use defined admin access principal for access

provider/pkg/provider/cluster.go

@@ -64,6 +64,7 @@ type ClusterArgs struct {
 	ExternalDNSVersion           pulumi.StringInput       `pulumi:"externalDNSVersion"`
 	CertManagerVersion           pulumi.StringInput       `pulumi:"certManagerVersion"`
 	EnabledClusterLogTypes       *pulumi.StringArrayInput `pulumi:"enabledClusterLogTypes"`
+	AdminAccessPrincipal         pulumi.StringInput       `pulumi:"adminAccessPrincipal"`
 }
 
 // The Cluster component resource.
@@ -117,13 +118,6 @@ func NewCluster(ctx *pulumi.Context,
 		return nil, err
 	}
 
-	sessionIam, err := iam.GetSessionContext(ctx, &iam.GetSessionContextArgs{
-		Arn: callerIdentity.Arn,
-	}, pulumi.Parent(component))
-	if err != nil {
-		return nil, fmt.Errorf("error getting session context: %w", err)
-	}
-
 	current, err := aws.GetPartition(ctx, nil, pulumi.Parent(component))
 	if err != nil {
 		return nil, fmt.Errorf("error getting partition: %w", err)
@@ -265,7 +259,7 @@ func NewCluster(ctx *pulumi.Context,
 	accessEntry, err := eks.NewAccessEntry(ctx, fmt.Sprintf("%s-admin-access", name), &eks.AccessEntryArgs{
 		ClusterName:  controlPlane.Name,
 		Type:         pulumi.String("STANDARD"),
-		PrincipalArn: pulumi.String(sessionIam.IssuerArn),
+		PrincipalArn: args.AdminAccessPrincipal,
 	}, pulumi.Parent(controlPlane))
 
 	if err != nil {

schema.yaml

@@ -217,6 +217,9 @@ resources:
       certificateArn:
         type: string
         description: The ARN of the certificate to use for the ingress controller.
+      adminAccessPrincipal:
+        type: string
+        description: The ARN of the AWS principal that should get admin access.
       tags:
         type: object
         additionalProperties:

sdk/dotnet/Eks/Cluster.cs

@@ -78,6 +78,12 @@ private static ComponentResourceOptions MakeResourceOptions(ComponentResourceOpt
 
     public sealed class ClusterArgs : global::Pulumi.ResourceArgs
     {
+        /// <summary>
+        /// The ARN of the AWS principal that should get admin access.
+        /// </summary>
+        [Input("adminAccessPrincipal")]
+        public Input<string>? AdminAccessPrincipal { get; set; }
+
         /// <summary>
         /// The version of the cert-manager helm chart to deploy.
         /// </summary>

sdk/nodejs/cluster.ts

@@ -65,6 +65,7 @@ export class Cluster extends pulumi.ComponentResource {
             if ((!args || args.systemNodeSubnetIds === undefined) && !opts.urn) {
                 throw new Error("Missing required property 'systemNodeSubnetIds'");
             }
+            resourceInputs["adminAccessPrincipal"] = args ? args.adminAccessPrincipal : undefined;
             resourceInputs["certManagerVersion"] = args ? args.certManagerVersion : undefined;
             resourceInputs["certificateArn"] = args ? args.certificateArn : undefined;
             resourceInputs["clusterEndpointPrivateAccess"] = (args ? args.clusterEndpointPrivateAccess : undefined) ?? false;
@@ -115,6 +116,10 @@ export class Cluster extends pulumi.ComponentResource {
  * The set of arguments for constructing a Cluster resource.
  */
 export interface ClusterArgs {
+    /**
+     * The ARN of the AWS principal that should get admin access.
+     */
+    adminAccessPrincipal?: pulumi.Input<string>;
     /**
      * The version of the cert-manager helm chart to deploy.
      */

sdk/python/lbrlabs_pulumi_eks/cluster.py

@@ -18,6 +18,7 @@ class ClusterArgs:
     def __init__(__self__, *,
                  cluster_subnet_ids: pulumi.Input[Sequence[pulumi.Input[str]]],
                  system_node_subnet_ids: pulumi.Input[Sequence[pulumi.Input[str]]],
+                 admin_access_principal: Optional[pulumi.Input[str]] = None,
                  cert_manager_version: Optional[pulumi.Input[str]] = None,
                  certificate_arn: Optional[pulumi.Input[str]] = None,
                  cluster_endpoint_private_access: Optional[pulumi.Input[bool]] = None,
@@ -45,6 +46,7 @@ def __init__(__self__, *,
                  tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None):
         """
         The set of arguments for constructing a Cluster resource.
+        :param pulumi.Input[str] admin_access_principal: The ARN of the AWS principal that should get admin access.
         :param pulumi.Input[str] cert_manager_version: The version of the cert-manager helm chart to deploy.
         :param pulumi.Input[str] certificate_arn: The ARN of the certificate to use for the ingress controller.
         :param pulumi.Input[bool] cluster_endpoint_private_access: Indicates whether or not the Amazon EKS private API server endpoint is enabled.
@@ -71,6 +73,8 @@ def __init__(__self__, *,
         """
         pulumi.set(__self__, "cluster_subnet_ids", cluster_subnet_ids)
         pulumi.set(__self__, "system_node_subnet_ids", system_node_subnet_ids)
+        if admin_access_principal is not None:
+            pulumi.set(__self__, "admin_access_principal", admin_access_principal)
         if cert_manager_version is not None:
             pulumi.set(__self__, "cert_manager_version", cert_manager_version)
         if certificate_arn is not None:
@@ -162,6 +166,18 @@ def system_node_subnet_ids(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
     def system_node_subnet_ids(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]):
         pulumi.set(self, "system_node_subnet_ids", value)
 
+    @property
+    @pulumi.getter(name="adminAccessPrincipal")
+    def admin_access_principal(self) -> Optional[pulumi.Input[str]]:
+        """
+        The ARN of the AWS principal that should get admin access.
+        """
+        return pulumi.get(self, "admin_access_principal")
+
+    @admin_access_principal.setter
+    def admin_access_principal(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "admin_access_principal", value)
+
     @property
     @pulumi.getter(name="certManagerVersion")
     def cert_manager_version(self) -> Optional[pulumi.Input[str]]:
@@ -462,6 +478,7 @@ class Cluster(pulumi.ComponentResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 admin_access_principal: Optional[pulumi.Input[str]] = None,
                  cert_manager_version: Optional[pulumi.Input[str]] = None,
                  certificate_arn: Optional[pulumi.Input[str]] = None,
                  cluster_endpoint_private_access: Optional[pulumi.Input[bool]] = None,
@@ -494,6 +511,7 @@ def __init__(__self__,
         Create a Cluster resource with the given unique name, props, and options.
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[str] admin_access_principal: The ARN of the AWS principal that should get admin access.
         :param pulumi.Input[str] cert_manager_version: The version of the cert-manager helm chart to deploy.
         :param pulumi.Input[str] certificate_arn: The ARN of the certificate to use for the ingress controller.
         :param pulumi.Input[bool] cluster_endpoint_private_access: Indicates whether or not the Amazon EKS private API server endpoint is enabled.
@@ -541,6 +559,7 @@ def __init__(__self__, resource_name: str, *args, **kwargs):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
+                 admin_access_principal: Optional[pulumi.Input[str]] = None,
                  cert_manager_version: Optional[pulumi.Input[str]] = None,
                  certificate_arn: Optional[pulumi.Input[str]] = None,
                  cluster_endpoint_private_access: Optional[pulumi.Input[bool]] = None,
@@ -579,6 +598,7 @@ def _internal_init(__self__,
                 raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
             __props__ = ClusterArgs.__new__(ClusterArgs)
 
+            __props__.__dict__["admin_access_principal"] = admin_access_principal
             __props__.__dict__["cert_manager_version"] = cert_manager_version
             __props__.__dict__["certificate_arn"] = certificate_arn
             if cluster_endpoint_private_access is None: