google hasn't come up with much, any ideas what I might need to do?

I am using elasticache ReplicationGroup with atRestEncryptionEnabled=true and kmsId of key created in same stack. It seems like on every pulumi up (even when not changing anything at all) it identifies [diff: ~kmsKeyId] and decides to replace the replication group. I tested it many times and quite sure its consistent. Is it a known issue? I don't like the idea of ignoring the kmsId

Is there a way to get the

<http://awsx.lb|awsx.lb>.ApplicationListener

resource to not create security group rules? Even when I specifically pass a security group, it still adds additional rules to that SG to allow all traffic to the specified port. I'm trying to lock down the endpoint to specific CIDR blocks for now. I'll post code and pulumi output in the thread

Is it possible to set an aws provider's endpoints (

ProviderArgs.Endpoints

) via config yaml? Or do I have to new up

Provider

and set the Endpoints manually? (I've trawled the docs, can't find anything regarding this).

when trying to create an EFS resources and associated MountTargets, Pulumi always wants to recreate the MountTargets on every

pulumi up

, even though the resources are not changing. It then runs into a block, since MountTargets are already created in each subnet, and finally errors out. Does anyone know how to avoid this? (relevant code can be seen in the thread)

How can I use a Docker image that was created using buildAndPushImage as a base image for other images built the same way?

is there a way to cache values in a lambda by setting global variables with magic functions in Pulumi? Or do I need to resort to packaging lambdas manually?

using the awsx.ecs.EC2Service, is it possible to have multiple PortMappings on a container? Given an application listener and network listener in the portmappings, only the first one ever registers the container with the target group.

i have an edge-case-ish question about cross account permissions and pulumi’s autogenerated resource name suffixes: how do people deal with rebuilds that cause resource renames?

The Golang example for setting up CloudTrail and an S3 BucketPolicy does something a bit weird:

Policy: pulumi.All(bucket.ID(), bucket.ID()).ApplyT(func(_args []interface{}) (string, error) {
	bucketId := _args[0].(string)
	bucketId1 := _args[1].(string)
	// Policy fmt.Sprintf() here
}

Why is

bucket.ID()

repeated 2x in the

pulumi.All()

, and then assigned to two separate variables,

bucketId

and

bucketId1

? It's the same resource, so why does it need to be referenced 2x for the same policy doc? Is there some extra magic going on under the hood?

@millions-furniture-75402 thanks again for another PR "D

Hi folks - on creating a DirectoryService, AWS auto-generates a security group for the domain controllers. I need to amend the 15-odd rules in that group (replacing their default CIDR with our own prefix list). Trouble is pulumi's DirectoryService resource only gives me the

security_group_id

. There's a method called getSecurityGroup() but that doesn't actually seem to get a handle on the security group, but instead looks like a metadata object. I guess I really want the equivalent of

pulumi import

command, but inline in my main script after creating the directory, so I the script itself can amend the generated rules. What's the best way to achieve this?

In changing an RDS instance size, pulumi schedules the change during the maintenance window. Is there a way to trigger it immediately?

Has anyone got this kind of issue while creating eks nodegroup using pulumi-eks module ?

Type                             Name                                                Status                  Info
     pulumi:pulumi:Stack              test01-eks_cluster                                **failed**              2 errors; 65 messages
     ├─ eks:index:Cluster             custom-pulumi-test-eks-cluster-01
     │  └─ aws:eks:Cluster            custom-pulumi-test-eks-cluster-01-eksCluster
 +   ├─ eks:index:NodeGroup           eks-nodegroup-01                                    created
 +   │  ├─ eks:index:RandomSuffix     eks-nodegroup-01-cfnStackName                       created
 +   │  ├─ aws:ec2:SecurityGroup      eks-nodegroup-01-nodeSecurityGroup                  created
 +   │  ├─ aws:ec2:SecurityGroupRule  eks-nodegroup-01-eksExtApiServerClusterIngressRule  **creating failed**     1 error
 +   │  ├─ aws:ec2:SecurityGroupRule  eks-nodegroup-01-eksNodeInternetEgressRule          created
 +   │  └─ aws:ec2:SecurityGroupRule  eks-nodegroup-01-eksNodeIngressRule                 created
     └─ aws:ec2:SecurityGroupRule     eks-nodegroup-01-eksClusterIngressRule              **failed**              1 error

