diff --git a/examples/custom-managed-nodegroup/index.ts b/examples/custom-managed-nodegroup/index.ts
index 17212260c..76a82f675 100644
--- a/examples/custom-managed-nodegroup/index.ts
+++ b/examples/custom-managed-nodegroup/index.ts
@@ -23,7 +23,13 @@ const cluster = new eks.Cluster("example-managed-nodegroup", {
 publicSubnetIds: eksVpc.publicSubnetIds,
 // Private subnets will be used for cluster nodes
 privateSubnetIds: eksVpc.privateSubnetIds,
- instanceRoles: [instanceRole],
+ authenticationMode: eks.AuthenticationMode.API,
+ accessEntries: {
+ instanceRole: {
+ principalArn: instanceRole.arn,
+ type: eks.AccessEntryType.EC2_LINUX,
+ }
+ }
 });
 
 // Export the cluster's kubeconfig.
diff --git a/nodejs/eks/nodegroup.ts b/nodejs/eks/nodegroup.ts
index 720bea963..cfc65ab88 100644
--- a/nodejs/eks/nodegroup.ts
+++ b/nodejs/eks/nodegroup.ts
@@ -19,6 +19,7 @@ import * as pulumi from "@pulumi/pulumi";
 import * as crypto from "crypto";
 import * as netmask from "netmask";
 
+import { supportsAccessEntries } from "./authenticationMode";
 import { Cluster, ClusterInternal, CoreData } from "./cluster";
 import randomSuffix from "./randomSuffix";
 import { createNodeGroupSecurityGroup } from "./securitygroup";
@@ -1667,13 +1668,16 @@ function createManagedNodeGroupInternal(
 });
 });
 
- nodegroupRole.apply((role) => {
- if (!role) {
- throw new Error(
- `A managed node group cannot be created without first setting its role in the cluster's instanceRoles`,
- );
- }
- });
+ pulumi
+ .all([core.cluster.accessConfig.authenticationMode, nodegroupRole])
+ .apply(([authMode, role]) => {
+ // access entries can be added out of band, so we don't require them to be set in the cluster.
+ if (!supportsAccessEntries(authMode) && !role) {
+ throw new Error(
+ `A managed node group cannot be created without first setting its role in the cluster's instanceRoles`,
+ );
+ }
+ });
 
 // Compute the node group subnets to use.
 let subnetIds: pulumi.Output;
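Review bot: The new `accessEntries` block in the example has no comment saying why the node role is registered with `type: eks.AccessEntryType.EC2_LINUX`. With `authenticationMode: eks.AuthenticationMode.API` the aws-auth ConfigMap is no longer consulted, so this entry is what lets the nodes authenticate to the cluster. Someone copying the example could otherwise register the role as a general-purpose entry and attach broader permissions than a node needs. I would add above `accessEntries`: `// API mode does not read the aws-auth ConfigMap; the node role joins the cluster through this EC2_LINUX access entry.` The `new eks.Cluster(...)` call starts outside the hunk.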
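Review bot: When `supportsAccessEntries(authMode)` is true the role check is skipped entirely, so a node group whose role is in neither `instanceRoles` nor any access entry now passes validation. Its nodes would presumably fail to join only at runtime. The inline comment explains why the check cannot be enforced but not what the user must still do; I would extend it to `// Access entries can be added out of band, so this cannot be validated here. The node role still needs an access entry (e.g. EC2_LINUX) or its nodes will not be able to join the cluster.` `supportsAccessEntries` is defined outside this diff, so it is worth confirming it returns false for an unset authentication mode; otherwise clusters still using `instanceRoles` alone would lose this check. The body of `createManagedNodeGroupInternal` starts and ends outside the hunk.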