Can anyone offer a suggestion for mfa integration using assumeRole? It doesn’t look like there is a clear path. https://github.com/pulumi/pulumi-aws/issues/584 https://github.com/pulumi/pulumi-aws/issues/252#issuecomment-584903094

aws --profile grey-sandbox-deployment ec2 describe-instances

will work, but

aws:profile

in

Pulumi.sandbox.yaml

will not work, complaining about missing AWS accesskey and secretaccesskeys.

pulumi preview

...

    Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration

We see that assumeRole is supported by the provider https://www.pulumi.com/docs/reference/pkg/aws/provider/#providerassumerole — but there is no

mfa_serial

not that we want to pass that to the AWS Provider… It would be preferred if the AWS Provider understood the AWS config the same way as the aws cli.

Anyone have issues with lambda policy attachments getting removed by the automation API? We perhaps have a unique situation: a Pulumi project inside of our main Pulumi project that is deployed with the automation API. Its along the lines of this example: https://github.com/pulumi/automation-api-examples/tree/main/nodejs/localProgram-tsnode For some reason when the automation API deploys the child project, policy attachments associated with lambdas in the "main" project are removed. The pulumi stack still thinks those resources are there, and it takes a

pulumi refresh

and a

pulumi up

to reattach those policies.

hi. I wonder is there any articles / examples I can read about the

creationRoleProvider

option on the

eks.Cluster

resource?

Recently I wrote a Blueprint at work showing how to do rapid API development on your Mac laptop with Pulumi, Localstack. Featuring API Gateway, Lambda (Python and Typescript), Secrets Manager, PostgreSQL, and Docker with unit tests in Jest. All feedback is welcome. https://www.linkedin.com/posts/chad-beaulac_rapid-aws-api-dev-on-your-laptop-with-localstack-activity-6770516704213782529-a_FN

👋 hey folks - if there's a new AWS resource (like AWS Timestream) that isn't supported by Pulumi (yet) - what would be the right way to give a stack permissions to access it? I get a permissions error when trying to access it using the S3 client

👋 hello, just trying out the aws-ts-static-website example with out of the box with config set and running into a hanging

pulumi up

with no real idea what the holdup is - what can i do to determine why this is hanging for 30 minutes or more? attached output and also with

--logtostderr

file. nothing is being created in aws.

Hi folks - I'd like to use AWS Secrets Manager to auto-generate a password. However I also need access to that secret value later in my pulumi script as it's a required input when creating the dependent resource. Is this possible?

I just started learning pulumi and I am having trouble in using the existing keypair to the ec2 instance I have created. I've been searching and reading for hours now but still could not find the answer. I found this documentation, https://www.pulumi.com/docs/reference/pkg/aws/ec2/keypair/, lack of detail and example on how to use this. Example existing KeyPair on AWS Name: MyExampleKeyPair ID: key-0f0e4

import pulumi
import pulumi_aws as aws 

size = 't2.micro'
ami = aws.get_ami(most_recent="true",
				  owners=["amazon"],
				  filters=[{"name":"name", "values":["amzn-ami-hvm-*"]}]
				)

group = aws.ec2.SecurityGroup('webserver-secgrp',
							  description="Enable HTTP access",
							  ingress=[
							  			{ 'protocol': 'tcp', 'from_port': 22, 'to_port': 22, 'cidr_blocks': ['0.0.0.0/0'] },
							  			{ 'protocol': 'tcp', 'from_port': 80, 'to_port': 80, 'cidr_blocks': ['0.0.0.0/0'] }
							  		  ]
								)

user_data = """
#!/bin/bash
echo "Hello, World!" > index.html
nohup python -m SimpleHTTPServer 80 &
"""

server = aws.ec2.Instance('webserver-www',
						  instance_type=size,
						  vpc_security_group_ids = [group.id],
						  user_data=user_data,
						  ami=ami.id
						  )

pulumi.export('publicIp', server.public_ip)
pulumi.export('publicHostName', server.public_dns)

My question is how am I going to add that on the code above? I've been trying different code but still not successful in adding the existing keypair.

Hi Everyone Im using windows + AWS + Typescript + visual studio code need to create a EC2 instance on my personal test account, How do I do that ?? Need Help

When creating/ configuring an EC2 instance I need to specify the Domain join directory and IAM role as shown here in the console. How do I do this with pulumi?

I have used this code to create Instance const eip = new aws.ec2.Eip("myeip"); const securityGroup = new aws.ec2.SecurityGroup("mysecuritygroup", { ingress: [ { protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] }, ], }); const vpc = new aws.ec2.Vpc("myvpc", { cidrBlock: "10.0.0.0/16" }) const internetGateway = new aws.ec2.InternetGateway("myinternetgateway", { vpcId: vpc.id, }); const publicRouteTable = new aws.ec2.RouteTable("myroutetable", { routes: [ { cidrBlock: "0.0.0.0/0", gatewayId: internetGateway.id, }, ], vpcId: vpc.id, }); I was able to create security groups, eip & vpc but the code doesn't able to create the instance. Can anyone help me creating instance using pulumi

Hi there, is there a way to 'modify' an existing dynamodb table with Pulumi? I've a bunch of tables which get created with a DMS task, I'd like to add streaming to all of them an a lambda handler, if I create a new table I get ... a new table..

@chilly-crayon-57653 We noticed some security defaults that could be improved on the awsx library, should I post a public gh issue or is there some other channel to discuss security defaults?

I’m losing my mind trying to pass an S3 resource to an IAM policy using TypeScript, can someone tell me what rookie mistake I’m making in trying to get the Output<String> value of contentBucket.arn in the below code:

const contentBucket = new aws.s3.Bucket('s3bucket',
  {
    bucket: 'bucket-1',
    acl: 'public-read',
  });

const s3Policy = new aws.iam.Policy('s3-test-policy', {
  policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [{
      Action: [
        's3:ListBucket',
        's3:GetObject ',
      ],
      Effect: 'Allow',
      Resource: contentBucket.arn
    }]
  })
});

Which returns

aws:iam:Policy (s3-test-policy):
    error: 1 error occurred:
        * Error creating IAM policy shu-tower-frontend-dev-s3-policy-4518918: MalformedPolicyDocument: Partition "
        1" is not valid for resource "arn:
        1: o.apply(v => v.toJSON())
        2: o.apply(v => JSON.stringify(v))

I’ve read the Inputs and Outputs page, but nothing I do seems to reveal the ARN of the resource (even though I can see in the Pulumi console that it was successfully created.

HI! I have a question! in aws.Dynamodb package, field type in TableAttribute should be S, N or B... I want to set this field with String Set (SS), is it possible?

Hello! Any tips on how to get pulumi "unstuck"? I'm trying to make a refresh to make sure everything is up to date before doing an update on the stack (AWS), but the refresh operation gets stuck, with the last line in the log (running

pulumi refresh --skip-preview --logtostderr -v=9 2> pulumi_out.log --tracing=file:./up.trace

) being:

I0303 15:51:37.212112    4505 snapshot.go:437] SnapshotManager: refreshSnapshotMutation.End(..., true)

I'm trying to use the pulumi_eks module to stand up an eks cluster with fargate. According to https://www.pulumi.com/docs/reference/pkg/eks/cluster/#outputs I should be able to use eks_cluster.id to get the cluster name, but when I attempt to use that in creating a aws.eks.FargateProfile,

rbs_fargate_group = aws.eks.FargateProfile("rbs-infrastructure-fargate-profile",                                                                                        cluster_name=eks_cluster.id,

I get

TypeError: Missing required property 'cluster_name'

any ideas why? and I've tried using eks_cluster.name, but then I get

error: aws:eks/fargateProfile:FargateProfile resource 'rbs-infrastructure-fargate-profile' has a problem: Required attribute is not set

If I want to generate a Cloudwatch Dashboard that aggregates all lambda function, should the approach I take be to use the AWS SDK to collect the function names? I’m not sure I should be updated 20+ projects to start exporting the Lambda Ids to be used as stackoutputs. Or does Pulumi have another way to collect ids of resources Pulumi manages?

Quick Question (As I am not seeing it currently): Does Pulumi support Redshift Schedules outside the scope of snapshot schedules?

Hi, When running

pulumi up

first time to create AWS ec2 instance with increased root disk and then run again same script with

pulumi up

, pulumi thinks there are changes needed in that instance (this happens only when deploying with increased root disk)

>pulumi up
Previewing update (aws2_rest_s)

     Type                         Name                              Plan       Info
 +   pulumi:pulumi:Stack          aws2_rest-aws2_rest_s             create     3 messages
 +   ├─ aws:ec2:NetworkInterface  aws2-eu1tst-rhtestsuppdb001-eth0  create
 +   └─ aws:ec2:Instance          aws2-eu1tst-test1                 create

>pulumi up
Previewing update (aws2_rest_s)

     Type                 Name                   Plan        Info
     pulumi:pulumi:Stack  aws2_rest-aws2_rest_s              3 messages
 +-  └─ aws:ec2:Instance  aws2-eu1tst-test1      replace     [diff: ~ebsBlockDevices]  <<<this should not be a diff

