Hello! I was hoping someone could help me come up with a solution for moving Docker images around (in ECR)... i'd like to do the following: 1. Pull a docker image from a source (we'll call this repository A) 2. Push the image from repository A to repository B I've been trying to do this with the following steps without success: 1. Fetch repository A metadata with aws.ecr.getRepository 2. Fetch repository A creds with aws.ecr.getCredentials 3. Create a new docker.RemoteImage (using the image I want and a custom provider with the credentials from (2)) 4. I then create a new repository (repository B) using new aws.ecr.Repository 5. I then get the credentials for that repository and create a new docker.RegistryImage and pass the creds from (4) in authConfigs I run into an issue at (5) because I have no Dockerfile to pass to the build context. I try to use the output from the docker.RemoteImage which is supposed to pull the remote image to my local filesystem but can't locate that file. Any guidance is appreciated, thanks!

Hej everyone! Using Typescript, how would I go about using pulumi-specific types in Lambda functions? Naively importing them in the same way you would with custom defined types results in the

Cannot find module '@pulumi/pulumi/runtime/index.js'

error, I guess because

@pulumi/...

packages are not included in the Lambda. Any way around this?

Is there a way to programmatically hand in a provider of a mks cluster when creating a Kafka Topic in AWS rather then using

pulumi config set kafka:bootstrapServers

? Im a little confused since there is very little resources or examples to read regarding kafka.

Are there plans to add native functionality to the VpcEndpoint for subnet association. IE I have 3 subnets but according to the docs I can only do a 1 to 1 per association unless I was to write a loop around the play vs being able to natively read a list to iterate over?

VPC Endpoint Subnet Association (an association between a VPC endpoint and a single subnet_id

how can i use the name of a resource i'm defining in one of its properties? for example, if i create a Firehose stream with logging in the console, AWS uses the name of the stream in the log group name. but how can i do that in Pulumi?

stream = aws.kinesis.FirehoseDeliveryStream(
    'my-stream",
    destination="s3",
    s3_configuration=aws.kinesis.FirehoseDeliveryStreamS3ConfigurationArgs(
        role_arn=my_role.arn, 
        bucket_arn=data_lake.arn, 
        cloudwatch_logging_options=aws.kinesis.FirehoseDeliveryStreamS3ConfigurationCloudwatchLoggingOptionsArgs(
            enabled=True,
            log_group_name=f'aws/kinesisfirehose/{stream.name}',  # FIXME: undefined at this point
            log_stream_name='S3Delivery'
        )
    ),
)

Hi, does pulumi supports AWS in China?

What is the best practice for organizing stacks for multiple regions? Some resources are region specific, some are region agnostic. What is the best practice to organize code in such cases? Any advices will be appreciated.

this may be a bit of an antipattern but has anyone looked into a way to have pulumi not adjust the size of an auto scaling group if its configured size is less than the actual size?

Hello, I would like to migrate DNS records and CloudFront distributions managed with Pulumi project from one account to another inside the same organization. Looks like those resources should be first deleted in the source account and created again in the destination as the same domain name should not be used for more than one DNS record/CloudFront distribution. How can Pulumi assist with the migration and to ensure the minimum downtime of the websites? Thank you. CC @wonderful-dog-9045

If my Pulumi plan wants to replace a NodeGroup in an EKS cluster, will it automatically handle the cordoning of old nodes and moving pods over to the new NodeGroup for me?

When trying to apply a change to my stack, I'm running into this issue:

* error creating Route Table (rtb-041aa78738eeae220) Association: Resource.AlreadyAssociated: the specified association for route table rtb-041aa78738eeae220 conflicts with an existing association

What is the best way to proceed? Seems it's not properly cleaning up the previous resources before applying the new ones

Hi, I tried to use the awsx.apigateway and we have several routes that we would like to use the same authorizer for, but the I can't find out how to use the same authorizer for several routes, is that possible? And if it's then how?

What's the general approach for creating a service discovery service using an SRV record type for the

DnsConfig

? It appears that

type

is expected to be

HTTP

,

HTTPS

, or

TCP

, but the code example shows using type

A

, and AWS's docs mention the possibility to use

SRV

.

Not sure why I'm getting an error trying to create a couple of security group rules. Something like:

new SecurityGroupRule($"{awsEksPrefix}-1",
    new SecurityGroupRuleArgs
    {
        Type = "ingress",
        Protocol = "tcp",
        FromPort = 0,
        ToPort = 65535,
        SourceSecurityGroupId = internalSgId,
        SecurityGroupId = clusterSgId
    },
    new CustomResourceOptions { Provider = awsProvider });

new SecurityGroupRule($"{awsEksPrefix}-2",
    new SecurityGroupRuleArgs
    {
        Type = "ingress",
        Protocol = "tcp",
        FromPort = 0,
        ToPort = 65535,
        SourceSecurityGroupId = internetSgId,
        SecurityGroupId = clusterSgId
    },
    new CustomResourceOptions { Provider = awsProvider });

Fails with error:

Duplicate resource URN 'urn:pulumi:alpha::aws-eks::aws:ec2/securityGroupRule:SecurityGroupRule::alpha-aws-eks-2'; try giving it a unique name

But I am specifying unique names!?

broadcasting this here as we had issues yesterday with datadog using aws-for-fluent https://github.com/aws/aws-for-fluent-bit/issues/233 if for some reason you are using a log router with the latest image, switch to stable

'log-router': {
          image: 'amazon/aws-for-fluent-bit:latest',

        'log-router': {
          image: 'amazon/aws-for-fluent-bit:stable',

I’m using pulumi to manage a

aws.wafv2.WebAcl

resource. I have some

rules

defined like:

{
        name: "web-test",
        overrideAction: {
          count: {},
        },
        priority: 1,
        statement: {
          managedRuleGroupStatement: {
            excludedRules: [],
            name: "AWSManagedRulesCommonRuleSet",
            vendorName: "AWS",
          },
        },
        visibilityConfig: {
          cloudwatchMetricsEnabled: true,
          metricName: "web-test-metrics",
          sampledRequestsEnabled: true,
        },
      }

The resource is created w/o any trouble and seems to work. However, whenever I run

pulumi preview

or

pulumi up

it thinks the rules are changing, even though I haven’t made changes. Any ideas on how to fix that?

I have a lambda function that gets invoked with an event trigger every x minutes. In Pulumi, I was able to set up the lambda function with event rule and event target, but I can’t seem to figure out how I can configure the

trigger

. Maybe I’m missing something in the docs… does anyone have any idea that can help me out here?

Hi, just wondering if there's a nice way to do this https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html with Pulumi? I have used

createOidcProvider

on my cluster resource, but unsure how to translate step 5 of this https://aws.amazon.com/premiumsupport/knowledge-center/eks-alb-ingress-controller-fargate/ into Pulumi I have found this guide https://www.pulumi.com/blog/kubernetes-ingress-with-aws-alb-ingress-controller-and-pulumi-crosswalk/ but it is not for a fargate cluster, and I assume I do not have an equivalent role to

NodeInstanceRole

in fargate?

Anyone have a link to a Pulumi example for coding an async Lambda with success and failure destinations? I’d love to use a awsx example, but a more low-level Lambda example would be fine. I literally just want to demonstrate Lambda1 routing to a Success Lambda or Failure Lambda. All they’ll do is console.log().

Hello. I'm trying to import existing EKS cluster to pulumi and getting error below. The cluster was created by terraform. It looks pretty odd that provider tries to set output-only values without my intervention. Any ideas how to bypass the error?

➜ pulumi import --debug aws:eks/cluster:Cluster xxx xxx
Please choose a stack: xxx
Previewing import (xxx)

View Live: <https://app.pulumi.com/xxx/xxx/previews/xxxxxxx>

     Type                 Name              Plan       Info
     pulumi:pulumi:Stack  xxx               1 error; 9 debugs
 =   └─ aws:eks:Cluster   xxxx  import     3 errors

Diagnostics:
  pulumi:pulumi:Stack (xxx):
    debug: AWS Auth provider used: "SharedCredentialsProvider"
    debug: AWS Auth provider used: "SharedCredentialsProvider"
    debug: AWS Auth provider used: "SharedCredentialsProvider"
    debug: Trying to get account information via iam:GetUser
    debug: AWS Auth provider used: "SharedCredentialsProvider"
    debug: Trying to get account information via iam:GetUser
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    error: preview failed

  aws:eks:Cluster (xxx):
    error: aws:eks/cluster:Cluster resource 'xxx' has a problem: Computed attributes cannot be set: Computed attributes cannot be set, but a value was set for "vpc_config.0.vpc_id".. Examine values at 'Cluster.VpcConfig.VpcId'.
    error: aws:eks/cluster:Cluster resource 'xxx' has a problem: Computed attributes cannot be set: Computed attributes cannot be set, but a value was set for "vpc_config.0.cluster_security_group_id".. Examine values at 'Cluster.VpcConfig.ClusterSecurityGroupId'.
    error: Preview failed: one or more inputs failed to validate

Anybody know if there's a way to query the aws:region that is set in the yaml file? for example if my yaml file looks like:

config:
  aws:region: ap-southeast-2
  aws:profile: prod
  shared:stackConfig:
    regionCode: au

is there a way I can do something like (typescript code)

const config = new Config();
const awsRegion = config.require("aws:region");

When i try to execute the above, i get an error:

error: Missing required configuration variable 'shared:aws:region'

Is

pulumi-awsx

ever going to be made available as a dotnet nuget package?

How do I configure the VPC for an RDS Cluster? It seems to be taking the default, and when I try to assign a vpcSecurityGroupId I get the error that they're in different VPCs

Hello! I’m running into this error while trying to run

pulumi up

:

error: resource complete event returned an error: failed to verify snapshot: resource urn:pulumi:theNameOfMyResource::awsx:x:ecs:FargateTaskDefinition$aws:ecs/taskDefinition:TaskDefinition: refers to missing resource

This error occured after I’ve runned

pulumi cancel

&

pulumi stack export | pulumi stack import

. I’ve runned the commands because pulumi was blocked in a pending state.

I'm not sure if this is possible but basically when

ElasticBeanstalk

creates an

Environment

, one of the outputs is

autoscalingGroups

. I'd like to update the auto scaling group(s) to enable metrics collection. This doesn't appear to be possible in the EBS initialisation options so I think i might need to update it afterwards. i tried something like this:

const autoScalingGroup = Group.get(`autoscaling`, environment.autoscalingGroups[0]);
    autoScalingGroup.enabledMetrics = [`GroupDesiredCapacity`, `GroupInServiceCapacity`, `GroupPendingCapacity`, `GroupMinSize`, `GroupMaxSize`, `GroupInServiceInstances`, `GroupPendingInstances`, `GroupStandbyInstances`, `GroupStandbyCapacity`, `GroupTerminatingCapacity`, `GroupTerminatingInstances`, `GroupTotalCapacity`, `GroupTotalInstances`];

but the property is readonly

hello everyone! I’m trying to replace default fargate ecs role, with my own and run into an issue that the role created by default cannot be removed properly

error: deleting urn:pulumi:dev::ice-online-apollo-pt-imex-adapter::awsx:x:ecs:FargateTaskDefinition$aws:iam/role:Role::role-name: 1 error occurred:
    	* error deleting IAM Role (role-id): DeleteConflict: Cannot delete entity, must detach all policies first.
    	status code: 409, request id: d3b77f2a-176a-4d0c-ae6f-03d773f32371

looks like it might be a terraform bug, is there any known workaround or do I need to manually remove it?

HI everyone!! I'm very happy to stay here!! A greetings from 🇨🇴

@adorable-rose-78846 buenos dias!

Hi folks, is there a way to read a file in an EC2 instance after provisioning it? I want to upload this file to a S3 bucket then

Hey guys, is it possible to enable report batch item failures in dynamodb table stream subscriptions (created via table.onEvent)? documentation says something about a

functionResponseTypes

arg, but I cannot pass it to

onEvent

, it only exists in the result subscription as an Output<string[] | undefined>.