Hi all, I've got an old manually created EIP that I'm making use of in my Pulumi code. When I try associate it with a different instance, I get the following and I just want to confirm that this isn't going to delete the actual EIP:

are you importing it? https://www.pulumi.com/docs/guides/adopting/import/

Hmm, no I'm not. I've created an EipAssociation and am grabbing it by its allocation ID.

I'll give that doc a read and see where I'm going wrong.

Hi, I’m getting an error trying to create an elastic search cluster with pulumi (golang).

Diagnostics:
[ yments/ci-telemetry/datastores ]   aws:iam:ServiceLinkedRole (insights-ci-es-dev-linked-role):
[ yments/ci-telemetry/datastores ]     error: Error creating service-linked role with name <http://es.amazonaws.com|es.amazonaws.com>: InvalidInput: Service role name AWSServiceRoleForAmazonElasticsearchService has been taken in this account, please try a different suffix.
[ yments/ci-telemetry/datastores ]     	status code: 400, request id: a5add6a6-3215-463a-80d8-19509d7d0e21

If I try a

CustomSuffix

in the DomainArgs struct, I’m told suffixs aren’t support with ES. can I only have 1 cluster per account?

Hmm, it appears the role can’t be deleted as it thinks a domain still exists..

ok. Nevermind. I was able to delete the role manually in the console… Maybe there’s a update lag between IAM and ES

I'm trying to get Pulumi to deploy to my LocalStack AWS environment but can't seem to get it to work.. I can successfully deploy to one of my actual AWS accounts specified in my default profile but I keep getting a 403 forbidden. I've tried to create an IAM user with admin access and generated an access/secret key in my LocalStack AWS environment. 403 Forbidden. I've tried to manually use AWS CLI pointed at my LocalStack environment to get STS credentials and still another 403 Forbidden when I try to use those to deploy. There must be something I didn't set correctly with my LocalStack environment because it works in one of my actual AWS accounts... Any ideas?

Is there a way to accomplish the following scenario: • Create new version of launch template • Update ASG to use latest version of launch template • Force all old instances created w/ old launch template out to bring in the new instances w/ new launch template? Steps 1 and 2 are fine, but I am having trouble with step 3. There's "TerminationPolicy" but I think that only applies when the instances are told to spin down?

Hi all, I have been using the following line in calls to new aws.ec2.Instance(

subnetId: vpc.publicSubnetIds[0], // use the subnet(s) from awsx.ec2.Vpc

It works fine in 3 of my stacks with identical vpcs but on a new on it gives this error

Element implicitly has an 'any' type because expression of type '0' can't be used to index type 'Promise<Output<string>[]>'.
  Property '0' does not exist on type 'Promise<Output<string>[]>'.

I am baffled by it, if I copy index.ts to a new name it does not show the error. Any help greatly appreciated.

Has anyone had issues with

pulumi logs -f

not aggregating cloudwatch logs recently? They are in cloudwatch, but the logs command isn’t displaying anything.

Hi all. I’m experiencing a problem trying to set up a bucket notification but am seeing the following:

[ ts/ci-telemetry/notifying-sink ] Updating (p-it-loptaploca-notifying--d6912a43):
[ ts/ci-telemetry/notifying-sink ]
[ ts/ci-telemetry/notifying-sink ]     pulumi:pulumi:Stack corelight-notifying-sink-p-it-loptaploca-notifying--d6912a43 running
[ ts/ci-telemetry/notifying-sink ]     citelemetry:notifyingsink:S3SinkBucket ci-telemetry-test
[ ts/ci-telemetry/notifying-sink ]     aws:iam:Role task-exec-role
[ ts/ci-telemetry/notifying-sink ]     aws:s3:Bucket ci-telemetry-test
[ ts/ci-telemetry/notifying-sink ]     aws:lambda:Function s3Handler
[ ts/ci-telemetry/notifying-sink ]     aws:sns:Topic ci-telemetry-test-sns-topic
[ ts/ci-telemetry/notifying-sink ]     aws:lambda:Permission lambda-permission
[ ts/ci-telemetry/notifying-sink ]  +  aws:s3:BucketNotification ci-telemetry-test-notification creating
[ ts/ci-telemetry/notifying-sink ]     aws:sns:TopicSubscription topic-subscription
[ ts/ci-telemetry/notifying-sink ]  +  aws:s3:BucketNotification ci-telemetry-test-notification creating error: Error putting S3 notification configuration: InvalidARNError: invalid ARN
[ ts/ci-telemetry/notifying-sink ]  +  aws:s3:BucketNotification ci-telemetry-test-notification **creating failed** error: Error putting S3 notification configuration: InvalidARNError: invalid ARN
[ ts/ci-telemetry/notifying-sink ]     pulumi:pulumi:Stack corelight-notifying-sink-p-it-loptaploca-notifying--d6912a43 running error: update failed
[ ts/ci-telemetry/notifying-sink ]     pulumi:pulumi:Stack corelight-notifying-sink-p-it-loptaploca-notifying--d6912a43 **failed** 1 error
[ ts/ci-telemetry/notifying-sink ]     citelemetry:notifyingsink:S3SinkBucket ci-telemetry-test
[ ts/ci-telemetry/notifying-sink ]

