adds instanceProfileName field to nodegroups

[jdavredbeard]

Proposed changes

Add instanceProfileName as an Input<string> field to NodeGroup and NodeGroupV2. This would unblock pulumi/pulumi-self-hosted-installers#181 by creating a path for users to create an InstanceProfile in a separate stack from the NodeGroup and pass the instance profile's name by stack reference. Currently pulumi/pulumi#17515, prevents NodeGroup components from accepting InstanceProfile values created in another stack and provided to the NodeGroup's stack by aws.iam.InstanceProfile.get(), and the instanceProfile parameter cannot accept an InstanceProfile resource passed by stack reference because the instanceProfile parameter is a plain InstanceProfile type, not an Input<InstanceProfile>.

Related issues (optional)

Closes #1497

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

[flostadler]

Left some comments. Love the unit tests! But it would be great if we could add an integration test for this as well.

[flostadler]

Could you please add function docs explaining what this function is exactly doing and when it's throwing errors. Thanks!

[flostadler]

These seem to be unrelated changes

[flostadler]

I think pulling in the resource with the .get function would incur RUM costs. We circumvent this by using the data source instead.

It seems like we're only interested in the ARN, right? Instance Profile ARNs follow this format: arn:aws:iam::<account-id>:instance-profile/<profile-name>.
If we know the name we can construct it without having to load the resource.

In that case we need other props, we could use iam.getInstanceProfileOutput instead.

[flostadler]

We should point out here that instanceProfile and instanceProfileName is mutually exclusive.

[flostadler]

Why did you have to make this change?

[flostadler]

Why not do core.apply(c => resolveInstanceProfileName(...)) instead like before?
That way resolveInstanceProfileName can stay out of the output-space and operate on promptly available data instead. That would simplify testing

[flostadler]

The function would change to this in that case:

export function resolveInstanceProfileName(
    nodeGroupName: string,
    args: Omit<NodeGroupOptions, "cluster">,
    c: pulumi.UnwrappedObject<CoreData>,
    parent: pulumi.ComponentResource,
): pulumi.Output<string> {
    if (
        !args.instanceProfile &&
        !args.instanceProfileName &&
        !c.nodeGroupOptions.instanceProfile &&
        !c.nodeGroupOptions.instanceProfileName
    ) {
        throw new pulumi.ResourceError(
            `an instanceProfile or instanceProfileName is required`,
            parent,
        );
    }
    if (
        (args.instanceProfile || c.nodeGroupOptions.instanceProfile) &&
        (args.instanceProfileName || c.nodeGroupOptions.instanceProfileName)
    ) {
        throw new pulumi.ResourceError(
            `invalid args for node group ${name}, instanceProfile and instanceProfileName are mutually exclusive`,
            parent,
        );
    }

    return args.instanceProfile?.name ?? pulumi.output(c.nodeGroupOptions.instanceProfileName!) 
}

[flostadler]

I'd also slightly change the definedness checks to check for all possible cases:

export function resolveInstanceProfileName(
    name: string,
    args: Omit<NodeGroupOptions, "cluster">,
    c: pulumi.UnwrappedObject<CoreData>,
    parent: pulumi.ComponentResource,
): pulumi.Output<string> {
    // todo check the mutual exclusive'ness

    if (args.instanceProfileName) {
        return pulumi.output(args.instanceProfileName);
    } else if (c.nodeGroupOptions.instanceProfileName) {
        return pulumi.output(c.nodeGroupOptions.instanceProfileName);
    } else if (args.instanceProfile) {
        return args.instanceProfile.name;
    } else if (c.nodeGroupOptions.instanceProfile) {
        return c.nodeGroupOptions.instanceProfile.name;
    } else {
        throw new pulumi.ResourceError(
            `an instanceProfile or instanceProfileName is required`,
            parent,
        );
    }
}

[flostadler]

Shouldn't this always return a value?

[flostadler]

This can actually not needed anymore. I guess this is copied from

pulumi-eks/tests/testdata/programs/self-managed-ng-os/index.ts

Line 32 in a1061b6

// Needed for AL2023 until the CNI is managed with an addon because our custom CNI is too old

?

I'll remove it there as well

[flostadler]

You need to export the kubeconfig of all clusters and run acceptance tests using those. Right now only one cluster is tested.

The test is creating a lot of clusters and node groups right now. Aren't the unit tests already checking that we pick the right option for instance profile?
I think it would be good enough if you added a single cluster and two node groups (v1/v2) using the instanceProfileName arg

[jdavredbeard]

Whoops missed exporting the other kubeconfigs... sure I can reduce the scope of the tests, I was going for a more completionist approach

[flostadler]

Nice! Thanks a lot

[pulumi-bot]

This PR has been shipped in release v3.3.0.