Does the aws configuration bag contain other key:values other than aws:region?

Accidently posted my question in the #general channel instead of here, will copy my assume role chaining problem over here

Hi, I've got some trouble chaining providers with assumeRole and I guess Im doing something perfectly wrong, as the role chaining works in my shell. When executing pulumi up I am in the starting role, then I create the first provider ("intermediate") and execute aws.getCallerIdentity() and I get the correct json Then I use this provider to assume into the destination role inside a second account but ..

Hey guys, any idea how to modify the aws-auth config map for EKS to allow other IAM entites aside from the creator to interact with the cluster?

I am having issues with AWS/KMS secrets provider, error and info in thread.

I'm using pulumi.awsx's SecurityGroups, and

createIngressRule()

etc. For at least the rules defined using

location

and

cidrBlocks

, if I update the cidrBlocks, then it causes duplicated security group rules, and errors out. I can't add

deleteBeforeCreate

because the

opts

field on this class takes a CustomResourceOptions, not a ComponentResourceOptions.

How do I decode this error?

aws:ec2/launchTemplate:LaunchTemplate resource 'spot-workers' has a problem: ConflictsWith

How can I tell if my

NodeGroup

changes will remove the nodes or just update them?

i'm attempting to import a Route53 hosted zone into a template but since Pulumi adds "Managed by Pulumi" to the

comment

property when nothing is provided, the import fails since there's a difference. I've tried supplying an empty string but that still causes a difference to be picked up. is there a way to simply not include the comment property?

Hi there! I'm running into some issues when trying to set up an ECS cluster with an AutoScalingGroup using a VPC defined in another stack. I've created a minimal reproduction example to illustrate the issue. The output is pretty opaque, I'm really blind here as to what seems to be the problem... https://github.com/eordano/autosg-repro Would really appreciate some help! More info in thread:

Anyone care to share an example that points a Route53 A record to an ALB? I can only see an example in the docs that is pointing to an ELB and not an ALB. Not sure how to achieve this.

Hey all! 👋 I’m trying to launch an EC2 instance that looks like:

const server = new aws.ec2.Instance('xyz-staging-server-instance', {
  instanceType: 't2.micro',
  vpcSecurityGroupIds: [securityGroup.id], // reference the security group resource above
  ami: ami.id,
})

And I get the following error:

awsec2Instance (xyz-staging-server-instance):

error: 1 error occurred:

* Error launching source instance: VPCIdNotSpecified: No default VPC for this user. GroupName is only supported for EC2-Classic and default VPC.

I found this issue, which says specifying a subnet ID should help, but I can’t seem to work out how specifying the

subnetId

property should work 🤔 Has anyone seen/dealt with this before?

Seeing this while running pulumi up in Github Actions:

error: configured Kubernetes cluster is unreachable: unable to load Kubernetes client configuration from kubeconfig file: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

. What can I do? It's worked so many times before. I'm using

pulumi.StackReference

to retrieve the kubeconfig. Works fine locally

I'm using Lambda@Edge (Cloudfront + lambda functions). When I try to destroy the stack, and occasionally when I update (and am removing functions), I get this error from AWS. Any ideas how to work around this?

error: deleting urn:pulumi:zzz::deploy::aws:lambda/function:Function::xxx: Error deleting Lambda Function: InvalidParameterValueException: Lambda was unable to delete arn:aws:lambda:us-east-1:1111:function:xxx:1 because it is a replicated function. Please see our documentation for Deleting Lambda@Edge Functions and Replicas.

Hey all! Does anyone have experience deploying an EC2 instance into ECS? We’re having issue where the creation of the ECS service is hanging on `pulumi up`:

Hello I’m having difficulties running pulumi up Basically this is what I’m trying to do but for AWS lambda https://www.pulumi.com/resources/getting-started-gcp-serverless-graphql/

error: Error serializing '() => { const typeDefs = ` type Quer ...': index.js(10,16)

const aws = require("@pulumi/aws");
const pulumi = require("@pulumi/pulumi");
const env = pulumi.getStack();

const { ApolloServer } = require("apollo-server-lambda");

const factory = () => {
  const typeDefs = `
    type Query {
      dummy: String!
    }
  `;

  const resolvers = {
    Query: {
      hello: () => "Hello world!",
    },
  };
  const server = new ApolloServer({
    typeDefs,
    resolvers,
    playground: true,
    introspection: true,
  });

  return server.createHandler();
};

module.exports = {
  route: {
    path: "/social/grapqql",
    method: "ANY",
    eventHandler: new aws.lambda.CallbackFunction(`${env}-social`, {
      callback: factory,
    }),
    apiKeyRequired: true,
  },
};

nvm found the problem, I was using react style imports 🤦

const { ApolloServer } = require("apollo-server-lambda");

need coffee lol

Hello folks, When i am trying to create Ingress/Egress attribute of the SecurityGroup, it throws a following error

ingress=[aws.ec2.SecurityGroupIngressArgs(
    AttributeError: module 'pulumi_aws.ec2' has no attribute 'SecurityGroupIngressArgs'

The code was referred from an Pulumi docs example.

security_group = aws.ec2.SecurityGroup( # type: ignore
    "secgrp",
    description="Splunk Hybrid cloud security group",
    vpc_id=vpcid,
    ingress=[aws.ec2.SecurityGroupIngressArgs(
        description="TLS from VPC",
        from_port=443,
        to_port=443,
        protocol="tcp",
        cidr_blocks=["0.0.0.0/0"],
    )],
    egress=[aws.ec2.SecurityGroupEgressArgs(
        from_port=0,
        to_port=0,
        protocol="-1",
        cidr_blocks=["0.0.0.0/0"],
    )],
)

Any suggestions?

