aws
  • m

    millions-furniture-75402

    02/24/2021, 8:20 PM
    Can anyone offer a suggestion for mfa integration using assumeRole? It doesn’t look like there is a clear path. https://github.com/pulumi/pulumi-aws/issues/584 https://github.com/pulumi/pulumi-aws/issues/252#issuecomment-584903094
    `aws --profile grey-sandbox-deployment ec2 describe-instances` will work, but `aws:profile` in `Pulumi.sandbox.yaml` will not work, complaining about missing AWS accesskey and secretaccesskeys.
    pulumi preview
    
    ...
    
        Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
    We see that assumeRole is supported by the provider https://www.pulumi.com/docs/reference/pkg/aws/provider/#providerassumerole — but there is no `mfa_serial` not that we want to pass that to the AWS Provider… It would be preferred if the AWS Provider understood the AWS config the same way as the aws cli.
  • c

    creamy-autumn-77774

    02/25/2021, 12:06 AM
    Anyone have issues with lambda policy attachments getting removed by the automation API? We perhaps have a unique situation: a Pulumi project inside of our main Pulumi project that is deployed with the automation API. It's along the lines of this example: https://github.com/pulumi/automation-api-examples/tree/main/nodejs/localProgram-tsnode For some reason when the automation API deploys the child project, policy attachments associated with lambdas in the "main" project are removed. The pulumi stack still thinks those resources are there, and it takes a `pulumi refresh` and a `pulumi up` to reattach those policies.
  • f

    fierce-television-51712

    02/25/2021, 5:42 PM
    hi. I wonder if there are any articles / examples I can read about the `creationRoleProvider` option on the `eks.Cluster` resource?
  • l

    lively-ice-73493

    02/26/2021, 9:27 PM
    Recently I wrote a Blueprint at work showing how to do rapid API development on your Mac laptop with Pulumi, Localstack. Featuring API Gateway, Lambda (Python and Typescript), Secrets Manager, PostgreSQL, and Docker with unit tests in Jest. All feedback is welcome. https://www.linkedin.com/posts/chad-beaulac_rapid-aws-api-dev-on-your-laptop-with-localstack-activity-6770516704213782529-a_FN
    ❤️ 2
  • c

    chilly-magazine-6129

    02/27/2021, 11:07 PM
    👋 hey folks - if there's a new AWS resource (like AWS Timestream) that isn't supported by Pulumi (yet) - what would be the right way to give a stack permissions to access it? I get a permissions error when trying to access it using the S3 client
  • s

    square-ability-48831

    02/28/2021, 6:46 PM
    👋 hello, just trying out the aws-ts-static-website example out of the box with config set and running into a hanging `pulumi up` with no real idea what the holdup is - what can i do to determine why this is hanging for 30 minutes or more? attached output and also with `--logtostderr` file. nothing is being created in aws.
  • e

    enough-leather-70274

    03/01/2021, 6:54 AM
    Hi folks - I'd like to use AWS Secrets Manager to auto-generate a password. However I also need access to that secret value later in my pulumi script as it's a required input when creating the dependent resource. Is this possible?
  • a

    average-nest-71706

    03/01/2021, 1:00 PM
    I just started learning pulumi and I am having trouble using the existing keypair with the ec2 instance I have created. I've been searching and reading for hours now but still could not find the answer. I found this documentation, https://www.pulumi.com/docs/reference/pkg/aws/ec2/keypair/, which lacks detail and examples on how to use this. Example existing KeyPair on AWS: Name: MyExampleKeyPair, ID: key-0f0e4
    import pulumi
    import pulumi_aws as aws

    size = 't2.micro'
    ami = aws.get_ami(most_recent="true",
                      owners=["amazon"],
                      filters=[{"name": "name", "values": ["amzn-ami-hvm-*"]}])

    group = aws.ec2.SecurityGroup('webserver-secgrp',
                                  description="Enable HTTP access",
                                  ingress=[
                                      {'protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'cidr_blocks': ['0.0.0.0/0']},
                                      {'protocol': 'tcp', 'from_port': 80, 'to_port': 80, 'cidr_blocks': ['0.0.0.0/0']},
                                  ])

    user_data = """
    #!/bin/bash
    echo "Hello, World!" > index.html
    nohup python -m SimpleHTTPServer 80 &
    """

    server = aws.ec2.Instance('webserver-www',
                              instance_type=size,
                              vpc_security_group_ids=[group.id],
                              user_data=user_data,
                              ami=ami.id)

    pulumi.export('publicIp', server.public_ip)
    pulumi.export('publicHostName', server.public_dns)
    My question is how am I going to add that on the code above? I've been trying different code but still not successful in adding the existing keypair.
  • c

    creamy-minister-70065

    03/01/2021, 5:10 PM
    Hi Everyone, I'm using windows + AWS + Typescript + visual studio code and need to create an EC2 instance on my personal test account. How do I do that?? Need Help
  • e

    enough-leather-70274

    03/01/2021, 10:47 PM
    When creating/ configuring an EC2 instance I need to specify the Domain join directory and IAM role as shown here in the console. How do I do this with pulumi?
  • c

    creamy-minister-70065

    03/02/2021, 12:24 PM
    I have used this code to create Instance
    import * as aws from "@pulumi/aws";

    const eip = new aws.ec2.Eip("myeip");
    const securityGroup = new aws.ec2.SecurityGroup("mysecuritygroup", {
        ingress: [
            { protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] },
        ],
    });
    const vpc = new aws.ec2.Vpc("myvpc", { cidrBlock: "10.0.0.0/16" });
    const internetGateway = new aws.ec2.InternetGateway("myinternetgateway", {
        vpcId: vpc.id,
    });
    const publicRouteTable = new aws.ec2.RouteTable("myroutetable", {
        routes: [
            {
                cidrBlock: "0.0.0.0/0",
                gatewayId: internetGateway.id,
            },
        ],
        vpcId: vpc.id,
    });
    I was able to create security groups, eip & vpc but the code isn't able to create the instance. Can anyone help me create an instance using pulumi
  • c

    creamy-minister-70065

    03/02/2021, 12:24 PM
  • d

    damp-school-17708

    03/02/2021, 4:27 PM
    Hi there, is there a way to 'modify' an existing dynamodb table with Pulumi? I've a bunch of tables which get created with a DMS task, I'd like to add streaming to all of them and a lambda handler, if I create a new table I get ... a new table..
  • a

    adamant-dress-73325

    03/02/2021, 11:04 PM
    @chilly-crayon-57653 We noticed some security defaults that could be improved on the awsx library, should I post a public gh issue or is there some other channel to discuss security defaults?
  • r

    rich-leather-25702

    03/03/2021, 12:22 PM
    I’m losing my mind trying to pass an S3 resource to an IAM policy using TypeScript, can someone tell me what rookie mistake I’m making in trying to get the Output<String> value of contentBucket.arn in the below code:
    const contentBucket = new aws.s3.Bucket('s3bucket',
      {
        bucket: 'bucket-1',
        acl: 'public-read',
      });
    
    const s3Policy = new aws.iam.Policy('s3-test-policy', {
      policy: JSON.stringify({
        Version: '2012-10-17',
        Statement: [{
          Action: [
            's3:ListBucket',
            's3:GetObject',
          ],
          Effect: 'Allow',
          Resource: contentBucket.arn
        }]
      })
    });
    Which returns
    aws:iam:Policy (s3-test-policy):
        error: 1 error occurred:
            * Error creating IAM policy shu-tower-frontend-dev-s3-policy-4518918: MalformedPolicyDocument: Partition "
            1" is not valid for resource "arn:
            1: o.apply(v => v.toJSON())
            2: o.apply(v => JSON.stringify(v))
    I’ve read the Inputs and Outputs page, but nothing I do seems to reveal the ARN of the resource (even though I can see in the Pulumi console that it was successfully created).
  • a

    adamant-translator-31969

    03/03/2021, 1:11 PM
    HI! I have a question! in aws.Dynamodb package, field type in TableAttribute should be S, N or B... I want to set this field with String Set (SS), is it possible?
  • f

    future-nightfall-79300

    03/03/2021, 1:56 PM
    Hello! Any tips on how to get pulumi "unstuck"? I'm trying to make a refresh to make sure everything is up to date before doing an update on the stack (AWS), but the refresh operation gets stuck, with the last line in the log (running `pulumi refresh --skip-preview --logtostderr -v=9 2> pulumi_out.log --tracing=file:./up.trace`) being:
    I0303 15:51:37.212112    4505 snapshot.go:437] SnapshotManager: refreshSnapshotMutation.End(..., true)
  • r

    rhythmic-ambulance-86976

    03/03/2021, 4:38 PM
    I'm trying to use the pulumi_eks module to stand up an eks cluster with fargate. According to https://www.pulumi.com/docs/reference/pkg/eks/cluster/#outputs I should be able to use eks_cluster.id to get the cluster name, but when I attempt to use that in creating a aws.eks.FargateProfile,
    rbs_fargate_group = aws.eks.FargateProfile("rbs-infrastructure-fargate-profile",
                                               cluster_name=eks_cluster.id,
    I get
    TypeError: Missing required property 'cluster_name'
    any ideas why? and I've tried using eks_cluster.name, but then I get
    error: aws:eks/fargateProfile:FargateProfile resource 'rbs-infrastructure-fargate-profile' has a problem: Required attribute is not set
  • m

    millions-furniture-75402

    03/03/2021, 7:05 PM
    If I want to generate a Cloudwatch Dashboard that aggregates all lambda functions, should the approach I take be to use the AWS SDK to collect the function names? I’m not sure I should be updating 20+ projects to start exporting the Lambda Ids to be used as stackoutputs. Or does Pulumi have another way to collect ids of resources Pulumi manages?
  • c

    chilly-hairdresser-56259

    03/03/2021, 8:57 PM
    Quick Question (As I am not seeing it currently): Does Pulumi support Redshift Schedules outside the scope of snapshot schedules?
  • b

    broad-hairdresser-1495

    03/04/2021, 12:51 AM
    Hi, When running `pulumi up` first time to create AWS ec2 instance with increased root disk and then run again same script with `pulumi up`, pulumi thinks there are changes needed in that instance (this happens only when deploying with increased root disk)
    >pulumi up
    Previewing update (aws2_rest_s)
    
         Type                         Name                              Plan       Info
     +   pulumi:pulumi:Stack          aws2_rest-aws2_rest_s             create     3 messages
     +   ├─ aws:ec2:NetworkInterface  aws2-eu1tst-rhtestsuppdb001-eth0  create
     +   └─ aws:ec2:Instance          aws2-eu1tst-test1                 create
    >pulumi up
    Previewing update (aws2_rest_s)
    
         Type                 Name                   Plan        Info
         pulumi:pulumi:Stack  aws2_rest-aws2_rest_s              3 messages
     +-  └─ aws:ec2:Instance  aws2-eu1tst-test1      replace     [diff: ~ebsBlockDevices]  <<<this should not be a diff
    Do you want to perform this update? details
      pulumi:pulumi:Stack: (same)
        [urn=urn:pulumi:aws2_rest_s::aws2_rest::pulumi:pulumi:Stack::aws2_rest-aws2_rest_s]
        ++aws:ec2/instance:Instance: (create-replacement)
            [id=i-003ff8680bbece029]
            [urn=urn:pulumi:aws2_rest_s::aws2_rest::aws:ec2/instance:Instance::aws2-eu1tst-test1]
            [provider=urn:pulumi:aws2_rest_s::aws2_rest::pulumi:providers:aws::default_3_31_0::41672f54-4965-4cdb-81b5-cced77d0ff83]
          ~ ebsBlockDevices: [
              ~ [0]: {
                      + deleteOnTermination: true
                      + deviceName         : "/dev/sda1"
                      + volumeSize         : 60
                    }
            ]
        +-aws:ec2/instance:Instance: (replace)
            [id=i-003ff8680bbece029]
            [urn=urn:pulumi:aws2_rest_s::aws2_rest::aws:ec2/instance:Instance::aws2-eu1tst-test1]
            [provider=urn:pulumi:aws2_rest_s::aws2_rest::pulumi:providers:aws::default_3_31_0::41672f54-4965-4cdb-81b5-cced77d0ff83]
          ~ ebsBlockDevices: [
              ~ [0]: {
                      + deleteOnTermination: true
                      + deviceName         : "/dev/sda1"
                      + volumeSize         : 60
                    }
            ]
        --aws:ec2/instance:Instance: (delete-replaced)
            [id=i-003ff8680bbece029]
            [urn=urn:pulumi:aws2_rest_s::aws2_rest::aws:ec2/instance:Instance::aws2-eu1tst-test1]
            [provider=urn:pulumi:aws2_rest_s::aws2_rest::pulumi:providers:aws::default_3_31_0::41672f54-4965-4cdb-81b5-cced77d0ff83]
    is there some workaround for this issue? or is it a bug?
  • a

    acceptable-stone-35112

    03/04/2021, 12:50 PM
    I need to create resources under multiple AWS accounts in same stack (e.g. create OU with several accounts and a VPC in each). If I understand correctly the recommended way is to create a new provider resource for each account with assumeRole?
  • c

    colossal-plastic-46140

    03/04/2021, 2:32 PM
    Hi Folks, I am trying to understand if this terraform issue impacts the pulumi provider https://github.com/hashicorp/terraform-provider-aws/issues/16536. It's just a little confusing to me as there appears to be bucket_key support in the pulumi docs. https://www.pulumi.com/docs/reference/pkg/aws/s3/bucket/#bucket_key_enabled_python
  • a

    acoustic-room-2113

    03/04/2021, 11:16 PM
    I'm trying to import some route table associations from existing infra and getting the following error.
    pulumi import aws:ec2/routeTableAssociation:RouteTableAssociation platform-public-0.prod subnet-0123/rtb-4567
    Previewing import (network.prod):
         Type                              Name                    Plan       Info
         pulumi:pulumi:Stack               network-network.prod               1 error
     =   └─ aws:ec2:RouteTableAssociation  platform-public-0.prod  import     3 errors
    
    Diagnostics:
      pulumi:pulumi:Stack (network-network.prod):
        error: preview failed
    
      aws:ec2:RouteTableAssociation (platform-public-0.prod):
        error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'platform-public-0.prod' has a problem: ExactlyOne: "subnet_id": one of `gateway_id,subnet_id` must be specified
        error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'platform-public-0.prod' has a problem: ExactlyOne: "gateway_id": one of `gateway_id,subnet_id` must be specified
        error: Preview failed: one or more inputs failed to validate
  • b

    breezy-apartment-46543

    03/05/2021, 12:58 PM
    How do you come around the problem that you cannot run pulumi destroy on a project containing an s3 bucket that is non-empty?
  • p

    purple-jelly-68780

    03/05/2021, 3:03 PM
    I saw a mention of the automation API in the above thread and it has me wondering if I could use it for post-provisioning tasks on EC2 instances (i.e. a replacement for userData)? @brave-planet-10645 if you have any input on this I'd love to hear it
  • m

    millions-furniture-75402

    03/05/2021, 4:44 PM
    How do I add a Cloudwatch Metrics Alarm Widget to a Cloudwatch Dashboard? I don’t see the widget type, is it unsupported? https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/awsx/cloudwatch/#apis In a cloudwatch dashboard body it would look something like:
    {
      "widgets": [
        {
          "type": "alarm",
          "x": 0,
          "y": 0,
          "width": 24,
          "height": 3,
          "properties": {
            "title": "",
            "alarms": [
              "arn:aws:cloudwatch:us-east-2:0123456789:alarm:SystemBackupDuration-a2737a4"
            ]
          }
        }
      ]
    }
  • b

    best-lifeguard-91445

    03/05/2021, 7:59 PM
    Is there a utility method for generating an arn based on the account # / region / resource type?
  • a

    adamant-dress-73325

    03/06/2021, 12:21 AM
    I've noticed that when changing the value of the VPC input arg on awsx.elasticloadbalancingv2.ApplicationLoadBalancer, pulumi is not issuing a replace to recreate the ALB in a new VPC, has anyone run into this problem before? Right now it issues an update of the sg only, which leads to a 400 bad request from the AWS api.
  • f

    flat-address-97791

    03/06/2021, 11:30 AM
    Hi all. I'm trying to set up a cloudwatch event rule to schedule a lambda function using cron. I'm not too familiar with AWS and I think I'm missing something really obvious, and I can't seem to work this out from the Pulumi python docs. I have:
    # Create the cloudwatch event that triggers the lambda
    cloudwatchEventRule = cloudwatch.EventRule(
        resource_name="exportDashboardLambdaTrigger",
        schedule_expression=schedule_expression,  # 0 10 * * 1 10.00 AM on Monday
    )
    cloudwatchTarget = cloudwatch.EventTarget(
        "cloudwatchEventTargetLambda",
        rule=cloudwatchEventRule.id,
        arn=exportDashboardLambda.arn,
        input="{}"
    )
    And the following lambda
    # Create lambda function
    lambdaDownloadExport = lambda_.Function(
        resource_name="exportDashboardLambda",
        image_uri=f".../exportdashboard:latest-{branch}",
        role=role.arn,
        package_type="Image",
        timeout=500,
        tags={
            "environment": "prod",
            "creator": "pulumi",
            "project": "exportdashboard",
        },
    )
    I also defined a role to execute the lambda and gave cloudwatch permission to trigger the lambda. When I inspect the resource on AWS, I see the following (see attached img). The trigger has been created, and I can assign it manually to the function, but I'm missing how I can 'bind' the trigger to the lambda function. Any input appreciated. Thanks in advance! Jasper.
Solved 🙂
Had a typo in my lambda permission:
# Give cloudwatch permission to trigger
lambda_.Permission(
    "exportDashboardEventTrigger",
    action="lambda:InvokeFunction",
    function=exportDashboardLambda.name,
    principal="events.amazonaws.com",
    source_arn=cloudWatchEventRule.arn
)
Works, and:
# Give cloudwatch permission to trigger
lambda_.Permission(
    "exportDashboardEventTrigger",
    action="lambda:InvokeFunction",
    function=exportDashboardLambda.name,
    principal="events.amazonaws.com",
    source_arn=cloudWatchEventRule.arn.apply(lambda arn: f"{arn}:*")
)
Does not work