aws
  • w

    white-secretary-18260

    06/21/2021, 4:42 PM
    I am having an issue with loading the AWS plugin on Apple M1. I enter this:
    pulumi plugin install resource aws v3.32.0
    and I get this:
    error: [resource plugin aws-3.32.0] downloading from : 403 HTTP error fetching plugin from <https://get.pulumi.com/releases/plugins/pulumi-resource-aws-v3.32.0-darwin-arm64.tar.gz>
    CLI v3.5.1, using typescript npm modules: pulumi 2.22 and aws 3.32
  • c

    creamy-knife-93354

    06/22/2021, 8:12 AM
    Hey all! How can I work with AWS resources in different regions with Pulumi? Most of my resources are in the same region, but there is one specific resource (SES) that needs to be configured in a different one, due to feature availability.
  • g

    great-sunset-355

    06/22/2021, 10:30 AM
    Hi, is there a way to preserve a bucket object? I'm trying to replicate behaviour of
    eb cli
    that zips and uploads the app directory to S3 bucket and references that to EB environment. When I use this with
    pulumi
    it will manage the object and when it changes it deletes the old one and uploads a new version instead of preserving the old object. Do I need to write my own function with aws sdk to zip the file and upload or can pulumi do that for me? Thank you
    eb_app_archive = s3.BucketObject(
            f"app-archive-{ver}",
            bucket=eb_s3_bucket.id,
            key=f"jan-{ver}.zip",
            source=pulumi.FileArchive("../app"),
        )
  • p

    proud-pizza-80589

    06/22/2021, 5:52 PM
    Anyone have an example of an EKS cluster with aws-ebs-csi-driver enabled? Mostly struggling with the oidc service account part.
  • b

    billowy-whale-42059

    06/22/2021, 6:45 PM
    Any chance someone can re-trigger the aws provider publish github action ? goreleaser failed there, potentially due to a transient error: https://github.com/pulumi/pulumi-aws/actions/runs/961483494 Thanks a ton !
  • a

    adamant-dress-73325

    06/23/2021, 4:46 PM
    I seem to be getting unnecessary updates issued on S3.BucketObjects, whose file assets hashes haven't changed. Perhaps bug?
  • f

    flat-appointment-12338

    06/23/2021, 5:32 PM
    Hey all - wondering if I am missing something in the docs. Is it possible to specify image tags when pushing to ECR using
    awsx.ecr.buildAndPushImage
    ?
  • q

    quaint-guitar-13446

    06/24/2021, 5:32 AM
    enableExecuteCommand
    does not appear to be available on
    FargateService
    type. According to https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html it should be available as long as you're using platform version 1.4.0
  • q

    quaint-guitar-13446

    06/24/2021, 5:33 AM
    https://github.com/pulumi/pulumi-awsx/issues/671
  • s

    stocky-morning-21061

    06/24/2021, 12:16 PM
    Hi, I just opened an issue addressing a multiple aws account setup with chained providers: https://github.com/pulumi/pulumi-aws/issues/1544 can someone please have a look at it?
  • m

    millions-furniture-75402

    06/24/2021, 12:34 PM
    How do I set log retention on EC2 Instances that are part of an autoscaling group? With a single EC2 Instance I handle it like so:
    const myEc2 = new aws.ec2.Instance(...);
    
    myEc2.id.apply(
      myEc2Id =>
        new aws.cloudwatch.LogGroup(`${appName}-ec2-lg`, {
          name: `/custom/ec2/${appName}/${myEc2Id}`,
          retentionInDays: 14,
        }),
    );
    I would think I could retrieve a collection of EC2 Instances from the autoscaling group, but I’m not finding that to be true. https://www.pulumi.com/docs/reference/pkg/aws/autoscaling/group/#outputs
  • m

    millions-furniture-75402

    06/24/2021, 1:27 PM
    I’m not sure why I get this error:
    Type                       Name                                 Plan     Info
         pulumi:pulumi:Stack        outbound-proxy-sandbox.eu-central-1           
         └─ aws:ec2:LaunchTemplate  outbound-proxy-launch-template                1 error
     
    Diagnostics:
      aws:ec2:LaunchTemplate (outbound-proxy-launch-template):
        error: aws:ec2/launchTemplate:LaunchTemplate resource 'outbound-proxy-launch-template' has a problem: Expected Object Type: Expected object, got string. Examine values at 'LaunchTemplate.IamInstanceProfile'.
    I am declaring the object:
    const outboundProxyIamInstanceProfile = new aws.iam.InstanceProfile(`${appName}-instance-profile`, {
      role: outboundProxyInstanceRole,
    });
    
    const outboundProxyLaunchTemplate = new aws.ec2.LaunchTemplate(
      `${appName}-launch-template`,
      {
        namePrefix: `${appName}-`,
        iamInstanceProfile: outboundProxyIamInstanceProfile,
        ...
      },
      { dependsOn: outboundProxyIamInstanceProfile },
    );
    I can define it inline as an object… but then… lol…
    aws:iam:InstanceProfile (outbound-proxy-instance-profile):
        error: Duplicate resource URN 'urn:pulumi:sandbox.eu-central-1::outbound-proxy::aws:iam/instanceProfile:InstanceProfile::outbound-proxy-instance-profile'; try giving it a unique name
  • d

    damp-school-17708

    06/24/2021, 1:54 PM
    Hi, I've just started to use the handy
    new awsx.ecs.FargateService
    therefore I am building docker images via pulumi, I am on an M1 mac, which means that if I try to build and push to ECR/ECS an image it will be in the wrong architecture to run in ECS later on. Do you know if there's a way to force buildx to build for a certain architecture? Or a way to pass the flag to pulumi? Thanks
  • l

    lively-lizard-8189

    06/24/2021, 3:18 PM
    Hi, does anyone have tips on why
    pulumi up
    is building and pushing a new image for a containerized lambda when there are no changes to the image? The image builds quickly enough but it takes over 20 minutes 😱 to push the image to ECR (determined from viewing Diagnostics logs during deployment). Some avenues I’ve explored:
    • I’m not sure if there’s a disconnect between ECR’s layer caches.. am I inadvertently building an entirely new lambda each time rather than updating the image tag?
    • Why would pulumi find changes to the image when no source code was changed?
    • https://github.com/pulumi/pulumi-docker/issues/32
    Are there any workarounds for this? The lambda built from a docker image (same design pattern as https://www.pulumi.com/blog/aws-lambda-container-support/)
    export const myLambda = new aws.lambda.Function('myName', {
      packageType: 'Image',
      imageUri: image.imageValue,
      }
    );
    Thanks!
  • s

    sparse-dog-88757

    06/24/2021, 4:50 PM
    How do I look up an existing resource in a different region than the one currently set in the pulumi config?
  • d

    damp-school-17708

    06/25/2021, 1:02 PM
    Has anyone else ever encountered this error:
    * Error creating Cloudwatch log subscription filter: ResourceNotFoundException: The specified log group does not exist.
    We basically have a CW log subscription filter, which subscribes to a CW log, this is all on a lambda, when we create the lambda+log+subscription for the first time (before any invocation of the lambda) it always fails. It's nothing too fancy, code is here:
    const logGroup = new aws.cloudwatch.LogGroup(`log-group-${functionName}`, {
            name: `/aws/lambda/${functionName}`,
            retentionInDays: 30,
            tags,
          })
          new aws.cloudwatch.LogSubscriptionFilter(`log-sub-${functionName}`, {
            name: `log-sub-${functionName}`,
            logGroup: logGroup,
            filterPattern: '',
            destinationArn: `arn:aws:lambda:${region}:998119384210:function:datadog-ForwarderStack-C97LY7AXPME-Forwarder-1I6FZ9UCEMET2`,
          })
    Once you invoke the function then the filter works, everything is fine
  • r

    refined-toothbrush-89205

    06/25/2021, 5:05 PM
    since upgrading to pulumi 3, i haven't been able to get my CD to do AWS lambda deployments, i keep getting:
    while waiting for function (*****) update: ResourceNotReady: exceeded wait attempts
    , i presume this is an IAM permission issue with some new polling call (can reproduce if use CD creds locally) that has been introduced as it works just fine with my personal credentials (root) locally, but it is hard to debug this issue as I don't seem to get any useful output doing
    pulumi up -v=9 -p 1 --yes
  • b

    best-lifeguard-91445

    06/25/2021, 5:33 PM
    I see that in
    awsx/ec2/metrics.ts
    there is a comment regarding AutoScalingGroupName as an option to provide as a dimension. However, it doesn't look like the metric() function actually sets the property. Is this intended? I'm trying to create a CPU Utilization metric for ASG instances.
  • f

    flat-appointment-12338

    06/25/2021, 8:53 PM
    Hi, I am trying to create a
    aws.secretsmanager.Secret
    and then use this secret in the
    environment
    for a
    Container
    but I am not sure how to achieve this as the
    aws.ecs.Secret.valueFrom
    property only accepts a string rather than an
    Input
    \`Output` - is there a way to resolve the ARN output from the secret I created so that I may pass it into
    valueFrom
    ?
  • b

    breezy-lunch-69325

    06/27/2021, 12:52 AM
    I have a monorepo setup with a core infra package which creates my vpc and ecs cluster that i need to reference in order to create fargate services in other stacks. I can't find any way to reference these resources to create a service, even using stack reference I am only able to access outputs, not resources. Is there any documentation on how to setup pulumi with a mono repo / reuse resources across stacks
  • w

    white-action-27798

    06/27/2021, 11:14 AM
    Hi, we have a problem with the autoscaling destroy process on Pulumi. Unlike Terraform, after we create the autoscaling resource on Pulumi and the desired count of instances is greater than 0, it fails to delete the autoscaling resource because we have running instances (without an error message); it just keeps running and fails on a timeout exception. What do we need to do to remove autoscaling with running instances?
  • e

    echoing-zebra-28421

    06/27/2021, 11:52 PM
    Anyone has any ideas how to solve this error?
    Error reading file 'infra/package.json' when computing package dependencies. Error: ENOENT: no such file or directory, open '/infra/package.json'
    My dir:
    - project
        ...
        - infra
            - Pulumi.yaml
            - tsconfig.json
            ...
        - src
           ...
       - package.json
       - tsconfig.json
    I need to have the package.json at that place in my directory. Any help or alternatives to solve the problem will be welcome. I'm using 
    @pulumi/pulumi: "^3.4.0"
    this error occurs when i run 
    pulumi preview --cwd infra
      I run that command in the root of my project. the problem occurs when I try to use  
    aws.lambda.CallbackFunction
  • a

    alert-cartoon-12389

    06/28/2021, 7:40 AM
    Please let me know if pulumi provides any implementation of adding arn:aws:states:::lambda:invoke.waitForTaskToken in state machine AWS. Thanks
  • g

    great-sunset-355

    06/28/2021, 2:04 PM
    What is the input
    path
    in User resource? https://www.pulumi.com/docs/reference/pkg/aws/iam/user/#path_python
  • g

    great-sunset-355

    06/28/2021, 2:36 PM
    I'm trying to create programmatically managed SMTP credentials https://www.pulumi.com/docs/reference/pkg/aws/iam/accesskey/#ses_smtp_password_v4_python Am I able to get the credentials without PGP? Here is my code
    smtp_user = iam.User("smtp-user")
        access_key = iam.AccessKey("smtp-user-accesskey", user=smtp_user)
        pulumi.export("smtp-secret", access_key.encrypted_secret.ses_smtp_password_v4)
    but it results in
    AttributeError: 'NoneType' object has no attribute 'ses_smtp_password_v4'
  • p

    purple-appointment-84502

    06/29/2021, 2:19 AM
    Hi all, getting some strange updates/diff when running pulumi refresh that includes some RouteTableAssociations
    gatewayId : undefined => ""
    I'm using the automation api and the
    expect_no_changes
    flag which causes an error. Any idea what causes these properties changes? Thanks!
  • m

    millions-furniture-75402

    06/29/2021, 12:35 PM
    Given a
    LogMetricFilter
    , e.g.
    const yada = new aws.cloudwatch.LogMetricFilter("yada", {
        pattern: "",
        logGroupName: dada.name,
        metricTransformation: {
            name: "EventCount",
            namespace: "YourNamespace",
            value: "1",
        },
    });
    How do I create a cloudwatch alarm with this? With regular metrics, I can use awsx and
    .createAlarm()
    but even falling back to the
    aws
    package for the
    LogMetricFilter
    it’s unclear to me. https://www.pulumi.com/docs/reference/pkg/aws/cloudwatch/metricalarm/
  • s

    sparse-dog-88757

    06/29/2021, 4:10 PM
    having trouble figuring out how to create a rds instance from a snapshot via pulumi. I see modules for creating or getting snapshots, but have yet to figure out how to spin up a new instance from an existing snapshot
  • b

    bright-sandwich-93783

    06/30/2021, 12:56 AM
    Hi all. Has anyone run into this issue that when creating an IAM OIDC Provider for EKS using a cluster's OIDC issuer URL, you also need the thumbprint which is not an output of the created cluster?
  • b

    bright-sandwich-93783

    06/30/2021, 12:59 AM
    you need to run something like this script to compute the thumbprint. Any suggestions for doing this in Pulumi? running code to do this in the Apply function of the returned cluster issuer output property?

little-cartoon-10569

06/30/2021, 3:26 AM
You could run it from your program before creating the resource. Or pass the thumbprint in via config.

bright-sandwich-93783

06/30/2021, 3:39 AM
that kind of defeats the purpose of using something like pulumi to imperatively define resource dependency graphs. But yeah, I might have to
thx for the input 🙂

billowy-army-68599

06/30/2021, 8:44 AM
@bright-sandwich-93783 the thumbprint is the same for every cluster, most people hardcode it
this is how we retrieve it in our EKS provider: https://github.com/pulumi/pulumi-eks/blob/4f4a75b17de98cf2f9c3d34a960b59503cbc4f0a/nodejs/eks/cert-thumprint.ts

bright-sandwich-93783

06/30/2021, 9:02 PM
@billowy-army-68599 thank you! I did eventually realize thumbprint is basically static for each cluster and each region. However, I did find a decent solution using the Pulumi TLS package! You can grab the cert using the Pulumi TLS package and access the fingerprint. A somewhat incomplete example of this can be seen here (it notably omits the critical call to
GetCertificate
)
https://www.pulumi.com/docs/reference/pkg/tls/getcertificate/
i figured this out by reading this article, in which point 3 mentions that the TF TLS provider update sometime last year made the fingerprint accessible
https://marcincuber.medium.com/amazon-eks-with-oidc-provider-iam-roles-for-kubernetes-services-accounts-59015d15cb0c

billowy-army-68599

06/30/2021, 9:06 PM
@bright-sandwich-93783 this actually sounds really cool, can you show me how it works?

bright-sandwich-93783

06/30/2021, 9:08 PM
@billowy-army-68599 yeah once I get the code working I'll paste it here
wait, why would the TS pulumi EKS provider do this, but not the Go provider?
seems like the TS EKS provider gives you a thumbprint output

billowy-army-68599

06/30/2021, 9:16 PM
The EKS provider uses multi language output, so it’s written in typescript but you can consume it in all our supported languages

bright-sandwich-93783

06/30/2021, 9:17 PM
oh ok. In that case, why is the EKS provider fetching the thumbprint? It's not exposed as an output anywhere
or is it used for something else entirely? Would be really neat to get it back as an output in the
ClusterIdentity
Oidcs
block
(yes the root CA expires in 2034 and probably won't change until then lol)

billowy-army-68599

06/30/2021, 9:21 PM
it does output them: https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/eks-platform/eks/index.ts#L23-L24

bright-sandwich-93783

06/30/2021, 10:35 PM
not the thumbprint

billowy-army-68599

06/30/2021, 10:49 PM
oh sorry yes

bright-sandwich-93783

06/30/2021, 11:00 PM
@billowy-army-68599 theoretically, you could do something like this:
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/eks"
	"github.com/pulumi/pulumi-aws/sdk/v3/go/aws/iam"
	"github.com/pulumi/pulumi-tls/sdk/v4/go/tls"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleCluster, err := eks.NewCluster(ctx, "exampleCluster", nil)
		if err != nil {
			return err
		}
		exampleCert, err := tls.GetCertificate(ctx, tls.GetCertificateArgs {
			Url: exampleCluster.Identities[0].Url
		})
		_, err = iam.NewOpenIdConnectProvider(ctx, "exampleOpenIdConnectProvider", &iam.OpenIdConnectProviderArgs{
			ClientIdLists: pulumi.StringArray{
				pulumi.String("sts.amazonaws.com"),
			},
			ThumbprintLists: pulumi.StringArray{
				exampleCertificate.ApplyT(func(exampleCertificate tls.GetCertificateResult) (string, error) {
					return exampleCertificate.Certificates[0].Sha1Fingerprint, nil
				}).(pulumi.StringOutput),
			},
			Url: pulumi.String(exampleCluster.Identities.ApplyT(func(identities []eks.ClusterIdentity) (string, error) {
				return identities[0].Oidcs[0].Issuer, nil
			}).(pulumi.StringOutput)),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
getting the
exampleCert
is pseudocode, because I couldn't figure out a way to get the actual
string
value of the issuer URL, unless I wanted to make the
GetCertificate
call inside of an ApplyT callback... Thoughts?

billowy-army-68599

06/30/2021, 11:03 PM
you can do it inside the
ApplyT
, we try not to recommend it because it won't show up in previews, but it should work

little-cartoon-10569

06/30/2021, 11:06 PM
Why does GetCertificate have to be in an ApplyT?

bright-sandwich-93783

06/30/2021, 11:06 PM
because GetCertificate requires a
string
value for the URL, not a StringOutput/Input
which is the type of
eksCluster.Identities.Index(pulumi.Int(0)).Oidcs().Index(pulumi.Int(0)).Issuer().Elem(),

little-cartoon-10569

06/30/2021, 11:07 PM
Hmm, could that be a bug in the docs?

bright-sandwich-93783

06/30/2021, 11:07 PM
the only way to get the underlying string of that Issuer URL is to use an
ApplyT
callback, at which point you could make the call to
tls.GetCertificate
probably not a bug in the docs, that's what the actual code error is if you try it out
i.e, the result of
GetCertificate
is a vanilla go struct
doesn't implement any methods

little-cartoon-10569

06/30/2021, 11:09 PM
Yep, I see that in the TS version too. Sometimes the docs say string but the implementation is in Output or Input... but not this time 😞