aws
  • h

    handsome-army-82617

    10/27/2020, 11:11 PM
    Just spent the last few hours trying to work out why my Pulumi config wasn't working for a project when it is literally a copy paste of a previous project that does work. Turns out this docker image was pulling 2.12.2 of Pulumi, whereas the previous project was on `2.11.2`. Looks like 2.12.x introduced breaking changes in AWS around certificate generation and domain validation.
  • b

    brief-printer-34348

    10/27/2020, 11:17 PM
    How do folks handle rolling AMI upgrades on AWS EC2 machines with stateful storage? I have ENI and EBS attachments to the host but haven’t figured out a way to upgrade the AMI in a single execution. There appear to be issues with how detaching and reattaching the ENI from instances happens. I ran into a similar issue with volume attachments but seem able to work around it by using `skip_destroy=True` on the volume attachment.
  • g

    gentle-account-13294

    10/28/2020, 9:08 PM
    I'm getting an error trying to import an AWS RouteTable
    # Route tables
    opts.import_ = "rtb-a7a13cce"
    route_table_args = [
        RouteTableRouteArgs(
            cidr_block="0.0.0.0/0",
            gateway_id=igw_a2a13ccb.id,
            instance_id=inst_805db614.id,
            network_interface_id="eni-8e4a7cc2",
            egress_only_gateway_id="",
            ipv6_cidr_block="",
            local_gateway_id="",
            nat_gateway_id="",
            transit_gateway_id="",
            vpc_peering_connection_id="",
        )
    ]
    
    rtb_a7a13cce = aws.ec2.RouteTable(
        resource_name="rtb-a7a13cce",
        vpc_id=vpc_a5a13ccc.id,
        routes=route_table_args,
        propagating_vgws=[vgw_0dc6bd0a91af1ae21.id],
        opts=opts
    )
    The "diff" is resulting in:
  • a

    average-kilobyte-47828

    10/30/2020, 9:15 AM
    I have 2 fargate services that need to be registered with 2 different target groups. The awsx examples use `portMappings: [listener]`, which looks like a bit of magic. It uses the listener's default target group. Can I provide a target group directly instead of a listener?
    index.ts
  • g

    gifted-vase-28337

    10/30/2020, 5:41 PM
    I want pulumi to assume a role to create some resources. We're using Amazon's SSO. The AWS-generated IAM Identity Provider looks like `arn:aws:iam::{account ID}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE`. With that as the role's assume_role policy `principal` (with type `Federated`), the role assumption fails with
    * error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
    Should I be doing this differently?
  • b

    blue-morning-55097

    11/02/2020, 8:22 PM
    anyone ever hit this error or know how to solve it? https://gist.github.com/deadbender/789ac4a05d2ba4f0d85db060ba89d13b
  • b

    blue-morning-55097

    11/02/2020, 8:23 PM
    happens when i run any command, preview works but as soon as it is done that happens. can't run `up` successfully.
  • c

    creamy-traffic-12121

    11/03/2020, 2:46 PM
    Copying this question from the typescript room, in case this has a more general answer: How do I get a lambda using an S3 source to update its source code when a new zip file is uploaded to the bucket? Even if I push a new zip to the S3 bucket, the lambda function won't update on `$ pulumi up`. The bucket in question does have versioning enabled.
  • s

    sticky-translator-17495

    11/03/2020, 7:09 PM
    I need to provision AWS resources in multiple regions. Locally I'm using a local EC2 instance metadata service agent (called limes), this since we have a multi-account setup where we need to assume roles. However, with this setup of two providers the region doesn't seem to take effect. Using the `providerAwsGlobal` provider still creates resources in "eu-west-1". The instance metadata service is on a profile that defaults to "eu-west-1", but it's still possible using it to interact with other regions. E.g. if I run `AWS_REGION=us-east-1 aws ...` it nicely interacts with another region. Anyone encountered this and have any ideas how to tackle it? Does pulumi support setting region when the instance metadata service is relied upon for authentication? EDIT: I noticed, having a resource outside my ComponentResource it creates it in the correct region. But not the resources within the ComponentResource. I updated the code example for more clarity
    Untitled.ts
  • c

    curved-pencil-86122

    11/04/2020, 8:56 AM
    How is it possible to tag EKS worker node group instances? Currently we are using Python/NodeGroup-module to create a node group. This creates an auto scaling group automatically. Nodegroup/Tags-property tags only the node group, not instances in auto scaling group
  • v

    victorious-car-86108

    11/04/2020, 1:57 PM
    👋 Hey, I'm following the tutorial for "Configuring AWS API Gateway Custom Domains and SSL using Route53 and ACM" but am receiving the following error after a timeout: `Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION`. I've downgraded to Pulumi 2.11.2 with no success. A few issues I've stumbled across: Terraform, interface {} is string, not int, deletion of ACM Certificate.
  • m

    mammoth-hair-25087

    11/04/2020, 5:46 PM
    anyone ever experience issues with pulumi creating resources based off of previous changes on your index.ts? pulumi seems to be caching our task definition with previous changes in our index.ts file...tried it and pulumi refresh, tried removing the stack, and importing/exporting stack as well but none work
  • g

    gentle-account-13294

    11/05/2020, 12:37 AM
    Trying to import/create Managed Prefix List. Can someone tell me where I can find them for the python SDK .. ie.
    import pulumi
    import pulumi_aws as aws
    
    #e.g. for SecurityGroup
    aws.ec2.SecurityGroup
    
    # what is the equivalent for Managed Prefix List ??
  • h

    handsome-dinner-91163

    11/05/2020, 12:01 PM
    Folks, I'm trying to upload a file from one bucket to another (replicate an archive for a Lambda that needs to run in multiple regions): BucketObject -> BucketObject Thought of using RemoteAsset but not sure how to get a working link (signed) from an existing BucketObject. Any other ideas welcome 🙂
  • r

    red-keyboard-36959

    11/05/2020, 3:23 PM
    Hello all, when going through the example at https://github.com/pulumi/examples/blob/master/aws-ts-eks-hello-world/index.ts I get an error:
    error: Running program '/home/tom/work/aws-typescript' failed with an unhandled exception:
        Error: Unable to deserialize resource urn:pulumi:dev::aws-typescript::eks:index:Cluster$aws:iam/instanceProfile:InstanceProfile::helloworld-instanceProfile, no module is registered for iam/instanceProfile.
            at deserializeProperty (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/rpc.js:486:31)
            at Object.deserializeProperties (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/rpc.js:125:24)
            at /home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:436:43
            at Generator.next (<anonymous>)
            at /home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:21:71
            at new Promise (<anonymous>)
            at __awaiter (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:17:12)
            at resolveOutputs (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:431:12)
            at Object.<anonymous> (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:233:19)
            at Generator.throw (<anonymous>)
  • r

    red-keyboard-36959

    11/05/2020, 3:25 PM
    When I get rid of everything below the vpc line, it works without a problem, but when I add the cluster resource in, it fails with the above error message
  • b

    bitter-oil-45383

    11/05/2020, 10:42 PM
    hi guys, do you have any example of integrating aws.apigateway.Method, aws.apigateway.Integration, aws.apigateway.MethodResponse with an API created with awsx.apigateway.API? Specifically, I'd like to enable cors
    /**
     * routes
     */
    export const routes: Route[] = [
      {
        path: '/api/speak',
        method: 'POST',
        eventHandler: speakApiLambdaFn,
      },
    ];
    
    const aspScanApiEndpoint = new awsx.apigateway.API('myApi', {
      stageName: pulumi.getStack(),
      routes
    });
  • l

    little-cartoon-10569

    11/05/2020, 10:48 PM
    I'm getting a panic in my typescript app but I'm not sure what's changed... it's the first time I've deployed this stack in a week or so... anyone recognize anything here?
    Untitled
  • l

    little-cartoon-10569

    11/06/2020, 12:53 AM
    `pulumi preview -v 9` is reporting this error:
    error: aws:ec2/instance:Instance resource 'preprod-batch' has a problem: Computed attribute cannot be set
    Nothing else. No idea how to tell which property or what value. It's in code that hasn't changed in days. Any idea if recent changes to Pulumi or the AWS provider might cause previously-valid config to become invalid?
  • b

    billions-forest-38488

    11/06/2020, 10:08 AM
    Hi, How is it possible to create an IAM Policy with the ARN from an EBS created also within Pulumi: Python Pulumi code:
    ebs_volume = ebs.Volume(
        resource_name=f"{self.stack_name}-ebs",
        availability_zone=preferred_az,
        size=self.stack_config['ebs_volume_size'],
        encrypted=True,
        tags={
            'Name': f"{self.stack_name}-ebs-data",
        })
    
    policy_params = {
        'EBS_ARN': ebs_volume.arn
    }
    
    policy = iam.Policy(
        resource_name=f'{self.stack_name}-instance-policy',
        opts=ResourceOptions(depends_on=[ebs_volume]),
        policy=render_jinja2_template('templates/instance_policy.json', policy_params)
    )
    Policy Doc snippet:
    {
        "Effect": "Allow",
        "Action": [
            "ec2:AttachVolume",
            "ec2:DetachVolume"
        ],
        "Resource": [
            "{{ EBS_ARN }}",
            "arn:aws:ec2:*:*:instance/*"
        ]
    },
    I currently get malformed policy due to
    <pulumi.output.Output object at 0x7fb6e7a67880>
    Any help would be greatly appreciated! thanks I don't understand how I can (for example): Create a RDS instance and then create a Route53 record based on the RDS endpoint output...
  • q