I have a few hundred EC2 servers running (currently not part of a Pulumi stack). How do I do patch management across those servers? I am looking for an alternative to AWS Systems Manager. I also am looking for a way to execute other commands in these instances at scale (updating firewall rules for example). Is Pulumi a good tool to use for this use case?

Hey! 👋 🙂 Could anyone point me to some doc about the proper format expected by the

pgpKey

property of classes such

aws.iam.AccessKey

and

aws.iam.UserLoginProfile

. It’s really unclear what the base-64 encoded PGP public key is expected to be. No matter what I try, I always get this:

* Error encrypting IAM Access Key Secret: error parsing given PGP key: openpgp: invalid data: tag byte does not have MSB set

I created my key-pair using:

$ openssl genrsa -out keypair.pem 2048

Then exported the public-key part with:

$ openssl rsa -in keypair.pem -pubout -out publickey.crt

Then I tried to pass that public key using different variations: 1. with/without BEGIN/END markers, 2. with/without new lines, 3. with/without over-base-64-encoding the whole thing, etc… But no luck! 😓

Folks, How to assign multiple policies to one role. As per example, only one arn is assigned to the role. Is there any way we can assign multiple existing policies.

policy = aws.iam.Policy("policy",
    description="A test policy",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")
test_attach = aws.iam.PolicyAttachment("test-attach",
    users=[user.name],
    roles=[role.name],
    groups=[group.name],
    policy_arn=policy.arn)

Is there a shortcut for using Outputs in policy documents? How to I refer to outputs from resources when calling

aws.iam.getPolicyDocument

, short of using

pulumi.all().apply()

?

hi all. can I use multiple region with aws.cloudformation.get_export() ? I’m tring with:

with no success (py)

ls

Hi, I'm trying to import a Eks cluster created previously without pulumi, using the command line and I'm getting this error:

pulumi import aws:eks/cluster:Cluster mserv-test-eks mserv-testing-eks -d -v 999
Previewing import (testing):
     Type                 Name                 Plan       Info
     pulumi:pulumi:Stack  qallariy-testing                1 error; 11 debugs
 =   └─ aws:eks:Cluster   mserv-test-eks  import     3 errors
Diagnostics:
  pulumi:pulumi:Stack (qallariy-testing):
    debug: Attempting to use session-derived credentials
    debug: Successfully derived credentials from session
    debug: AWS Auth provider used: "AssumeRoleProvider"
    debug: Trying to get account information via sts:GetCallerIdentity
    debug: Trying to get account information via sts:GetCallerIdentity
    debug: Reading EKS Cluster: {
    debug:   Name: "mserv-testing-eks"
    debug: }
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    error: preview failed
  aws:eks:Cluster (mserv-test-eks):
    error: aws:eks/cluster:Cluster resource 'mserv-test-eks' has a problem: Computed attribute cannot be set
    error: aws:eks/cluster:Cluster resource 'mserv-test-eks' has a problem: Computed attribute cannot be set
    error: Preview failed: one or more inputs failed to validate
Please copy the following code into your Pulumi application. Not doing so
will cause Pulumi to report that an update will happen on the next update command.
Please note, that the imported resources are marked as protected. To destroy them
you will need to remove the `protect` option and run `pulumi update` *before*
the destroy will take effect.

does anyone have a clue? thanks in advance!

Hi @hundreds-receptionist-31352 / @adamant-translator-31969 It seems you both have the same issue wth the import of an EKS Cluster - can one of you opena . bug in pulumi-aws to suggest this so we can track it and get it fixed up?

Hi folks, I am about to try to set up AWS Codebuild + AWS Codepipeline for my Pulumi Jupyterhub ECS infrastructure. I’ve not set up a pipeline like this before and wanted to reach out to yall about some things that are a bit confusing to me in regards to Pulumi’s role in the pipeline. My directory structure for my stack looks like this:

jupyterhub > tree
.
├── README.md
├── jupyterhub.png
└── src
    ├── docker-hub
    │   ├── Dockerfile
    ├── docker-notebook
    │   ├── Dockerfile
    ├── jupyterhub-code-pipeline
    │   ├── Pulumi.jupyterhub-code-pipeline.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   └── requirements.txt
    ├── jupyterhub-ecs-infra
    │   ├── Pulumi.jupyterhub-ecs-infra.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   └── requirements.txt
    ├── jupyterhub-net-infra
    │   ├── Pulumi.jupyterhub-network-infra.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   ├── config.yml
    │   └── requirements.txt
    └── notebook-ecs-infra
        ├── Pulumi.notebook-ecs-infra.yaml
        ├── Pulumi.yaml
        ├── __main__.py
        └── requirements.txt

Based on this structure and the following documentation for Pulumi + Codebuild — I believe I will need multiple

buildspec.yml

files to account for these different stacks, is that correct? Looking at the Pulumi module for Codebuild shows a supporting type called

ProjectSecondarySource

where you need to specify a buildspec — is there where I would specify each of my projects? For example, will I need a

ProjectSecondarySource

for

jupyterhub-net-infra

,

notebook-ecs-infra

, and

jupyterhub-ecs-infra

? It seems so. Finally, one thing I am concerned about is this reliance of

jupyterhub-ecs-infra

and

notebook-ecs-infra

to be in sync. Specifically, when you make an update to the task definition in

notebook-ecs-infra

the arn for the task definition changes, as a result,

jupyterhub-ecs-infra

needs to be updated to reference that new taskdefiniton arn from the updated notebook stack. How do I account for this in my pipeline? Should I be completely rebuilding the infrastructure after every merge to master? Apologies if this is a massive post. Thanks in advance!