The gcp:container/awsCluster:AwsCluster resource, part of the Pulumi GCP provider, defines an Anthos cluster running on AWS: its control plane configuration, networking, authentication, and fleet registration. This guide focuses on three capabilities: control plane and networking setup, AWS authentication and encryption, and logging and instance placement.
Anthos clusters on AWS require extensive pre-existing infrastructure: VPC, subnets, security groups, IAM roles, and KMS keys. The examples are intentionally small. Combine them with your own AWS infrastructure and node pool resources.
Deploy a GKE cluster on AWS infrastructure
Organizations running multi-cloud Kubernetes use Anthos to manage clusters across AWS and Google Cloud from a single control plane.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const versions = gcp.container.getAwsVersions({
project: "my-project-name",
location: "us-west1",
});
const primary = new gcp.container.AwsCluster("primary", {
authorization: {
adminUsers: [{
username: "my@service-account.com",
}],
adminGroups: [{
group: "group@domain.com",
}],
},
awsRegion: "my-aws-region",
controlPlane: {
awsServicesAuthentication: {
roleArn: "arn:aws:iam::012345678910:role/my--1p-dev-oneplatform",
roleSessionName: "my--1p-dev-session",
},
configEncryption: {
kmsKeyArn: "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
databaseEncryption: {
kmsKeyArn: "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
iamInstanceProfile: "my--1p-dev-controlplane",
subnetIds: ["subnet-00000000000000000"],
version: versions.then(versions => versions.validVersions?.[0]),
instanceType: "t3.medium",
mainVolume: {
iops: 3000,
kmsKeyArn: "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
sizeGib: 10,
volumeType: "GP3",
},
proxyConfig: {
secretArn: "arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF",
secretVersion: "12345678-ABCD-EFGH-IJKL-987654321098",
},
rootVolume: {
iops: 3000,
kmsKeyArn: "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
sizeGib: 10,
volumeType: "GP3",
},
securityGroupIds: ["sg-00000000000000000"],
sshConfig: {
ec2KeyPair: "my--1p-dev-ssh",
},
tags: {
owner: "my@service-account.com",
},
},
fleet: {
project: "my-project-number",
},
location: "us-west1",
name: "name",
networking: {
podAddressCidrBlocks: ["10.2.0.0/16"],
serviceAddressCidrBlocks: ["10.1.0.0/16"],
vpcId: "vpc-00000000000000000",
},
annotations: {
"label-one": "value-one",
},
description: "A sample aws cluster",
project: "my-project-name",
});
import pulumi
import pulumi_gcp as gcp
versions = gcp.container.get_aws_versions(project="my-project-name",
location="us-west1")
primary = gcp.container.AwsCluster("primary",
authorization={
"admin_users": [{
"username": "my@service-account.com",
}],
"admin_groups": [{
"group": "group@domain.com",
}],
},
aws_region="my-aws-region",
control_plane={
"aws_services_authentication": {
"role_arn": "arn:aws:iam::012345678910:role/my--1p-dev-oneplatform",
"role_session_name": "my--1p-dev-session",
},
"config_encryption": {
"kms_key_arn": "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
"database_encryption": {
"kms_key_arn": "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
"iam_instance_profile": "my--1p-dev-controlplane",
"subnet_ids": ["subnet-00000000000000000"],
"version": versions.valid_versions[0],
"instance_type": "t3.medium",
"main_volume": {
"iops": 3000,
"kms_key_arn": "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
"size_gib": 10,
"volume_type": "GP3",
},
"proxy_config": {
"secret_arn": "arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF",
"secret_version": "12345678-ABCD-EFGH-IJKL-987654321098",
},
"root_volume": {
"iops": 3000,
"kms_key_arn": "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
"size_gib": 10,
"volume_type": "GP3",
},
"security_group_ids": ["sg-00000000000000000"],
"ssh_config": {
"ec2_key_pair": "my--1p-dev-ssh",
},
"tags": {
"owner": "my@service-account.com",
},
},
fleet={
"project": "my-project-number",
},
location="us-west1",
name="name",
networking={
"pod_address_cidr_blocks": ["10.2.0.0/16"],
"service_address_cidr_blocks": ["10.1.0.0/16"],
"vpc_id": "vpc-00000000000000000",
},
annotations={
"label-one": "value-one",
},
description="A sample aws cluster",
project="my-project-name")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/container"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
