Anyone seen this error before:

pulumi:providers:aws (serverless-mono-shared-dev-targetaccount):
    error: rpc error: code = Unknown desc = could not validate provider configuration: 1 error occurred:
    	* assume_role.0: expected object, got string

Provider looks like this

export const deploymentProvider = new aws.Provider(
    `${projectName}-${environment}-targetaccount`,
    {
        region: awsConfig.require('region') as any,
        assumeRole: {
            roleArn: roleArnToAssume,
        },
    },
)

Role is pretty straight forward arnawssts:<account>role/Admin

Hello folks, I am trying to register the instances on AWS Service discovery service (cloudmap) but there are no specific API for service discovery where i can register instance id and IP here https://www.pulumi.com/docs/reference/pkg/aws/servicediscovery/service/

Hi! Let me try to ask this questions here. Maybe somebody know how to deal with this I faced with two issues yesterday. Help please, it's painful... 1. Autoscaling group creation for ECS (with EC2 type), failed with next error.

aws:cloudformation:Stack (sosafe-staging-sg):
    error: 1 error occurred:
    	* updating urn:pulumi:staging::ss-servers::awsx:x:ecs:Cluster$awsx:x:autoscaling:AutoScalingGroup$aws:cloudformation/stack:Stack::sosafe-staging-sg: ValidationError: Stack:arn:aws:cloudformation:eu-north-1:606515313688:stack/sosafe-staging-sg-211ef70/86ab6f70-e337-11ea-99ce-06cb12622298 is in ROLLBACK_COMPLETE state and can not be updated.
    	status code: 400, request id: 6e5d68df-e95c-486f-8ac1-f58ffeca0841

And second one - I cannot create security groups with error:

Diagnostics:
  pulumi:pulumi:Stack (ss-servers-staging):
    error: update failed

  aws:ec2:SecurityGroupRule (EcsSecurityGroupHTTPinbound):
    error: [WARN] A duplicate Security Group rule was found on (sg-0d4217ba67f301afc). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
    information and instructions for recovery. Error message: the specified rule "peer: 0.0.0.0/0, TCP, from port: 80, to port: 80, ALLOW" already exists

I see issue https://github.com/pulumi/pulumi-awsx/issues/293 , but I still have no idea how to solve this or find workaround.

If you create an isolated subnet in a VPC using the awsx.ec2.vps crosswalk is that visible to the other subnets automatically or do you need to add a NAT?

Hello, anyone having problem with ec2.Instance.associatePublicIpAddress? I clearly set this field to false, but it keeps having publicIp, and pulumi dashboard shows me that it thinks it's true

Can anyone tell me what affect auto-scaling has on nonessential containers? Do nonessential containers run again when scaling?

Hi Guys, I'm wonder if anyone has used the API gateway with sending message to SQS before. It ran fine with pulumi up but when I'm trying to test the API it is giving me a weird message indicating it can't load module "@pulumi/aws/sqs/index.js" Here is how I setup this:

import * as awsx from '@pulumi/awsx';
import { Context, nameOf } from './naming';
import * as sqs from '@pulumi/aws/sqs';
import * as sqssdk from 'aws-sdk/clients/sqs';

export function createApiGetaway(
	purpose: string,
	context: Context,
	queueName: string
): awsx.apigateway.API {
	const name = nameOf('api', context, purpose);

	const handler = async (event: any) => {
		const requestBody = event.body as string;

		const queue = await sqs.getQueue(
			{
				name: queueName,
			},
			{ async: true }
		);
		const sqsClient = new sqssdk();
		sqsClient.sendMessage(
			{
				QueueUrl: queue.url,
				MessageBody: requestBody,
			},
			() => {}
		);

		return {
			statusCode: 200,
			body: 'message',
		};
	};

	const api = new awsx.apigateway.API(name, {
		routes: [
			{
				path: '/',
				method: 'POST',
				eventHandler: handler,
			},
		],
	});