Diagnostics:
  aws:ec2:SecurityGroupRule (eks-nodegroup-01-eksClusterIngressRule):
    error: aws:ec2/securityGroupRule:SecurityGroupRule resource 'eks-nodegroup-01-eksClusterIngressRule' has a problem: Required attribute is not set. Examine values at 'SecurityGroupRule.SecurityGroupId'.

code:

import pulumi_eks as eks
eks_nodegroup = eks.NodeGroup("eks-nodegroup-01",
                               cluster=eks_cluster.name)

Hey ya'll 👋 I've got a set of ECS services and task definitions defined via Pulumi. I'd like to integrate those into a deploy process when a new docker image is available. Should I be using Pulumi to do this? Currnetly, every time I run

pulumi up

, it replaces all the container definitions and thus triggers a deploy to the ECS service, even if the docker image itself hasn't changed. I'm not sure why Pulumi is thinking something has changed. This is making me wonder if I should even be doing this, or should I be updating the task definition separately for deploys?

Hi Everyone! Is there a way to disable the random hex string appending to objects on resource-by-resource basis?

Hi All, I'm having trouble with

aws.glue.crawler

docs. How do I configure and provision a TS Glue Crawler resource with

recrawlPolicy

property set to

CRAWL_NEW_FOLDERS_ONLY

? Here's what I have so far:

export const fooGlueCrawlerJsonRaw = new aws.glue.Crawler(
        "fooGlueCrawlerJsonRaw", 
        {
            name: "fooGlueCrawlerJsonRaw",
            role: glue.glueJobRole.arn,
            databaseName: fooGlueDatabaseRaw.name,
            classifiers: [housingRawGlueClassifier.name],
            recrawlPolicy: "CRAWL_NEW_FOLDERS_ONLY",
            s3Targets: [{path: `${path1}foo1.json`,},
                        {path: `${path2}foo2.json`},
                        {path: `${path3}foo3.json`},
                        {path: `${path4}foo4.json`},],
            tags: tags(),
        },
        {deleteBeforeReplace: true},
        );

Hey, I am having a problem with SecurityGroups

[WARN] A duplicate Security Group rule was found on (sg-example). This may be a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each other in the state.

but the only way I managed to work around this is: Delete conflicting rule -> pulumi up -> Recreate conflicting rule manually. Should I set the

sourceSecurityGroupId

?

Hey all - API Gateway/Crosswalk question. We need to be able to access

requestParameters

for our method/routes. We can do this via the AWS Console but can’t figure it out via Crosswalk. I see that is an option on Method/Integration, but I don’t see Crosswalk creating a Method/Integration.

Hi folks - I'm creating a lambda function by using the s3_bucket, s3_key and s3_object_version args. I can get pulumi to update the bucket object successfully with fresh code, but it doesn't recognise the lambda resource itself needs updating, so skips it altogether. Is there a way to force pulumi to always update the lambda with the latest code?

I have setup ECS with an ALB and a Route53 record. Now I want to switch to HTTPS. Afaik I can generate an ACM certificate provided by Amazon for my domain, right? Can someone point me in the direction of a pulumi code example on how to do this? All I could find in the docs were separate snippets that don't tell the whole story.