versions, err := container.GetAwsVersions(ctx, &container.GetAwsVersionsArgs{
Project: pulumi.StringRef("my-project-name"),
Location: pulumi.StringRef("us-west1"),
}, nil)
if err != nil {
return err
}
_, err = container.NewAwsCluster(ctx, "primary", &container.AwsClusterArgs{
Authorization: &container.AwsClusterAuthorizationArgs{
AdminUsers: container.AwsClusterAuthorizationAdminUserArray{
&container.AwsClusterAuthorizationAdminUserArgs{
Username: pulumi.String("my@service-account.com"),
},
},
AdminGroups: container.AwsClusterAuthorizationAdminGroupArray{
&container.AwsClusterAuthorizationAdminGroupArgs{
Group: pulumi.String("group@domain.com"),
},
},
},
AwsRegion: pulumi.String("my-aws-region"),
ControlPlane: &container.AwsClusterControlPlaneArgs{
AwsServicesAuthentication: &container.AwsClusterControlPlaneAwsServicesAuthenticationArgs{
RoleArn: pulumi.String("arn:aws:iam::012345678910:role/my--1p-dev-oneplatform"),
RoleSessionName: pulumi.String("my--1p-dev-session"),
},
ConfigEncryption: &container.AwsClusterControlPlaneConfigEncryptionArgs{
KmsKeyArn: pulumi.String("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111"),
},
DatabaseEncryption: &container.AwsClusterControlPlaneDatabaseEncryptionArgs{
KmsKeyArn: pulumi.String("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111"),
},
IamInstanceProfile: pulumi.String("my--1p-dev-controlplane"),
SubnetIds: pulumi.StringArray{
pulumi.String("subnet-00000000000000000"),
},
Version: pulumi.String(versions.ValidVersions[0]),
InstanceType: pulumi.String("t3.medium"),
MainVolume: &container.AwsClusterControlPlaneMainVolumeArgs{
Iops: pulumi.Int(3000),
KmsKeyArn: pulumi.String("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111"),
SizeGib: pulumi.Int(10),
VolumeType: pulumi.String("GP3"),
},
ProxyConfig: &container.AwsClusterControlPlaneProxyConfigArgs{
SecretArn: pulumi.String("arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF"),
SecretVersion: pulumi.String("12345678-ABCD-EFGH-IJKL-987654321098"),
},
RootVolume: &container.AwsClusterControlPlaneRootVolumeArgs{
Iops: pulumi.Int(3000),
KmsKeyArn: pulumi.String("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111"),
SizeGib: pulumi.Int(10),
VolumeType: pulumi.String("GP3"),
},
SecurityGroupIds: pulumi.StringArray{
pulumi.String("sg-00000000000000000"),
},
SshConfig: &container.AwsClusterControlPlaneSshConfigArgs{
Ec2KeyPair: pulumi.String("my--1p-dev-ssh"),
},
Tags: pulumi.StringMap{
"owner": pulumi.String("my@service-account.com"),
},
},
Fleet: &container.AwsClusterFleetArgs{
Project: pulumi.String("my-project-number"),
},
Location: pulumi.String("us-west1"),
Name: pulumi.String("name"),
Networking: &container.AwsClusterNetworkingArgs{
PodAddressCidrBlocks: pulumi.StringArray{
pulumi.String("10.2.0.0/16"),
},
ServiceAddressCidrBlocks: pulumi.StringArray{
pulumi.String("10.1.0.0/16"),
},
VpcId: pulumi.String("vpc-00000000000000000"),
},
Annotations: pulumi.StringMap{
"label-one": pulumi.String("value-one"),
},
Description: pulumi.String("A sample aws cluster"),
Project: pulumi.String("my-project-name"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var versions = Gcp.Container.GetAwsVersions.Invoke(new()
{
Project = "my-project-name",
Location = "us-west1",
});
var primary = new Gcp.Container.AwsCluster("primary", new()
{
Authorization = new Gcp.Container.Inputs.AwsClusterAuthorizationArgs
{
AdminUsers = new[]
{
new Gcp.Container.Inputs.AwsClusterAuthorizationAdminUserArgs
{
Username = "my@service-account.com",
},
},
AdminGroups = new[]
{
new Gcp.Container.Inputs.AwsClusterAuthorizationAdminGroupArgs
{
Group = "group@domain.com",
},
},
},
AwsRegion = "my-aws-region",
ControlPlane = new Gcp.Container.Inputs.AwsClusterControlPlaneArgs
{
AwsServicesAuthentication = new Gcp.Container.Inputs.AwsClusterControlPlaneAwsServicesAuthenticationArgs
{
RoleArn = "arn:aws:iam::012345678910:role/my--1p-dev-oneplatform",
RoleSessionName = "my--1p-dev-session",
},
ConfigEncryption = new Gcp.Container.Inputs.AwsClusterControlPlaneConfigEncryptionArgs
{
KmsKeyArn = "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
DatabaseEncryption = new Gcp.Container.Inputs.AwsClusterControlPlaneDatabaseEncryptionArgs
{
KmsKeyArn = "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
IamInstanceProfile = "my--1p-dev-controlplane",
SubnetIds = new[]
{
"subnet-00000000000000000",
},
