Hi, I'm trying to setup aws cognito with Pulumi. I have successfully created and configured a user pool, but I'm stuck with: 1. Defining the preTokenGeneration lambda 2. Configuring the user pool to use the preTokenGeneration lambda Is there a guide/example on doing this?

Hey, Is GetRecordSet exists in AWS Node SDK? https://www.pulumi.com/docs/reference/pkg/aws/route53/

Am I correct in interpreting from this issue https://github.com/pulumi/pulumi/issues/6547 that it is not possible to import a volume?

A docs question. For

aws.cognito.UserPoolClient("client", user_pool_id=pool.id)

I can’t actually get the client to use cognito as an id provider unless I do

aws.cognito.UserPoolClient("client", user_pool_id=pool.id, supported_identity_providers=["COGNITO"]

… and the use of

COGNITO

as an arg is documented nowhere as far as I can tell. Am I misunderstanding how the method

userPoolClient

works? Or can we update the docs to link to the aws docs where I found this was an option as it is nowhere in the pulumi / terraform example code or docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html

Hey guys - getting an error when trying to delete a specific resource with the Pulumi cli. Trying to run

pulumi destroy --target urn:pulumi:dev::database::aws:rds/cluster:Cluster::aurora-cluster --target-dependents

but getting the following error:

error: Cannot delete parent resource 'urn:pulumi:dev::database::aws:rds/cluster:Cluster::aurora-cluster' without also deleting child 'urn:pulumi:dev::database::aws:rds/cluster:Cluster$aws:cloudwatch/metricAlarm:MetricAlarm::chumba-casino-dev-uptime-alarm'

Unsure why its failing on removing child resources when the

--target-dependents

toggle is being used.

I'm making some progress learning how to setup an ECS cluster. How do I configure a

FargateService

to allow me to ssh into the running container? I assume I need to assign a key pair somehow, but I can't find the right place to do that.

Hello, just getting started on the Slack here, we have a question with @colossal-camera-57941 about running nodeJs task on aws from an image ( using .fromFunction ); we’re not sure how to import others npm packages into this function. Is it here the right place to ask for that?

Anybody knows how to using pulumi CLI to import an existing lambda function? Any help will be appreciated.

Here is the command I use and the error result: "pulumi import awslambda/functionFunction mylambda MyLambda" awslambdaFunction (mylambda): error: Preview failed: diffing urnpulumidev:import s3awslambda/functionFunctionmylambda handler and runtime must be set when PackageType is Zip

here "import_s3" is just project name. I used the same project for importing a s3 bucket and it worked well.

Hi, folks! I’m having a devil of a time determining which missing AWS IAM action(s) are causing a fail when I run

pulumi up

or

pulumi destroy

. Is there any way to log the exact AWS API request or AWS error reply ? Pulumi gives me an error like “*Error reading new Lambda permissions: AccessDeniedException: status code: 403, request id: 22b39a15-7ff2-4fda-abf4-e7b057e073ef*” , but I’m looking for something to tell me which IAM action(s) I need to add to my IAM role (such as “`lambda:listFunctions`”). I don’t want to just use “`lambda:*`” for security reasons. I don’t know if the vague error message is coming from AWS or Pulumi. Any ideas? (-v=9 did not log the details I seek.) Thanks!

Hi guys, I’m trying create a folder into AWS S3 bucket but I do not have success yet, I’m using that code in Python:

s3.BucketObject("obj", bucket=bucket.id, source=pulumi.AssetArchive({"folder": pulumi.FileArchive("./segment-logs")}))

Can someone help me in figure out it?