	return api;
}

The logs from testing this in the aws console is

Execution log for request b8ae63fa-7d2b-427e-b629-6b3e0a702610
Tue Aug 25 21:59:08 UTC 2020 : Starting execution for request: b8ae63fa-7d2b-427e-b629-6b3e0a702610
Tue Aug 25 21:59:08 UTC 2020 : HTTP Method: POST, Resource Path: /
Tue Aug 25 21:59:08 UTC 2020 : Method request path: {}
Tue Aug 25 21:59:08 UTC 2020 : Method request query string: {}
Tue Aug 25 21:59:08 UTC 2020 : Method request headers: {}
Tue Aug 25 21:59:08 UTC 2020 : Method request body before transformations: {
    "sample":""
}
Tue Aug 25 21:59:08 UTC 2020 : Endpoint request URI: <https://lambda.eu-west-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-1:606148221596:function:ta-dev-api-damavand-process-image980655da-731571a/invocations>
Tue Aug 25 21:59:08 UTC 2020 : Endpoint request headers: {x-amzn-lambda-integration-tag=b8ae63fa-7d2b-427e-b629-6b3e0a702610, Authorization=************************************************************************************************************************************************************************************************************************************************************************************************************************23b3a8, X-Amz-Date=20200825T215908Z, x-amzn-apigateway-api-id=jxv808o1mk, X-Amz-Source-Arn=arn:aws:execute-api:eu-west-1:606148221596:jxv808o1mk/test-invoke-stage/POST/, Accept=application/json, User-Agent=AmazonAPIGateway_jxv808o1mk, X-Amz-Security-Token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [TRUNCATED]
Tue Aug 25 21:59:08 UTC 2020 : Endpoint request body after transformations: {"resource":"/","path":"/","httpMethod":"POST","headers":null,"multiValueHeaders":null,"queryStringParameters":null,"multiValueQueryStringParameters":null,"pathParameters":null,"stageVariables":null,"requestContext":{"resourceId":"72qfdqq0qf","resourcePath":"/","httpMethod":"POST","extendedRequestId":"R2Jy_H3iDoEFdfw=","requestTime":"25/Aug/2020:21:59:08 +0000","path":"/","accountId":"606148221596","protocol":"HTTP/1.1","stage":"test-invoke-stage","domainPrefix":"testPrefix","requestTimeEpoch":1598392748608,"requestId":"b8ae63fa-7d2b-427e-b629-6b3e0a702610","identity":{"cognitoIdentityPoolId":null,"cognitoIdentityId":null,"apiKey":"test-invoke-api-key","principalOrgId":null,"cognitoAuthenticationType":null,"userArn":"arn:aws:iam::606148221596:root","apiKeyId":"test-invoke-api-key-id","userAgent":"aws-internal/3 aws-sdk-java/1.11.829 Linux/4.9.217-0.1.ac.205.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.262-b10 java/1.8.0_262 vendor/Oracle_Corporation","accountId [TRUNCATED]
Tue Aug 25 21:59:08 UTC 2020 : Sending request to <https://lambda.eu-west-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-1:606148221596:function:ta-dev-api-damavand-process-image980655da-731571a/invocations>
Tue Aug 25 21:59:08 UTC 2020 : Received response. Status: 200, Integration latency: 299 ms
Tue Aug 25 21:59:08 UTC 2020 : Endpoint response headers: {Date=Tue, 25 Aug 2020 21:59:08 GMT, Content-Type=application/json, Content-Length=781, Connection=keep-alive, x-amzn-RequestId=bc3f7c83-81d9-4b69-aebd-52e2fc0182d0, X-Amz-Function-Error=Unhandled, x-amzn-Remapped-Content-Length=0, X-Amz-Executed-Version=$LATEST, X-Amzn-Trace-Id=root=1-5f4589ac-0d5733967208c879ec0782d5;sampled=0}
Tue Aug 25 21:59:08 UTC 2020 : Endpoint response body before transformations: {"errorType":"Error","errorMessage":"Cannot find module '@pulumi/aws/sqs/index.js'\nRequire stack:\n- /var/task/__index.js\n- /var/runtime/UserFunction.js\n- /var/runtime/index.js","trace":["Error: Cannot find module '@pulumi/aws/sqs/index.js'","Require stack:","- /var/task/__index.js","- /var/runtime/UserFunction.js","- /var/runtime/index.js","    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:966:15)","    at Function.Module._load (internal/modules/cjs/loader.js:842:27)","    at Module.require (internal/modules/cjs/loader.js:1026:19)","    at require (internal/modules/cjs/helpers.js:72:18)","    at /var/task/__index.js:23:34","    at Runtime.__f0 [as handler] (/var/task/__index.js:42:6)","    at Runtime.handleOnce (/var/runtime/Runtime.js:66:25)"]}
Tue Aug 25 21:59:08 UTC 2020 : Lambda execution failed with status 200 due to customer function error: Cannot find module '@pulumi/aws/sqs/index.js'
Require stack:
- /var/task/__index.js
- /var/runtime/UserFunction.js
- /var/runtime/index.js. Lambda request id: bc3f7c83-81d9-4b69-aebd-52e2fc0182d0
Tue Aug 25 21:59:08 UTC 2020 : Method completed with status: 502

