pulumi-community #aws

aws

happy-pencil-64085

11/09/2020, 10:27 PM

Does the aws configuration bag contain other key:values other than aws:region?

sticky-bear-14421

11/10/2020, 10:43 AM

Accidently posted my question in the #general channel instead of here, will copy my assume role chaining problem over here

sticky-bear-14421

11/10/2020, 10:43 AM

Hi, I've got some trouble chaining providers with assumeRole and I guess Im doing something perfectly wrong, as the role chaining works in my shell. When executing pulumi up I am in the starting role, then I create the first provider ("intermediate") and execute aws.getCallerIdentity() and I get the correct json Then I use this provider to assume into the destination role inside a second account but ..

steep-spoon-2023

11/10/2020, 3:07 PM

Hey guys, any idea how to modify the aws-auth config map for EKS to allow other IAM entites aside from the creator to interact with the cluster?

able-morning-18592

11/10/2020, 5:15 PM

I am having issues with AWS/KMS secrets provider, error and info in thread.

little-cartoon-10569

11/11/2020, 1:54 AM

I'm using pulumi.awsx's SecurityGroups, and

createIngressRule()

etc. For at least the rules defined using

location

and

cidrBlocks

, if I update the cidrBlocks, then it causes duplicated security group rules, and errors out. I can't add

deleteBeforeCreate

because the

opts

field on this class takes a CustomResourceOptions, not a ComponentResourceOptions.

dazzling-sundown-39670

11/11/2020, 10:53 PM

How do I decode this error?

aws:ec2/launchTemplate:LaunchTemplate resource 'spot-workers' has a problem: ConflictsWith

dazzling-sundown-39670

11/12/2020, 8:51 PM

How can I tell if my

NodeGroup

changes will remove the nodes or just update them?

breezy-butcher-78604

11/13/2020, 7:14 AM

i'm attempting to import a Route53 hosted zone into a template but since Pulumi adds "Managed by Pulumi" to the

comment

property when nothing is provided, the import fails since there's a difference. I've tried supplying an empty string but that still causes a difference to be picked up. is there a way to simply not include the comment property?

colossal-librarian-55280

11/13/2020, 10:44 PM

Hi there! I'm running into some issues when trying to set up an ECS cluster with an AutoScalingGroup using a VPC defined in another stack. I've created a minimal reproduction example to illustrate the issue. The output is pretty opaque, I'm really blind here as to what seems to be the problem... https://github.com/eordano/autosg-repro Would really appreciate some help! More info in thread:

kind-school-28825

11/15/2020, 6:00 PM

Anyone care to share an example that points a Route53 A record to an ALB? I can only see an example in the docs that is pointing to an ELB and not an ALB. Not sure how to achieve this.

✅ 1

most-address-4174

11/16/2020, 6:15 PM

Hey all! 👋 I’m trying to launch an EC2 instance that looks like:

const server = new aws.ec2.Instance('xyz-staging-server-instance', {
  instanceType: 't2.micro',
  vpcSecurityGroupIds: [securityGroup.id], // reference the security group resource above
  ami: ami.id,
})

And I get the following error:

aws:ec2:Instance (xyz-staging-server-instance):

error: 1 error occurred:

* Error launching source instance: VPCIdNotSpecified: No default VPC for this user. GroupName is only supported for EC2-Classic and default VPC.

I found this issue, which says specifying a subnet ID should help, but I can’t seem to work out how specifying the

subnetId

property should work 🤔 Has anyone seen/dealt with this before?

dazzling-sundown-39670

11/16/2020, 9:45 PM

Seeing this while running pulumi up in Github Actions:

error: configured Kubernetes cluster is unreachable: unable to load Kubernetes client configuration from kubeconfig file: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

. What can I do? It's worked so many times before. I'm using

pulumi.StackReference

to retrieve the kubeconfig. Works fine locally

hundreds-musician-51496

11/17/2020, 12:08 AM

I'm using Lambda@Edge (Cloudfront + lambda functions). When I try to destroy the stack, and occasionally when I update (and am removing functions), I get this error from AWS. Any ideas how to work around this?

error: deleting urn:pulumi:zzz::deploy::aws:lambda/function:Function::xxx: Error deleting Lambda Function: InvalidParameterValueException: Lambda was unable to delete arn:aws:lambda:us-east-1:1111:function:xxx:1 because it is a replicated function. Please see our documentation for Deleting Lambda@Edge Functions and Replicas.

