I'm having problems updating a recently-imported SNS TopicPolicy. I'm getting the less-then-helpful error InvalidParameter: Invalid parameter: Policy Error: null. Since the only field I'm updating is the policy doc, I'm guessing the error is there. I'm guessing the format of the doc based on IAM policy docs, so maybe I'm making mistakes. Is there an example of creating an SNS TopicPolcy in Pulumi anywhere? Or a spec for TopicPolicy policy documents?

Is there any way to use a bastion of sorts in Pulumi to use

mysql.User

on a MySQL cluster behind a VPC?

Hello friends, is there a way with pulumi to stop an ec2 instance without destroying it?

Is there a way to set a role to an inline lambda function to do stuff with the aws sdk?

const endpoint = new awsx.apigateway.API(`service-api`, {
  routes: [
    // Serve static files from the `www` folder (using AWS S3)
    {
      path: "/",
      localPath: "www",
    },

    // Serve a simple REST API on `GET /name` (using AWS Lambda)
    {
      path: "/start",
      method: "GET",
      eventHandler: async (event) => {
        try {
          const ec2 = new aws.sdk.EC2();
          const myInstance = await server.id.get();
          const params = {
            InstanceIds: [myInstance],
          };
...

Morning all.. anyone know how to reference complex types across stacks? For example, i have subnet ids that i want to export from one stack to put in another?

Output<string[]>

doesn't seem to convert well to

Input<string>[]

(using typescript btw).

Hello everyone, question here regarding EKS Fargate profiles and subnets. In short, I am getting the error "Subnet <subnet-name> provided in Fargate Profile is not a private subnet" but, as far as I'm aware, I already have set it to private? Has anyone else encountered this before and figured out how to solve it? Hopefully I'm not missing something simple 🤔

Hey guys, running into issue while creating records for a web server. The domain name is getting suffixed when the record is created and preventing proper routing. When deployed the record ends up with mydomain.com-suffix. I've referenced the docs and see that the 'name' property can be used to lock down the resource name but it seems to overlap with the record name param. I'm using the python sdk and for reference here is my record resource:

a_record = aws.route53.Record("a",
                              zone_id=hosted_zone.zone_id,
                              name="<http://mydomain.com|mydomain.com>",
                              type="A",
                              ttl=30,
                              records=[server.public_ip])

Does this example have valid IAM credentials attached to the lambda function? https://www.pulumi.com/blog/scheduling-serverless/

Is there any way to attach extra permissions to the inline lambdas?

Has anyone ever noticed weird spooky magicness happening with LogMetricFilters?

Has anyone used

keybase

to encrypt/decrypt user passwords with

aws.iam.UserLoginProfile

? The

encryptedPassword

output returns a simple string in the form

wcFMA433DHhZWgKpARAAXYd0q2oRc83hFcLJXQMV9yC…

but keybase seems to expect something of the form

BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. keDIDMQWYvVR58B FTfTeDQNHx1585M … 1UfUcHnbYM8vtOw OsZfpid. END KEYBASE SALTPACK ENCRYPTED MESSAGE.

for decryption… 🤔

Hello folks, I am trying to run a script through userdata as per the example shown but look like it’s not successfully running.

user_data = """
#!/bin/bash

## Checking if Splunk user exist ##
if getent passwd splunk > /dev/null 2>&1;
then
    echo "splunk user exist"
else
    useradd -m splunk
    echo 'splunk    ALL=(ALL:ALL)   ALL' >> /etc/sudoers
    echo 'splunk    ALL=(ALL:ALL)   NOPASSWD' >> /etc/sudoers
fi
"""
Instances = aws.ec2.Instance(
                ins_name,
                user_data = user_data,
                ami = ami_centos.value,
                iam_instance_profile = iam_profile,
                instance_type = self.instance_type,
                subnet_id = sbnet,
                tags={"Name": ins_name},
            )
            instance_info = {
                "id": Instances.id,
                "primary_network_interface_id": Instances.primary_network_interface_id,
                "instance_name": ins_name,
            }
)

