Powered by Linen
aws
  • l

    little-cartoon-10569

    08/06/2020, 5:15 AM
    Is it possible to get the NACL rules of a given NACL using @pulumi/aws? Or do I have to drop out to the AWS SDK?
  • d

    delightful-controller-41497

    08/06/2020, 10:47 AM
    Hi there! Newbie here. I have a question, if anyone is able to help. I've managed to create a Fargate service + RDS Postgres. The database is obviously empty, so I'd like to run `create database X;` as part of my Pulumi flow. How might one go about doing that?
  • a

    astonishing-quill-88807

    08/06/2020, 3:41 PM
    So, I've got a cloudfront distribution and associated Route53 record that need to be replaced, but it's failing on the distribution because the Route53 record is already present. Any thoughts on how I can force it to remove the Route53 record before recreating the Cloudfront distribution? Relevant code here: https://github.com/mitodl/ol-infrastructure/blob/main/src/ol_infrastructure/infrastructure/aws/s3_sites/__main__.py#L17-L26
  • i

    incalculable-engineer-92975

    08/06/2020, 3:59 PM
    Hello, is there any way to modify the assumeRolePolicy for an existing IAM role?
  • h

    handsome-knife-3587

    08/06/2020, 9:38 PM
    I'm interested in using Fargate to run a cluster with multiple containers written in different languages. I've got a basic setup working but it's all in one repo. I'd like to move each container into a different repo and still have Pulumi 'do the right thing'. What is the right way to do this?
  • l

    little-cartoon-10569

    08/07/2020, 1:43 AM
    Reviving my question from yesterday: how can I read NACL rules (not managed by Pulumi)? The getNetworkAcls function seems to hide the "Entries" part of what's returned from the SDK's DescribeNetworkAcls, so I can inspect the rules programmatically. I tried using the SDK directly, but this is problematic because I don't have any creds available to get a client, I only have the Pulumi provider, which doesn't expose the creds.
  • a

    aloof-engine-23345

    08/08/2020, 1:44 AM
    howdy, does anyone here have an example of how to look up an existing route 53 zone?
  • i

    important-appointment-55126

    08/08/2020, 2:01 AM
    https://www.pulumi.com/docs/reference/pkg/aws/route53/zone/#look-up
  • a

    aloof-engine-23345

    08/08/2020, 4:40 PM
    @important-appointment-55126 thanks, i got that sorted out… next issue i’m having is that i’m walking through the process of setting up an SSL cert for an API gateway domain outlined here: https://www.pulumi.com/docs/guides/crosswalk/aws/api-gateway/#configuring-aws-api-gateway-custom-domains-and-ssl-using-route53-and-acm The odd thing is that I see the CNAME record created for DNS validation but there is no cert in the ACM awaiting validation
  • a

    aloof-engine-23345

    08/08/2020, 4:44 PM
    oh… hold on… for some reason it is creating the cert request in the wrong account
  • a

    aloof-engine-23345

    08/08/2020, 4:50 PM
    i wonder why pulumi would create all my resources in the correct account but not this particular certificate… it looks like it has been issued and validated but the cert is in my top level AWS account while all other resources are in aws org child account
  • m

    millions-furniture-75402

    08/11/2020, 2:29 PM
    How do I set CloudWatch log role ARN in apigateway settings?
  • d

    delightful-controller-41497

    08/11/2020, 2:49 PM
    Hi folks, anyone managed to get `awsx.apigateway.API` working with `aws.apigatewayv2.VpcLink`? I can see the VpcLink on the AWS Dashboard but I'm getting the error "Vpc Link <X> was not found in account <Y>"
  • d

    delightful-controller-41497

    08/11/2020, 5:35 PM
    Is there a cost associated with VPC Links? (I can only find information about VPC PrivateLinks but I reckon these are different things)
  • g

    gifted-vase-28337

    08/11/2020, 8:26 PM
    ✅ 👋 hi all, I'm experiencing unexpected behavior with pulumi aws. When `config:aws:endpoints` contains endpoints for both `iam` and `cloudwatch`, the `iam` endpoint is ignored, causing IAM requests to be sent to iam.amazonaws.com.
  • c

    crooked-knife-92853

    08/12/2020, 5:23 PM
    Hi everyone. We have an existing EKS cluster (not created with Pulumi) and are wondering if there is any way to get the cluster’s kubeconfig programmatically?
  • d

    delightful-controller-41497

    08/13/2020, 10:34 AM
    Anyone managed to get a CloudFlare domain set up with API Gateway?
  • w