Version = versions.Apply(getAwsVersionsResult => getAwsVersionsResult.ValidVersions[0]),
InstanceType = "t3.medium",
MainVolume = new Gcp.Container.Inputs.AwsClusterControlPlaneMainVolumeArgs
{
Iops = 3000,
KmsKeyArn = "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
SizeGib = 10,
VolumeType = "GP3",
},
ProxyConfig = new Gcp.Container.Inputs.AwsClusterControlPlaneProxyConfigArgs
{
SecretArn = "arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF",
SecretVersion = "12345678-ABCD-EFGH-IJKL-987654321098",
},
RootVolume = new Gcp.Container.Inputs.AwsClusterControlPlaneRootVolumeArgs
{
Iops = 3000,
KmsKeyArn = "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
SizeGib = 10,
VolumeType = "GP3",
},
SecurityGroupIds = new[]
{
"sg-00000000000000000",
},
SshConfig = new Gcp.Container.Inputs.AwsClusterControlPlaneSshConfigArgs
{
Ec2KeyPair = "my--1p-dev-ssh",
},
Tags =
{
{ "owner", "my@service-account.com" },
},
},
Fleet = new Gcp.Container.Inputs.AwsClusterFleetArgs
{
Project = "my-project-number",
},
Location = "us-west1",
Name = "name",
Networking = new Gcp.Container.Inputs.AwsClusterNetworkingArgs
{
PodAddressCidrBlocks = new[]
{
"10.2.0.0/16",
},
ServiceAddressCidrBlocks = new[]
{
"10.1.0.0/16",
},
VpcId = "vpc-00000000000000000",
},
Annotations =
{
{ "label-one", "value-one" },
},
Description = "A sample aws cluster",
Project = "my-project-name",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.container.ContainerFunctions;
import com.pulumi.gcp.container.inputs.GetAwsVersionsArgs;
import com.pulumi.gcp.container.AwsCluster;
import com.pulumi.gcp.container.AwsClusterArgs;
import com.pulumi.gcp.container.inputs.AwsClusterAuthorizationArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneAwsServicesAuthenticationArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneConfigEncryptionArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneDatabaseEncryptionArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneMainVolumeArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneProxyConfigArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneRootVolumeArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneSshConfigArgs;
import com.pulumi.gcp.container.inputs.AwsClusterFleetArgs;
import com.pulumi.gcp.container.inputs.AwsClusterNetworkingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var versions = ContainerFunctions.getAwsVersions(GetAwsVersionsArgs.builder()
.project("my-project-name")
.location("us-west1")
.build());
var primary = new AwsCluster("primary", AwsClusterArgs.builder()
.authorization(AwsClusterAuthorizationArgs.builder()
.adminUsers(AwsClusterAuthorizationAdminUserArgs.builder()
.username("my@service-account.com")
.build())
.adminGroups(AwsClusterAuthorizationAdminGroupArgs.builder()
.group("group@domain.com")
.build())
.build())
.awsRegion("my-aws-region")
.controlPlane(AwsClusterControlPlaneArgs.builder()
.awsServicesAuthentication(AwsClusterControlPlaneAwsServicesAuthenticationArgs.builder()
.roleArn("arn:aws:iam::012345678910:role/my--1p-dev-oneplatform")
.roleSessionName("my--1p-dev-session")
.build())
.configEncryption(AwsClusterControlPlaneConfigEncryptionArgs.builder()
.kmsKeyArn("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111")
.build())
.databaseEncryption(AwsClusterControlPlaneDatabaseEncryptionArgs.builder()
.kmsKeyArn("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111")
.build())
.iamInstanceProfile("my--1p-dev-controlplane")
.subnetIds("subnet-00000000000000000")
.version(versions.validVersions()[0])
.instanceType("t3.medium")
.mainVolume(AwsClusterControlPlaneMainVolumeArgs.builder()
.iops(3000)
.kmsKeyArn("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111")
.sizeGib(10)
.volumeType("GP3")
.build())
.proxyConfig(AwsClusterControlPlaneProxyConfigArgs.builder()
.secretArn("arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF")
.secretVersion("12345678-ABCD-EFGH-IJKL-987654321098")
.build())
.rootVolume(AwsClusterControlPlaneRootVolumeArgs.builder()
.iops(3000)
.kmsKeyArn("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111")
.sizeGib(10)
.volumeType("GP3")
.build())
.securityGroupIds("sg-00000000000000000")
.sshConfig(AwsClusterControlPlaneSshConfigArgs.builder()
.ec2KeyPair("my--1p-dev-ssh")
.build())
.tags(Map.of("owner", "my@service-account.com"))
.build())
.fleet(AwsClusterFleetArgs.builder()
.project("my-project-number")
.build())
.location("us-west1")
.name("name")