Hi, I'm trying to setup a Fargate service using

pulumi/awsx

. Here's the relevant part of the Pulumi program:

// Create an ALB associated with the default VPC listening to HTTP traffic on port 80.
const lb = new awsx.lb.ApplicationListener("flatzone-sk-strapi-lb", {
  external: true,
  protocol: "HTTP",
  port: 80,
  targetGroup: {
    protocol: "HTTP",
    port: 1337
  }
});

// Create an ECS service containing a Strapi task running on Fargate.
const service = new awsx.ecs.FargateService("flatzone-sk-strapi-svc", {
  cluster: cluster,
  taskDefinitionArgs: {
    container: {
      image: image,
      cpu: 256,
      memory: 1024,
      portMappings: [ lb ]
    },
    executionRole: executionRole,
    logGroup: logGroup
  },
  desiredCount: 1
});

After deployment, I can't connect to the port 80 of the listener endpoint. I keep seeing this in the Events tab of the service:

0762c099-8eb3-4b80-aa6b-1282013cea6e
2021-05-07 21:45:26 +0200
service flatzone-sk-strapi-svc-8d4bf16 (port 1337) is unhealthy in target-group flatzone-sk-strapi-lb-78d9d12 due to (reason Health checks failed).
fdda0e3f-f1d9-4518-9fb8-81f37023a205
2021-05-07 21:42:30 +0200
service flatzone-sk-strapi-svc-8d4bf16 registered 1 targets in target-group flatzone-sk-strapi-lb-78d9d12
48ca16be-c96c-490e-b984-1ce03e2755f8
2021-05-07 21:41:49 +0200
service flatzone-sk-strapi-svc-8d4bf16 has started 1 tasks: task d1810b4141bf4af8a64e65b672007abb.
a8a501ed-7e2b-446d-b16c-9f7d1d1b0b4d
2021-05-07 21:41:38 +0200
service flatzone-sk-strapi-svc-8d4bf16 has stopped 1 running tasks: task 32808dc77f0149ddb251926417d45710.
7736ecad-8ebf-44a1-aedd-cbce2e1c0e72
2021-05-07 21:41:38 +0200
service flatzone-sk-strapi-svc-8d4bf16 deregistered 1 targets in target-group flatzone-sk-strapi-lb-78d9d12
a17597c4-a163-4dff-a17f-03263ea54b35
2021-05-07 21:41:38 +0200
service flatzone-sk-strapi-svc-8d4bf16 (port 1337) is unhealthy in target-group flatzone-sk-strapi-lb-78d9d12 due to (reason Request timed out).
22b214d3-0dd5-4dca-a80d-0ab7ccb485fa
2021-05-07 21:39:03 +0200
service flatzone-sk-strapi-svc-8d4bf16 registered 1 targets in target-group flatzone-sk-strapi-lb-78d9d12
3ba68e54-225d-41f3-acbe-53452d14c58d
2021-05-07 21:38:10 +0200
service flatzone-sk-strapi-svc-8d4bf16 has started 1 tasks: task 32808dc77f0149ddb251926417d45710.

The container is listening on port 1337 and I can connect to it using running tasks pubic IP, however the health check keeps failing. The weird thing is that when I change the listener port from 80 to 1337 by explicitely

port: 1337

then I can connect to the listener endpoint on 1337. I've spent half a day trying to get it to work but without success. What am I doing wrong? Thanks for help

I'm getting an error running

pulumi up

in a situation where there should be no changes:

Diagnostics:
  aws:elasticache:Cluster (example):
    error: unmarshaling urn:pulumi:dev::core::aws:elasticache/cluster:Cluster::example's instance state: could not read field snapshot_arns: '' expected type 'string', got unconvertible type '[]interface {}', value: '[]'

Does anyone know how to interpolate the id of another resource inside an S3 bucket policy? I'm trying to do the below, but the interpolation of the

originAccessIdentity.id

value is not working, and results in an error

Error putting S3 policy: MalformedPolicy: Policy has invalid principal

I can't seem to find an example anywhere that uses anything other than the bucket name in the policy.

