Just spent the last few hours trying to work out why my Pulumi config wasn't working for a project when it is literally a copy paste of a previous project that does work. Turns out this docker image was pulling 2.12.2 of Pulumi, whereas the previous project was on

2.11.2

. Looks like 2.12.x introduced breaking changes AWS around certificate generation and domain validation.

How do folks handle rolling AMI upgrades on AWS EC2 machines with stateful storage? I have ENI and EBS attachments to the host but haven’t figured out a way to upgrade the AMI in a single execution. There appears to be issues with how detaching and reattaching the ENI from instances happens. I ran into a similar issue with volume attachments but seem able to work around it by using

skip_destroy=True

on the volume attachment.

I'm getting an error trying to import an AWS RouteTable

# Route tables
opts.import_ = "rtb-a7a13cce"
route_table_args = [
    RouteTableRouteArgs(
        cidr_block="0.0.0.0/0",
        gateway_id=igw_a2a13ccb.id,
        instance_id=inst_805db614.id,
        network_interface_id="eni-8e4a7cc2",
        egress_only_gateway_id="",
        ipv6_cidr_block="",
        local_gateway_id="",
        nat_gateway_id="",
        transit_gateway_id="",
        vpc_peering_connection_id="",
    )
]

rtb_a7a13cce = aws.ec2.RouteTable(
    resource_name="rtb-a7a13cce",
    vpc_id=vpc_a5a13ccc.id,
    routes=route_table_args,
    propagating_vgws=[vgw_0dc6bd0a91af1ae21.id],
    opts=opts
)

the "diff" is resulting in :

I have 2 fargate services that need to be registered with 2 different target groups. The awsx examples use

portMappings: [listener]

, which looks like a bit of magic. It uses listeners default target group. Can I provide a target group directly instead of a listener?

I want pulumi to assume a role to create some resources. We're using Amazon's SSO. The AWS-generated IAM Identity Provider looks like

arn:aws:iam::{account ID}:saml-provider/AWSSSO_{redacted}_DO_NOT_DELETE

. With that as the role's assume_role policy

principal

(with type

Federated

), the role assumption fails with

* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

Should I be doing this differently?

anyone ever hit this error or know how to solve it? https://gist.github.com/deadbender/789ac4a05d2ba4f0d85db060ba89d13b

happens when i run any command, preview works but as soon as it is done that happens. can't run

up

successfully.

Copying this question from the typescript room, in case this has a more general answer: How do I get a lambda using an S3 source to update its source code when a new zip file is uploaded to the bucket? Even if I push a new zip to the S3 bucket, the lambda function won't update on 

$ pulumi up

 . The bucket in question does have versioning enabled.

I need to provision AWS resources in multiple regions. Locally I'm using a local EC2 instance metadata service agent (called limes), this since we have a multi-account setup where we need to assume roles. However, with this setup of two providers the region doesn't seem to take affect. Using the

providerAwsGlobal

provider still creates resources in "eu-west-1". The instance metadata service is on a profile that defaults to "eu-west-1", but it's still possible using it to interact with other regions. E.g. if I run

AWS_REGION=us-east-1 aws ...

it nicely interacts with another region. Anyone encountered this and have any ideas how to tackle it? Does pulumi support setting region when the instance metadata service is relied upon for authentication? EDIT: I noticed, having a resource outside my ComponentResource it creates it in the correct region. But not the resources within the ComponentResource. I updated the code example for more clarity

How is it possible to tag EKS worker node group instances? Currently we are using Python/NodeGroup-module to create a node group. This creates an auto scaling group automatically. Nodegroup/Tags-property tags only the node group, not instances in auto scaling group

👋 Hey, I'm following the tutorial for "Configuring AWS API Gateway Custom Domains and SSL using Route53 and ACM" but am receiving the following error after a timeout:

Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

. I've downgraded to Pulumi 2.11.2 with no success. A few issues I've stumbled across: Terraform, interface {} is string, not int, deletion of ACM Certificate.

anyone ever experience issues with pulumi creating resources based off of previous changes on your index.ts? pulumi seems to be caching our task definition with previous changes in our index.ts file...tried it and pulumi refresh, tried removing the stack, and importing/exporting stack as well but none work

Trying to import/create Managed Prefix List. Can someone tell me where I can find them for the python SDK .. ie.

import pulumi
import pulumi_aws as aws

#e.g. for SecurityGroup
aws.ec2.SecurityGroup

# what is the equivalent for Managed Prefix List ??

Folks, I'm trying to upload a file from one bucket to another (replicate an archive for a Lambda that needs to run in multiple regions): BucketObject -> BucketObject Thought of using RemoteAsset but not sure how to get a working link (signed) from an existing BucketObject. Any other ideas welcome 🙂

