How do I integrate an API Gateway using Pulumi with EKS?

Question

Pulumi · Accepted Answer

To integrate an API Gateway with an EKS cluster, you'll need to set up an AWS API Gateway integration and an IAM Role for EKS.

The AWS API Gateway `aws.apigateway.RestApi` allows you to create, deploy, and manage a RESTful API to expose your backend HTTP endpoints, AWS Lambda functions, or other AWS services.

The AWS IAM Role `aws-iam.EKSRole` is used to permit EKS to call other AWS services on your behalf.

Here's how you could perform this integration:

```typescript
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";

// Create a new EKS cluster.
const cluster = new eks.Cluster("my-cluster", {
    desiredCapacity: 2,
    minSize: 1,
    maxSize: 2,
    storageClasses: "gp2",
    deployDashboard: false,
});

// Create a role that EKS can assume.
const eksRole = new aws.iam.Role("eksIamRole", {
    assumeRolePolicy: aws.getCallerIdentity().then(id => JSON.stringify({
        Version: "2008-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Principal: {
                    AWS: `arn:aws:iam::${id.accountId}:root`,
                },
                Effect: "Allow",
                Sid: "",
            },
        ],
    })),
});

// Attach the AmazonEKSClusterPolicy to the role.
const eksRolePolicyAttachment = new aws.iam.RolePolicyAttachment("eksRolePolicyAttachment", {
    role: eksRole,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
});

// Create a new REST API
let api = new aws.apigateway.RestApi("api", {
    description: "My API for EKS",
});

// For simplicity, we simply proxy all routes straight through to the target.
let integration = new aws.apigateway.Integration("api-integration", {
    restApi: api,
    type: "AWS_PROXY",
    uri: cluster.cluster.endpoint,
    // You should set it to eksRole.arn,
    // but as of now, you can't attach the execution role to the EKS.
    // So assumedRoleArn is kept empty.
});

let method = new aws.apigateway.Method("api-method", {
    restApi: api,
    resourceId: api.rootResourceId,
    httpMethod: "ANY",
    authorization: "NONE",
    apiKeyRequired: false,
    integration: {
        type: "AWS_PROXY",
        uri: integration.uri,
        httpMethod: "POST",
        credentials: "", //you should set it to eksRole.arn
    },
});

// Export the cluster's kubeconfig.
export const kubeconfig = cluster.kubeconfig;

```

In this example, the EKS cluster is created using the `pulumi/eks` package. Also, note that the code above creates the integration with `aws_proxy` type for simply forwarding all HTTP requests to the EKS cluster. If you want to define specific endpoints inside the gateway, you'll need to create separate integrations and methods.

[API Gateway Integration Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/apigateway/integration/)
[EKS Role Documentation](https://www.pulumi.com/registry/packages/aws-iam/api-docs/eksrole/)

Security is important, please make sure to review the IAM roles and policies to ensure they adhere to the practice of least privilege.

Note: As of now, Amazon EKS does not directly support assuming an IAM role for its service account, thus you cannot set the `credentials` property of the `Integration` type with the EKS IAM role ARN directly. AWS recommends deploying a proxy layer like kube2iam for this use case.