1. How do I integrate an API Gateway using Pulumi with EKS?


    To integrate an API Gateway with an EKS cluster you need three pieces: an HTTP endpoint exposed from the cluster (for example a Service of type LoadBalancer), an AWS API Gateway REST API with an HTTP proxy integration that forwards requests to that endpoint, and the IAM service role the cluster itself runs with.

    The AWS API Gateway resource aws.apigateway.RestApi creates, deploys, and manages a RESTful API that exposes backend HTTP endpoints, AWS Lambda functions, or other AWS services. Each method on the API is wired to its backend with an aws.apigateway.Integration, whose type must match the backend: HTTP_PROXY for a plain HTTP endpoint, AWS_PROXY for Lambda.

    The cluster service role is an ordinary aws.iam.Role trusted by the eks.amazonaws.com service principal with AmazonEKSClusterPolicy attached. It permits the EKS control plane to manage AWS resources such as network interfaces and load balancers on your behalf. It is not a role that API Gateway can use to reach the cluster.

    Here's how you could perform this integration:

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as eks from "@pulumi/eks";
    import * as k8s from "@pulumi/kubernetes";

    // The cluster service role: trusted by the EKS service principal only, not by
    // every identity in the account.
    const eksRole = new aws.iam.Role("eksIamRole", {
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: "sts:AssumeRole",
                Principal: { Service: "eks.amazonaws.com" },
            }],
        }),
    });

    // AmazonEKSClusterPolicy grants the control plane what it needs to manage
    // network interfaces, load balancers and related resources on your behalf.
    const eksRolePolicyAttachment = new aws.iam.RolePolicyAttachment("eksRolePolicyAttachment", {
        role: eksRole.name,
        policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    });

    // Create a new EKS cluster that runs with that service role.
    const cluster = new eks.Cluster("my-cluster", {
        serviceRole: eksRole,
        desiredCapacity: 2,
        minSize: 1,
        maxSize: 2,
        storageClasses: "gp2",
    }, { dependsOn: [eksRolePolicyAttachment] });

    // API Gateway needs an HTTP endpoint that a workload listens on; the cluster's
    // own endpoint is the Kubernetes API server and must not be the proxy target.
    // Run a workload and expose it with a Service of type LoadBalancer, whose ELB
    // hostname becomes the target.
    const k8sProvider = new k8s.Provider("k8s", { kubeconfig: cluster.kubeconfig });
    const appLabels = { app: "web" };
    const web = new k8s.apps.v1.Deployment("web", {
        spec: {
            replicas: 2,
            selector: { matchLabels: appLabels },
            template: {
                metadata: { labels: appLabels },
                spec: { containers: [{ name: "web", image: "nginx:1.25", ports: [{ containerPort: 80 }] }] },
            },
        },
    }, { provider: k8sProvider });
    const webService = new k8s.core.v1.Service("web", {
        spec: { type: "LoadBalancer", selector: appLabels, ports: [{ port: 80, targetPort: 80 }] },
    }, { provider: k8sProvider, dependsOn: [web] });
    const backendHost = webService.status.loadBalancer.ingress[0].hostname;

    // Create a new REST API.
    const api = new aws.apigateway.RestApi("api", { description: "My API for EKS" });

    // For simplicity, proxy all routes straight through to the target: a greedy
    // {proxy+} resource catches every path, which is forwarded unchanged.
    const proxyResource = new aws.apigateway.Resource("api-proxy", {
        restApi: api.id,
        parentId: api.rootResourceId,
        pathPart: "{proxy+}",
    });

    // authorization: "NONE" makes every route public. Use AWS_IAM, a Lambda
    // authorizer or a Cognito user pool before exposing anything sensitive.
    const method = new aws.apigateway.Method("api-method", {
        restApi: api.id,
        resourceId: proxyResource.id,
        httpMethod: "ANY",
        authorization: "NONE",
        apiKeyRequired: false,
        requestParameters: { "method.request.path.proxy": true },
    });

    // HTTP_PROXY is the integration type for a plain HTTP backend (AWS_PROXY is
    // for Lambda). The `credentials` property is only used by AWS service
    // integrations and is therefore not set here.
    const integration = new aws.apigateway.Integration("api-integration", {
        restApi: api.id,
        resourceId: proxyResource.id,
        httpMethod: method.httpMethod,
        integrationHttpMethod: "ANY",
        type: "HTTP_PROXY",
        uri: pulumi.interpolate`http://${backendHost}/{proxy}`,
        requestParameters: { "integration.request.path.proxy": "method.request.path.proxy" },
    });

    // Deploy the API to a stage so that it has an invoke URL.
    const deployment = new aws.apigateway.Deployment("api-deployment", {
        restApi: api.id,
    }, { dependsOn: [integration] });
    const stage = new aws.apigateway.Stage("api-stage", {
        restApi: api.id,
        deployment: deployment.id,
        stageName: "v1",
    });

    // Export the cluster's kubeconfig and the gateway's invoke URL.
    export const kubeconfig = cluster.kubeconfig;
    export const apiUrl = stage.invokeUrl;

    In this example, the EKS cluster is created using the pulumi/eks package, a Kubernetes Service of type LoadBalancer exposes a workload, and an HTTP_PROXY integration on a greedy {proxy+} resource forwards every HTTP request to it. If you want to define specific endpoints inside the gateway, create a separate Resource, Method and Integration for each path instead of the catch-all.

    API Gateway Integration Documentation
    EKS Role Documentation

    Security is important: review the IAM roles and policies so that they adhere to least privilege. The cluster service role should trust only eks.amazonaws.com, and any role handed to API Gateway through an integration's credentials property should trust only apigateway.amazonaws.com and carry no more permissions than the integration needs.

    Note: the credentials property of an Integration names an IAM role that API Gateway assumes when calling an AWS service (AWS or AWS_PROXY integrations); it is not used for an HTTP_PROXY integration, and the EKS cluster service role is the wrong role for it in any case, since that role is assumed by the EKS control plane, not by API Gateway. Workloads inside the cluster that need AWS permissions should use IAM roles for service accounts (IRSA), which EKS supports natively; kube2iam is a third-party alternative to that mechanism, not an AWS recommendation.
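    The following is an added example, not part of the original answer or of Pulumi's own code: a dependency-free TypeScript lint that encodes the review checks discussed above for the IAM trust policy and the API Gateway integration settings. It flags a trust policy that lets the account root (or anyone) assume a service role, a policy language version older than 2012-10-17, an AWS or AWS_PROXY integration pointed at a URL, an integration whose target is the EKS control-plane endpoint, and an ANY method with no authorization. The function names (lintTrustPolicy, lintIntegration), the Finding codes, and all sample values are this example's own assumptions.

```typescript
// Added example: review checks for the trust policy and integration settings
// used in a Pulumi API Gateway + EKS program. Plain TypeScript, no Pulumi
// dependency. Names and sample values are this example's own.

type Principal = { AWS?: string | string[]; Service?: string | string[] };
type Statement = { Effect: "Allow" | "Deny"; Action: string | string[]; Principal?: Principal };
type TrustPolicy = { Version: string; Statement: Statement[] };

type IntegrationSpec = {
  type: "AWS" | "AWS_PROXY" | "HTTP" | "HTTP_PROXY" | "MOCK";
  uri: string;
  httpMethod: string;
  authorization: "NONE" | "AWS_IAM" | "CUSTOM" | "COGNITO_USER_POOLS";
};

type Finding = { code: string; detail: string };

const asList = (v: string | string[] | undefined): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const ROOT_PRINCIPAL = /^arn:aws:iam::\d{12}:root$/;

// A service role's trust policy should name the service principal and nothing broader.
function lintTrustPolicy(policy: TrustPolicy, expectedService: string): Finding[] {
  const findings: Finding[] = [];
  if (policy.Version !== "2012-10-17") {
    findings.push({ code: "POLICY_VERSION", detail: `Version ${policy.Version}; use 2012-10-17` });
  }
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow" || !asList(s.Action).includes("sts:AssumeRole")) continue;
    const awsPrincipals = asList(s.Principal?.AWS);
    if (awsPrincipals.some(p => p === "*" || ROOT_PRINCIPAL.test(p))) {
      findings.push({ code: "BROAD_PRINCIPAL", detail: "any identity in the account (or anyone) may assume the role" });
    }
    if (!asList(s.Principal?.Service).includes(expectedService)) {
      findings.push({ code: "MISSING_SERVICE_PRINCIPAL", detail: `expected Principal.Service ${expectedService}` });
    }
  }
  return findings;
}

// Integration type and uri must agree, the target must be a workload, and a
// catch-all method without authorization is a public route.
function lintIntegration(spec: IntegrationSpec, clusterEndpoint: string): Finding[] {
  const findings: Finding[] = [];
  const isUrl = /^https?:\/\//i.test(spec.uri);
  const isAwsType = spec.type === "AWS" || spec.type === "AWS_PROXY";
  if (isAwsType && isUrl) {
    findings.push({ code: "TYPE_URI_MISMATCH", detail: "AWS/AWS_PROXY take an arn:aws:apigateway:... uri; use HTTP_PROXY for a URL" });
  }
  if (!isAwsType && spec.type !== "MOCK" && !isUrl) {
    findings.push({ code: "TYPE_URI_MISMATCH", detail: "HTTP/HTTP_PROXY need a fully qualified http(s) URL" });
  }
  const strip = (u: string) => u.replace(/\/+$/, "").toLowerCase();
  if (strip(spec.uri) === strip(clusterEndpoint)) {
    findings.push({ code: "TARGETS_CONTROL_PLANE", detail: "uri is the Kubernetes API server, not a workload endpoint" });
  }
  if (spec.authorization === "NONE" && spec.httpMethod === "ANY") {
    findings.push({ code: "PUBLIC_ANY_ROUTE", detail: "every verb on this path is reachable without authentication" });
  }
  return findings;
}

// Constructed sample values: the settings from the answer above, then a corrected pair.
const CLUSTER_ENDPOINT = "https://EXAMPLE0123456789.gr7.us-west-2.eks.amazonaws.com";
const pageTrustPolicy: TrustPolicy = {
  Version: "2008-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: "arn:aws:iam::123456789012:root" } }],
};
const pageIntegration: IntegrationSpec = { type: "AWS_PROXY", uri: CLUSTER_ENDPOINT, httpMethod: "ANY", authorization: "NONE" };
const fixedTrustPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "eks.amazonaws.com" } }],
};
const fixedIntegration: IntegrationSpec = {
  type: "HTTP_PROXY",
  uri: "http://a1b2c3d4e5f6.us-west-2.elb.amazonaws.com/{proxy}",
  httpMethod: "ANY",
  authorization: "AWS_IAM",
};

const report = (label: string, findings: Finding[]) =>
  console.log(`${label}: ${findings.length === 0 ? "ok" : findings.map(f => `${f.code} (${f.detail})`).join("; ")}`);
report("page trust policy", lintTrustPolicy(pageTrustPolicy, "eks.amazonaws.com"));
report("page integration", lintIntegration(pageIntegration, CLUSTER_ENDPOINT));
report("fixed trust policy", lintTrustPolicy(fixedTrustPolicy, "eks.amazonaws.com"));
report("fixed integration", lintIntegration(fixedIntegration, CLUSTER_ENDPOINT));
```

    Run against the original settings the lint reports all three trust-policy findings and all three integration findings; against the corrected pair it reports none. The same checks can be wrapped in a Pulumi CrossGuard policy pack so that they run on every `pulumi preview`, but the logic itself does not depend on Pulumi.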