Hello all, when going through the example at https://github.com/pulumi/examples/blob/master/aws-ts-eks-hello-world/index.ts I get an error:

error: Running program '/home/tom/work/aws-typescript' failed with an unhandled exception:
    Error: Unable to deserialize resource urn:pulumi:dev::aws-typescript::eks:index:Cluster$aws:iam/instanceProfile:InstanceProfile::helloworld-instanceProfile, no module is registered for iam/instanceProfile.
        at deserializeProperty (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/rpc.js:486:31)
        at Object.deserializeProperties (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/rpc.js:125:24)
        at /home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:436:43
        at Generator.next (<anonymous>)
        at /home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:21:71
        at new Promise (<anonymous>)
        at __awaiter (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:17:12)
        at resolveOutputs (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:431:12)
        at Object.<anonymous> (/home/tom/work/aws-typescript/node_modules/@pulumi/pulumi/runtime/resource.js:233:19)
        at Generator.throw (<anonymous>)

When I get rid of everything below the vpc line, it works without a problem, but when I add the cluster resource in, it fails with the above error message

hi guys, do you have any example of integrating aws.apigateway.Method, aws.apigateway.Integration, aws.apigateway.MethodResponse with an API created with awsx.apigateway.API? Specifically, I'd like to enable cors

/**
 * routes
 */
export const routes: Route[] = [
  {
    path: '/api/speak',
    method: 'POST',
    eventHandler: speakApiLambdaFn,
  },
];

const aspScanApiEndpoint = new awsx.apigateway.API('myApi' {
  stageName: pulumi.getStack(),
  routes
});

I'm getting a panic in my typescript app but I'm not sure what's changed... it's the first time I've deployed this stack in a week or so... anyone recognize anything here?

pulumi preview -v 9

is reporting this error:

error: aws:ec2/instance:Instance resource 'preprod-batch' has a problem: Computed attribute cannot be set

Nothing else. No idea how to tell which property or what value. It's in code that hasn't changed in days. Any idea if recent changes to Pulumi or the AWS provider might cause previously-valid config to become invalid?

Hi, How is it possible to create an IAM Policy with the ARN from an EBS created also within Pulumi: Python Pulumi code:

ebs_volume = ebs.Volume(
    resource_name=f"{self.stack_name}-ebs",
    availability_zone=preferred_az,
    size=self.stack_config['ebs_volume_size'],
    encrypted=True,
    tags={
        'Name': f"{self.stack_name}-ebs-data",
    })

policy_params = {
    'EBS_ARN': ebs_volume.arn
}

policy = iam.Policy(
    resource_name=f'{self.stack_name}-instance-policy',
    opts=ResourceOptions(depends_on=[ebs_volume]),
    policy=render_jinja2_template('templates/instance_policy.json', policy_params)
)

Policy Doc snippet:

{
    "Effect": "Allow",
    "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
    ],
    "Resource": [
        "{{ EBS_ARN }}",
        "arn:aws:ec2:*:*:instance/*"
    ]
},

I currently get malformed policy due to

<pulumi.output.Output object at 0x7fb6e7a67880>

Any help would be greatly appreciated! thanks I don't understand how I can (for example): Create a RDS instance and then create a Route53 record based on the RDS endpoint output...

Hi all, I’m getting an unusual error that can’t be reproduced on any of my coworker’s machines:

Error: Running program '/services/legacy-alert-sync' failed with an unhandled exception:
    Error: Unable to deserialize resource urn:pulumi:dev::legacy-alert-sync::aws:iam/role:Role::legacy-alert-sync-dev-legacyAlertSync, no module is registered for iam/role.

Has anyone seen something like this?

This is a long shot but here goes... I'm running an nginx container on fargate and all was good until I disabled assignPublicIp. Now nginx binds to the IPV6 adress [::] and I no longer have connectivity. Network mode is awsvpc. Any ideas?

hihi I found examples of how Pulumi can deploy an application to Fargate via a Container (which is amazing!) are there examples/docs on how Pulumi manages iterations of the application? I.e. if I wanted to make a text change on the voting app (i.e. vim vs emac) how would one go about doing that?

Hi @billions-glass-17089 There are some examples using awsx.ecs.Image.fromPath() and fromDockerBuild() here: https://www.pulumi.com/docs/guides/crosswalk/aws/ecs/

I haven’t tried them yet so not sure how image versioning works. I prefer to build and push docker images to ECR separately and always using a unique tag, usually the git commit hash. Then I use pulumi to update the task definition with the new image url where the tag is set from an env variable.

Here’s how I’m doing it…

And you probably want to use something like this to make sure you’re building off an actual commit.

hey, the docs here use an

isTaggable

function, are you expected to make it yourself or is it provided in some library, its a bit unclear to me sorry https://www.pulumi.com/blog/automatically-enforcing-aws-resource-tagging-policies/