    quick-apartment-308

    11/06/2020, 8:59 PM
    Hi all, I’m getting an unusual error that can’t be reproduced on any of my coworkers’ machines:
    Error: Running program '/services/legacy-alert-sync' failed with an unhandled exception:
        Error: Unable to deserialize resource urn:pulumi:dev::legacy-alert-sync::aws:iam/role:Role::legacy-alert-sync-dev-legacyAlertSync, no module is registered for iam/role.
    Has anyone seen something like this?
  • a

    average-kilobyte-47828

    11/07/2020, 1:26 AM
    This is a long shot but here goes... I'm running an nginx container on fargate and all was good until I disabled assignPublicIp. Now nginx binds to the IPV6 address [::] and I no longer have connectivity. Network mode is awsvpc. Any ideas?
  • b

    billions-glass-17089

    11/08/2020, 1:55 PM
    hihi I found examples of how Pulumi can deploy an application to Fargate via a Container (which is amazing!) are there examples/docs on how Pulumi manages iterations of the application? I.e. if I wanted to make a text change on the voting app (i.e. vim vs emac) how would one go about doing that?
  • a

    average-kilobyte-47828

    11/08/2020, 5:39 PM
    Hi @billions-glass-17089 There are some examples using awsx.ecs.Image.fromPath() and fromDockerBuild() here: https://www.pulumi.com/docs/guides/crosswalk/aws/ecs/
  • a

    average-kilobyte-47828

    11/08/2020, 5:43 PM
    I haven’t tried them yet so not sure how image versioning works. I prefer to build and push docker images to ECR separately and always using a unique tag, usually the git commit hash. Then I use pulumi to update the task definition with the new image url where the tag is set from an env variable.
  • a

    average-kilobyte-47828

    11/08/2020, 5:49 PM
    Here’s how I’m doing it…
    fargate_ts.ts
  • a

    average-kilobyte-47828

    11/08/2020, 5:51 PM
    githash.sh
  • a

    average-kilobyte-47828

    11/08/2020, 5:54 PM
    And you probably want to use something like this to make sure you’re building off an actual commit.
    Untitled
  • h

    hundreds-egg-46465

    11/09/2020, 4:08 AM
    hey, the docs here use an `isTaggable` function, are you expected to make it yourself or is it provided in some library, it's a bit unclear to me sorry https://www.pulumi.com/blog/automatically-enforcing-aws-resource-tagging-policies/
  • g

    gifted-vase-28337

    11/09/2020, 8:21 AM
    I'm unable to get Pulumi to assume a role when authenticated via SSO. Details in thread.
The `assume_role` policy attached to the role:
assume_role_policy_document = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRoleWithSAML", "sts:AssumeRole"],
            effect="Allow",
            principals=[
                aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    identifiers=[
                        "arn:aws:iam::{account id}:saml-provider/AWSSSO_d3b6798fb784ed5e_DO_NOT_DELETE"
                    ],
                    type="Federated"
                ),
            ],
            conditions=[
                aws.iam.GetPolicyDocumentStatementConditionArgs(
                    test="StringEquals",
                    values=["https://signin.aws.amazon.com/saml"],
                    variable="SAML:aud",
                ),
            ],
        )
    ]
)
which comports with https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html#idp_saml_Prerequisites
I'm seeing this error:
error: 1 error occurred:
        * error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::{account id}:role/debug) cannot be assumed.
    
    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid
    
    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
`~/.aws/config` contains the following (it's using aws2-wrap):
[default]
region = us-west-2
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
credential_process = aws2-wrap --process --profile default

[profile chaueter-sandbox]
region = us-west-2
role_arn = arn:aws:iam::{account id}:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dbc09583d3a27737
source_profile = default
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
Pulumi is able to authenticate with the `chaueter-sandbox` profile and CRUD resources. However, it cannot assume the role set by `assume_role` in an `aws.Provider`:
aws.Provider(
        resource_name="provider",
        assume_role=aws.ProviderAssumeRoleArgs(
            duration_seconds=2 * 60 * 60,
            role_arn="{the role arn}",
            session_name="session",
        ),
        max_retries=1,
        profile=os.environ["AWS_PROFILE"],
        region=pulumi.Config("aws").require("region"),
    )
I tried this condition for the `assume_role` policy:
test="StringEquals",
values=["chaueter@valohealth.com"],
variable="SAML:mail",
and got the same error message.