aws
  • m

    mysterious-wolf-74677

    04/01/2021, 9:58 PM
    google hasn't come up with much, any ideas what I might need to do?
  • a

    acceptable-stone-35112

    04/02/2021, 11:10 AM
    I am using elasticache ReplicationGroup with atRestEncryptionEnabled=true and kmsId of key created in same stack. It seems like on every pulumi up (even when not changing anything at all) it identifies [diff: ~kmsKeyId] and decides to replace the replication group. I tested it many times and quite sure it's consistent. Is it a known issue? I don't like the idea of ignoring the kmsId
  • p

    purple-jelly-68780

    04/03/2021, 12:41 AM
    Is there a way to get the awsx.lb.ApplicationListener resource to not create security group rules? Even when I specifically pass a security group, it still adds additional rules to that SG to allow all traffic to the specified port. I'm trying to lock down the endpoint to specific CIDR blocks for now. I'll post code and pulumi output in the thread
  • f

    fresh-summer-65887

    04/03/2021, 6:23 PM
    Is it possible to set an aws provider's endpoints (ProviderArgs.Endpoints) via config yaml? Or do I have to new up Provider and set the Endpoints manually? (I've trawled the docs, can't find anything regarding this).
  • a

    agreeable-ram-97887

    04/03/2021, 8:44 PM
    when trying to create EFS resources and associated MountTargets, Pulumi always wants to recreate the MountTargets on every pulumi up, even though the resources are not changing. It then runs into a block, since MountTargets are already created in each subnet, and finally errors out. Does anyone know how to avoid this? (relevant code can be seen in the thread)
  • c

    chilly-magazine-6129

    04/05/2021, 2:58 AM
    How can I use a Docker image that was created using buildAndPushImage as a base image for other images built the same way?
  • b

    busy-apartment-9626

    04/05/2021, 6:27 AM
    is there a way to cache values in a lambda by setting global variables with magic functions in Pulumi? Or do I need to resort to packaging lambdas manually?
  • s

    stocky-parrot-75654

    04/05/2021, 3:40 PM
    using the awsx.ecs.EC2Service, is it possible to have multiple PortMappings on a container? Given an application listener and network listener in the portmappings, only the first one ever registers the container with the target group.
  • s

    stocky-fireman-97153

    04/05/2021, 5:46 PM
    i have an edge-case-ish question about cross account permissions and pulumi’s autogenerated resource name suffixes: how do people deal with rebuilds that cause resource renames?
  • g

    green-musician-49057

    04/06/2021, 4:23 PM
    The Golang example for setting up CloudTrail and an S3 BucketPolicy does something a bit weird:
    Policy: pulumi.All(bucket.ID(), bucket.ID()).ApplyT(func(_args []interface{}) (string, error) {
    	bucketId := _args[0].(string)
    	bucketId1 := _args[1].(string)
    	// Policy fmt.Sprintf() here
    }
    Why is bucket.ID() repeated 2x in the pulumi.All(), and then assigned to two separate variables, bucketId and bucketId1? It's the same resource, so why does it need to be referenced 2x for the same policy doc? Is there some extra magic going on under the hood?
  • b

    broad-dog-22463

    04/06/2021, 7:24 PM
    @millions-furniture-75402 thanks again for another PR :D
  • e

    enough-leather-70274

    04/07/2021, 3:03 AM
    Hi folks - on creating a DirectoryService, AWS auto-generates a security group for the domain controllers. I need to amend the 15-odd rules in that group (replacing their default CIDR with our own prefix list). Trouble is pulumi's DirectoryService resource only gives me the security_group_id. There's a method called getSecurityGroup() but that doesn't actually seem to get a handle on the security group, but instead looks like a metadata object. I guess I really want the equivalent of the pulumi import command, but inline in my main script after creating the directory, so the script itself can amend the generated rules. What's the best way to achieve this?
  • w

    white-secretary-18260

    04/07/2021, 2:32 PM
    In changing an RDS instance size, pulumi schedules the change during the maintenance window. Is there a way to trigger it immediately?
  • h

