🔧 Update Pulumi config to add IAM role with access entries (#108)

infra/__main__.py

@@ -1,6 +1,7 @@
 import pulumi
 import pulumi_awsx as awsx
 import pulumi_eks as eks
+import pulumi_aws as aws
 
 # Get some values from the Pulumi configuration (or use defaults)
 config = pulumi.Config()
@@ -10,6 +11,12 @@
 eks_node_instance_type = config.get("eksNodeInstanceType", "t3.medium")
 vpc_network_cidr = config.get("vpcNetworkCidr", "10.0.0.0/16")
 
+
+# Role generated automatically by AWS from permission set from AWS IAM Identity Center
+roles = aws.iam.get_roles(name_regex="FastAPILabsPowerUserK8s")
+k8s_role_arn = roles.arns[0]
+
+
 # Create a VPC for the EKS cluster
 eks_vpc = awsx.ec2.Vpc(
     "eks-vpc",
@@ -37,8 +44,27 @@
     # Change these values for a private cluster (VPN access required)
     endpoint_private_access=False,
     endpoint_public_access=True,
+    # Enable access via access entries, not just role maps
+    authentication_mode=eks.AuthenticationMode.API_AND_CONFIG_MAP,
+    # Add access entries for IAM
+    access_entries={
+        "fastapilabs_access_entry": eks.AccessEntryArgs(
+            principal_arn=k8s_role_arn,
+            access_policies={
+                "fastapilabs_access_policy": eks.AccessPolicyAssociationArgs(
+                    access_scope=aws.eks.AccessPolicyAssociationAccessScopeArgs(
+                        type="cluster",
+                    ),
+                    policy_arn="arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
+                    # policy_arn="arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy",
+                )
+            },
+        )
+    },
 )
 
+
 # Export values to use elsewhere
 pulumi.export("kubeconfig", eks_cluster.kubeconfig)
-pulumi.export("vpcId", eks_vpc.vpc_id)
+pulumi.export("vpc_id", eks_vpc.vpc_id)
+pulumi.export("role_arn", k8s_role_arn)