    witty-ice-69000

    08/13/2020, 4:21 PM
    Any ideas what this error is trying to tell me? Google doesn't help and neither does Pulumi docs so far.
    error: Program failed with an unhandled exception:
        error: Traceback (most recent call last):
          File "/usr/local/bin/pulumi-language-python-exec", line 85, in <module>
            loop.run_until_complete(coro)
          File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
            return future.result()
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 83, in run_in_stack
            await run_pulumi_func(lambda: Stack(func))
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 51, in run_pulumi_func
            await RPC_MANAGER.rpcs.pop()
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 35, in run_pulumi_func
            func()
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 83, in <lambda>
            await run_pulumi_func(lambda: Stack(func))
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 106, in __init__
            func()
          File "/usr/local/bin/pulumi-language-python-exec", line 84, in <lambda>
            coro = pulumi.runtime.run_in_stack(lambda: runpy.run_path(args.PROGRAM, run_name='__main__'))
          File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 282, in run_path
            return _run_code(code, mod_globals, init_globals,
          File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/runpy.py", line 87, in _run_code
            exec(code, run_globals)
          File "./__main__.py", line 41, in <module>
            main()
          File "./__main__.py", line 37, in main
            create_stack_deployment_iam(this_provider, "production", permission_boundaries)
          File "/asi/aws/infrastructure.py", line 62, in create_stack_deployment_iam
            instance_assume_role_policy = iam.get_policy_document(
          File ".venv/lib/python3.8/site-packages/pulumi_aws/iam/get_policy_document.py", line 317, in get_policy_document
            __ret__ = pulumi.runtime.invoke('aws:iam/getPolicyDocument:getPolicyDocument', __args__, opts=opts).value
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/invoke.py", line 127, in invoke
            return InvokeResult(_sync_await(asyncio.ensure_future(do_rpc())))
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/sync_await.py", line 95, in _sync_await
            return fut.result()
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/invoke.py", line 124, in do_rpc
            raise exn
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/rpc_manager.py", line 67, in rpc_wrapper
            result = await rpc
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/invoke.py", line 108, in do_invoke
            resp = await asyncio.get_event_loop().run_in_executor(None, do_invoke)
          File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/concurrent/futures/thread.py", line 57, in run
            result = self.fn(*self.args, **self.kwargs)
          File ".venv/lib/python3.8/site-packages/pulumi/runtime/invoke.py", line 106, in do_invoke
            raise Exception(details)
        Exception: invocation of aws:iam/getPolicyDocument:getPolicyDocument returned an error: grpc: error while marshaling: proto: repeated field Values has nil element
        error: an unhandled error occurred: Program exited with non-zero exit code: 1
    The snippet of my code that it's referencing is this:
  • w

    witty-ice-69000

    08/13/2020, 4:21 PM
    instance_assume_role_policy = iam.get_policy_document(
        opts=pulumi.ResourceOptions(depends_on=[user], provider=provider),
        statements=[
            {
                "actions": ["sts:AssumeRole"],
                "effect": "Allow",
                "principals": [
                    {"identifiers": [user.arn.apply(lambda arn: arn)], "type": "AWS"}
                ],
            },
        ],
    )
  • d

    delightful-controller-41497

    08/13/2020, 4:25 PM
    Anyone ever faced `aws.acm.Certificate` trying to create a new ARN every time instead of returning the ARN for the existing certificate? It doesn't actually create the duplicated certificate, but the wrong ARN makes my workflow break.
  • f

    future-diamond-31373

    08/13/2020, 5:45 PM
    Hey everyone! I'm creating rest apis via `awsx` and have run into a major roadblock trying to enable IAM authorization on my methods. The documentation seems to have extensive support for token auth, lambda auth, and api key auth - however doesn't seem to have much detail in the way of IAM auth. After doing a lot of documentation and library digging, I've found that the `AWS_IAM` string can be specified on the `aws.apigateway.Method` resource, however when using `awsx` a lot of this wiring and resource generation happens behind the scenes, so I'm unable to get the method (since I don't know the id and the resource isn't accounted for anywhere in the output or UI to my knowledge), and unable to create a new method since the path is already in use. Any help on the matter would be greatly appreciated!
  • m

    most-lighter-1731

    08/14/2020, 10:04 AM
    Hi, when creating an `ecs.Cluster` resource, I'm seeing a child s3 bucket resource whose parent is the cluster's `AutoScalingLaunchConfiguration`. The bucket seems to be empty all or most of the time and I'm wondering why it's there, what data might be stored there and if it's possible to either prevent pulumi from creating it or to specify that it be encrypted.
  • w

    worried-engineer-33884

    08/14/2020, 5:55 PM
    Hi, I just upgraded pulumi/aws to v3.x and now getting an error.
    Diagnostics:
      pulumi:providers:aws (admin-provider):
        error: rpc error: code = Unknown desc = could not validate provider configuration: 1 error occurred:
        	* assume_role.0: expected object, got string
  • f

    famous-garage-15683

    08/14/2020, 9:11 PM
    I created a VPC just by doing `new awsx.ec2.Vpc("name", {})`. It looks like it created a private subnet and a public subnet by default and the way it secured the private subnet is with a NAT Gateway. Why use a NAT Gateway instead of just using a Network ACL? Is there some advantage to NAT Gateway that makes it worth the extra cost?
  • s

    salmon-ghost-86211

    08/14/2020, 9:39 PM
    I have a launch template being created and updated by `pulumi` but I found that the `default` launch template version was not being changed. I'm not sure how to use the `updateDefaultVersion` LaunchTemplate resource property listed here <https://www.pulumi.com/docs/reference/pkg/aws/ec2/launchtemplate/#updatedefaultversion_nodejs>. I can't seem to get this property in my code correctly. It doesn't go in `LaunchTemplateArgs` and I can't seem to assign a boolean to it as if it's a property. What am I doing wrong?
  • n

    nice-airport-15607

    08/19/2020, 4:42 PM
    Anyone know how, or where to override the `isBase64Encoded` property on API Gateways? I’m trying to make it `false`, but not sure where to pass that in since the `eventHandler` takes an `aws.lambda.EventHandler<Request, Response>`, but I’m not sure how to pass those arguments along to the API when it’s pointing to a new `aws.lambda.CallbackFunction`… Thanks in advance.
  • q

    quaint-guitar-13446

    08/20/2020, 4:14 AM
    I'm trying to pass ssm Parameters to Fargate and it's throwing the following error while provisioning:
    Fetching secret data from SSM Parameter Store in ap-southeast-2: AccessDeniedException: User: <...> is not authorized to perform: ssm:GetParameters on resource: <...> status code: 400, request id: f13766c0-3c7b-46c7-9a34-5dd3b12f0e86
  • q

    quaint-guitar-13446

    08/20/2020, 4:14 AM
    Is this resolved with Pulumi or via the IAM console?
  • e

    echoing-angle-67526

    08/20/2020, 3:20 PM
    i've tried deploying eks but the nodes remain in a 'NotReady' status since it can't pull the VPC CNI plugin image for the aws-node DaemonSet. Not sure if this problem happens in other regions but i'm seeing it in both the us-east-1 and ca-central-1 regions. see below:
    Events:
      Type     Reason     Age               From                                                   Message
      ----     ------     ----              ----                                                   -------
      Normal   Scheduled  9m                default-scheduler                                      Successfully assigned kube-system/aws-node-7rl2w to ip-10-0-47-120.ca-central-1.compute.internal
      Normal   Pulling    7m (x4 over 9m)   kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Pulling image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0"
      Warning  Failed     7m (x4 over 9m)   kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Failed to pull image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0": rpc error: code = Unknown desc = Error response from daemon: Get https://602401143452.dkr.ecr.us-west-2.amazonaws.com/v2/amazon-k8s-cni/manifests/v1.6.0: no basic auth credentials
      Warning  Failed     7m (x4 over 9m)   kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Error: ErrImagePull
      Normal   BackOff    7m (x6 over 9m)   kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Back-off pulling image "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.0"
      Warning  Failed     4m (x21 over 9m)  kubelet, ip-10-0-47-120.ca-central-1.compute.internal  Error: ImagePullBackOff
    and my pulumi program:
    import * as awsx from "@pulumi/awsx";
    import * as eks from "@pulumi/eks";
    
    // Create a VPC for our cluster.
    const vpc = new awsx.ec2.Vpc("vpc", { numberOfAvailabilityZones: 2 });
    
    // Create the EKS cluster itself and a deployment of the Kubernetes dashboard.
    const cluster = new eks.Cluster("cluster", {
        vpcId: vpc.id,
        subnetIds: vpc.publicSubnetIds,
        instanceType: "t2.medium",
        desiredCapacity: 1,
        minSize: 1,
        maxSize: 2,
        deployDashboard: true,
    });
    
    // Export the cluster's kubeconfig.
    export const kubeconfig = cluster.kubeconfig;
    I've checked the roles and it looks like the node has permissions to read from ECR. Any ideas why this is happening?
  • h

    handsome-knife-3587

    08/20/2020, 8:47 PM
    I'm porting a CloudFormation script into Pulumi and I'm looking at an SNS:Topic. The subscription is email but the Pulumi docs (https://www.pulumi.com/docs/reference/pkg/aws/sns/topicsubscription/) say 'email isn't supported - see below' but there is nothing below. Is this because it's auto-generated from Terraform or is something missing?

little-cartoon-10569

08/20/2020, 8:57 PM
In the Terraform equivalent, it's because email requires a handshake response from the email address before it's enabled. I guess it's the same here?
In Terraform, you can set it up but you have to finalize the subscription manually.

handsome-knife-3587

08/20/2020, 11:16 PM
makes sense, I'll set up another method. Thank you!