pulumi-community #aws

aws

little-cartoon-10569

08/06/2020, 5:15 AM

Is it possible to get the NACL rules of a given NACL using @pulumi/aws? Or do I have to drop out to the AWS SDK?

delightful-controller-41497

08/06/2020, 10:47 AM

Hi there! Newbie here. I have question, if anyone is able to help. I've managed to create a Fargate service + RDS Postgres. The database is obviously empty, so I'd like to run

create database X;

as part of my Pulumi flow. How might one go about doing that?

astonishing-quill-88807

08/06/2020, 3:41 PM

So, I've got a cloudfront distribution and associated Route53 record that need to be replaced, but it's failing on the distribution because the Route53 record is already present. Any thoughts on how I can force it to remove the Route53 record before recreating the Cloudfront distribution? Relevant code here: https://github.com/mitodl/ol-infrastructure/blob/main/src/ol_infrastructure/infrastructure/aws/s3_sites/__main__.py#L17-L26

incalculable-engineer-92975

08/06/2020, 3:59 PM

Hello, is there any way to modify the assumeRolePolicy for an existing IAM role?

handsome-knife-3587

08/06/2020, 9:38 PM

I'm interested in using Fargate to run a cluster with multiple containers written in different languages. I've got a basic setup working but it's all in one repo. I'd like to move each container into a different repo and still have Pulumi 'do the right thing'. What is the right way to do this?

little-cartoon-10569

08/07/2020, 1:43 AM

Reviving my question from yesterday: how can I read NACL rules (not managed by Pulumi)? The getNetworkAcls function seems to hide the "Entries" part of what's returned from the SDK's DescribeNetworkAcls, so I can inspect the rules programmatically. I tried used the SDK directly, but this is problematic because I don't have any creds available to get a client, I only have the Pulumi provider, which doesn't expose the creds.

aloof-engine-23345

08/08/2020, 1:44 AM

howdy, does anyone here have an example of how to look up an existing route 53 zone?

important-appointment-55126

08/08/2020, 2:01 AM

https://www.pulumi.com/docs/reference/pkg/aws/route53/zone/#look-up

aloof-engine-23345

08/08/2020, 4:40 PM

@important-appointment-55126 thanks, i got that sorted out… next issue i’m having is that i’m walking through the process of setting up a an SSL cert for an API gateway domain outlined here: https://www.pulumi.com/docs/guides/crosswalk/aws/api-gateway/#configuring-aws-api-gateway-custom-domains-and-ssl-using-route53-and-acm The odd thing is that I see the CNAME record created for DNS validation but there is no cert in the ACM awaiting validation

aloof-engine-23345

08/08/2020, 4:44 PM

oh… hold on… for some reason it is creating the cert request in the wrong account

aloof-engine-23345

08/08/2020, 4:50 PM

i wonder why pulumi would create all my resources in the correct account but not this particular certificate… it looks like it has been issued and validated but the cert is in my top level AWS account while all other resources are in aws org child account

millions-furniture-75402

08/11/2020, 2:29 PM

How do I set CloudWatch log role ARN in apigateway settings?

delightful-controller-41497

08/11/2020, 2:49 PM

Hi folks, anyone managed to get

awsx.apigateway.API

working with

aws.apigatewayv2.VpcLink

? I can see the VpcLink on the AWS Dashboard but I'm getting the error "Vpc Link <X> was not found in account <Y>"

✔️ 1

delightful-controller-41497

08/11/2020, 5:35 PM

Is there a cost associated with VPC Links? (I can only find information about VPC PrivateLinks but I reckon these are different things)

gifted-vase-28337

08/11/2020, 8:26 PM

✅ 👋 hi all, I'm experiencing unexpected behavior with pulumi aws. When

config:aws:endpoints

contains endpoints for both

iam

and

cloudwatch

, the `iam`endpoint is ignored, causing IAM requests to be sent to

<http://iam.amazonaws.com|iam.amazonaws.com>

crooked-knife-92853

08/12/2020, 5:23 PM

Hi everyone. We have an existing EKS cluster (not created with Pulumi) and are wondering if there is any way to get the cluster’s kubeconfig programmatically?

delightful-controller-41497

08/13/2020, 10:34 AM

Anyone managed to get a CloudFlare domain set up with API Gateway?

witty-ice-69000

08/13/2020, 4:21 PM

Any ideas what this error is trying to tell me? Google doesn't help and neither does Pulumi docs so far.