the code looks like

resource.Bucket, err = s3.NewBucket(ctx, name, &s3.BucketArgs{
		Bucket: pulumi.String(name),
	}, pulumi.Parent(&resource))
	if err != nil {
		return nil, err
	}

	resource.Topic, err = sns.NewTopic(ctx, name+"-sns-topic", &sns.TopicArgs{
		Policy: pulumi.Sprintf(`{
			"Version":"2012-10-17",
			"Statement":[{
				"Effect": "Allow",
				"Principal": { "AWS": "*" },
				"Action": "SNS:Publish",
				"Resource": "arn:aws:sns:*:*:s3-event-notification-topic",
				"Condition":{
					"ArnLike":{"aws:SourceArn": "%s"}
				}
			}]
		}`, resource.Bucket.Arn),
	}, pulumi.Parent(&resource))
	if err != nil {
		return nil, err
	}

	// I think this is causing the 'Invalid ARN'
	resource.S3Notification, err = s3.NewBucketNotification(ctx, name+"-notification", &s3.BucketNotificationArgs{
		Bucket: resource.Bucket.Arn,
		Topics: s3.BucketNotificationTopicArray{
			s3.BucketNotificationTopicArgs{
				Events:   toPulumiStringArray("s3:ObjectCreated:*"),
				TopicArn: resource.Topic.Arn,
			},
		},
	}, pulumi.Parent(&resource), pulumi.DependsOn([]pulumi.Resource{resource.Bucket, resource.Topic}))
	if err != nil {
		return nil, err
	}

Has anyone seen anything like this before? Or maybe there’s an example of a bucketnotification?

I'm having issues using the EC2 SDK from a lambda that Pulumi has created via

aws.cloudwatch.onSchedule()

. I can run

console.log

inside the eventhandler code and I can see the output in my cloudwatch log. But the

console.log

code I have inside my

ec2Client.describeInstances()

callback is not appearing in cloudwatch; I don't know if it's because the callback isn't being called, or if there's insufficient permissions. How should I investigate? Where would (for example) permission errors show up?

How do I use crosswalk to set up an api that targets a step functions state machine?

Would the code below cause a “pulumi up” to replace servers every time debian updates the AMI? If so is it easy to pin it after the fact since that is not the behavior I want.

// Get latest Debian Buster AMI
const busterId = aws.getAmi({
    owners: ["136693071363"],
    mostRecent: true,
    filters: [{
        name: "name",
        values: ["debian-10-amd64-*"],
    }],
}, { async: true }).then(ami => ami.id);

With latest sdk's, creation of cluster is failing. Is this known issue?

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";

// Create an EKS cluster with the default configuration.
const cluster = new eks.Cluster("my-cluster");

// Export the cluster's kubeconfig.
export const kubeconfig = cluster.kubeconfig

having a huge problem trying to get an sns topic, and then set the topic & topic arn for creating a subscription, has anyone else dealt with SNS topics & subscriptions?

When deploying an EC2 instance, does

pulumi up

command wait for the user_data scripts to complete before returning?

Having an issue with pulumi_docker and environment variables. This works fine:

mock_image = docker.Image('mock-server-image',
                          build=docker.DockerBuild(context='../',
                                                   dockerfile=f'../Dockerfile'),
                          image_name=f'{repo.repository_url}',
                          registry=registry)

But as soon as I add an environment variable …

mock_image = docker.Image('mock-server-image',
                          build=docker.DockerBuild(context='../',
                                                   dockerfile=f'../Dockerfile',
                                                   env={'MOCK_PORT': '80'}),
                          image_name=f'{repo.repository_url}',
                          registry=registry)

I get an error:

FileNotFoundError: [Errno 2] No such file or directory: 'docker': 'docker'

guessing that supplying

env

like that replaces the entire environment, including likes like

PATH

- you’d probably want to fetch the existing environment and add your

MOCK_PORT

entry to it, and then pass that to

env

Hello, can anyone help me with this error?

error: aws:cloudfront/distribution:Distribution resource 'cdn' has a problem: "origin.0.domain_name": required field is not set

I have it specified here: https://gist.github.com/benjick/c356bf1776ae5da21cb42baf24eb3563#file-docs-s3-pulumi-ts-L21 I was following this tutorial: https://www.pulumi.com/blog/serving-a-static-website-on-aws-with-pulumi/

How would I enable group metrics collection for a K8s node group autoscaling group in AWS? Group metrics are not collected by default and when I check the Monitoring tab on the ASG it has a link 

Enable Group Metrics Collection

. I want it enabled when it is created. I am using the 

eks

 APIs and calling 

eks.Cluster

 and then 

cluster.createNodeGroup

. I have been able to retrieve from the nodeGroup properties the actual ASG name, but I am not sure how to either update an ASG to have the metrics enabled or to enable metrics on nodeGroup creation.

I created an eks cluster a while ago. Right now I'm using assumerole to auth with kubernetes (i.e., aws-iam-authenticator with role). When anyone else tries to do certain things in aws using the same role, they get error message: 'error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials' I'm able to reproduce this with a test aws account and setting up ~/.aws/credentials to point to these new credentials. The new user has the same access level I do, so should be able to assume the role. I do see what appears to be some discussion of this in https://github.com/pulumi/pulumi-eks/pull/205 but unclear what I should do on my end to fix this. Any ideas?

I'm trying to build an RDS instance and passing the vpc_security_group_ids, but it's throwing an error regardless of how I pass in the parameter. Does anyone have experience of doing this in Python?

Nevermind, I figured it out.

My problem is that I was trying to pass an RDS security group instead of an EC2 one... 🤦‍♂️

Hi there, I notice I can’t delete a VPC when I

pulumi destroy

my stack with an eks cluster and its dedicated VPC (created with

new awsx.ec2.Vpc()

). It hangs and ultimately fails to delete this VPC (while everything else from the stack has been properly destroyed). If I try to delete it manually with AWS console or CLI, everything’s fine, no error and it’s instantly deleted. I’m using the same AWS profile both for pulumi, the CLI or the console in order to exclude any permissions side effects.

error: deleting urn:pulumi:integration::platform::platform:Cluster$awsx:x:ec2:Vpc$aws:ec2/vpc:Vpc::main-cluster-main-vpc: Error deleting VPC: DependencyViolation: The vpc 'vpc-0f6b89731e2593036' has dependencies and cannot be deleted.
        status code: 400, request id: fdefca83-99e9-4b10-8d0f-2d3e5b9ab1b7

I don’t know what dependencies it’s talking about (no clue added in the error), and it does not seems to be an issue when deleting manually from console/CLI. What am I missing here ?

Hello, if I'm trying to set up a Policy on an autoscaling group and there's already a predefined policy (Alarm) that I want to leverage, how would I specify that? https://www.pulumi.com/docs/reference/pkg/aws/autoscaling/policy/

I’m working to get currently provisioned infrastructure into Pulumi. Trying to figure out what id to use to import Route53 Records?

I've trying to assume a role when accessing my eks cluster with kubectl. In my kubeconfig, under the user: section, I've got aws eks get-token --cluster-name --role <myrolearn>... I'm expecting for this for the get-token call to be run prior to my kubectl call and used in my kubectl call and thus ignoring whatever aws config i've got setup via ~/.aws/credentials. Am I understanding this correctly?