    high-toddler-86766

    04/08/2021, 3:25 AM
    Has anyone got this kind of issue while creating eks nodegroup using pulumi-eks module?
    Type                             Name                                                Status                  Info
         pulumi:pulumi:Stack              test01-eks_cluster                                **failed**              2 errors; 65 messages
         ├─ eks:index:Cluster             custom-pulumi-test-eks-cluster-01
         │  └─ aws:eks:Cluster            custom-pulumi-test-eks-cluster-01-eksCluster
     +   ├─ eks:index:NodeGroup           eks-nodegroup-01                                    created
     +   │  ├─ eks:index:RandomSuffix     eks-nodegroup-01-cfnStackName                       created
     +   │  ├─ aws:ec2:SecurityGroup      eks-nodegroup-01-nodeSecurityGroup                  created
     +   │  ├─ aws:ec2:SecurityGroupRule  eks-nodegroup-01-eksExtApiServerClusterIngressRule  **creating failed**     1 error
     +   │  ├─ aws:ec2:SecurityGroupRule  eks-nodegroup-01-eksNodeInternetEgressRule          created
     +   │  └─ aws:ec2:SecurityGroupRule  eks-nodegroup-01-eksNodeIngressRule                 created
         └─ aws:ec2:SecurityGroupRule     eks-nodegroup-01-eksClusterIngressRule              **failed**              1 error
    
    Diagnostics:
      aws:ec2:SecurityGroupRule (eks-nodegroup-01-eksClusterIngressRule):
        error: aws:ec2/securityGroupRule:SecurityGroupRule resource 'eks-nodegroup-01-eksClusterIngressRule' has a problem: Required attribute is not set. Examine values at 'SecurityGroupRule.SecurityGroupId'.
    code:
    import pulumi_eks as eks
    eks_nodegroup = eks.NodeGroup("eks-nodegroup-01",
                                   cluster=eks_cluster.name)
  • h

    happy-window-83182

    04/08/2021, 3:52 AM
    Hey y'all 👋 I've got a set of ECS services and task definitions defined via Pulumi. I'd like to integrate those into a deploy process when a new docker image is available. Should I be using Pulumi to do this? Currently, every time I run pulumi up, it replaces all the container definitions and thus triggers a deploy to the ECS service, even if the docker image itself hasn't changed. I'm not sure why Pulumi is thinking something has changed. This is making me wonder if I should even be doing this, or should I be updating the task definition separately for deploys?
  • m

    mysterious-oyster-86659

    04/08/2021, 6:03 PM
    Hi Everyone! Is there a way to disable the random hex string appending to objects on resource-by-resource basis?
  • m

    mysterious-oyster-86659

    04/09/2021, 6:39 PM
    Hi All, I'm having trouble with aws.glue.crawler docs. How do I configure and provision a TS Glue Crawler resource with recrawlPolicy property set to CRAWL_NEW_FOLDERS_ONLY? Here's what I have so far:
    export const fooGlueCrawlerJsonRaw = new aws.glue.Crawler(
            "fooGlueCrawlerJsonRaw", 
            {
                name: "fooGlueCrawlerJsonRaw",
                role: glue.glueJobRole.arn,
                databaseName: fooGlueDatabaseRaw.name,
                classifiers: [housingRawGlueClassifier.name],
                recrawlPolicy: "CRAWL_NEW_FOLDERS_ONLY",
                s3Targets: [{path: `${path1}foo1.json`,},
                            {path: `${path2}foo2.json`},
                            {path: `${path3}foo3.json`},
                            {path: `${path4}foo4.json`},],
                tags: tags(),
            },
            {deleteBeforeReplace: true},
            );
  • v

    victorious-sugar-42620

    04/09/2021, 6:41 PM
    Hey, I am having a problem with SecurityGroups
    [WARN] A duplicate Security Group rule was found on (sg-example). This may be a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each other in the state.
    but the only way I managed to work around this is: Delete conflicting rule -> pulumi up -> Recreate conflicting rule manually. Should I set the sourceSecurityGroupId?
  • l

