Apologies if this is not the right channel for such queries ... i am trying to create VPC, Security Group and EC2 Instances using pulumi-javascript, however, my EC2 instance is failing with error "security group id and subnet is a different network" i am creating VPC then Security Group by passing the VPC object and then i using both SG.id and VPC.subnetids in Instance creation: let ec2_1 = new aws.ec2.Instance("webserver-www-1", {     instanceType: size,     vpcSecurityGroupIds: [sg.id],     ami: ami.id,     subnetId: vpc.publicSubnetIds[0],     userData: userData1, }); however, when i print the vpc.publicSubnetIds[0], it s coming as [object promise] .. i am not sure how to get the value from vpc.publicSubnetIds? Thanks for the help in advance ...

Is cross-region backup replication supported through Pulumi? I can see the feature in the AWS SDK (https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartDBInstanceAutomatedBackupsReplication.html) but not in TF or Pulumi. I may be looking in the wrong place though...

I am trying to make a vpc, ec2 instance, a load balancer and an nginx web server with a page deployed in it through Pulumi. I’m looking for some example based on which I can start expanding

If anyone is looking for a pet project over Christmas, wrapping AWS' Reachability Analyzer in something that can be easily used in Pulumi integration tests would be O for Oarsome... https://docs.aws.amazon.com/vpc/latest/reachability/getting-started.html

Does Pulumi support AWS Client VPN?

I'd like to manage a lambda environment variables with Pulumi. Having imported an existing resource and trying to make a change it's failing with

* filename or s3_* attributes must be set

Is it possible to work around this some how? Note that I need to ignore code updates which happens elsewhere.

Terraform does not seem to have this requirement on its

aws_lambda_function

resource as I've been able to define and use those independent of code. The code is updated separately using the AWS cli and it all seems to work the way I expect.

I've got an API gateway setup using crosswalk. I'd like to add CORS to one of my endpoints (which has a Cognito Authorizer associated with it)... i can't seem to find any examples/docs of how to do this. Anyone have any ideas?

is there a way to configure and deploy S3 static-website using “HTTPS” protocol within pulumi aws.s3.Bucket ?

Hi everyone! Is aws elasticsearch CNAME supported on pulumi? (python) https://aws.amazon.com/about-aws/whats-new/2020/11/amazon-elasticsearch-service-now-supports-defining-a-custom-name-for-your-domain-endpoint/

although i am returning, *headers: { “Access-Control-Allow-Origin”: “*” }*, from my lambda function and also got following configuration for API Gateway endpoint: // add vote api const songsAddApiResource = new aws.apigateway.Resource(preName(‘voteresource’), { restApi: songsApiRest.id, parentId: songsApiRest.rootResourceId, pathPart: ‘vote’ }) const authApi = new aws.apigateway.Authorizer(preName(‘authorizer’), { restApi: songsApiRest.id, authorizerUri: authFunction.invokeArn }) const songsAddApiMethod = new aws.apigateway.Method(preName(‘votemethod’), { restApi: songsApiRest.id, resourceId: songsAddApiResource.id, authorization: ‘CUSTOM’, authorizerId: authApi.id, httpMethod: ‘POST’ }) const songsAddApiIntegration = new aws.apigateway.Integration(preName(‘voteintegration-post’), { restApi: songsApiRest.id, resourceId: songsAddApiResource.id, httpMethod: songsAddApiMethod.httpMethod, integrationHttpMethod: ‘POST’, type: ‘AWS_PROXY’, uri: recordVotesFunction.invokeArn }) i am still getting following CORS error while accessing post endpoint from javascript: has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

Folks, how to handle error handling if ssm parameter not found? is there any way of handling exceptions if parameter not found? What i am getting in my code is invocation of ‘PARAMETER’ returned an error and doesn’t execute else part. Any help?

I guess this is some how related to the previous message, but I still want to ask, is there any option to handle these type of Exceptions from AWS API? I wasn't able to catch this exception with regular

try/except

blocks inside my python code. Any pattern or suggestion? Thanks.

Hi all! Is there anyway to hook a lambda function with a Cloudwatch Event rule that returns a static JSON? The

EventRule.onEvent

doesn’t seem to support customize the payload and only support the default one. More info: EventRule -> SQS: you can use 

new aws.cloudwatch.EventTarget

 and it will emit a static JSON to the SQS queue. When I tried to do the same thing for Lambda, passing the Lambda ARN into 

aws.cloudwatch.EventTarget

 , the Lambda triggered is not created (presumably because EventSourceMapping is not created underneath). The only way to hook an 

EventRule

 to a Lambda is to call: 

EventRule.onEvent

. But that doesn’t let me configure the payload (code linked in the comment)

Hey guys. When deploying a RDS instance with both

snapshot_identifier

and

username

defined the username does not get set to what I've defined. It always stays at what was originally in the snapshot. The problem is this results in a replacement loop as pulumi always detects a difference. Anyone know if I'm missing something or are these two not meant to be used together?

Are there full examples of creating a VPN with Self signed cert credentials somewhere ? Note: I was able to setup the VPN Endpoint in AWS , Add Associations , Routes etc.. however, the instructions i had before when i tried (without pulumi) using

easyrsa

certificates and keys, said that I have to: • download the VPN config from the Web console • Modify the config to add path to the cert and key • https://prasaddomala.com/2020/04/02/aws-client-vpn-setup-private-access-across-aws-accounts-and-vpcs/ So i tried to dump the cert and key generated using..

# one year
VALID_HOURS = 24 * 365

# read teh CA cert obtained from running
# ./easyrsa init-pki && ./easyrsa build-ca nopass
with open("ca_encoded.pem", "r") as ca_crt:
    ca_crt_chain = ca_crt.read().replace("\n", " ")

# TODO: check if we can use this instead of using easy rsa
test_vpn_private_key = tls.PrivateKey("test_vpn", algorithm="RSA")
test_vpn_self_signed_cert = tls.SelfSignedCert(
    "test_vpnSelfSignedCert",
    key_algorithm="RSA",
    private_key_pem=test_vpn_private_key.private_key_pem,
    subjects=[
        tls.SelfSignedCertSubjectArgs(
            common_name="<http://test_vpn.com|test_vpn.com>",
            organization="Valo Health",
        )
    ],
    validity_period_hours=VALID_HOURS,
    allowed_uses=[
        "key_encipherment",
        "digital_signature",
        "server_auth",
        "dns_names",
        "is_ca_certificate",
    ],
)

cert_test_vpn = aws.acm.Certificate(
    "test_vpn",
    private_key=test_vpn_private_key.private_key_pem,
    certificate_body=test_vpn_self_signed_cert.cert_pem,
    certificate_chain=test_vpn_self_signed_cert.cert_pem,
)

but the certificate chain is not what it should be…

Is there any pulumi api that runs the custom resource as cloudformation! https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html

Anyone have a convention for using pulumi CLI to force a new ECS deployment (for example, after a Secret is changed)?

Has there been any Pulumi announcement or support for EKS Add-Ons? https://aws.amazon.com/blogs/containers/introducing-amazon-eks-add-ons/ Pulumi did a brief blog post about it (https://www.pulumi.com/blog/reinvent-2020-eks-announcements/#simplified-install-and-management-for-kubernetes-cni-plugin), but didn't mention if/when Pulumi would add support for it.

@here anyone created eks cluster using the option

vpcCni

This is to set custom vpc cni for cluster. I am looking to use vpc cni > 1.6.0 defualt pulumi creates 1.6.0

Hi, I'm having a very weird error, I have a custom pulumi component that call a sdk function to get the loadbalancer arn, and when it happens, I got this error: Error: connect EHOSTUNREACH 169.254.169.254:80 at TCPConnectWrap.afterConnect [as oncomplete] (net.js113416) if I execute the same code outsite of the pulumi component it works, I read that could be something related with the aws credentials, but the rest of the code works well, any idea? it only happens when I use a custom function that use the aws sdk.

Anyone know on EKS if there is a straightforward way to default to encrypted volumes? The only thing I've found so far is creating a copy of the EKS ami and then setting that through the launch template. I haven't gotten that working yet, and it seems like there would be a better route for what I imagine is a pretty common requirement.

Is there a way to specify for Cloudfront, the Cache and origin request settings -> Use a cache policy and origin request policy value? Cache Policy: Managed-CachingOptimized Origin Request Policy: Managed-CORS-S3Origin From the cloudfront console: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html

Just curious to know how can we collect the logs using

pulumi logs

All i see the message is

Collecting logs for stack stack11 since 2021-01-05T13:55:54.000-08:00.

guys, would it be fair to say that the 'crosswalk' stuff is essentially an 'opinionated' version of some of the pulumi APIs?

Quick question I setup an event source mapping from msk to Lambda (the lambda and msk are both in my VPC which was created using crosswalk with 2 public subnets and 1 private subnet

export const vpc = new awsx.ec2.Vpc('vpc', {
    subnets: [
        { type: 'public' },
        { type: 'public', name: 'test-3' },
        { type: 'private' },
    ],
    numberOfNatGateways: 2
})

But when I check the status of my ESM I see this message under

LastProcessingResult

"PROBLEM: Connection error. Please check your event source connection configuration." After doing some digging and finding articles like https://awsfeed.com/whats-new/compute/using-amazon-msk-as-an-event-source-for-aws-lambda I'm at a loss for what the issue is FYI: ingress/egress are both allowing all traffic for the SG, and for the VPC config for both the consumer lambda and the msk cluster I'm using the first 2 subnets

vpcConfig: {
      securityGroupIds: [securityGroup.id],
      subnetIds: PRIVATE_SUBNETS
    }

Aren’t there functions to delete resources like VPC?

I'm now getting

"PROBLEM: Lambda internal error. Please contact Lambda customer support."

in the LastProcessingResult output for the ESM

Morning! Question about the DataDog provider: Is this method: https://www.pulumi.com/docs/reference/pkg/datadog/aws/integrationlogcollection/ the same thing as setting this up manually? https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/?tab=awsconsole

I would like to perform the same set of task in a couple of regions in AWS. Instead of creating 2 stack and associating regions to them, can I loop through the regions using a single stack?