.networking(AwsClusterNetworkingArgs.builder()
.podAddressCidrBlocks("10.2.0.0/16")
.serviceAddressCidrBlocks("10.1.0.0/16")
.vpcId("vpc-00000000000000000")
.build())
.annotations(Map.of("label-one", "value-one"))
.description("A sample aws cluster")
.project("my-project-name")
.build());
}
}
resources:
primary:
type: gcp:container:AwsCluster
properties:
authorization:
adminUsers:
- username: my@service-account.com
adminGroups:
- group: group@domain.com
awsRegion: my-aws-region
controlPlane:
awsServicesAuthentication:
roleArn: arn:aws:iam::012345678910:role/my--1p-dev-oneplatform
roleSessionName: my--1p-dev-session
configEncryption:
kmsKeyArn: arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111
databaseEncryption:
kmsKeyArn: arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111
iamInstanceProfile: my--1p-dev-controlplane
subnetIds:
- subnet-00000000000000000
version: ${versions.validVersions[0]}
instanceType: t3.medium
mainVolume:
iops: 3000
kmsKeyArn: arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111
sizeGib: 10
volumeType: GP3
proxyConfig:
secretArn: arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF
secretVersion: 12345678-ABCD-EFGH-IJKL-987654321098
rootVolume:
iops: 3000
kmsKeyArn: arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111
sizeGib: 10
volumeType: GP3
securityGroupIds:
- sg-00000000000000000
sshConfig:
ec2KeyPair: my--1p-dev-ssh
tags:
owner: my@service-account.com
fleet:
project: my-project-number
location: us-west1
name: name
networking:
podAddressCidrBlocks:
- 10.2.0.0/16
serviceAddressCidrBlocks:
- 10.1.0.0/16
vpcId: vpc-00000000000000000
annotations:
label-one: value-one
description: A sample aws cluster
project: my-project-name
variables:
versions:
fn::invoke:
function: gcp:container:getAwsVersions
arguments:
project: my-project-name
location: us-west1
The controlPlane block defines the Kubernetes control plane: its AWS authentication (awsServicesAuthentication), encryption keys for config and database (configEncryption, databaseEncryption), and EC2 configuration (instanceType, iamInstanceProfile, subnetIds). The networking block sets pod and service CIDR ranges plus the VPC ID. The authorization block grants cluster admin access to users and groups. The fleet block registers the cluster with a Google Cloud project for centralized management.
Configure logging and instance placement
Production clusters often need centralized logging for troubleshooting, plus control over EC2 instance placement for isolation or licensing.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const versions = gcp.container.getAwsVersions({
project: "my-project-name",
location: "us-west1",
});
const primary = new gcp.container.AwsCluster("primary", {
authorization: {
adminUsers: [{
username: "my@service-account.com",
}],
},
awsRegion: "my-aws-region",
controlPlane: {
awsServicesAuthentication: {
roleArn: "arn:aws:iam::012345678910:role/my--1p-dev-oneplatform",
roleSessionName: "my--1p-dev-session",
},
configEncryption: {
kmsKeyArn: "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
databaseEncryption: {
kmsKeyArn: "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
iamInstanceProfile: "my--1p-dev-controlplane",
subnetIds: ["subnet-00000000000000000"],
version: versions.then(versions => versions.validVersions?.[0]),
instanceType: "t3.medium",
mainVolume: {
iops: 3000,
kmsKeyArn: "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
sizeGib: 10,
volumeType: "gp3",
},
proxyConfig: {
secretArn: "arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF",
secretVersion: "12345678-ABCD-EFGH-IJKL-987654321098",
},
rootVolume: {
iops: 3000,
kmsKeyArn: "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
sizeGib: 10,
volumeType: "gp3",
},
securityGroupIds: ["sg-00000000000000000"],
sshConfig: {
ec2KeyPair: "my--1p-dev-ssh",
},
tags: {
owner: "my@service-account.com",
},
instancePlacement: {
tenancy: "dedicated",
},
},
fleet: {
project: "my-project-number",
},
location: "us-west1",
name: "name",
networking: {
podAddressCidrBlocks: ["10.2.0.0/16"],
serviceAddressCidrBlocks: ["10.1.0.0/16"],
vpcId: "vpc-00000000000000000",
},
annotations: {
"label-one": "value-one",
},
description: "A sample aws cluster",
project: "my-project-name",
loggingConfig: {
componentConfig: {
enableComponents: [
"system_components",
"workloads",
],
},
},
});
import pulumi
import pulumi_gcp as gcp
