pulumi-community #aws

acceptable-stone-35112

04/17/2020, 2:21 PM

Is there a neat way to have pulumi delete non-empty buckets during stack update/destroy?

colossal-tent-75408

04/17/2020, 10:21 PM

Has anyone used Istio / Envoy with EKS?

great-sundown-93190

04/19/2020, 8:10 PM

Hi, my Cognito userpool keeps replacing itself. Diff says following properties are different:

emailConfiguration

passwordPolicy

and

schemas

. But they are just static values. Seems like the default values are just missing with what I actually have described. Is that normal behaviour? The order is also reversed now in the diff.

great-postman-59271

04/20/2020, 9:07 AM

does pulumi work with the Aws Single-sign on? I cant get it to work, but it would make a lot of things easier for organizations that use sso 🙂

sparse-state-34229

04/20/2020, 9:09 AM

edit: sorry, it’s late - i see you did. can you describe what’s not working?

hundreds-receptionist-31352

04/20/2020, 5:40 PM

Hi , is there any way to describe the resources that are created in aws account? , taking into account that is wasn't provisioned with pulumi , just I need to get some ids of NLB for example but it was created manually in the past

quiet-wolf-18467

04/21/2020, 11:47 AM

I'm struggling to get my subnets tagged for use with EKS, has anyone got this working for ALBs?

quiet-wolf-18467

04/21/2020, 12:04 PM

OK. It seems to work when I use

subnetIds: []

eks.Cluster

, but won't work when I use

publicSubnetIds: []

and

privateSubnetIds[]

quiet-wolf-18467

04/21/2020, 12:05 PM

@white-balloon-205 Are you familiar with the difference between the usage here? The comments in the code aren't clear.

quiet-wolf-18467

04/21/2020, 12:05 PM

Copy code

// Form the subnetIds to use on the cluster from either:
    //  - subnetIds
    //  - A combination of privateSubnetIds and/or publicSubnetIds.
    if (args.subnetIds !== undefined) {
        clusterSubnetIds = args.subnetIds;
    } else if (args.publicSubnetIds !== undefined || args.privateSubnetIds !== undefined) {
        clusterSubnetIds = pulumi.all([
            args.publicSubnetIds || [],
            args.privateSubnetIds || [],
        ]).apply(([publicIds, privateIds]) => {
            return [...publicIds, ...privateIds];
        });
    }

quiet-wolf-18467

04/21/2020, 12:05 PM

This code makes me feel like I can use either, but the tagging doesn't happen with public/private

quiet-wolf-18467

04/21/2020, 12:06 PM

Copy code

* Note: The use of `subnetIds`, along with `publicSubnetIds`
     * and/or `privateSubnetIds` is mutually exclusive. The use of
     * `publicSubnetIds` and `privateSubnetIds` is encouraged.

quiet-wolf-18467

04/21/2020, 12:06 PM

This comment actually encourages what I was trying to use

breezy-butcher-78604

04/22/2020, 6:29 AM

Hi, i’m having an issue with a stack where every time i run

pulumi up

it appears to want to update a KMS key even though there’s been no changes to that resource. When I view the details of the change, the resource is listed but without any changes. when i apply the change, theres a

PutKeyPolicy

action performed (i can see it in cloudtrail) but theres no change. Any ideas? the main reason this is an issue is because our CI/CD tool doesn’t have write permission to KMS keys, only read (by design) so the initial deployment is done elsewhere with the relevant credentials. However that assumes that whenever any other changes go through CI/CD, it doesnt need to update any keys.

gifted-city-99717

04/27/2020, 1:59 AM

Hi, I’m trying to load the v2.x.0 branch of pulumi-aws in my go.mod but see

Copy code

/Users/user/code/pulumi-influxdb/go.mod:9: require <http://github.com/pulumi/pulumi-aws/sdk/v2/go/aws|github.com/pulumi/pulumi-aws/sdk/v2/go/aws>: version "v2.1.0" invalid: unknown revision sdk/v2/go/aws/v2.1.0

anyone have any suggestions?

alert-processor-41605

05/02/2020, 10:58 PM

Is there a way to pass in an existing

<http://aws.lb|aws.lb>.LoadBalancer

to a new

<http://awsx.lb|awsx.lb>.ApplicationLoadBalancer

? I am using the typescript package currently. I want to take advantage of the features of aws crosswalk, but it's import that I can use an imported resource of an ALB that already exists in my amazon account. For all the other crosswalk resources, I have used the pattern of creating a non crosswalk resource using the

import

option and then passing that in as the argument to create the crosswalk resource. Am I missing something here with the load balancer? As far as I can tell, it will always create a new load balancer and there is no way to pass in an existing one.