const domain = "<mailto:testing@example.com|testing@example.com>";

const contentBucket = new aws.s3.Bucket("content-bucket", {
  bucket: domain,
  acl: "private",
  website: {
    indexDocument: "index.html",
    errorDocument: "index.html",
  },
  forceDestroy: true,
});

const originAccessIdentity = new aws.cloudfront.OriginAccessIdentity(
  "cloudfront-oai",
  {
    comment: pulumi.interpolate`OAI-${contentBucket.bucketDomainName}`,
  }
);

new aws.s3.BucketPolicy("bucket-policy", {
  bucket: contentBucket.bucket,
  policy: contentBucket.bucket.apply((bucketName) =>
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Sid: "CloudfrontAllow",
          Effect: "Allow",
          Principal: {
            AWS: pulumi.interpolate`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${originAccessIdentity.id}`,
          },
          Action: "s3:GetObject",
          Resource: `arn:aws:s3:::${bucketName}/*`,
        },
      ],
    })
  ),
});

Hi everyone. I’m trying to build an API Gateway RestApi. The problem that i am facing is that each file is trying (asynchronously) create a Resource/Method, without knowing if the path/resource already exist. E.g., someone creates

GET /path/abc

another creates

POST /path/abc

and another creates

GET /path/xyz

When Im trying to create them I don’t know if

path

(or

abc

) exists already or not. Pulumi’s documentation for

awsx.apigateway.API

shows that it receives the entire routes altogether, which I cannot do. and using

aws.apigateway.Resource

will fail if resource exists or not. Any thoughts?

cloudformation

allows the management of routes inside the Lambda declaration. Why is it not possible with Pulumi?

Greetings! Any update on the ElastiCache Redis snapshotArn issue? It is currently blocking us from upgrade to v3.0.0.

Does anyone know of a wrapper around the various supported EC2 user data formats? Something that will create MIME multiparts, cloud-init files, etc.?

How do I set up an S3 bucket to use SSE-S3 encryption? Apparently it's a requirement for ALB access logs. I can see how to do it in the console, but neither TF nor Pulumi docs are enlightening me....

Hey, is there a way to get the default subnet from the default Vpc and give it to a StateMachine definition? (with node)

Hi! Does anyone have any idea on how I can clean this up? This happens during a

pulumi destroy

. Do I have to resolve things manually in the AWS Console (e.g. by mapping the VPC to a different route table, or something)?

aws:ec2:RouteTable (development-vpc-route-table-public):
    error: deleting urn:pulumi:development::playground-infrastructure::aws:ec2/routeTable:RouteTable::development-vpc-route-table-public: 1 error occurred:
        * InvalidParameterValue: cannot disassociate the main route table association rtbassoc-035832433d2a099be
        status code: 400, request id: c0f480d9-abe5-472d-96f2-27c71a837aff

So after reading through this: AWS IAM Role vs Group I'm not entirely sure what would be better for a group of users. We're looking at implementing a group of users with least privileges, but doing it by giving them all a 'dev' role to assume, rather than a group. This seems reasonable but what's the best practice here? What advantages do AWS User Groups have over Roles or vice versa?

I've been trying to figure out why my EventRuleEventSubscription has so many RolePolicyAttachment resources that I can't add any of my own.

Hello, Is it possible to dynamically start / stop an existing ec2 instance? Pulumi up would start the instance, destroy would stop it, without destroying it? I don’t see how to do it with the api.

Hi all, I seem to get an error when Pulumi tries to update a Managed Prefix List:

error updating EC2 Managed Prefix List (pl-......): InvalidParameterValue: The specified value for version is not valid. The value must be greater than (1).

Am I doing something wrong, or is there a bug here somewhere? 😅 EDIT: Never mind, worked fine with Pulumi 3.2.1! (was on 2.23.1) EDIT: It failed with 3.2.1, too.. but works if I try again?! EDIT: It only pretends to work on the second attempt, but doesn't change anything..