most-address-4174

11/17/2020, 1:47 PM

Hey all! Does anyone have experience deploying an EC2 instance into ECS? We’re having issue where the creation of the ECS service is hanging on `pulumi up`:

future-journalist-90839

11/20/2020, 2:33 AM

Hello I’m having difficulties running pulumi up Basically this is what I’m trying to do but for AWS lambda https://www.pulumi.com/resources/getting-started-gcp-serverless-graphql/

error: Error serializing '() => { const typeDefs = ` type Quer ...': index.js(10,16)

const aws = require("@pulumi/aws");
const pulumi = require("@pulumi/pulumi");
const env = pulumi.getStack();

const { ApolloServer } = require("apollo-server-lambda");

const factory = () => {
  const typeDefs = `
    type Query {
      dummy: String!
    }
  `;

  const resolvers = {
    Query: {
      hello: () => "Hello world!",
    },
  };
  const server = new ApolloServer({
    typeDefs,
    resolvers,
    playground: true,
    introspection: true,
  });

  return server.createHandler();
};

module.exports = {
  route: {
    path: "/social/grapqql",
    method: "ANY",
    eventHandler: new aws.lambda.CallbackFunction(`${env}-social`, {
      callback: factory,
    }),
    apiKeyRequired: true,
  },
};

future-journalist-90839

11/20/2020, 3:18 AM

nvm found the problem, I was using react style imports 🤦

const { ApolloServer } = require("apollo-server-lambda");

🙂 1

👍 1

future-journalist-90839

11/20/2020, 3:22 AM

need coffee lol

alert-raincoat-81485

11/20/2020, 6:55 AM

Hello folks, When i am trying to create Ingress/Egress attribute of the SecurityGroup, it throws a following error

ingress=[aws.ec2.SecurityGroupIngressArgs(
    AttributeError: module 'pulumi_aws.ec2' has no attribute 'SecurityGroupIngressArgs'

The code was referred from an Pulumi docs example.

security_group = aws.ec2.SecurityGroup( # type: ignore
    "secgrp",
    description="Splunk Hybrid cloud security group",
    vpc_id=vpcid,
    ingress=[aws.ec2.SecurityGroupIngressArgs(
        description="TLS from VPC",
        from_port=443,
        to_port=443,
        protocol="tcp",
        cidr_blocks=["0.0.0.0/0"],
    )],
    egress=[aws.ec2.SecurityGroupEgressArgs(
        from_port=0,
        to_port=0,
        protocol="-1",
        cidr_blocks=["0.0.0.0/0"],
    )],
)

Any suggestions?

brash-student-27683

11/23/2020, 4:15 PM

I have a few hundred EC2 servers running (currently not part of a Pulumi stack). How do I do patch management across those servers? I am looking for an alternative to AWS Systems Manager. I also am looking for a way to execute other commands in these instances at scale (updating firewall rules for example). Is Pulumi a good tool to use for this use case?

future-nail-59564

11/23/2020, 10:35 PM

Hey! 👋 🙂 Could anyone point me to some doc about the proper format expected by the

pgpKey

property of classes such

aws.iam.AccessKey

and

aws.iam.UserLoginProfile

. It’s really unclear what the base-64 encoded PGP public key is expected to be. No matter what I try, I always get this:

* Error encrypting IAM Access Key Secret: error parsing given PGP key: openpgp: invalid data: tag byte does not have MSB set

I created my key-pair using:

$ openssl genrsa -out keypair.pem 2048

Then exported the public-key part with:

$ openssl rsa -in keypair.pem -pubout -out publickey.crt

Then I tried to pass that public key using different variations: 1. with/without BEGIN/END markers, 2. with/without new lines, 3. with/without over-base-64-encoding the whole thing, etc… But no luck! 😓

alert-raincoat-81485

11/23/2020, 11:33 PM

Folks, How to assign multiple policies to one role. As per example, only one arn is assigned to the role. Is there any way we can assign multiple existing policies.

policy = aws.iam.Policy("policy",
    description="A test policy",
    policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")
test_attach = aws.iam.PolicyAttachment("test-attach",
    users=[user.name],
    roles=[role.name],
    groups=[group.name],
    policy_arn=policy.arn)

little-cartoon-10569

11/24/2020, 4:00 AM

Is there a shortcut for using Outputs in policy documents? How to I refer to outputs from resources when calling

aws.iam.getPolicyDocument

, short of using

pulumi.all().apply()

victorious-helmet-11068

11/24/2020, 10:12 AM

hi all. can I use multiple region with aws.cloudformation.get_export() ? I’m tring with:

victorious-helmet-11068

11/24/2020, 10:12 AM

Untitled

victorious-helmet-11068

11/24/2020, 10:12 AM

with no success (py)

future-nail-59564

11/24/2020, 1:37 PM

hundreds-receptionist-31352

11/24/2020, 3:39 PM

Hi, I'm trying to import a Eks cluster created previously without pulumi, using the command line and I'm getting this error:

pulumi import aws:eks/cluster:Cluster mserv-test-eks mserv-testing-eks -d -v 999
Previewing import (testing):
     Type                 Name                 Plan       Info
     pulumi:pulumi:Stack  qallariy-testing                1 error; 11 debugs
 =   └─ aws:eks:Cluster   mserv-test-eks  import     3 errors
Diagnostics:
  pulumi:pulumi:Stack (qallariy-testing):
    debug: Attempting to use session-derived credentials
    debug: Successfully derived credentials from session
    debug: AWS Auth provider used: "AssumeRoleProvider"
    debug: Trying to get account information via sts:GetCallerIdentity
    debug: Trying to get account information via sts:GetCallerIdentity
    debug: Reading EKS Cluster: {
    debug:   Name: "mserv-testing-eks"
    debug: }
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    error: preview failed
  aws:eks:Cluster (mserv-test-eks):
    error: aws:eks/cluster:Cluster resource 'mserv-test-eks' has a problem: Computed attribute cannot be set
    error: aws:eks/cluster:Cluster resource 'mserv-test-eks' has a problem: Computed attribute cannot be set
    error: Preview failed: one or more inputs failed to validate
Please copy the following code into your Pulumi application. Not doing so
will cause Pulumi to report that an update will happen on the next update command.
Please note, that the imported resources are marked as protected. To destroy them
you will need to remove the `protect` option and run `pulumi update` *before*
the destroy will take effect.

does anyone have a clue? thanks in advance!

broad-dog-22463

11/24/2020, 3:54 PM

Hi @hundreds-receptionist-31352 / @adamant-translator-31969 It seems you both have the same issue wth the import of an EKS Cluster - can one of you opena . bug in pulumi-aws to suggest this so we can track it and get it fixed up?

shy-football-10348

11/24/2020, 4:25 PM

Hi folks, I am about to try to set up AWS Codebuild + AWS Codepipeline for my Pulumi Jupyterhub ECS infrastructure. I’ve not set up a pipeline like this before and wanted to reach out to yall about some things that are a bit confusing to me in regards to Pulumi’s role in the pipeline. My directory structure for my stack looks like this:

jupyterhub > tree
.
├── README.md
├── jupyterhub.png
└── src
    ├── docker-hub
    │   ├── Dockerfile
    ├── docker-notebook
    │   ├── Dockerfile
    ├── jupyterhub-code-pipeline
    │   ├── Pulumi.jupyterhub-code-pipeline.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   └── requirements.txt
    ├── jupyterhub-ecs-infra
    │   ├── Pulumi.jupyterhub-ecs-infra.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   └── requirements.txt
    ├── jupyterhub-net-infra
    │   ├── Pulumi.jupyterhub-network-infra.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   ├── config.yml
    │   └── requirements.txt
    └── notebook-ecs-infra
        ├── Pulumi.notebook-ecs-infra.yaml
        ├── Pulumi.yaml
        ├── __main__.py
        └── requirements.txt

Based on this structure and the following documentation for Pulumi + Codebuild — I believe I will need multiple

buildspec.yml

files to account for these different stacks, is that correct? Looking at the Pulumi module for Codebuild shows a supporting type called

ProjectSecondarySource

where you need to specify a buildspec — is there where I would specify each of my projects? For example, will I need a

ProjectSecondarySource

for

jupyterhub-net-infra

notebook-ecs-infra

, and

jupyterhub-ecs-infra

? It seems so. Finally, one thing I am concerned about is this reliance of

jupyterhub-ecs-infra

and

notebook-ecs-infra

to be in sync. Specifically, when you make an update to the task definition in

notebook-ecs-infra

the arn for the task definition changes, as a result,

jupyterhub-ecs-infra

needs to be updated to reference that new taskdefiniton arn from the updated notebook stack. How do I account for this in my pipeline? Should I be completely rebuilding the infrastructure after every merge to master? Apologies if this is a massive post. Thanks in advance!

Title

shy-football-10348

11/24/2020, 4:25 PM

jupyterhub > tree
.
├── README.md
├── jupyterhub.png
└── src
    ├── docker-hub
    │   ├── Dockerfile
    ├── docker-notebook
    │   ├── Dockerfile
    ├── jupyterhub-code-pipeline
    │   ├── Pulumi.jupyterhub-code-pipeline.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   └── requirements.txt
    ├── jupyterhub-ecs-infra
    │   ├── Pulumi.jupyterhub-ecs-infra.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   └── requirements.txt
    ├── jupyterhub-net-infra
    │   ├── Pulumi.jupyterhub-network-infra.yaml
    │   ├── Pulumi.yaml
    │   ├── __main__.py
    │   ├── config.yml
    │   └── requirements.txt
    └── notebook-ecs-infra
        ├── Pulumi.notebook-ecs-infra.yaml
        ├── Pulumi.yaml
        ├── __main__.py
        └── requirements.txt

Based on this structure and the following documentation for Pulumi + Codebuild — I believe I will need multiple

buildspec.yml

files to account for these different stacks, is that correct? Looking at the Pulumi module for Codebuild shows a supporting type called

ProjectSecondarySource

where you need to specify a buildspec — is there where I would specify each of my projects? For example, will I need a

ProjectSecondarySource

for

jupyterhub-net-infra

notebook-ecs-infra

, and

jupyterhub-ecs-infra

? It seems so. Finally, one thing I am concerned about is this reliance of

jupyterhub-ecs-infra

and

notebook-ecs-infra

to be in sync. Specifically, when you make an update to the task definition in

notebook-ecs-infra

the arn for the task definition changes, as a result,

jupyterhub-ecs-infra

i figured it out

View count: 3