mysterious-wolf-74677
04/01/2021, 9:58 PM
acceptable-stone-35112
04/02/2021, 11:10 AM
purple-jelly-68780
04/03/2021, 12:41 AM
awsx.lb.ApplicationListener resource to not create security group rules? Even when I specifically pass a security group, it still adds additional rules to that SG to allow all traffic to the specified port. I'm trying to lock down the endpoint to specific CIDR blocks for now. I'll post code and pulumi output in the thread
fresh-summer-65887
04/03/2021, 6:23 PM
ProviderArgs.Endpoints) via config yaml? Or do I have to new up Provider and set the Endpoints manually? (I've trawled the docs, can't find anything regarding this).
agreeable-ram-97887
04/03/2021, 8:44 PM
pulumi up, even though the resources are not changing. It then runs into a block, since MountTargets are already created in each subnet, and finally errors out. Does anyone know how to avoid this? (relevant code can be seen in the thread)
chilly-magazine-6129
04/05/2021, 2:58 AM
busy-apartment-9626
04/05/2021, 6:27 AM
stocky-parrot-75654
04/05/2021, 3:40 PM
stocky-fireman-97153
04/05/2021, 5:46 PM
green-musician-49057
04/06/2021, 4:23 PM
    Policy: pulumi.All(bucket.ID(), bucket.ID()).ApplyT(func(_args []interface{}) (string, error) {
        bucketId := _args[0].(string)
        bucketId1 := _args[1].(string)
        // Policy fmt.Sprintf() here
    }
Why is bucket.ID() repeated 2x in the pulumi.All(), and then assigned to two separate variables, bucketId and bucketId1? It's the same resource, so why does it need to be referenced 2x for the same policy doc? Is there some extra magic going on under the hood?
broad-dog-22463
04/06/2021, 7:24 PM
enough-leather-70274
04/07/2021, 3:03 AM
security_group_id. There's a method called getSecurityGroup() but that doesn't actually seem to get a handle on the security group, but instead looks like a metadata object. I guess I really want the equivalent of pulumi import command, but inline in my main script after creating the directory, so the script itself can amend the generated rules.
What's the best way to achieve this?
white-secretary-18260
04/07/2021, 2:32 PM
high-toddler-86766
04/08/2021, 3:25 AM
Type Name Status Info
pulumi:pulumi:Stack test01-eks_cluster **failed** 2 errors; 65 messages
├─ eks:index:Cluster custom-pulumi-test-eks-cluster-01
│ └─ aws:eks:Cluster custom-pulumi-test-eks-cluster-01-eksCluster
+ ├─ eks:index:NodeGroup eks-nodegroup-01 created
+ │ ├─ eks:index:RandomSuffix eks-nodegroup-01-cfnStackName created
+ │ ├─ aws:ec2:SecurityGroup eks-nodegroup-01-nodeSecurityGroup created
+ │ ├─ aws:ec2:SecurityGroupRule eks-nodegroup-01-eksExtApiServerClusterIngressRule **creating failed** 1 error
+ │ ├─ aws:ec2:SecurityGroupRule eks-nodegroup-01-eksNodeInternetEgressRule created
+ │ └─ aws:ec2:SecurityGroupRule eks-nodegroup-01-eksNodeIngressRule created
└─ aws:ec2:SecurityGroupRule eks-nodegroup-01-eksClusterIngressRule **failed** 1 error
Diagnostics:
aws:ec2:SecurityGroupRule (eks-nodegroup-01-eksClusterIngressRule):
error: aws:ec2/securityGroupRule:SecurityGroupRule resource 'eks-nodegroup-01-eksClusterIngressRule' has a problem: Required attribute is not set. Examine values at 'SecurityGroupRule.SecurityGroupId'.
code:
    import pulumi_eks as eks
    eks_nodegroup = eks.NodeGroup("eks-nodegroup-01",
                                  cluster=eks_cluster.name)
happy-window-83182
04/08/2021, 3:52 AM
pulumi up, it replaces all the container definitions and thus triggers a deploy to the ECS service, even if the docker image itself hasn't changed. I'm not sure why Pulumi is thinking something has changed.
This is making me wonder if I should even be doing this, or should I be updating the task definition separately for deploys?
mysterious-oyster-86659
04/08/2021, 6:03 PM
mysterious-oyster-86659
04/09/2021, 6:39 PM
aws.glue.crawler docs. How do I configure and provision a TS Glue Crawler resource with recrawlPolicy property set to CRAWL_NEW_FOLDERS_ONLY?
Here's what I have so far:
    export const fooGlueCrawlerJsonRaw = new aws.glue.Crawler(
      "fooGlueCrawlerJsonRaw",
      {
        name: "fooGlueCrawlerJsonRaw",
        role: glue.glueJobRole.arn,
        databaseName: fooGlueDatabaseRaw.name,
        classifiers: [housingRawGlueClassifier.name],
        recrawlPolicy: "CRAWL_NEW_FOLDERS_ONLY",
        s3Targets: [
          {path: `${path1}foo1.json`},
          {path: `${path2}foo2.json`},
          {path: `${path3}foo3.json`},
          {path: `${path4}foo4.json`},
        ],
        tags: tags(),
      },
      {deleteBeforeReplace: true},
    );
victorious-sugar-42620
04/09/2021, 6:41 PM
[WARN] A duplicate Security Group rule was found on (sg-example). This may be a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each other in the state.
but the only way I managed to work around this is: Delete conflicting rule -> pulumi up -> Recreate conflicting rule manually. Should I set the sourceSecurityGroupId?
lemon-machine-35564
04/09/2021, 7:26 PM
requestParameters for our method/routes. We can do this via the AWS Console but can’t figure it out via Crosswalk. I see that is an option on Method/Integration, but I don’t see Crosswalk creating a Method/Integration.
enough-leather-70274
04/12/2021, 9:25 AM
wonderful-napkin-50018
04/12/2021, 4:32 PM
late-father-1105
04/13/2021, 8:22 AM
cold-yacht-45876
04/13/2021, 10:29 AM
wonderful-napkin-50018
04/13/2021, 11:04 AM
    const caddyTargetGroup = alb.createTargetGroup('caddy', {
      vpc,
      port: 80,
      protocol: 'HTTP',
    });
    const caddyHttpsListener = caddyTargetGroup.createListener(
      'caddyHttps',
      { protocol: 'HTTPS', port: 443, certificateArn: certificate.arn },
      { dependsOn: [domainVerificationRecord] }
    );
The created security group for the ALB allows inbound and outbound traffic on port 443, but I need outbound traffic on port 80 obviously, or the listener cannot reach the container on port 80. When I change this by hand to port 80 in the SG it works. Is this a bug in pulumi or am I missing something?
cold-yacht-45876
04/13/2021, 7:43 PM
    const role = new aws.iam.Role(`role-name`, {
      assumeRolePolicy: '...'
    },
    {
      provider
    });
Now I'd like to remove the provider option to use the default provider, but now pulumi wants to replace the resource:
    const role = new aws.iam.Role(`role-name`, {
      assumeRolePolicy: '...'
    });
Is there a way around this, or am I stuck with keeping the explicit provider or accepting the replace operation? Not that big of a deal for this particular resource, but it's worse for stuff like databases, queues, etc.
cold-yacht-45876
04/13/2021, 9:05 PM
damp-school-17708
04/14/2021, 8:13 AM
    const docsHandlerFunc = new aws.lambda.Function("docsHandlerFunc", {
      // Upload the code for our Lambda from the "./app" directory:
      code: new pulumi.asset.AssetArchive({
        ".": new pulumi.asset.FileArchive("./app"),
      }),
      runtime: "nodejs12.x",
      role: docsHandlerRole.arn,
    });
gifted-island-55702
04/14/2021, 10:55 AM
secretBinary and secretString as sensitive values? I am using them as input values to my resources managed with a dynamic provider and it seems the input that got the value from GetSecretVersionResult.secretString is stored in the state unencrypted. It seems like a bug in the GetSecretVersion datasource.
bumpy-laptop-30846
04/14/2021, 4:52 PM
lemon-machine-35564
04/16/2021, 5:15 PM
    new aws.ec2.SecurityGroupRule(
      `bastion-rule-` + env,
      {
        type: 'ingress',
        toPort: 0,
        protocol: '-1',
        fromPort: 0,
        securityGroupId: vpc.vpc.defaultSecurityGroupId,
        sourceSecurityGroupId: bastionSecGroup.id
      },
      { deleteBeforeReplace: true }
    );