    lemon-machine-35564

    04/09/2021, 7:26 PM
    Hey all - API Gateway/Crosswalk question. We need to be able to access requestParameters for our method/routes. We can do this via the AWS Console but can’t figure it out via Crosswalk. I see that is an option on Method/Integration, but I don’t see Crosswalk creating a Method/Integration.
  • e

    enough-leather-70274

    04/12/2021, 9:25 AM
    Hi folks - I'm creating a lambda function by using the s3_bucket, s3_key and s3_object_version args. I can get pulumi to update the bucket object successfully with fresh code, but it doesn't recognise the lambda resource itself needs updating, so skips it altogether. Is there a way to force pulumi to always update the lambda with the latest code?
  • w

    wonderful-napkin-50018

    04/12/2021, 4:32 PM
    I have setup ECS with an ALB and a Route53 record. Now I want to switch to HTTPS. Afaik I can generate an ACM certificate provided by Amazon for my domain, right? Can someone point me in the direction of a pulumi code example on how to do this? All I could find in the docs were separate snippets that don't tell the whole story.
  • l

    late-father-1105

    04/13/2021, 8:22 AM
    I started to test pulumi with AWS and by accident got pulumi to disconnect while creating an EKS cluster. The cluster was created but pulumi could not recognize it. I tried to use the refresh command, but it seems like it does not pull information from AWS about what resources are created. Pulumi can only know about resources that it connects with URN. Is there a way to ask pulumi to pull the correct state from AWS? I could start adding tags with a UUID to every component (basically like the URN) and use Get functions of resources to look for those who were created, but this is less than ideal.
  • c

    cold-yacht-45876

    04/13/2021, 10:29 AM
    Hi, has anyone seen this error before? I can connect to AWS using the aws cli, but pulumi destroy fails (pulumi v2.24.1):
  • w

    wonderful-napkin-50018

    04/13/2021, 11:04 AM
    I have a weird issue with awsx. I am setting up an ALB with a HTTPS listener that forwards to a HTTP target in ECS. But awsx generates the wrong security group rules, which causes the health checks to fail. This is my code:
    const caddyTargetGroup = alb.createTargetGroup('caddy', {
      vpc,
      port: 80,
      protocol: 'HTTP',
    });
    
    const caddyHttpsListener = caddyTargetGroup.createListener(
      'caddyHttps',
      { protocol: 'HTTPS', port: 443, certificateArn: certificate.arn },
      { dependsOn: [domainVerificationRecord] }
    );
    The created security group for the ALB allows inbound and outbound traffic on port 443, but I need outbound traffic on port 80 obviously, or the listener cannot reach the container on port 80. When I change this by hand to port 80 in the SG it works. Is this a bug in pulumi or am I missing something?
  • c

    cold-yacht-45876

    04/13/2021, 7:43 PM
    Hi, I've previously used an explicit provider for resources in a stack:
    const role = new aws.iam.Role(`role-name`, {
          assumeRolePolicy: '...'
        },
        {
          provider
        });
    Now I'd like to remove the provider option to use the default provider, but now pulumi wants to replace the resource:
    const role = new aws.iam.Role(`role-name`, {
          assumeRolePolicy: '...'
        });
    Is there a way around this, or am I stuck with keeping the explicit provider or accepting the replace operation? Not that big of a deal for this particular resource, but it's worse for stuff like databases, queues, etc.
  • c

    cold-yacht-45876

    04/13/2021, 9:05 PM
    Hi, I'm working with aws iot, using the TopicRule pulumi resource, and would like to configure something like the following (see attached image from the aws console): Multiple actions of the same type (in this example, a matching rule will send the message to two different sqs queues). The TopicRule resource in pulumi does not seem to allow more than one action of the same type (at least to my knowledge). Anyone know if that's possible in pulumi?
  • d