I started to test pulumi with AWS and by accident got pulumi to disconnect while creating an EKS cluster. The cluster was created but pulumi could not recognize it. I tried to use the refresh command, but it seems like it does not pull information from AWS about what resources are created. Pulumi can only know about resources that it connects with URN. Is there a way to ask pulumi to pull the correct state from AWS? I could start adding tags with a UUID to every component (basically like the URN) and use Get functions of resources to look for those who were created, but this is less then ideal.

Hi, have anyone seem this error before? I can connect to AWS using the aws cli, but pulumi destroy fails (pulumi v2.24.1):

I have a weird issue with awsx. I am setting up an ALB with a HTTPS listener that forwards to a HTTP target in ECS. But awsx generates the wrong security group rules, which causes the health checks to fail. This is my code:

const caddyTargetGroup = alb.createTargetGroup('caddy', {
  vpc,
  port: 80,
  protocol: 'HTTP',
});

const caddyHttpsListener = caddyTargetGroup.createListener(
  'caddyHttps',
  { protocol: 'HTTPS', port: 443, certificateArn: certificate.arn },
  { dependsOn: [domainVerificationRecord] }
);

The created security group for the ALB allow inbound and outbound traffic on port 443, but I need outbound traffic on port 80 obviously, or the listener cannot reach the container on port 80. When I change this by hand to port 80 in the SG it works. Is this a bug in pulumi or am I missing something?

Hi, I've previously used an explicit provider for resources in a stack:

const role = new aws.iam.Role(`role-name`, {
      assumeRolePolicy: '...'
    },
    {
      provider
    });

Now I'd like to remove the provider option to use the default provider, but now pulumi wants to replace the resource:

const role = new aws.iam.Role(`role-name`, {
      assumeRolePolicy: '...'
    });

Is there a way around this, or am I stuck with keeping the explicit provider or accepting the replace operation? Not that big of a deal for this particular resource, but it's worse for stuff like databases, queues, etc.

Hi, I'm working with aws iot, using the TopicRule pulumi resource, and would like to configure something like the following (see attached image from the aws console): Multiple actions of the same type (in this example, a matching rule will send the message to two different sqs queues). The TopicRule resource in pulumi does not seem to allow more than one action of the same type (at least to my knowledge). Anyone know if that's possible in pulumi?

One possibly silly question, is the FileArchive on a folder slower than a FileArchive on a zip?

const docsHandlerFunc = new aws.lambda.Function("docsHandlerFunc", {
   // Upload the code for our Lambda from the "./app" directory:
   code: new pulumi.asset.AssetArchive({
      ".": new pulumi.asset.FileArchive("./app"),
   }),
   runtime: "nodejs12.x",
   role: docsHandlerRole.arn,
});

Hi everyone! Is it correct that aws.secretsmanager.getSecretVersion returns an object that doesn't mark

secretBinary

and

secretString

as sensitive values? I am using them as input values to my resources managed with a dynamic provider and it seems the input that got the value from

GetSecretVersionResult.secretString

is stored in the state unencrypted. It seems like a bug in the GetSecretVersion datasource.

Hi all, I deploy an app with a LB service. Pulumi waits for it and then I want to do something with the service status. In this second step, I then need pulumi to manage another resource (acutally a route53 record). Does pulumi manage this multi step / asynchronous architecture? Currently, if the record is already there, I get an error: * [ERR]: Error building changeset: InvalidChangeBatch: [Tried to create resource record set [name=‘xxxxx’, type=‘A’] but it already exists] I don’t see a way to check if the record exists beforehand. Any idea on how to not have the app fail? Actually it’s more a general question even if my use case is with aws resources.

Hey all - I have a security group rule I’m creating and I want it to be deleted before it’s created:

new aws.ec2.SecurityGroupRule(
  `bastion-rule-` + env,
  {
    type: 'ingress',
    toPort: 0,
    protocol: '-1',
    fromPort: 0,
    securityGroupId: vpc.vpc.defaultSecurityGroupId,
    sourceSecurityGroupId: bastionSecGroup.id
  },
  { deleteBeforeReplace: true }
);