Comprehensively align Pulumi Input/Output typing across components #7

Merged: roulbac merged 3 commits into main from codex/create-pr-for-github-issue-6 on Feb 10, 2026

@roulbac (Owner) commented Feb 10, 2026

Motivation

  • Fix inconsistent and misleading uses of Pulumi Input/Output typings (follow-up to issue Pulumi Input/Output typing consistency audit #6) so runtime and plan-time behavior match type annotations.
  • Avoid plan-time sync invocations and incorrect assumptions about when Python-level sequence operations (like len/indexing) can be used on Pulumi inputs.

Description

  • Treat region on EKSCluster as a pulumi.Input[str] | None and store it as a pulumi.Output[str] using pulumi.Output.from_input(...) so downstream providers accept dynamic inputs.
  • Standardize subnet collection typing to pulumi.Input[Sequence[pulumi.Input[str]]] for EKSCluster, KarpenterAddon, and EFSCSIAddon, and update helper signatures in create_default_efs_fs_and_sc(...) accordingly.
  • Tighten synchronous sequence parameters to Sequence[pulumi.Input[str]] for SkyPilotServiceDiscovery and TailscaleSubnetRouter to reflect that code uses len, indexing, or immediate iteration.
  • Make VPC.public_subnet_id consistently an Output (use pulumi.Output.from_input(None) when absent) and correct VPCPeeredGroup.vpc_cidrs typing from Output[dict[str,str]] to dict[str,str] to match runtime behavior.
  • Replace plan-time Secrets Manager invoke in TailscaleSubnetRouter with get_secret_version_output(...) and propagate secret values via .apply(...), wiring client_id/client_secret into the Kubernetes Secret as Pulumi outputs and raising a clear ValueError if the secret payload is empty.

Testing

  • Ran uv run ruff check pulumi_eks_ml and linting passed (All checks passed!).
  • Ran uv run pytest -q tests/unit and all unit tests succeeded (12 passed).

Codex Task


Note

Medium Risk
Touches core infrastructure components (EKS/VPC/Tailscale/SkyPilot) and changes how secrets and RBAC defaults are wired, which can affect deployment behavior and initial access control if misconfigured.

Overview
Makes SkyPilot’s default RBAC role configurable via new hub.skypilot.default_user_role (plumbed from project config into SkyPilotAPIServer and into the generated API service config), and updates deployment docs to bootstrap with admin then switch back to user, including a recovery path.

Aligns Pulumi Input/Output typing across components to avoid plan-time sync behavior: treats EKSCluster.region as an Output, standardizes subnet ID parameters to Input[Sequence[Input[str]]], and tightens other sequence-typed inputs (SkyPilotServiceDiscovery, TailscaleSubnetRouter). TailscaleSubnetRouter also switches to get_secret_version_output(...).apply(...) for Secrets Manager payloads.

Removes the exported ingress_status output, makes VPC.public_subnet_id consistently an Output (including None), corrects VPCPeeredGroup.vpc_cidrs typing, and bumps pulumi-eks-ml to 0.2.0.

Written by Cursor Bugbot for commit 2c894ea.

@roulbac roulbac merged commit b57a033 into main Feb 10, 2026
2 checks passed
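
The switch to `get_secret_version_output(...).apply(...)` described in the PR, sketched as an added example that is not code from this repository. The JSON payload shape, the key names, the function names and the explicit `pulumi.Output.secret(...)` wrapping are assumptions made for illustration.

```python
import json

# Constructed sample payload; the JSON shape and key names are assumptions.
SAMPLE_PAYLOAD = '{"client_id": "example-id", "client_secret": "example-secret"}'
REQUIRED_KEYS = ("client_id", "client_secret")


def parse_oauth_payload(secret_string):
    """Validate a Secrets Manager payload and return the two credentials."""
    if not secret_string or not secret_string.strip():
        raise ValueError("Tailscale OAuth secret payload is empty")
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError:
        # Never echo the payload: the message can land in deployment logs.
        raise ValueError("Tailscale OAuth secret payload is not valid JSON") from None
    if not isinstance(payload, dict):
        raise ValueError("Tailscale OAuth secret payload must be a JSON object")
    missing = [k for k in REQUIRED_KEYS
               if not (isinstance(payload.get(k), str) and payload[k])]
    if missing:
        # Name the missing keys only, never the values that were present.
        raise ValueError(f"Tailscale OAuth secret payload lacks: {', '.join(missing)}")
    return {k: payload[k] for k in REQUIRED_KEYS}


def tailscale_oauth_outputs(secret_id):
    """Return (client_id, client_secret) as secret Outputs, with no synchronous invoke.

    Must run inside a Pulumi program; secret_id may itself be an Input.
    """
    # Lazy imports so parse_oauth_payload stays usable without a Pulumi runtime.
    import pulumi
    import pulumi_aws as aws

    # Output form of the data source: accepts Inputs, returns an Output.
    version = aws.secretsmanager.get_secret_version_output(secret_id=secret_id)
    # Mark the value secret explicitly so derived Outputs stay encrypted in state.
    creds = pulumi.Output.secret(version.secret_string).apply(parse_oauth_payload)
    return (creds.apply(lambda c: c["client_id"]),
            creds.apply(lambda c: c["client_secret"]))
```

The two returned Outputs can be passed directly as values of a Kubernetes Secret's string data, so the plaintext never has to exist as a plain Python string in the program.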

@cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Comment thread pulumi_eks_ml/eks_apps/skypilot/idp.py