an input of type pulumi.StringOutput with element type string as a value of type pulumi.StringOutput
        at Object.registerResource (/home/me/git/deepkeep/local-dev-env/aws/dev-cluster/node_modules/@pulumi/runtime/resource.ts:339:27)
        at new Resource (/home/me/git/deepkeep/local-dev-env/aws/dev-cluster/node_modules/@pulumi/resource.ts:398:13)
        at new ComponentResource (/home/me/git/deepkeep/local-dev-env/aws/dev-cluster/node_modules/@pulumi/resource.ts:891:9)
        at new RoleForServiceAccountsEks (/home/me/git/deepkeep/local-dev-env/aws/dev-cluster/node_modules/@pulumi/roleForServiceAccountsEks.ts:98:9)
        at Object.<anonymous> (/home/me/git/deepkeep/local-dev-env/aws/dev-cluster/index.ts:119:35)
        at Module._compile (node:internal/modules/cjs/loader:1191:14)
        at Module.m._compile (/home/me/git/deepkeep/local-dev-env/aws/dev-cluster/node_modules/ts-node/src/index.ts:439:23)
        at Module._extensions..js (node:internal/modules/cjs/loader:1245:10)
        at Object.require.extensions.<computed> [as .ts] (/home/me/git/deepkeep/local-dev-env/aws/dev-cluster/node_modules/ts-node/src/index.ts:442:12)
        at Module.load (node:internal/modules/cjs/loader:1069:32) {
      promise: Promise { <rejected> [Circular *1] }
    }

Outputs:
    devAdminK8sToken: [secret]
    kubeconfigScript: [secret]

Resources:
    + 4 created
    64 unchanged

Duration: 16s

The role is created, but any other invocation of pulumi up fails instantly with the same exception.

Expected Behavior

No errors.

Steps to reproduce

Try the example from https://www.pulumi.com/registry/packages/aws-iam/ with RoleForServiceAccountsEks.

Output of pulumi about

CLI
Version      3.58.0
Go Version   go1.20.2
Go Compiler  gc

Plugins
NAME        VERSION
aws         5.32.0
aws         5.16.2
aws-iam     0.1.0
awsx        1.0.2
docker      3.6.1
eks         1.0.1
kubernetes  3.24.2
nodejs      unknown

Host
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in nodejs: executable='/usr/bin/node' version='v16.19.1'

Current Stack: dev


Found no pending operations associated with dev

Backend
Name           hengroen
URL            s3://pulimi-state-deepkeep-431370296018-eu-central-1?profile=deepkeep-dev
User           me
Organizations

Dependencies:
NAME                              VERSION
@pulumi/aws                       5.32.0
@pulumi/aws-iam                   0.1.0
@pulumi/awsx                      1.0.2
@pulumi/eks                       1.0.1
@pulumi/pulumi                    3.58.0
typescript                        4.9.5
@types/node                       16.18.18
@typescript-eslint/eslint-plugin  5.56.0
@typescript-eslint/parser         5.56.0
eslint                            8.36.0
eslint-config-prettier            8.8.0
eslint-plugin-prettier            4.2.1
prettier                          2.8.6

Pulumi locates its logs in /tmp by default

Additional context

No response


lucasmarshall commented 1 year ago

I am also seeing this same issue.

ztripez commented 8 months ago

I'm using 0.2.0 and get the same error, using the code from the documentation.