Trying to follow this guide regard k8s and efs here: https://www.pulumi.com/blog/persisting-kubernetes-workloads-with-amazon-efscsi-volumes-using-pulumi-sdks/ but I'm getting these errors:

admin@ponyo ~/s/infrastructure (cleanup) [1]> kc logs efs-csi-controller-0 --namespace=kube-system
error: a container name must be specified for pod efs-csi-controller-0, choose one of: [efs-plugin csi-attacher]
admin@ponyo ~/s/infrastructure (cleanup) [1]> kc logs efs-csi-node-qt48m --namespace=kube-system
error: a container name must be specified for pod efs-csi-node-qt48m, choose one of: [efs-plugin csi-driver-registrar]

My code here: https://gist.github.com/benjick/fade82590773b89d753c3580e107a1fa How do I specify the container names?

Are there pre-built security groups with well-known rules and rule groups? Like the Terraform "aws security-group" module? I'd like a shortcut for creating the security group needed for EC2 instances to join an AD domain, and there's about 16 well-known rules needed...

Is there a way to get the dnsIpAddresses of a MicrosoftAD instance in the same run as it is being created? The Terraform module provides them on the DirectoryService resource, but the only thing in the Pulumi equivalent is its ID. If I

.apply()

the ID, I can use getDirectory which returns the dnsIPAddresses, but I can't create a new resource from within an

.apply()

. So I can't create my VpcDhcpOptions from those IP addresses 😞

I'm creating a bucket and a bucket policy using Pulumi / Python. How to get the bucket arn from a bucket resource for creating the bucket policy? If I try to get the bucket arn in the same

pulumi up

run (i.e. creating the bucket and bucket policy) I get

required field is not set

.

Hi, That’s not a pulumi question per se, but we have an aws role issue when creating an EKS cluster. It seems bound to the person creating it (or the aws credentials used by the pulumi aws provider). If someone else tries to interact with it (doing an

aws eks update-kubeconfig

then a

kubectl

) even with aws administrator permissions, we get an Unauthorized error. How would one properly provision an EKS Cluster with pulumi, with the right role(s)/provider, so that team members can interact afterward on it with

kubectl

without getting an error ?

I think this one needs a refresh: https://www.pulumi.com/blog/persisting-kubernetes-workloads-with-amazon-efscsi-volumes-using-pulumi-sdks/ So much stuff outdated

Is there any way I can "wait" for this?

const image = repository.buildAndPushImage(buildOptions)

(using

awsx/ecr

) I want helm to be run after it's built and pushed but I can't use it with

dependsOn

because it's just output

Can a "magic function" refer to pulumi.Output values at runtime via the`get()` method or will they be undefined? Thread follows.

Any suggestions on how to create a mysql-provider for a rds-cluster inside a VPC? My current code looks like this but I guess I have to take my ip and add it to some rule maybe?

I'm struggling with setting up EKS with alb ingress controller. I followed guide from: https://www.pulumi.com/blog/kubernetes-ingress-with-aws-alb-ingress-controller-and-pulumi-crosswalk/ But I'm struggling to make it work. Needed to modify a bit as was outdated, but it always fails on creation of alb ingress with:

error: 2 errors occurred:
        * resource test/test-alb-ingress was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'test-alb-ingress' timed out waiting to be Ready
        * Ingress .status.loadBalancer field was not updated with a hostname/IP address.
        for more information about this error, see <https://pulumi.io/xdv72s>

I'm attaching source code here, would appreciate any help! (No loadbalancer is appearing in AWS after this)

We’ve just open-sourced a complete Pulumi-based AWS serverless application for booking office visits: https://github.com/o2Labs/office-booker It’s written in TypeScript, uses some low-level DynamoDB operations, and configured the whole monorepo through Pulumi’s stack config.

Hi, when creating ec2 instance, can the name tag be included...couldn't see where in the doc

I am still trying to figure out how to create a mock integration for api gateway for cors purposes. So far I have been unable to make it work.

Hi, I have a program that creates an ACM cert and a cloudfront distro that uses it. Everything is functioning correctly except that every time I run

pulumi up

it updates the

viewerCertificate

even though nothing has changed. Not sure how to debug this. Can anyone suggest anything please?

I'm trying to create access keys, write a few fields into a new JSON object and convert it to ciphertext, then save it to S3 as a new file. Before this code I create a KMS key (myKms), and IAM user (iamUser) and have an S3 bucket object defined (myS3Bucket). If

userIamAccessKeys.id

or

userIamAccessKeys.secret

is the only

content

on the BucketObject, it writes successfully. If

encryptedKeys

ciphertext is the

content

, the text written is

[object Object]

. I can't seem to use

toJSON

or

toString

or

.apply

to build the ciphertext. How do I pull out some details from the

AccessKey

, convert it to

Ciphertext

and insert it into the

BucketObject

content

?

const userIamAccessKeys = new aws.iam.AccessKey(
    "iam-access-key",
    { user: iamUser.name, },
    { dependsOn: iamUser }
);

const encryptedKeys = new aws.kms.Ciphertext(
    "user-encrypted-keys",
    {
        keyId: myKms.keyId,
        plaintext: `{
          "access_key": ${userIamAccessKeys.id},
          "secret_key": ${userIamAccessKeys.secret}
        }
        `
    },
    { dependsOn: userIamAccessKeys }
);

