EKS Auto mode cannot be disabled

[flostadler]

What happened?

A user on the community slack reported that they cannot disable EKS Auto Mode after enabling it: https://pulumi-community.slack.com/archives/CRH5ENVDX/p1736832563712379

Disabling it fails with:

Diagnostics:
  pulumi:pulumi:Stack (brainfish-universe-eks-au):
    error: eks:index:Cluster resource 'brainfish-au' has a problem: grpc: the client connection is closing

  aws:eks:Cluster (brainfish-au-eksCluster):
    error:   sdk-v2/provider2.go:515: sdk.helper_schema: compute_config.enabled, kubernetes_networking_config.elastic_load_balancing.enabled, and storage_config.block_storage.enabled must all be set to either true or false: [email protected]
    error: diffing urn:pulumi:au::brainfish-universe-eks::eks:index:Cluster$aws:eks/cluster:Cluster::brainfish-au-eksCluster: 1 error occurred:
        * compute_config.enabled, kubernetes_networking_config.elastic_load_balancing.enabled, and storage_config.block_storage.enabled must all be set to either true or false

Example

Run pulumi up with the following program and then remove the autoMode block before running pulumi up again.

import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";

const eksVpc = new awsx.ec2.Vpc("eks-vpc", {
    enableDnsHostnames: true,
});

// Create the EKS cluster
const eksCluster = new eks.Cluster("eks-cluster", {
    vpcId: eksVpc.vpcId,
    authenticationMode: eks.AuthenticationMode.Api,
    publicSubnetIds: eksVpc.publicSubnetIds,
    privateSubnetIds: eksVpc.privateSubnetIds,
    skipDefaultNodeGroup: true,
    skipDefaultSecurityGroups: true,
    // set autoMode.enabled to `false` or remove the automode block on the next up
    autoMode: {
        enabled: false
    }
});

Output of pulumi about

n/a

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[flostadler]

Turns out this is caused by an upstream Terraform issue: hashicorp/terraform-provider-aws#40582
It's not correctly handling the auto mode settings going from true to null.

Setting autoMode to false doesn't work either. Right now pulumi-eks would still insert undefined for the kubernetesNetworkConfig.enabled, storageConfig.enabled and computeConfig.enabled. I've tried changing the implementation to pass an explicit false through to those settings, but that doesn't work either because then computeConfig.nodeRoleArn gets (correctly) omitted which causes a cluster replacement.

This needs to be fixed upstream.

If you need to workaround this issue, I'd recommend to disable auto mode manually (AWS CLI or Console) and then run pulumi refresh.

[flostadler]

I also opened an issue in pulumi-aws to track this there as well: pulumi/pulumi-aws#5105