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:aws2_rest_s::aws2_rest::pulumi:pulumi:Stack::aws2_rest-aws2_rest_s]
    ++aws:ec2/instance:Instance: (create-replacement)
        [id=i-003ff8680bbece029]
        [urn=urn:pulumi:aws2_rest_s::aws2_rest::aws:ec2/instance:Instance::aws2-eu1tst-test1]
        [provider=urn:pulumi:aws2_rest_s::aws2_rest::pulumi:providers:aws::default_3_31_0::41672f54-4965-4cdb-81b5-cced77d0ff83]
      ~ ebsBlockDevices: [
          ~ [0]: {
                  + deleteOnTermination: true
                  + deviceName         : "/dev/sda1"
                  + volumeSize         : 60
                }
        ]
    +-aws:ec2/instance:Instance: (replace)
        [id=i-003ff8680bbece029]
        [urn=urn:pulumi:aws2_rest_s::aws2_rest::aws:ec2/instance:Instance::aws2-eu1tst-test1]
        [provider=urn:pulumi:aws2_rest_s::aws2_rest::pulumi:providers:aws::default_3_31_0::41672f54-4965-4cdb-81b5-cced77d0ff83]
      ~ ebsBlockDevices: [
          ~ [0]: {
                  + deleteOnTermination: true
                  + deviceName         : "/dev/sda1"
                  + volumeSize         : 60
                }
        ]
    --aws:ec2/instance:Instance: (delete-replaced)
        [id=i-003ff8680bbece029]
        [urn=urn:pulumi:aws2_rest_s::aws2_rest::aws:ec2/instance:Instance::aws2-eu1tst-test1]
        [provider=urn:pulumi:aws2_rest_s::aws2_rest::pulumi:providers:aws::default_3_31_0::41672f54-4965-4cdb-81b5-cced77d0ff83]

is there some workaround this issue? or is it a bug?

I need to create resources under multiple AWS accounts in same stack (e.g. create OU with several accounts and a VPC in each). If I understand correctly the recommended way is to create a new provider resource for each account with assumeRole?

HI Folks, I am trying to understand if this terraform issue impacts the pulumi provider https://github.com/hashicorp/terraform-provider-aws/issues/16536. Its just a little confusing to me as there appears to be bucket_key support in the pulumi docs. https://www.pulumi.com/docs/reference/pkg/aws/s3/bucket/#bucket_key_enabled_python

I'm trying to import some route table associations from existing infra and getting the following error.

pulumi import aws:ec2/routeTableAssociation:RouteTableAssociation platform-public-0.prod subnet-0123/rtb-4567
Previewing import (network.prod):
     Type                              Name                    Plan       Info
     pulumi:pulumi:Stack               network-network.prod               1 error
 =   └─ aws:ec2:RouteTableAssociation  platform-public-0.prod  import     3 errors

Diagnostics:
  pulumi:pulumi:Stack (network-network.prod):
    error: preview failed

  aws:ec2:RouteTableAssociation (platform-public-0.prod):
    error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'platform-public-0.prod' has a problem: ExactlyOne: "subnet_id": one of `gateway_id,subnet_id` must be specified
    error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'platform-public-0.prod' has a problem: ExactlyOne: "gateway_id": one of `gateway_id,subnet_id` must be specified
    error: Preview failed: one or more inputs failed to validate

How do you come around the problem that you cannot run pulumi destroy on a project containing an s3 bucket that is non-empty?

I saw a mention of the automation API in the above thread and it has me wondering if I could use it for post-provisioning tasks on EC2 instances (i.e. a replacement for userData)? @brave-planet-10645 if you have any input on this I'd love to hear it

How do I add a Cloudwatch Metrics Alarm Widget to a Cloudwatch Dashboard? I don’t see the widget type, is it unsupported? https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/awsx/cloudwatch/#apis In a cloudwatch dashboard body it would look something like:

{
  "widgets": [
    {
      "type": "alarm",
      "x": 0,
      "y": 0,
      "width": 24,
      "height": 3,
      "properties": {
        "title": "",
        "alarms": [
          "arn:aws:cloudwatch:us-east-2:0123456789:alarm:SystemBackupDuration-a2737a4",
        ]
      }
    }
  ]
}

Is there a utility method for generating an arn based on the account # / region / resource type?

I've noticed that when changing the value of the VPC input arg on awsx.elasticloadbalancingv2.ApplicationLoadBalancer, pulumi is not issuing a replace to recreate the ALB in a new VPC, has anyone run into this problem before? Right now it issues an update of the sg only, which leads to a 400 bad request from the AWS api.

Hi all. I'm trying to set up a cloudwatch event rule to schedule a lambda function using cron. I'm not too familiar with AWS and I think I'm missing something really obvious, and I can't seem to work this out from the Pulumi python docs. I have:

# Create the cloudwatch event that triggers the lambda
    cloudwatchEventRule = cloudwatch.EventRule(
        resource_name="exportDashboardLambdaTrigger",
        schedule_expression=schedule_expression,  # 0 10 * * 1 10.00 AM on Monday

    )
    cloudwatchTarget = cloudwatch.EventTarget(
        "cloudwatchEventTargetLambda",
        rule=cloudwatchEventRule.id,
        arn=exportDashboardLambda.arn,
        input="{}"
    )

And the following lambda

# Create lambda function
    lambdaDownloadExport = lambda_.Function(
        resource_name="exportDashboardLambda",
        image_uri=f".../exportdashboard:latest-{branch}",
        role=role.arn,
        package_type="Image",
        timeout=500,
        tags={
            "environment": "prod",
            "creator": "pulumi",
            "project": "exportdashboard",
        },
    )

I also defined a role to execute the lambda and gave cloudwatch permission to trigger the lambda. When I inspect the resource on AWS, I see the following (see attached img) The trigger has been created, and I can assign it manually to the function, but I'm missing how I can 'bind' the trigger to the lambda function. Any input appreciated. Thanks in advance! Jasper.