Hey guys, need some help. I am creating an ec2 instance, it does get created but I’m unable to ssh into the instance.

import * as aws from "@pulumi/aws";

const size = "t2.small";

const group = new aws.ec2.SecurityGroup("metabase-security-group", {
    ingress: [
        { protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["0.0.0.0/0"], },
        { protocol: "tcp", fromPort: 80, toPort: 81, cidrBlocks: ["0.0.0.0/0"], },
        { protocol: "tcp", fromPort: 443, toPort: 443, cidrBlocks: ["0.0.0.0/0"], },
    ],
});

const deployerKeyPair = new aws.ec2.KeyPair("metabase-deployer", {
    publicKey: "<ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzTEEaJVG3RGdKhSo/VWBRX0uD+MMcCAtqqYZpFsdoyhJ/oZQgJas7AoazepSKUCge3B+7Flu7jLyesF7JrQm24c0aOkL2nXvOhVIt/8RrK/BuSmB942kXfcwfht01ANFh5Qnt+oMrPgVldtdAqLYMXZvYeGBFmknznbbEckl9rHcN7axN0cZk81SToyX6sr7QLNrPJXtdrOXvNAQe/GHuv5UdVk7k2o+YKqHJoR0ymprQ8VK9RvsboBjFhfMmHNBB5zvWo0NZCO/BWWEfq7JtIgF8HA1xdXkTux+UeRq2lxp9HljBVk1If1BqPURn6cttB2Zv9nUjU+qprIP7hwSf4E6hn+I9C4Vfl+yDtKnHjgf1OHfpaTtDG1WcKPubU5YN8dJUFZ6lOt5W865nnOgImjfeEOAtKr7xJciHaI3ZVE4w1xbWv2sRMdcDLzkMOknnDhqAMGU0/S7Uv2gYLoBGsg/EPmt0FLMrLXE/Kn7zzSFzW76RWoxEIqESZqH1ZQk= nikhil_shrv@nikhils-mbp\n>",
});

const server = new aws.ec2.Instance("metabase-instance", {
    instanceType: size,
    vpcSecurityGroupIds: [ group.id ],
    ami: 'ami-09e67e426f25ce0d7', // Ubuntu 20.04
    keyName: deployerKeyPair.keyName,
});

export const publicIp = server.publicIp;
export const publicHostName = server.publicDns;

That’s the script I’m using. Any ideas what I am doing wrong?

Hi all - need a quick sanity check. (I'm talking about a specific resource, but this might just be applicable to anything that accepts an Input of Sequence[SomethingArgs]) I'm wondering if it's idiomatic to mutate an `aws.ec2.SecurityGroup`'s

.ingress

(or

.egress

) after it's already been constructed - i.e.

ingress_rules: List[aws.ec2.SecurityGroupIngressArgs] = ...
security_group = aws.ec2.SecurityGroup(
    "SwarmSecurityGroup",
    ...
    ingress=ingress_rules,
)

# ... and later...
new_ingress_rule: aws.ec2.SecurityGroupIngressArgs = ...
# might need a .apply or something, but you get the gist - add something to this list
security_group.ingress = [new_ingress_rule, *security_group.ingress]

The problem is that

SecurityGroup#ingress

isn't of type IngressArgs, but an

outputs.SecurityGroupIngress

What makes me think this is forbidden: I could probably convert my IngressArgs into a SecurityGroupIngress, but the roundabout-ness of all this makes me wonder if I'm doing something wrong. What makes me think this is allowable: aws.ec2.SecurityGroup has getter-setters for

.ingress

(Thanks in advance!)

Regarding awsguard, why is the npm package

0.3.0

, but in GitHub it’s unreleased? https://www.npmjs.com/package/@pulumi/awsguard https://github.com/pulumi/pulumi-policy-aws/blob/master/CHANGELOG.md ? Also, this upgrades dependency MAJOR versions, I don’t think this should be released as a MINOR. It caused breaking changes https://github.com/pulumi/pulumi-policy-aws/commit/5b34b8fb4e10020052528d42643f72f96cbae597#diff-cc5a2f170768969f12410[…]d99a87a3a78fef4ab97bR13-R15

I'm trying to figure out how to reduce the default cloudwatch retention window for the Lambdas created through Pulumi. What's the right pattern / doc to follow? Thanks!