👋 hello! New to pulumi. I have a couple questions: Q1. Is there an example that exposes a service running in Kubernetes (EKS) through an ALB with pulumi in Python? Doing the task (i.e. exposing an EKS service through an ALB) has a number of steps, including: 1. Create an identity provider and associate it to the cluster (this might already be done? see Q2) 2. Create an IAM role with a policy that (a) grants it permissions to manage ALBs, and (b) trusts the identity provider created in (1). 3. Create a ServiceAccount and ClusterRole in k8s and annotate it with the arn of the role in (2). 4. Create an ALB ingress controller with the role created in (3). 5. Create an actual Ingress for the service! Seems like a lot of moving parts. Before I spend hours miserably trying to do it, I wanted to see if there’s prior art. I think steps 3-5 are easy (just k8s config). But steps 1-2 (esp. step 1) may not be as easy? Any pointers very much appreciated!

(Second question in separate message) Q2. I created my EKS cluster with pulumi. It has an associated OICD provider. However, if I do

aws iam list-open-id-connect-providers

, I don’t see the provider that the EKS cluster is using. Why?

How does one lookup the ID for an existing resource SES EmailIdentity for adoption using the

import

paramater? The EmailIdentity get function seems to need the ID as input. Similar issues exist for some other resources where the

get

method requires an ID parameter to find it, but no ID is apparent from aws-cli or from AWS Console.

Hello! I’m having issues creating AWS RDS aurora-mysql DB instances. Referring to the AWS documentation, the value for

AllocatedStorage

is not applicable, but still is required when instanciating an

Rds.Instance()

with Engine

aurora-mysql

. Furthermore, the CLI reports, that a value for

iops

has to be set, but setting an

iops

value for engine

aurora-mysql

seems to be invalid  (

InvalidParameterCombination: Specifying IOPs is not allowed for this engine

). I can’t find an applicable example of how to create AWS RDS Aurora-Mysql instances on the web - may someone give me some hints of what I'm doing wrong?

Hello, I'm trying to create a EKs cluster with managed groups, I'm following this example https://www.pulumi.com/blog/aws-eks-managed-nodes-fargate/, but can't find how to assign a InstanceType in a managed Group, I'm using the function

createManagedNodeGroup

I have an AWS/pulumi process that is configured to acquire a specific role and then pass that aws.Provider around to be incorporated using

ResourceOptions

for authenticating resource creation. Having to constantly remember to apply the resource options to correctly acquire the provider is both tedious and error prone. Is there a way I can declare the assume role provider to be the default provider, or at least the default provider within a specific scope to eliminate this toil?