error: Program failed with an unhandled exception:
    error: Traceback (most recent call last):
      File "/usr/local/bin/pulumi-language-python-exec", line 85, in <module>
        loop.run_until_complete(coro)
      File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
        return future.result()
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 83, in run_in_stack
        await run_pulumi_func(lambda: Stack(func))
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 51, in run_pulumi_func
        await RPC_MANAGER.rpcs.pop()
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 35, in run_pulumi_func
        func()
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 83, in <lambda>
        await run_pulumi_func(lambda: Stack(func))
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 106, in __init__
        func()
      File "/usr/local/bin/pulumi-language-python-exec", line 84, in <lambda>
        coro = pulumi.runtime.run_in_stack(lambda: runpy.run_path(args.PROGRAM, run_name='__main__'))
      File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 282, in run_path
        return _run_code(code, mod_globals, init_globals,
      File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "./__main__.py", line 41, in <module>
        main()
      File "./__main__.py", line 37, in main
        create_stack_deployment_iam(this_provider, "production", permission_boundaries)
      File "/asi/aws/infrastructure.py", line 62, in create_stack_deployment_iam
        instance_assume_role_policy = iam.get_policy_document(
      File ".venv/lib/python3.8/site-packages/pulumi_aws/iam/get_policy_document.py", line 317, in get_policy_document
        __ret__ = pulumi.runtime.invoke('aws:iam/getPolicyDocument:getPolicyDocument', __args__, opts=opts).value
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/invoke.py", line 127, in invoke
        return InvokeResult(_sync_await(asyncio.ensure_future(do_rpc())))
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/sync_await.py", line 95, in _sync_await
        return fut.result()
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/invoke.py", line 124, in do_rpc
        raise exn
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/rpc_manager.py", line 67, in rpc_wrapper
        result = await rpc
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/invoke.py", line 108, in do_invoke
        resp = await asyncio.get_event_loop().run_in_executor(None, do_invoke)
      File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/concurrent/futures/thread.py", line 57, in run
        result = self.fn(*self.args, **self.kwargs)
      File ".venv/lib/python3.8/site-packages/pulumi/runtime/invoke.py", line 106, in do_invoke
        raise Exception(details)
    Exception: invocation of aws:iam/getPolicyDocument:getPolicyDocument returned an error: grpc: error while marshaling: proto: repeated field Values has nil element
    error: an unhandled error occurred: Program exited with non-zero exit code: 1

The snippet of my code that it's referencing is this:

witty-ice-69000

08/13/2020, 4:21 PM

[10:53 AM]     instance_assume_role_policy = iam.get_policy_document(
        opts=pulumi.ResourceOptions(depends_on=[user], provider=provider),
        statements=[
            {
                "actions": ["sts:AssumeRole"],
                "effect": "Allow",
                "principals": [
                    {"identifiers": [user.arn.apply(lambda arn: arn)], "type": "AWS"}
                ],
            },
        ],
    )

delightful-controller-41497

08/13/2020, 4:25 PM

Anyone ever faced

aws.acm.Certificate

trying to create a new ARN every time instead of returning the ARN for the existing certificate? it doesn't actually create the duplicated certificate, but the wrong arn makes my workflow break.

✔️ 1

future-diamond-31373

08/13/2020, 5:45 PM

Hey everyone! I'm creating rest apis via

awsx

and have run into a major roadblock trying to enable IAM authorization on my methods. The documentation seems to have extensive support for token auth, lambda auth, and api key auth - however doesn't seem to have much detail in the way of IAM auth. After doing a lot of documentation and library digging, I've found that the

AWS_IAM

string can be specified on the

aws.apigateway.Method

resource, however when using

awsx

a lot of this wiring and resource generation happens behind the scenes, so I'm unable to get the method (since I don't know the id and the resource isn't accounted for anywhere in the output or UI to my knowledge), and unable to create a new method since the path is already in use. Any help on the matter would be greatly appreciated!

most-lighter-1731

08/14/2020, 10:04 AM

Hi, when creating an

ecs.Cluster

resource, I'm seeing a child s3 bucket resource whose parent is the cluster's

AutoScalingLaunchConfiguration

. The bucket seems to be empty all or most of the time and I'm wondering why it's there, what data might be stored there and if it's possible to either prevent pulumi from creating it or to specify that it be encrypted.

👍 1

worried-engineer-33884

08/14/2020, 5:55 PM

Hi, I just upgraded pulumi/aws to v3.x and now getting an error.

