pulumi-eks icon indicating copy to clipboard operation
pulumi-eks copied to clipboard

Published 20 hours ago verified publisher icon pulumi

Python: Error manually defining a cluster's node group. "The NodeGroup's nodeSecurityGroup and the cluster option nodeSecurityGroupTags are mutually exclusive."

Open almson opened this issue 4 years ago • 2 comments
trafficstars

I'm trying to migrate typescript to python. I have an EKS cluster defined with skip_default_node_group and no other node group options:

        self.cluster = eks.Cluster(
            f"{name}-eks",
            name=name,
            vpc_id=vpc.id,
            version="1.19",
            public_subnet_ids=[s.id for s in vpc.public_subnets],
            private_subnet_ids=[s.id for s in vpc.private_subnets],
            cluster_security_group = self.eks_cluster_master_sg,
            endpoint_public_access=False,
            endpoint_private_access=True,
            create_oidc_provider=True,
            skip_default_node_group=True,
            instance_roles=[self.worker_iam_role],
            role_mappings=[
                RoleMappingArgs(
                    # redacted
                )
            ],
            opts=ResourceOptions(parent=self))

I'm creating a node group as:

        self.eks_cluster_worker_sg = ...
        NodeGroup(
            f"{name}-eks-default-nodegroup",
            cluster=self.cluster,
            instance_type="t3.medium",
            node_subnet_ids=[s.id for s in vpc.private_subnets],
            desired_capacity=1,
            ami_id=worker_ami,
            min_size=1,
            max_size=10,
            labels={"ondemand": "True"},
            instance_profile=self.worker_iam_profile,
            node_associate_public_ip_address=False,
            node_security_group=self.eks_cluster_worker_sg,
            auto_scaling_group_tags={"Name": f"{name}-default", **common_tags},
            cloud_formation_tags={"Name": f"{name}-default", **common_tags},
            opts=ResourceOptions(parent=self.cluster)
        )

This fails with error

Exception: The NodeGroup's nodeSecurityGroup and the cluster option nodeSecurityGroupTags are mutually exclusive. Choose a single approach

I am not setting nodeSecurityGroupTags and the approach works in TypeScript.

Context (Environment)

Pulumi 3.3.0 on Manjaro with latest Python packages.

almson avatar May 24 '21 13:05 almson

After more digging, it turns out that nodeSecurityGroup doesn't work in TypeScript either, although in a different way. I didn't try debugging it (because Pulumi hates debuggers and hates developers) and instead tried extraNodeSecurityGroups, which is probably the better approach. However, that doesn't work in Python either, as per #591.

almson avatar Jun 07 '21 14:06 almson