Did something change in the way to create an EKS cluster? Just tonight suddenly

const cluster = new eks.Cluster(name, {
  instanceType: "t2.medium",
  desiredCapacity: 1,
  minSize: 1,
  maxSize: 2,
  storageClasses: 'gp2',
  deployDashboard: false,
});

fails with

Diagnostics:
  eks:index:VpcCni (chartmuseum-vpc-cni):
    error: Command failed: kubectl apply -f /var/folders/4z/2zvwp19d343djqc78xywc6p00000gn/T/tmp-215018e7GR5EVRaFT.tmp
    error: You must be logged in to the server (the server has asked for the client to provide credentials)
 
  kubernetes:<http://storage.k8s.io/v1:StorageClass|storage.k8s.io/v1:StorageClass> (chartmuseum-gp2):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials
 
  kubernetes:core/v1:ConfigMap (chartmuseum-nodeAccess):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials
 
  pulumi:pulumi:Stack (chartmuseum-tutorial-chartmuseum):
    error: You must be logged in to the server (the server has asked for the client to provide credentials)
 
    error: update failed

The cluster is created so not sure why this suddenly no longer works

I'm reading the documentation about alb, and what confusing me is the line of code

security_groups=[aws_security_group["lb_sg"]["id"]],

I believe the documentation assumed that I already have created a security group for application load balancer. But what if I want to create a new security group for alb? You have a documentation on how to create security group on elb but I think that alb has different approach in creating one.

Hi, when i run

pulumi import aws:ec2/instance:Instance myInstanceName i-0ba17989210ad396a

Import works fine but, it looks like one config is missing from import, networkInterfaces: [] Due to when running

pulumi up

networkInterfaces are in pulumi console. but now im getting this issue with imported resource:

>pumuli up
    +-aws:ec2/instance:Instance: (replace)
        [id=i-0bdc3124xxxx]
        [urn=urn:pulumi:ob-server83::local_proj::aws:ec2/instance:Instance::aws2-eu1tst-rhtestsuppdb002]
        [provider=urn:pulumi:ob-server83::local_proj::pulumi:providers:aws::default_3_30_0::9807bxxx]
      ~ networkInterfaces: [
          + [0]: {
                  + deleteOnTermination: false
                  + deviceIndex        : 0
                  + networkInterfaceId : "eni-021d47151dexxx"
                }
        ]
-----------------
    --aws:ec2/instance:Instance: (delete-replaced)
        [id=i-0bdc3124xxxx]
        [urn=urn:pulumi:ob-server83::local_proj::aws:ec2/instance:Instance::aws2-eu1tst-rhtestsuppdb002]
        [provider=urn:pulumi:ob-server83::local_proj::pulumi:providers:aws::default_3_30_0::9807bxxxx]

diff between

pulumi up

and

pulumi import

in console: is it possible to add manually config in stack so that when running

pulumi up

it wont have this networkInterfaces diff?

in ALB target group args, stickiness block has type any in newer pulumi/aws versions. what's the convention to configure application cookie stickiness for my target group? Should I follow the TF syntax? https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/app_cookie_stickiness_policy

Hey folks, I’m working on adding code examples to get to language parity across our top five code examples in AWS, Azure, Google Cloud, and Kubernetes. For AWS, these are the tutorials I’m adding examples for: Deploy a Webserver to EC2 (https://www.pulumi.com/docs/tutorials/aws/ec2-webserver/) Running Containers on ECS Fargate (https://www.pulumi.com/docs/tutorials/aws/ecs-fargate/) Serverless App using API Gateways and Lambda (https://www.pulumi.com/docs/tutorials/aws/rest-api/) Host a Static Website on Amazon S3 (https://www.pulumi.com/docs/tutorials/aws/s3-website/) Create a Slackbot for Posting Mention Notifications (https://www.pulumi.com/docs/tutorials/aws/aws-ts-slackbot/) Do these feel like the most important examples you’ve used or are there other examples from our examples repo that have been more helpful? Are there different examples you’d like to see? Thanks, Dave

I need to pass an availability zone to the constructor of a VpnGateay (don't know if it's a zone name or ID, can sort that later). I presume I get this from the subnets that I've created using awsx.ec2.Vpc.

Hi folks - I have a complex security group that I want to import into pulumi, however I'm a bit confused by the docs. When I run something like the example:

pulumi import aws:ec2/securityGroup:SecurityGroup elb_sg sg-903004f8

It just gives me a blank security group, not all the rules defined in it.

I found the docs for SecurityGroupRule, but the examples seem a bit mangled (is the word "console" meant to be everywhere?) and it all seems to be one-by-one. What's the easiest way of importing all the rules attached to a security group?

Hello, first time here. I would like to unit-test an IAM Policy that is build up dynamically using

aws.iam.getPolicyDocument

. However, I’ve noticed that

getPolicyDocument

gets mocked away during unit testing. As a result:

GetPolicyDocumentResult.json

returns undefined in the unit test 😒 Of course I can add something like this in

Mocks.call

:

pulumi.runtime.setMocks({
  newResource: function(resourceType: string, name: string, inputs: any, provider?: string, id?: string) {},
  call:  function(token: string, args: any, provider?: string) {
    switch (token) {
        case 'aws:iam/getPolicyDocument:getPolicyDocument':
          return {
            json: JSON.stringify(args),
          };
      }
      return args;
    },
});

But then the returned IAM Policy json document is not a valid IAM policy. What would be the preferred way of unit testing the result of

getPolicyDocument

? Thank you for your input. As you see the code is written in Typescript.

This fits in the context of testing the creation of an IAM Policy. I would like to check the IAM Policy json document that was assigned to that IAM Policy.

@here I have something to share I made an opinionated EKS provisioning pulumi code in javascript. I like to call it POKE- Provision Opinionated Kubernetes on EKS https://github.com/bit-cloner/poke

i have an RDS/Aurora cluster set up, and want to create an additional user for the database. i was planning to use the

pulumi_postgresql

provider to connect to the database via the endpoint (using the master credentials) but i'm getting a timeout:

postgresql:index:Role (pg-user):
    error: error detecting capabilities: error PostgreSQL version: dial tcp 10.0.1.136:5432: i/o timeout

That's when i realized that my database is in a VPC, and there is no public endpoint. So how can i use IaC to handle this task?

Hi folks - how do I setup a SecurityGroupRule to allow all ICMP IPv4 traffic from a specific prefix list?

Hi, I just ran a pulumi up that reported that it succeeded, but one resource in the stack was not created. I never got an error at any point, and it wasn't until a test ran later that I caught it at all. A pulumi preview --refresh showed that the resource needed to be created. This is the second time I've encountered this with Pulumi. I don't remember what the resource was the first time (I think it was a VPC SG, but I'm not sure). This time it was an alb listener rule. Is there some setting to make pulumi more sensitive to these failures?

Hi folks . I need to create a userdata script for eks windows nodes. The documentation says the script needs to be

<powershell>

              

[string]$EKSBinDir = "$env:ProgramFiles\Amazon\EKS"

              

[string]$EKSBootstrapScriptName = 'Start-EKSBootstrap.ps1'

              

[string]$EKSBootstrapScriptFile = "$EKSBinDir\$EKSBootstrapScriptName"

              

[string]$cfn_signal = "$env:ProgramFiles\Amazon\cfn-bootstrap\cfn-signal.exe"

              

& $EKSBootstrapScriptFile -EKSClusterName ${ClusterName} ${BootstrapArguments} 3>&1 4>&1 5>&1 6>&1

              

$LastError = if ($?) { 0 } else { $Error[0].Exception.HResult }

              `& $cfn_signal --exit-code=$LastError ``                 `--stack="${AWS::StackName}" ``                 `--resource="NodeGroup" ``                 

--region=${AWS::Region}

              

</powershell>

in pulumi code How can i get the values of

${AWS::StackName}

?

has anyone provisioned windows EKS nodes with pulumi ?

Anyone have any suggestions on dealing with

ValidationException

when creating Lambda functions in python? I’m already running with

pulumi up --logtostderr -v=9 2> out.txt

but I can’t find in the logs any detail about the AWS call that fails and why. This has had me stumped for a couple days now, so any help would be very much appreciated 😄

Hi! I have a problem with awsx.apigateway promise leak when I use component resource

Hello, I have question about CD tool I have 4 repositories an each repo which corespond to product In future there will be more products (repos) I want to deploy this stacks as products, independently. I want to deploy this stacks for many aws accounts. So I want to tool which allows add products, add envs, keep states which product is deployed on which envs? Do you know something better than GitLab for this problem?

I have a lambda where I import ‘aws-xray-sdk’ but the dependency does not seem to be uploaded to AWS as the lambda throws “errorType”:“Runtime.ImportModuleError”,“errorMessage”:“Error: Cannot find module ‘aws-xray-sdk’… Shouldn’t Pulumi automatically handle this? I run npm i aws-xray-sdk before pulumi up ofc.

Does parameter store use some efault AWS KMS when using

SecureString

? https://www.pulumi.com/docs/reference/pkg/aws/ssm/parameter/ or do we need to supply its ARN/ID ourselves?

To specify an AWS KMS CMK, use the KeyId parameter. The default is the AWS managed CMK for your account, aws/ssm.

It sounds like it uses a default one if not supplied.

Hi, I'm learning about stacks today and how to configure them for different environments. To do this I have set up 3 different AWS accounts - dev, non-prod and prod and configured a profile for each one in my credentials file. I then use the appropriate profile in the appropriate stack that I have created - dev, non-prod and prod and ran pulumi up. As expected the resource appeared in the stack that was currently active. Now, when I change the aws profile for that stack using pulumi config set aws:profile to one of the other profiles and run pulumi up, then the resource is still deployed to the original profile's account and not the profile that I've changed to. This doesn't seem to be the correct behaviour. Could anyone point where I'm going wrong?

My code:

test = aws.lb.LoadBalancer(
							"MyTestALB",
							internal=False,
							load_balancer_type="application",
							security_groups=[alb_security_group.id],
							subnets=[__item["id"] for __item in aws_subnet["public"]],
							enable_deletion_protection=True,
							#access_logs=aws.lb.LoadBalancerAccessLogsArgs(
							#		bucket=
							#	)
						  )

I would like to understand what this line of code is saying:

subnets=[__item["id"] for __item in aws_subnet["public"]],

My question is how am I going to get the subnets, because the lb documentation assumed that I already the code getting the subnets and it is assigned to aws_subnet["public"].

Hey all, I'm experiencing some weird behavior with

pulumi destroy

, where pulumi incorrectly thinks an AWS resource failed to destroy (when in fact, it had). The process goes something like this: 1. I call

pulumi up

on a stack which includes and AWS EKS Cluster. I am not an admin user on AWS, but nevertheless I have access to all EKS-relevant actions for resources with the proper tags. So the building succeeds without any issues 2. I then tear this stack down with

pulumi destroy

which fails for some unknown reason. The error message tells me that the EKS cluster failed to be destroyed due to a permissions issue (as a result, pulumi thinks the cluster still exists) 3. But I check on the AWS console, and can confirm that in fact the cluster HAS been properly destroyed. Looking into CloudWatch, it appears that the the pulumi destroy process successfully destroyed the EKS cluster, but then tried to do it again (which is then denied since the non-existent cluster of course does not have the proper tags which allow me to operate on it) 4. Any subsequent

pulumi destroy

call also fails for the same reason. Similarly

pulumi refresh

fails because pulumi would like to "describe" the cluster to determine it's state, which of course also fails due to the same tag-condition 5. The situation is thus stuck until a colleague who is an AWS admin calls either

pulumi destroy

or

pulumi refresh

on my behalf So has anyone else experienced similar behavior? Or are there any thoughts on what could be wrong here? It seems to me like it is a Pulumi issue (rather than an AWS permissions issue) since Pulumi mistakenly thinks the cluster fails to be destroyed

Pulumi novice here, just wondering what the difference between `apigateway.Deployment`'s

triggers

and

variables

. I noticed in AWSX a redeployed is forced by a new hash of a bunch of settings in

variables

, but my impression is that's what

triggers

are for. Am I missing something here?

Hi - Are there any functions to create a users in AWS Managed Microsoft AD?

Advice for best strategy: Our team wants to use AWS Airflow (which is quite new). Pulumi doesn’t yet accomodate for that service, so we have decided to do the following: 1] Build another separate repository and corresponding Pulumi stack that handles only the provisioning and management of AWS Airflow through CloudFormation. 2] Keep our (mostly) monolithic project in its own repository and Pulumi stack BUT still be able reference and use some of the AWS resources (i.e. S3, VPC) made from #1 after all resources have been entirely and successfully deployed (via

pulumi up

). So, ideally #1 would occur first with its own

pulumi up

and then - after that entire deployment is complete - automatically do the same for #2 but somehow be able to be aware of and use resources that were changed/deleted/added from #1. Finally, being able to “tear” all this down in an automated way would be fantastic, but that’s secondary for now. What your advice for approaching this use-case?