Diagnostics:
  pulumi:providers:aws (admin-provider):
    error: rpc error: code = Unknown desc = could not validate provider configuration: 1 error occurred:
    	* assume_role.0: expected object, got string

Untitled

famous-garage-15683

08/14/2020, 9:11 PM

I created a VPC just by doing

new awsx.ec2.Vpc("name", {})

. It looks like it created a private subnet and a public subnet by default and the way it secured the private subnet is with a NAT Gateway. Why use a NAT Gateway instead of just using a Network ACL? Is there some advantage to NAT Gateway that makes it worth the extra cost?

salmon-ghost-86211

08/14/2020, 9:39 PM

I have a launch template being created and updated by

pulumi

but I found that the

default

launch template version was not being changed. I'm not sure how to use the

updateDefaultVersion

LaunchTemplate resource property listed here

<https://www.pulumi.com/docs/reference/pkg/aws/ec2/launchtemplate/#updatedefaultversion_nodejs>

. I can't seem to get this property in my code correctly. It doesn't go in

LaunchTemplateArgs

and I can't seem to assign a boolean to it as if it's a property. What am I doing wrong?

nice-airport-15607

08/19/2020, 4:42 PM

Anyone know how, or where to override the

isBase64Encoded

property on API Gateways? I’m trying to make it

false

, but not sure where to pass that in since the

eventHandler

takes a

aws.lambda.EventHandler<Request, Response>

, but I’m not sure how to pass those arguments along to the API when its pointing to a new `aws.lambda.CallbackFunction`… Thanks in advance.

quaint-guitar-13446

08/20/2020, 4:14 AM

I'm trying to pass ssm Parameters to Fargate and it's throwing the following error while provisioning:

Fetching secret data from SSM Parameter Store in ap-southeast-2: AccessDeniedException: User: <...> is not authorized to perform: ssm:GetParameters on resource: <...> status code: 400, request id: f13766c0-3c7b-46c7-9a34-5dd3b12f0e86

quaint-guitar-13446

08/20/2020, 4:14 AM

Is this resolved with Pulumi or via the IAM console?

echoing-angle-67526

08/20/2020, 3:20 PM

i've tried deploying eks but the nodes remain in a 'NotReady' status since it can't pull the VPC CNI plugin image for the aws-node DaemonSet. Not sure if this is problem happens in other regions but i'm seeing it in both the us-east-1 and ca-central-1 regions. see below:

Events:
  Type     Reason     Age               From                                                   Message
  ----     ------     ----              ----                                                   -------
  Normal   Scheduled  9m                default-scheduler                                      Successfully assigned kube-system/aws-node-7rl2w to ip-10-0-47-120.ca-central-1.compute.internal
  Normal   Pulling    7m (x4 over 9m)   kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Pulling image "<http://602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0|602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0>"
  Warning  Failed     7m (x4 over 9m)   kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Failed to pull image "<http://602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0|602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0>": rpc error: code = Unknown desc = Error response from daemon: Get <https://602401143452.dkr.ecr.us-west-2.amazonaws.com/v2/amazon-k8s-cni/manifests/v1.6.0>: no basic auth credentials
  Warning  Failed     7m (x4 over 9m)   kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Error: ErrImagePull
  Normal   BackOff    7m (x6 over 9m)   kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Back-off pulling image "<http://602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0|602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0>"
  Warning  Failed     4m (x21 over 9m)  kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Error: ImagePullBackOff

and my pulumi program:

import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";

// Create a VPC for our cluster.
const vpc = new awsx.ec2.Vpc("vpc", { numberOfAvailabilityZones: 2 });

// Create the EKS cluster itself and a deployment of the Kubernetes dashboard.
const cluster = new eks.Cluster("cluster", {
    vpcId: vpc.id,
    subnetIds: vpc.publicSubnetIds,
    instanceType: "t2.medium",
    desiredCapacity: 1,
    minSize: 1,
    maxSize: 2,
    deployDashboard: true,
});

// Export the cluster's kubeconfig.
export const kubeconfig = cluster.kubeconfig;

I've checked the roles and it looks like the node has permissions to read from ECR. Any ideas why this is happening?

handsome-knife-3587

08/20/2020, 8:47 PM

I'm porting a CloudFormation script into Pulumi and I'm looking at an SNS:Topic. The subscriptions is email but the Pulumi docs (https://www.pulumi.com/docs/reference/pkg/aws/sns/topicsubscription/) say 'email isn't supported - see below' but there is nothing below. Is this because it's auto-generated from Terraform or is something missing?

Title

handsome-knife-3587

08/20/2020, 8:47 PM

little-cartoon-10569

08/20/2020, 8:57 PM

In the Terraform equivalent, it's because email requires a handshake response from the email address before it's enabled. I guess it's the same here?

In Terraform, you can set it up but you have to finalize the subscription manually.

handsome-knife-3587

08/20/2020, 11:16 PM

makes sense, I'll setup another method. Thank you!

View count: 2