versions = gcp.container.get_aws_versions(project="my-project-name",
location="us-west1")
primary = gcp.container.AwsCluster("primary",
authorization={
"admin_users": [{
"username": "my@service-account.com",
}],
},
aws_region="my-aws-region",
control_plane={
"aws_services_authentication": {
"role_arn": "arn:aws:iam::012345678910:role/my--1p-dev-oneplatform",
"role_session_name": "my--1p-dev-session",
},
"config_encryption": {
"kms_key_arn": "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
"database_encryption": {
"kms_key_arn": "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
"iam_instance_profile": "my--1p-dev-controlplane",
"subnet_ids": ["subnet-00000000000000000"],
"version": versions.valid_versions[0],
"instance_type": "t3.medium",
"main_volume": {
"iops": 3000,
"kms_key_arn": "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
"size_gib": 10,
"volume_type": "gp3",
},
"proxy_config": {
"secret_arn": "arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF",
"secret_version": "12345678-ABCD-EFGH-IJKL-987654321098",
},
"root_volume": {
"iops": 3000,
"kms_key_arn": "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
"size_gib": 10,
"volume_type": "gp3",
},
"security_group_ids": ["sg-00000000000000000"],
"ssh_config": {
"ec2_key_pair": "my--1p-dev-ssh",
},
"tags": {
"owner": "my@service-account.com",
},
"instance_placement": {
"tenancy": "dedicated",
},
},
fleet={
"project": "my-project-number",
},
location="us-west1",
name="name",
networking={
"pod_address_cidr_blocks": ["10.2.0.0/16"],
"service_address_cidr_blocks": ["10.1.0.0/16"],
"vpc_id": "vpc-00000000000000000",
},
annotations={
"label-one": "value-one",
},
description="A sample aws cluster",
project="my-project-name",
logging_config={
"component_config": {
"enable_components": [
"system_components",
"workloads",
],
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/container"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
versions, err := container.GetAwsVersions(ctx, &container.GetAwsVersionsArgs{
Project: pulumi.StringRef("my-project-name"),
Location: pulumi.StringRef("us-west1"),
}, nil)
if err != nil {
return err
}
_, err = container.NewAwsCluster(ctx, "primary", &container.AwsClusterArgs{
Authorization: &container.AwsClusterAuthorizationArgs{
AdminUsers: container.AwsClusterAuthorizationAdminUserArray{
&container.AwsClusterAuthorizationAdminUserArgs{
Username: pulumi.String("my@service-account.com"),
},
},
},
AwsRegion: pulumi.String("my-aws-region"),
ControlPlane: &container.AwsClusterControlPlaneArgs{
AwsServicesAuthentication: &container.AwsClusterControlPlaneAwsServicesAuthenticationArgs{
RoleArn: pulumi.String("arn:aws:iam::012345678910:role/my--1p-dev-oneplatform"),
RoleSessionName: pulumi.String("my--1p-dev-session"),
},
ConfigEncryption: &container.AwsClusterControlPlaneConfigEncryptionArgs{
KmsKeyArn: pulumi.String("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111"),
},
DatabaseEncryption: &container.AwsClusterControlPlaneDatabaseEncryptionArgs{
KmsKeyArn: pulumi.String("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111"),
},
IamInstanceProfile: pulumi.String("my--1p-dev-controlplane"),
SubnetIds: pulumi.StringArray{
pulumi.String("subnet-00000000000000000"),
},
Version: pulumi.String(versions.ValidVersions[0]),
InstanceType: pulumi.String("t3.medium"),
MainVolume: &container.AwsClusterControlPlaneMainVolumeArgs{
Iops: pulumi.Int(3000),
KmsKeyArn: pulumi.String("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111"),
SizeGib: pulumi.Int(10),
VolumeType: pulumi.String("gp3"),
},
ProxyConfig: &container.AwsClusterControlPlaneProxyConfigArgs{
SecretArn: pulumi.String("arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF"),
SecretVersion: pulumi.String("12345678-ABCD-EFGH-IJKL-987654321098"),
},
RootVolume: &container.AwsClusterControlPlaneRootVolumeArgs{
Iops: pulumi.Int(3000),
KmsKeyArn: pulumi.String("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111"),
SizeGib: pulumi.Int(10),
VolumeType: pulumi.String("gp3"),
},
SecurityGroupIds: pulumi.StringArray{
pulumi.String("sg-00000000000000000"),
},
SshConfig: &container.AwsClusterControlPlaneSshConfigArgs{
Ec2KeyPair: pulumi.String("my--1p-dev-ssh"),
},
Tags: pulumi.StringMap{
"owner": pulumi.String("my@service-account.com"),
},
InstancePlacement: &container.AwsClusterControlPlaneInstancePlacementArgs{
Tenancy: pulumi.String("dedicated"),