Is it possible that we can only have a single

aws.iam.GroupMembership

per

aws.iam.Group

? I want to be able to attach a user to a group, independently from the users already part of that group. Therefore, in my User component, I am creating a

GroupMembership

specifically for that user-group relationship:

new aws.iam.GroupMembership(
        `${username}-${group}`,
        {
          users: [username],
          group: group,
        },

However, it appears that this group membership gets overwritten by each user, even if all GroupMembership resources have unique names. The first time I run my stack, the group is correctly created in IAM with all users, however the state doesn’t seem to be updated correctly, because the next time I run the stack (while there is supposed to be no change), it removes all users from group in IAM but one. I assuming it’s a bug, because the second run of the stack should be idempotent.

I notice that aws.backup.RegionsSettings and aws.backup.VaultPolicy are documented but not included in the JS SDK. Is that intentional? Maybe I need to update?

hello friends, I'm curious about SpotInstances. When I run

pulumi up

and an instance is replaced, the old SpotInstance is not terminated, just kind of hangs around, is that the expected behavior?

I'm trying to launch an AWS EC2 instance using

iamInstanceProfile

so that I can pull an ECR container image from the EC2 instance, but I'm not seeing examples, and there seems to be problems (using the most recent version of Pulumi)

const role = new aws.iam.Role("role", {
    path: "/",
    assumeRolePolicy: `{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
               "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
`,
});

const testProfile = new aws.iam.InstanceProfile("testProfile", {role: role.name});

const server = new aws.ec2.Instance("webserver-www", {
    ami: ami.id,
    iamInstanceProfile: testProfile,
...

I'm not sure if this is the right approach -- it's not working.

On a different note, it appears that AWS t4g instances are not supported? I'm getting this error when I try to launch an EC2 instance type of "t4g.nano":

aws:ec2:Instance (webserver-www):
    error: 1 error occurred:
        * Error launching source instance: Unsupported: The requested configuration is currently not supported. Please check the documentation for supported configurations.
        status code: 400, request id: f97087d6-efc6-4893-8362-344c997733c0

Is there a way to load an RDS instance akin to how

Vpc.fromExistingIds

works?

hey guys, i'm having a bit of trouble creating a creating the route53 Records that I need to for validation of a certificate request. this is the relevant code (C#) firstly i create a certificate:

var cert = new Certificate("cert", new CertificateArgs
        {
            DomainName = domainName,
            Tags =
            {
                {"Environment", "test"},
            },
            ValidationMethod = "DNS"
        });

then i try to create a dns record:

var validationRecord = new Record($"validationRecord",
                new RecordArgs
                {
                    AllowOverwrite = true,
                    Name = cert.DomainValidationOptions.Apply(x => x[0].ResourceRecordName),
                    Records = new[] {cert.DomainValidationOptions.Apply(x => x[0].ResourceRecordValue)},
                    Type = cert.DomainValidationOptions.Apply(x => x[0].ResourceRecordType),
                    Ttl = 60,
                    ZoneId = zone.Apply(z => z.ZoneId),
                })

however it seems like it's not actually passing the domain validation option values into the Record object. I'm getting this error:

Diagnostics:
    aws:route53:Record (validationRecord):
        error: aws:route53/record:Record resource 'validationRecord' has a problem: Required attribute is not set
        error: aws:route53/record:Record resource 'validationRecord' has a problem: Required attribute is not set

am i doing something obviously stupid?

Hi there , Anyone used eks package with nodegroups? especially this parameters extraNodeSecurityGroups: ? I can't seem to get security groups attached to worker nodes. Raised an issue too https://github.com/pulumi/pulumi-aws/issues/1242

I am launching a server, using

const server = new aws.ec2.Instance

and once it is up and running, I need to execute a command (I'm going to

scp

a Rust MUSL executable into the server from the harddrive of the machine that is running

pulumi

). Is there an existing and/or easy way to do that?

Hello - I'm new to Pulumi! It's particularly interesting to me because using the Automation API looks way better than shelling out to AWS CDK. The one problem I've noticed is that the docs omit any mention of support for AWS MediaLive, which is critical for my use case (even though it supports all its sister services like MediaPackage and MediaStore!). It seems like Terraform has the same limitation too. I'm not expecting to deploy general infrastructure through Pulumi in the near future - just simple video broadcast pipelines and a few S3 buckets. So my question is: should I just be hacking a solution with AWS CDK, or is there a workaround that would allow me to create MediaLive resources through Pulumi? I couldn't find anything in the Pulumi docs about this.

Is there any way to attach additional ssl certificates to a load balancer from pulumi? Eg to serve from multiple domains

I’m still learning docker and ECS but let’s say I have an ECR repo and I’ve pushed my docker image there, what resources do I need to add in pulumi to be able to utilise the image? I’ve gotten as far as getting a load balancer set up with ssl cert. now I would like to point it at a docker app. I can’t use fargate as it’s a windows docker image.

Trying to deploy to an AWS t4g instance using Typescript, but getting a typescript error in pulumi version = v2.14.0 that

node_modules/@pulumi/aws/types/enums/ec2/index.d.ts

does not have an enum value for "t4g.micro".

Diagnostics:
  pulumi:pulumi:Stack (website-website):
    error: Running program '/home/user/code/pulumi/website' failed with an unhandled exception:
    TSError: ⨯ Unable to compile TypeScript:
    index.ts(222,3): error TS2322: Type '"t4g.micro"' is not assignable to type 'Input<"a1.2xlarge" | "a1.4xlarge" | "a1.large" | "a1.medium" | "a1.xlarge" | "c3.2xlarge" | "c3.4xlarge" | "c3.8xlarge" | "c3.large" | "c3.xlarge" | "c4.2xlarge" | "c4.4xlarge" | ... 154 more ... | "z1d.xlarge">'.

        at createTSError (/home/user/code/pulumi/website/node_modules/ts-node/src/index.ts:261:12)
        at getOutput (/home/user/code/pulumi/website/node_modules/ts-node/src/index.ts:367:40)
        at Object.compile (/home/user/code/pulumi/website/node_modules/ts-node/src/index.ts:558:11)
        at Module.m._compile (/home/user/code/pulumi/website/node_modules/ts-node/src/index.ts:439:43)
        at Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
        at Object.require.extensions.<computed> [as .ts] (/home/user/code/pulumi/website/node_modules/ts-node/src/index.ts:442:12)
        at Module.load (internal/modules/cjs/loader.js:928:32)
        at Function.Module._load (internal/modules/cjs/loader.js:769:14)
        at Module.require (internal/modules/cjs/loader.js:952:19)
        at require (internal/modules/cjs/helpers.js:88:18)

I got around this before by hand editing the ts file in node_modules, but that seems like a bad approach (since I had to 

npm install

 again and it blew away my hacky changes). What's the better way to get around this?

"devDependencies": {
        "@types/node": "^10.17.48"
    },
    "dependencies": {
        "@pulumi/aws": "^3.17.0",
        "@pulumi/awsx": "^0.22.0",
        "@pulumi/pulumi": "^2.15.0",
        "@types/ssh2": "^0.5.39",
        "@types/uuid": "^3.4.4",
        "scp2": "^0.5.0",
        "ssh2": "^0.8.5",
        "uuid": "^3.4.0"
    }

I'm seeing this error:

└─ aws:ec2:NatGateway    nat-gateway-nat-gateway  **failed**               1 error
 
Diagnostics:
  aws:ec2:NatGateway (nat-gateway-nat-gateway):
    error: aws:ec2/natGateway:NatGateway resource 'nat-gateway-nat-gateway' has a problem: Required attribute is not set

but it doesn't tell me what attribute is not set. Plus I've set all the required attributes per the documentation (resource_name, allocation_id, subnet_id). Here's the resource call:

nat_gateway = aws.ec2.NatGateway(
    resource_name="foo",
    allocation_id=eip.allocation_id,
    subnet_id=subnet.id,
)

where

eip

is an

aws.ec2.Eip

and

subnet

is an

aws.ec2.Subnet

, both created above. Is the issue that the

eip.allocation_id

or

subnet.id

calls aren't resolving, and I should use

apply

or some such?

Hey guys I'm getting a crash in pulumi causing my stack to be corrupted

panic: fatal: An assertion has failed

goroutine 49346 [running]:
<http://github.com/pulumi/pulumi/sdk/v2/go/common/util/contract.failfast(...)|github.com/pulumi/pulumi/sdk/v2/go/common/util/contract.failfast(...)>
        /Users/runner/work/pulumi/pulumi/sdk/go/common/util/contract/failfast.go:23
<http://github.com/pulumi/pulumi/sdk/v2/go/common/util/contract.Assert(...)|github.com/pulumi/pulumi/sdk/v2/go/common/util/contract.Assert(...)>
        /Users/runner/work/pulumi/pulumi/sdk/go/common/util/contract/assert.go:26
<http://github.com/pulumi/pulumi/sdk/v2/go/common/resource/plugin.(*provider).Read|github.com/pulumi/pulumi/sdk/v2/go/common/resource/plugin.(*provider).Read>(0xc0007a1260, 0xc001e93880, 0x65, 0x0, 0x0, 0x0, 0xc001652270, 0xe9b18d, 0x7fc200000004, 0xc001a49800, ...)
        /Users/runner/work/pulumi/pulumi/sdk/go/common/resource/plugin/provider_plugin.go:763 +0x1037
<http://github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*ReadStep).Apply(0xc0016522d0|github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*ReadStep).Apply(0xc0016522d0>, 0x0, 0x1cf17e0, 0x23, 0xc00054de40, 0x3)
        /Users/runner/work/pulumi/pulumi/pkg/resource/deploy/step.go:620 +0x105
<http://github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*stepExecutor).executeStep(0xc000734400|github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*stepExecutor).executeStep(0xc000734400>, 0x60, 0x201a480, 0xc0016522d0, 0x5, 0x0)
        /Users/runner/work/pulumi/pulumi/pkg/resource/deploy/step_executor.go:271 +0x209
<http://github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*stepExecutor).executeChain(0xc000734400|github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*stepExecutor).executeChain(0xc000734400>, 0x60, 0xc001f74260, 0x1, 0x1)
        /Users/runner/work/pulumi/pulumi/pkg/resource/deploy/step_executor.go:221 +0xef
<http://github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*stepExecutor).worker.func1(0xc000734400|github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*stepExecutor).worker.func1(0xc000734400>, 0x60, 0xc001f74260, 0x1, 0x1, 0xc0017f4360)
        /Users/runner/work/pulumi/pulumi/pkg/resource/deploy/step_executor.go:371 +0xc5
created by <http://github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*stepExecutor).worker|github.com/pulumi/pulumi/pkg/v2/resource/deploy.(*stepExecutor).worker>
        /Users/runner/work/pulumi/pulumi/pkg/resource/deploy/step_executor.go:368 +0x2e7
error Command failed with exit code 2.

This message was deleted.

i'm trying to set up an ECS cluster and getting an error:

error creating capacity provider: ClientException: ECS Service Linked Role does not exist. Please create a Service linked role for ECS and try again.

My code is pretty much based on this example: https://github.com/pulumi/examples/blob/aws-ecs-conatiner-instances-automation/aws-py-ecs-instances-autoapi/py-ecs-instance/__main__.py i don't see where I would be setting up a service linked role in this code workflow. would it be something similar to lines 36-57 above?

Is there any working example on how to use EKS and NLB with mix protocols on the same ip address (different ports are fine)?

error: resource demo/demo-service-x3i6m60y was not successfully created by the Kubernetes API server : Service "demo-service-x3i6m60y" is invalid: spec.ports: Invalid value: []core.ServicePort{core.ServicePort{Name:"udp-demo", Protocol:"UDP", AppProtocol:(*string)(nil), Port:6666, TargetPort:intstr.IntOrString{Type:1, IntVal:0, StrVal:"udp-demo"}, NodePort:0}, core.ServicePort{Name:"tcp-demo", Protocol:"TCP", AppProtocol:(*string)(nil), Port:6665, TargetPort:intstr.IntOrString{Type:1, IntVal:0, StrVal:"tcp-demo"}, NodePort:0}}: cannot create an external load balancer with mix protocols