hundreds-receptionist-31352

05/04/2020, 7:21 PM

hi , I'm following this example https://github.com/pulumi/examples/tree/master/kubernetes-ts-helm-wordpress , and I can't get wordpress stack running , one of the pods that are failing seems that needs another variables :

acceptable-stone-35112

05/05/2020, 3:10 PM

I have a dilemma with deployment of api gateway. I am deploying rest api where methods have integrations to AWS services (dynamodb, lambda, sns, ...), so I can't use new crosswalk api for that. I want to utilize api gateway stages, so dev/qa/staging/prod stacks will deploy to corresponding stages and make new/modified api methods available for immediate testing in specific environment and I do have different method settings per stage for monitoring, logging, etc... The problem is that when I create stage in a stack along with resources and methods, other stacks fail with error, since aws detects that resource already exists, while pulumi tries to create it, but even if I create all resources in advance when I create api gateway (which I don't really like to do), it would fail on methods, since they also exist on resources, as HTTP verb is unique per resource Is there anything recommended in such case? Other ways involve using one stage, add suffixes to all api resources and override settings per method, api gateway per stack, but I need to understand if stages can be used as designed in such scenario

abundant-airplane-93796

05/07/2020, 5:55 PM

Just started running into errors that look like this:

Copy code

preparing urn:pulumi:sandbox::irisvr-infra::aws:s3/bucket:Bucket::prospect-releases's old property state: expected string or JSON map; got <nil>

broad-dog-22463

05/11/2020, 11:01 AM

@abundant-airplane-93796 just wanted to update you on this issue, I found the issue and am working on publishing a fix for you!

woohoo 2

broad-dog-22463

05/11/2020, 11:01 AM

I am testing it right now

broad-dog-22463

05/11/2020, 11:02 AM

//cc @hallowed-scooter-54575 ☝️

broad-dog-22463

05/11/2020, 12:03 PM

Copy code

▶ pulumi up
Previewing update (dev):
     Type                 Name        Plan     Info
     pulumi:pulumi:Stack  create-dev
     └─ aws:s3:Bucket     test                 1 error

Diagnostics:
  aws:s3:Bucket (test):
    error: preparing urn:pulumi:dev::create::aws:s3/bucket:Bucket::test's old property state: expected string or JSON map; got <nil>

broad-dog-22463

05/11/2020, 12:03 PM

before ☝️

broad-dog-22463

05/11/2020, 12:03 PM

after: 👇

Copy code

~/code/create                                                                                                                                                   ⍉
▶ pulumi up
Previewing update (dev):
     Type                 Name        Plan
     pulumi:pulumi:Stack  create-dev

Resources:
    2 unchanged

best-receptionist-98400

05/11/2020, 12:19 PM

Good Morning - I had a question in regards to attaching a new or existing instance to an ELB using Pulumi. In the docs, it seems like you can do this out of the box with

TargetGroupAttachment

for ALBs and NLBs. For ELBs though, it says to see the Terraform provider. So does that mean, for this piece I need to use terraform rather than Pulumi? https://www.pulumi.com/docs/reference/pkg/aws/applicationloadbalancing/targetgroupattachment/

incalculable-engineer-92975

05/13/2020, 5:21 PM

When creating an EKS cluster, the ClusterOptions only allows a single clusterSecurityGroup. Is this a Terraform limitation or how can I associate multiple security groups?

acceptable-stone-35112

05/13/2020, 7:23 PM

Question about AwsGuard policy. With s3BucketLoggingEnabled mandatory all buckets are verified to have access logs. This creates problem with the log buckets themselves, that don't have access log buckets of their own, but rather rely on retention policy (glacier, etc...) or otherwise that would be infinite chain of buckets. To me it seems that this policy needs to support filtering those buckets out, either by dependency or by tag/name predicate.

quaint-jelly-95055

05/14/2020, 9:37 AM

When creating a ecs ec2 service, how could we provide sharedMemorySize in linuxParameters? As if now it seems to be missing.

acceptable-stone-35112

05/14/2020, 9:54 AM

is it possible to pass arguments to my policy pack when testing locally with preview --policy-pack ?