},
},
Fleet: &container.AwsClusterFleetArgs{
Project: pulumi.String("my-project-number"),
},
Location: pulumi.String("us-west1"),
Name: pulumi.String("name"),
Networking: &container.AwsClusterNetworkingArgs{
PodAddressCidrBlocks: pulumi.StringArray{
pulumi.String("10.2.0.0/16"),
},
ServiceAddressCidrBlocks: pulumi.StringArray{
pulumi.String("10.1.0.0/16"),
},
VpcId: pulumi.String("vpc-00000000000000000"),
},
Annotations: pulumi.StringMap{
"label-one": pulumi.String("value-one"),
},
Description: pulumi.String("A sample aws cluster"),
Project: pulumi.String("my-project-name"),
LoggingConfig: &container.AwsClusterLoggingConfigArgs{
ComponentConfig: &container.AwsClusterLoggingConfigComponentConfigArgs{
EnableComponents: pulumi.StringArray{
pulumi.String("system_components"),
pulumi.String("workloads"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var versions = Gcp.Container.GetAwsVersions.Invoke(new()
{
Project = "my-project-name",
Location = "us-west1",
});
var primary = new Gcp.Container.AwsCluster("primary", new()
{
Authorization = new Gcp.Container.Inputs.AwsClusterAuthorizationArgs
{
AdminUsers = new[]
{
new Gcp.Container.Inputs.AwsClusterAuthorizationAdminUserArgs
{
Username = "my@service-account.com",
},
},
},
AwsRegion = "my-aws-region",
ControlPlane = new Gcp.Container.Inputs.AwsClusterControlPlaneArgs
{
AwsServicesAuthentication = new Gcp.Container.Inputs.AwsClusterControlPlaneAwsServicesAuthenticationArgs
{
RoleArn = "arn:aws:iam::012345678910:role/my--1p-dev-oneplatform",
RoleSessionName = "my--1p-dev-session",
},
ConfigEncryption = new Gcp.Container.Inputs.AwsClusterControlPlaneConfigEncryptionArgs
{
KmsKeyArn = "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
DatabaseEncryption = new Gcp.Container.Inputs.AwsClusterControlPlaneDatabaseEncryptionArgs
{
KmsKeyArn = "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
},
IamInstanceProfile = "my--1p-dev-controlplane",
SubnetIds = new[]
{
"subnet-00000000000000000",
},
Version = versions.Apply(getAwsVersionsResult => getAwsVersionsResult.ValidVersions[0]),
InstanceType = "t3.medium",
MainVolume = new Gcp.Container.Inputs.AwsClusterControlPlaneMainVolumeArgs
{
Iops = 3000,
KmsKeyArn = "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
SizeGib = 10,
VolumeType = "gp3",
},
ProxyConfig = new Gcp.Container.Inputs.AwsClusterControlPlaneProxyConfigArgs
{
SecretArn = "arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF",
SecretVersion = "12345678-ABCD-EFGH-IJKL-987654321098",
},
RootVolume = new Gcp.Container.Inputs.AwsClusterControlPlaneRootVolumeArgs
{
Iops = 3000,
KmsKeyArn = "arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111",
SizeGib = 10,
VolumeType = "gp3",
},
SecurityGroupIds = new[]
{
"sg-00000000000000000",
},
SshConfig = new Gcp.Container.Inputs.AwsClusterControlPlaneSshConfigArgs
{
Ec2KeyPair = "my--1p-dev-ssh",
},
Tags =
{
{ "owner", "my@service-account.com" },
},
InstancePlacement = new Gcp.Container.Inputs.AwsClusterControlPlaneInstancePlacementArgs
{
Tenancy = "dedicated",
},
},
Fleet = new Gcp.Container.Inputs.AwsClusterFleetArgs
{
Project = "my-project-number",
},
Location = "us-west1",
Name = "name",
Networking = new Gcp.Container.Inputs.AwsClusterNetworkingArgs
{
PodAddressCidrBlocks = new[]
{
"10.2.0.0/16",
},
ServiceAddressCidrBlocks = new[]
{
"10.1.0.0/16",
},
VpcId = "vpc-00000000000000000",
},
Annotations =
{
{ "label-one", "value-one" },
},
Description = "A sample aws cluster",
Project = "my-project-name",
LoggingConfig = new Gcp.Container.Inputs.AwsClusterLoggingConfigArgs
{
ComponentConfig = new Gcp.Container.Inputs.AwsClusterLoggingConfigComponentConfigArgs
{
EnableComponents = new[]
{
"system_components",
"workloads",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.container.ContainerFunctions;
import com.pulumi.gcp.container.inputs.GetAwsVersionsArgs;
import com.pulumi.gcp.container.AwsCluster;
import com.pulumi.gcp.container.AwsClusterArgs;
import com.pulumi.gcp.container.inputs.AwsClusterAuthorizationArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneAwsServicesAuthenticationArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneConfigEncryptionArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneDatabaseEncryptionArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneMainVolumeArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneProxyConfigArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneRootVolumeArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneSshConfigArgs;