Is there a way to use

m6g.large

instance types in a eks.NodeGroup?

error: Running program '/Users/daniel/code/infra/qa/03-cluster-configuration' failed with an unhandled exception:

  TSError: ⨯ Unable to compile TypeScript:

  index.ts(96,5): error TS2322: Type '"m6g.large"' is not assignable to type '"a1.2xlarge" | "a1.4xlarge" | "a1.large" | "a1.medium" | "a1.xlarge" | "c3.2xlarge" | "c3.4xlarge" | "c3.8xlarge" | "c3.large" | "c3.xlarge" | "c4.2xlarge" | "c4.4xlarge" | ... 157 more ... | undefined'.

Hi all! It seems i am unable to set enabledClusterLogTypes on an EKS cluster after provisioning without some weirdness. Btw, this is my first attempt with pulumi, so there is a change I am doing things the wrong way. Would love if you could correct me. This is my code:

const cluster = new aws.eks.Cluster(environment.name, {
        name: environment.name,
        vpcConfig: {
            subnetIds: subnets.map(s => s.id),
            endpointPublicAccess: false,
            endpointPrivateAccess: true,
            securityGroupIds: [clusterSecurityGroup.id]
        },
        //enabledClusterLogTypes: ["api","audit","authenticator","controllerManager","scheduler"], // Uncomment and cluster.vpcConfig.clusterSecurityGroupId becomes undefined
        roleArn: clusterRole.arn,
        version: environment.clusterKubernetesVersion ? environment.clusterKubernetesVersion : "1.17"
    })

    // Patch the cluster security group
    environment.extraClusterIngressSecurityGroupIds?.forEach((id, i) => {
        console.log(id, i, cluster.vpcConfig.clusterSecurityGroupId)
        new aws.ec2.SecurityGroupRule(`extra-cluster-ingress-rules-${i}`, {
            securityGroupId: cluster.vpcConfig.clusterSecurityGroupId,
            type: "ingress",
            fromPort: 0,
            toPort: 0,
            protocol: "-1",
            sourceSecurityGroupId: id,
        })
    })

I provisioned the cluster before I added

enabledClusterLogTypes

. I made a change that sets

enabledClusterLogTypes

, and now, when running

pulumi up

,

cluster.vpcConfig.clusterSecurityGroupId

is undefined. If I comment out the block that uses the undefined value, I can successfully add the cluster log types. This has the consequence of removing my security group rules. Afterwards, i can uncomment the block again and this work. Is what i am trying to do actually possible? I also tried using

dependsOn

as well as wrapping the for loop in

cluster.vpcConfig.apply()

to no avail.

are there any good examples of building standalone lambda functions

I'm using custom AWS providers with Pulumi (using Python) but I'm getting a weird error upgrading from pulumi-aws 2.x to 3.x:

~   ├─ pulumi:providers:aws          stack                  update      [diff: +assumeRole-assume_role]

This also wants to replace all my resources, which is of course a no-go. Anyone doing the same thing that I am, but able to use version 3.x?

Managed node groups now support EC2 launch templates ... and if I understand correctly, this requires Terraform AWS Provider 3.3.0 which requires Upgrade to v3.3.0 of the AWS Terraform Provider (or newer) for these features to be available in Pulumi.Aws?

Hey, fairly new here. Attempting to import an existing load balancer and I'm hitting a length constraint on the import identifier:

const main = new aws.elb.LoadBalancer("qa-elb", {
    name: "qa-elb",
    ...
}, { import: "arn:aws:elasticloadbalancing:us-west-2:115325214166:loadbalancer/app/a-really-long-arn1233412asd1 });

=> error: Preview failed: refreshing urnpulumistaging-managed-infra:infraawselb/loadBalancerLoadBalancerredjade qa Error retrieving ELB: ValidationError: LoadBalancer name cannot be longer than 32 characters Is there any way to work around this? Thanks!

Hi all. I’m trying to update an ECS service and I’m getting this mystic message:

Creation of service was not idempotent. "personal-andy-AugmentationService"

. Digging around it seems to be related to this one: https://github.com/terraform-providers/terraform-provider-aws/issues/2283 I can’t find the reference in pulumi doc for ECS, but it’s mentioned here: https://www.pulumi.com/docs/reference/pkg/aws/acm/certificate/. How do you specify the lifecycle block? A quick search in pulumi docs didn’t yield anything… 😞 I eventually managed to work around by rename the service, but I’m still curious about the

lifecycle

reference here since we have ACM certs…

Hi guys I'm trying to create a cloudwatch rule that publishes a message on SQS every 2 hours. That's where I'm stuck:

const queue = new aws.sqs.Queue('myQueueName', { visibilityTimeoutSeconds: 180 });

const eventRule = new aws.cloudwatch.EventRule('myRule', {
  scheduleExpression: 'cron(0 0 0/2 1/1 * ? *)',
});

new aws.cloudwatch.EventTarget('myEvent' {
  rule: eventRule.name,
  // ...
});

what do I have to pass as arguments to the

aws.cloudwatch.EventTarget

constructor to link the queue created above and the event? Also, how do I specify the SQS message format? Thank you!!

Is it possible to specify an ingress rule that is self-referential? Meaning, I want to create a security group that only allows access to a given port from other instances that are assigned to that same group. Pseudo code of how I would think it could work:

consul_agent_security_group = ec2.SecurityGroup(
    f'consul-agent-{environment_name}-security-group',
    name=f'{environment_name}-consul-agent',
    description='Access control between Consul agents',
    tags=aws_config.merged_tags({'Name': f'{environment_name}-consul-agent'}),
    vpc_id=destination_vpc['id'],
    ingress=[
        ec2.SecurityGroupIngressArgs(
            security_groups=[self.id],
            protocol='tcp',
            from_port=8301,
            to_port=8301,
            description='LAN gossip protocol'
        )
    ]
)

Or, alternatively, is it possible to append rules to an existing security group?

Nevermind, think I just found what I need in the form of

ec2.SecurityGroupIngressRule

This message was deleted.

This message was deleted.

This message was deleted.

hey all, I have two fargate services that I’ve registered with aws service discovery. one fargate service depends on the hostname assigned to the other service by AWS, yet it doesn’t seem there’s a way to query for it without creating a race condition in pulumi. am I missing something in the API? my code looks something like the following:

let myFirstServiceRegistryService = new aws.servicediscovery.Service("myFirstFargateService", {
    dnsConfig: {
        namespaceId: nodeServiceDiscoveryNamespace.id,
        dnsRecords: [{
            ttl: 10,
            type: "A"
        }],
        routingPolicy: "MULTIVALUE"
    }
});

let myFirstFargateService = new awsx.ecs.FargateService("myFirstFargateService", {
    ...
    serviceRegistries: {
        registryArn: myServiceRegistry.arn,
        containerName: myAppServiceRegistryService
    }
});

let mySecondFargateService = new awsx.ecs.FargateService("mySecondFargateService", {
    ...
    taskDefinitionArgs: {
        containers: {
            mySecondFargateService: {
                environment: [{
                    name: "APP_HOSTNAME",
                    value:  myAppFArgateService HOSTNAME GOES HERE
                }]
            }
        }
    }
});

unfortunately, doing something like the following creates a race condition:

environment: [{
    name: "APP_HOSTNAME",
    value: pulumi.output(pulumi.all([myFirstFargateService.id, myFirstServiceRegistryService.id])
        .apply(([myFirstFargateServiceId, myFirstServiceRegistryServiceId]) => {
            serviceDiscovery.listInstances({ServiceId: myFirstServiceRegistryServiceId}, function (err, data) {
                if (err) {
                    throw err;
                } else {
                    return data.Instances[0].Attributes["AWS_INSTANCE_IPV4"];
                }
            });
        }))
}]