    damp-school-17708

    04/14/2021, 8:13 AM
    One possibly silly question, is the FileArchive on a folder slower than a FileArchive on a zip?
    const docsHandlerFunc = new aws.lambda.Function("docsHandlerFunc", {
       // Upload the code for our Lambda from the "./app" directory:
       code: new pulumi.asset.AssetArchive({
          ".": new pulumi.asset.FileArchive("./app"),
       }),
       runtime: "nodejs12.x",
       role: docsHandlerRole.arn,
    });
  • g

    gifted-island-55702

    04/14/2021, 10:55 AM
    Hi everyone! Is it correct that aws.secretsmanager.getSecretVersion returns an object that doesn't mark secretBinary and secretString as sensitive values? I am using them as input values to my resources managed with a dynamic provider and it seems the input that got the value from GetSecretVersionResult.secretString is stored in the state unencrypted. It seems like a bug in the GetSecretVersion datasource.
  • b

    bumpy-laptop-30846

    04/14/2021, 4:52 PM
    Hi all, I deploy an app with a LB service. Pulumi waits for it and then I want to do something with the service status. In this second step, I then need pulumi to manage another resource (actually a route53 record). Does pulumi manage this multi step / asynchronous architecture? Currently, if the record is already there, I get an error: * [ERR]: Error building changeset: InvalidChangeBatch: [Tried to create resource record set [name=‘xxxxx’, type=‘A’] but it already exists] I don’t see a way to check if the record exists beforehand. Any idea on how to not have the app fail? Actually it’s more a general question even if my use case is with aws resources.
  • l

    lemon-machine-35564

    04/16/2021, 5:15 PM
    Hey all - I have a security group rule I’m creating and I want it to be deleted before it’s created:
    new aws.ec2.SecurityGroupRule(
      `bastion-rule-` + env,
      {
        type: 'ingress',
        toPort: 0,
        protocol: '-1',
        fromPort: 0,
        securityGroupId: vpc.vpc.defaultSecurityGroupId,
        sourceSecurityGroupId: bastionSecGroup.id
      },
      { deleteBeforeReplace: true }
    );
But that doesn’t seem to be happening because I get:
View Live: <https://app.pulumi.com/xxxx/xxx-xxx-vpc/development/updates/49>

     Type                          Name                                 Status                  Info
     pulumi:pulumi:Stack           xxx-foundations-vpc-development  **failed**              1 error
 +   └─ aws:ec2:SecurityGroupRule  bastion-rule-2137                    **creating failed**     1 error
 
Diagnostics:
  aws:ec2:SecurityGroupRule (bastion-rule-2137):
    error: 1 error occurred:
    	* [WARN] A duplicate Security Group rule was found on (sg-059e66fdf2c37c5ac). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
    information and instructions for recovery. Error message: the specified rule "peer: sg-06987771897f711dd, ALL, ALLOW" already exists
So you can see it’s trying to create the rule before deleting it. Does deleteBeforeReplace not work in some places?
b

billowy-army-68599

04/16/2021, 5:21 PM
are they both defined inside Pulumi?
l

lemon-machine-35564

04/16/2021, 5:23 PM
I’m just changing the name of it via env
So the code is exactly the same, env just changed
So it tries to create the rule, but it’s already there and crashes. I was hoping deleteBeforeReplace would delete the rule first and then re-add it
b

billowy-army-68599

04/16/2021, 5:25 PM
it should, yes, but your error message indicates there might be a security group rule defined outside Pulumi?
l

lemon-machine-35564

04/16/2021, 5:25 PM
There should not be, no
I’ll check though
Yeah no, it’s just that it’s trying to add the rule before it deletes the old one
The rules are the same, only the name of the resource is changing.
b

billowy-army-68599

04/16/2021, 5:33 PM
can you open an issue in pulumi-aws?
l

lemon-machine-35564

04/16/2021, 5:33 PM
Yeah no problem, thanks!
https://github.com/pulumi/pulumi-aws/issues/1451