import com.pulumi.gcp.container.inputs.AwsClusterControlPlaneInstancePlacementArgs;
import com.pulumi.gcp.container.inputs.AwsClusterFleetArgs;
import com.pulumi.gcp.container.inputs.AwsClusterNetworkingArgs;
import com.pulumi.gcp.container.inputs.AwsClusterLoggingConfigArgs;
import com.pulumi.gcp.container.inputs.AwsClusterLoggingConfigComponentConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var versions = ContainerFunctions.getAwsVersions(GetAwsVersionsArgs.builder()
.project("my-project-name")
.location("us-west1")
.build());
var primary = new AwsCluster("primary", AwsClusterArgs.builder()
.authorization(AwsClusterAuthorizationArgs.builder()
.adminUsers(AwsClusterAuthorizationAdminUserArgs.builder()
.username("my@service-account.com")
.build())
.build())
.awsRegion("my-aws-region")
.controlPlane(AwsClusterControlPlaneArgs.builder()
.awsServicesAuthentication(AwsClusterControlPlaneAwsServicesAuthenticationArgs.builder()
.roleArn("arn:aws:iam::012345678910:role/my--1p-dev-oneplatform")
.roleSessionName("my--1p-dev-session")
.build())
.configEncryption(AwsClusterControlPlaneConfigEncryptionArgs.builder()
.kmsKeyArn("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111")
.build())
.databaseEncryption(AwsClusterControlPlaneDatabaseEncryptionArgs.builder()
.kmsKeyArn("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111")
.build())
.iamInstanceProfile("my--1p-dev-controlplane")
.subnetIds("subnet-00000000000000000")
.version(versions.validVersions()[0])
.instanceType("t3.medium")
.mainVolume(AwsClusterControlPlaneMainVolumeArgs.builder()
.iops(3000)
.kmsKeyArn("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111")
.sizeGib(10)
.volumeType("gp3")
.build())
.proxyConfig(AwsClusterControlPlaneProxyConfigArgs.builder()
.secretArn("arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF")
.secretVersion("12345678-ABCD-EFGH-IJKL-987654321098")
.build())
.rootVolume(AwsClusterControlPlaneRootVolumeArgs.builder()
.iops(3000)
.kmsKeyArn("arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111")
.sizeGib(10)
.volumeType("gp3")
.build())
.securityGroupIds("sg-00000000000000000")
.sshConfig(AwsClusterControlPlaneSshConfigArgs.builder()
.ec2KeyPair("my--1p-dev-ssh")
.build())
.tags(Map.of("owner", "my@service-account.com"))
.instancePlacement(AwsClusterControlPlaneInstancePlacementArgs.builder()
.tenancy("dedicated")
.build())
.build())
.fleet(AwsClusterFleetArgs.builder()
.project("my-project-number")
.build())
.location("us-west1")
.name("name")
.networking(AwsClusterNetworkingArgs.builder()
.podAddressCidrBlocks("10.2.0.0/16")
.serviceAddressCidrBlocks("10.1.0.0/16")
.vpcId("vpc-00000000000000000")
.build())
.annotations(Map.of("label-one", "value-one"))
.description("A sample aws cluster")
.project("my-project-name")
.loggingConfig(AwsClusterLoggingConfigArgs.builder()
.componentConfig(AwsClusterLoggingConfigComponentConfigArgs.builder()
.enableComponents(
"system_components",
"workloads")
.build())
.build())
.build());
}
}
resources:
primary:
type: gcp:container:AwsCluster
properties:
authorization:
adminUsers:
- username: my@service-account.com
awsRegion: my-aws-region
controlPlane:
awsServicesAuthentication:
roleArn: arn:aws:iam::012345678910:role/my--1p-dev-oneplatform
roleSessionName: my--1p-dev-session
configEncryption:
kmsKeyArn: arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111
databaseEncryption:
kmsKeyArn: arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111
iamInstanceProfile: my--1p-dev-controlplane
subnetIds:
- subnet-00000000000000000
version: ${versions.validVersions[0]}
instanceType: t3.medium
mainVolume:
iops: 3000
kmsKeyArn: arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111
sizeGib: 10
volumeType: gp3
proxyConfig:
secretArn: arn:aws:secretsmanager:us-west-2:126285863215:secret:proxy_config20210824150329476300000001-ABCDEF
secretVersion: 12345678-ABCD-EFGH-IJKL-987654321098
rootVolume:
iops: 3000
kmsKeyArn: arn:aws:kms:my-aws-region:012345678910:key/12345678-1234-1234-1234-123456789111
sizeGib: 10
volumeType: gp3
securityGroupIds:
- sg-00000000000000000
sshConfig:
ec2KeyPair: my--1p-dev-ssh
tags:
owner: my@service-account.com
instancePlacement:
tenancy: dedicated
fleet:
project: my-project-number
location: us-west1
name: name
networking:
podAddressCidrBlocks:
- 10.2.0.0/16
serviceAddressCidrBlocks:
- 10.1.0.0/16
vpcId: vpc-00000000000000000
annotations:
label-one: value-one
description: A sample aws cluster
project: my-project-name
loggingConfig:
componentConfig:
enableComponents:
- system_components
- workloads
variables:
versions:
fn::invoke:
function: gcp:container:getAwsVersions
arguments:
project: my-project-name
location: us-west1
The loggingConfig block enables component logging by specifying which components to monitor (system_components, workloads). The instancePlacement block controls EC2 tenancy; setting tenancy to “dedicated” ensures instances run on single-tenant hardware. This extends the basic configuration with operational visibility and placement controls.
Beyond these examples
These snippets focus on specific cluster-level features: control plane and networking configuration, AWS authentication and encryption, and logging and instance placement. They’re intentionally minimal rather than full multi-cloud deployments.
The examples reference pre-existing infrastructure such as AWS VPC, subnets, security groups, IAM roles and instance profiles, KMS keys for encryption, EC2 key pairs, and Secrets Manager entries for proxy config. They focus on configuring the cluster rather than provisioning the AWS infrastructure around it.
To keep things focused, common cluster patterns are omitted, including:
- Binary Authorization for image verification
- Node pool configuration (separate resource)
- Monitoring and alerting setup
- Backup and disaster recovery
These omissions are intentional: the goal is to illustrate how each cluster feature is wired, not provide drop-in multi-cloud modules. See the GKE on AWS Cluster resource reference for all available configuration options.
Let's deploy GCP Anthos Clusters
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Cluster Configuration & Immutability
What properties can't I change after creating the cluster?
Five properties are immutable and require cluster recreation if changed:
awsRegion, fleet, location, name, and project. Plan these values carefully during initial creation.Why aren't my annotations showing up in effectiveAnnotations?
The
annotations field is non-authoritative and only manages annotations in your configuration. External changes won’t be tracked. Use the effectiveAnnotations output to see all annotations, including those set outside Pulumi.Should I use 'GP3' or 'gp3' for volume types?
Both uppercase (
GP3) and lowercase (gp3) are valid for volumeType, but choose one convention and use it consistently across your configuration.Security & Encryption
How do I encrypt cluster data?
Configure KMS encryption in three places:
- Control plane config -
controlPlane.configEncryption.kmsKeyArn - etcd database -
controlPlane.databaseEncryption.kmsKeyArn - EBS volumes -
kmsKeyArnincontrolPlane.mainVolumeandcontrolPlane.rootVolume
How do I configure RBAC for the cluster?
Set the
authorization property with adminUsers (list of usernames like my@service-account.com) and/or adminGroups (list of group names like group@domain.com).How do I configure AWS authentication for the control plane?
Set
controlPlane.awsServicesAuthentication with roleArn (IAM role ARN) and roleSessionName for the control plane to authenticate with AWS services.Networking & AWS Integration
What AWS resources do I need before creating the cluster?
You need: VPC ID, subnet IDs for control plane, security group IDs, IAM instance profile, IAM role for AWS services authentication, KMS keys for encryption, and an EC2 key pair for SSH access.
What networking configuration is required?
Provide
networking.vpcId, networking.podAddressCidrBlocks, networking.serviceAddressCidrBlocks, and controlPlane.subnetIds for control plane placement.How do I choose the Kubernetes version?
Use the
gcp.container.getAwsVersions function to fetch valid versions for your project and location, then reference validVersions[0] or a specific version from the list.Advanced Configuration
How do I configure a proxy for the cluster?
Set
controlPlane.proxyConfig with secretArn (AWS Secrets Manager ARN containing proxy config) and secretVersion.How do I enable cluster logging?
Configure
loggingConfig.componentConfig.enableComponents with an array of components like system_components and workloads.Using a different cloud?
Explore containers guides for other cloud providers: