dazzling-sundown-39670
06/27/2020, 11:01 AM
admin@ponyo ~/s/infrastructure (cleanup) [1]> kc logs efs-csi-controller-0 --namespace=kube-system
error: a container name must be specified for pod efs-csi-controller-0, choose one of: [efs-plugin csi-attacher]
admin@ponyo ~/s/infrastructure (cleanup) [1]> kc logs efs-csi-node-qt48m --namespace=kube-system
error: a container name must be specified for pod efs-csi-node-qt48m, choose one of: [efs-plugin csi-driver-registrar]
My code here: https://gist.github.com/benjick/fade82590773b89d753c3580e107a1fa
How do I specify the container names?
little-cartoon-10569
06/28/2020, 9:20 PM
little-cartoon-10569
06/28/2020, 11:35 PM
.apply() the ID, I can use getDirectory which returns the dnsIPAddresses, but I can't create a new resource from within an .apply(). So I can't create my VpcDhcpOptions from those IP addresses 😞
quiet-painter-30539
06/30/2020, 8:10 AM
pulumi up run (i.e. creating the bucket and bucket policy) I get required field is not set.
faint-motherboard-95438
06/30/2020, 1:21 PM
aws eks update-kubeconfig then a kubectl) even with aws administrator permissions, we get an Unauthorized error.
How would one properly provision an EKS Cluster with pulumi, with the right role(s)/provider, so that team members can interact afterward on it with kubectl without getting an error?
dazzling-sundown-39670
07/01/2020, 9:33 AM
dazzling-sundown-39670
07/01/2020, 3:52 PM
const image = repository.buildAndPushImage(buildOptions) (using awsx/ecr)
I want helm to be run after it's built and pushed but I can't use it with dependsOn because it's just output
hundreds-musician-51496
07/02/2020, 4:49 PM
dazzling-sundown-39670
07/03/2020, 10:34 PM
strong-lock-6425
07/07/2020, 2:29 PM
error: 2 errors occurred:
* resource test/test-alb-ingress was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'test-alb-ingress' timed out waiting to be Ready
* Ingress .status.loadBalancer field was not updated with a hostname/IP address.
for more information about this error, see <https://pulumi.io/xdv72s>
I'm attaching source code here, would appreciate any help! (No loadbalancer is appearing in AWS after this)
happy-parrot-60128
07/07/2020, 3:05 PM
few-pillow-1133
07/09/2020, 6:00 PM
limited-solstice-34584
07/11/2020, 1:08 AM
stocky-lion-56153
07/11/2020, 8:51 PM
pulumi up it updates the viewerCertificate even though nothing has changed. Not sure how to debug this. Can anyone suggest anything please?
salmon-ghost-86211
07/15/2020, 2:27 PM
userIamAccessKeys.id or userIamAccessKeys.secret is the only content on the BucketObject, it writes successfully.
If encryptedKeys ciphertext is the content, the text written is [object Object].
I can't seem to use toJSON or toString or .apply to build the ciphertext.
How do I pull out some details from the AccessKey, convert it to Ciphertext and insert it into the BucketObject content?
const userIamAccessKeys = new aws.iam.AccessKey(
    "iam-access-key",
    { user: iamUser.name, },
    { dependsOn: iamUser }
);
const encryptedKeys = new aws.kms.Ciphertext(
    "user-encrypted-keys",
    {
        keyId: myKms.keyId,
        plaintext: `{
"access_key": ${userIamAccessKeys.id},
"secret_key": ${userIamAccessKeys.secret}
}
`
    },
    { dependsOn: userIamAccessKeys }
);
// Store the already encrypted access keys in S3
const accessKeysInS3 = new aws.s3.BucketObject(
    "access-keys-in-s3",
    {
        bucket: myS3Bucket.apply(bucket => bucket.id),
        content: encryptedKeys.toString(),
        key: "accesskeys.json.enc"
    },
    { dependsOn: [userIamAccessKeys, encryptedKeys] }
);
salmon-ghost-86211
07/15/2020, 11:13 PM
error: aws:ec2/launchTemplate:LaunchTemplate resource 'my-launch-template' has a problem: iam_instance_profile.0: expected object, got string
Here's my basic code snippet
const myInstanceRole = new ServiceRole(
    `${pulumi.getStack()}-my-instanceRole`,
    {
        managedPolicyArns: [
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
        ],
        service: "ec2.amazonaws.com"
    }
).role;
const myInstanceProfile = new aws.iam.InstanceProfile(
    "my-instance-profile",
    { role: myInstanceRole }
);
const myLaunchTemplate = new aws.ec2.LaunchTemplate(
    `${namePrefix}-launch-template`,
    {
        description: `Builds the ${namePrefix} my server`,
        iamInstanceProfile: myInstanceProfile,
        imageId: amiId,
        instanceType: instanceType,
        keyName: sshKey,
        namePrefix: namePrefix,
        userData: userData,
        vpcSecurityGroupIds: availableSubnetIds,
    }
);
Any ideas?
acceptable-stone-35112
07/16/2020, 10:32 AM
limited-solstice-34584
07/16/2020, 2:45 PM
acceptable-stone-35112
07/17/2020, 7:15 AM
acceptable-stone-35112
07/17/2020, 7:15 AM
silly-train-98536
07/18/2020, 5:39 PM
silly-train-98536
07/19/2020, 4:44 AM
refined-teacher-35628
07/19/2020, 6:16 AM
gray-jewelry-3360
07/20/2020, 7:47 PM
stocky-lion-56153
07/20/2020, 9:41 PM
Pulumi.production.yaml config has aws:region: eu-west-1 and aws:profile: prod_deploy (a profile that assumes a role in production). However shell has AWS_PROFILE=dev (a developer role in a different account) and I found that the ACM cert is getting created in dev and everything else is (trying to be) created in prod.
The code is as follows:
us_east_1 = Provider('us-east-1', region='us-east-1')
cert = acm.Certificate(
    "cert",
    domain_name=target_domain,
    validation_method="DNS",
    opts=pulumi.ResourceOptions(provider=us_east_1)
)
cert_validation_domain = route53.Record(
    'cert-validation-domain',
    zone_id=hosted_zone_id,
    ttl=600,
    name=cert.domain_validation_options[0]['resourceRecordName'],
    type=cert.domain_validation_options[0]['resourceRecordType'],
    records=[cert.domain_validation_options[0]['resourceRecordValue']]
)
cert_validation = acm.CertificateValidation(
    'cert-validation',
    certificate_arn=cert.arn,
    validation_record_fqdns=[cert_validation_domain.fqdn],
    opts=pulumi.ResourceOptions(provider=us_east_1)
)
stocky-lion-56153
07/20/2020, 9:43 PM
export AWS_REGION=prod_deploy it works properly. Should I be doing something to pass the profile along when I create the provider in us-east-1 maybe?
stocky-lion-56153
07/20/2020, 10:52 PM
aws_profile = pulumi.Config('aws').require('profile')
us_east_1 = Provider('us-east-1', region='us-east-1', profile=aws_profile)
it’s quite unintuitive to need to do that though - especially when the DNS validation of the cert will work fine across accounts
steep-alligator-79173
07/22/2020, 1:11 PM
azs = aws.get_availability_zones(state="available")
base_image_storage = aws.ebs.Volume(
    "qtx-base-image-storage",
    availability_zone=azs.zone_ids[0],
    size=10)
steep-alligator-79173
07/22/2020, 1:12 PM
aws:ebs:Volume (image-storage):
error: Error creating EC2 volume: InvalidZone.NotFound: The zone 'euc1-az2' does not exist.
status code: 400, request id: 5659db1c-cbfc-4296-8705-e4d1fe226cec
steep-alligator-79173
07/22/2020, 1:12 PM
azs.name[0]