// Store the already encrypted access keys in S3
const accessKeysInS3 = new aws.s3.BucketObject(
    "access-keys-in-s3",
    {
        bucket: myS3Bucket.apply(bucket => bucket.id),
        content: encryptedKeys.toString(),
        key: "accesskeys.json.enc"
    },
    { dependsOn: [userIamAccessKeys, encryptedKeys] }
);

I'm trying to assign an instance profile I just created to a Launch Template , but I get

error: aws:ec2/launchTemplate:LaunchTemplate resource 'my-launch-template' has a problem: iam_instance_profile.0: expected object, got string

Here's my basic code snippet

const myInstanceRole = new ServiceRole(
    `${pulumi.getStack()}-my-instanceRole`,
    {
        managedPolicyArns: [
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
        ],
        service: "<http://ec2.amazonaws.com|ec2.amazonaws.com>"
    }
).role;

const myInstanceProfile = new aws.iam.InstanceProfile(
    "my-instance-profile",
    { role: myInstanceRole }
);

const myLaunchTemplate = new aws.ec2.LaunchTemplate(
    `${namePrefix}-launch-template`,
    {
        description: `Builds the ${namePrefix} my server`,
        iamInstanceProfile: myInstanceProfile,
        imageId: amiId,
        instanceType: instanceType,
        keyName: sshKey,
        namePrefix: namePrefix,
        userData: userData,
        vpcSecurityGroupIds: availableSubnetIds,
    }
);

Any ideas?

When importing existing S3 Bucket to stack, should I use bucket name, domain name or arn?

i would usually recommend arn

I got this error while creating CF distribution. If there's a required parameter, I guess it should fail on pulumi preview

error creating CloudFront Distribution: MalformedXML: 1 validation error detected: Value '' at 'distributionConfigWithTags.distributionConfig.viewerCertificate.sSLSupportMethod' failed to satisfy constraint: Member must satisfy enum value set: [static-ip, sni-only, vip]

Hi is a similar workshop for aws? Thanks. https://twitter.com/pulumicorp/status/1280962386330034177?s=21

Hi, is there an example to build RDS Aurora (mysql, postgresql) multi region w/ global database ?

Hi, is there any example to up Postgres RDS with Secret manager with autorotation?

Hi Team, I'm having issues while pulumi up with the auto generated requirements.txt file, can you please provide solution for this: pulumipulumiStack (Pulumi-latest-dev):     error: an unhandled error occurred: Program exited with non-zero exit code: 3221225781 error: installing dependencies via `pip install -r requirements.txt`: exit status 3221225781

I’m seeing some odd behaviour and I was wondering it someone can check if I’m doing something dumb before I raise an issue…. My program runs in eu-west-1 but it needs to create an acm cert in us-east-1 for cloudfront. My

Pulumi.production.yaml

config has

aws:region: eu-west-1

and

aws:profile: prod_deploy

(a profile that assumes a role in production). However shell has

AWS_PROFILE=dev

(a developer role in a different account) and I found that the ACM cert is getting created in

dev

and everything else is (trying to be) created in

prod

The code is as follows:

us_east_1 = Provider('us-east-1', region='us-east-1')

cert = acm.Certificate(
    "cert",
    domain_name=target_domain,
    validation_method="DNS",
    opts=pulumi.ResourceOptions(provider=us_east_1)
)

cert_validation_domain = route53.Record(
    'cert-validation-domain',
    zone_id=hosted_zone_id,
    ttl=600,
    name=cert.domain_validation_options[0]['resourceRecordName'],
    type=cert.domain_validation_options[0]['resourceRecordType'],
    records=[cert.domain_validation_options[0]['resourceRecordValue']]
)

cert_validation = acm.CertificateValidation(
    'cert-validation',
    certificate_arn=cert.arn,
    validation_record_fqdns=[cert_validation_domain.fqdn],
    opts=pulumi.ResourceOptions(provider=us_east_1)
)

When I

export AWS_REGION=prod_deploy

it works properly. Should I be doing something to pass the profile along when I create the provider in

us-east-1

maybe?

So, this works….

aws_profile = pulumi.Config('aws').require('profile')
us_east_1 = Provider('us-east-1', region='us-east-1', profile=aws_profile)

it’s quite unintuitive to need to do that though - especially when the DNS validation of the cert will work fine across accounts

I’m trying to create ebs volume first Im pulling up az’s then based on the output I want to create ebs volume

azs = aws.get_availability_zones(state="available")
base_image_storage = aws.ebs.Volume(
  "qtx-base-image-storage",
  availability_zone=azs.zone_ids[0],
  size=10)

but Im getting error:

aws:ebs:Volume (image-storage):
    error: Error creating EC2 volume: InvalidZone.NotFound: The zone 'euc1-az2' does not exist.
    	status code: 400, request id: 5659db1c-cbfc-4296-8705-e4d1fe226cec

when I try to use

azs.name[0]